diff --git a/msg.go b/msg.go
index f4501d46..02308bf9 100644
--- a/msg.go
+++ b/msg.go
@@ -57,6 +57,7 @@ var (
 ErrDenialNc error = &Error{Err: "no covering NSEC3 found for next closer"}
 ErrDenialSo error = &Error{Err: "no covering NSEC3 found for source of synthesis"}
 ErrDenialBit error = &Error{Err: "type not denied in NSEC3 bitmap"}
+ ErrDenialWc error = &Error{Err: "wildcard exist, but closest encloser is denied"}
 )
 // A manually-unpacked version of (id, bits).
diff --git a/nsec3.go b/nsec3.go
index 2f4b6af5..dcf240b7 100644
--- a/nsec3.go
+++ b/nsec3.go
@@ -160,10 +160,23 @@ func (m *Msg) Nsec3Verify(q Question) (int, error) {
 return 0, ErrDenialNc // add next closer name here
 }
 // For NODATA we need to to check if the matching nsec3 has to correct type bit map
+ // And we need to check that the wildcard does NOT exist
+ for _, nsec := range nsec3 {
+ if nsec.Cover(so) {
+ sodenied = true
+ break
+ }
+ }
+ if sodenied {
+ // Whoa, the closest encloser is denied, but there does exist
+ // a wildcard a that level. That's not good
+ return 0, ErrDenialWc
+ }
+
 goto NoData
 }
- // Check if the source of synthesis is covered and thus denied
+ // Check if the source of synthesis is covered and thus also denied
 for _, nsec := range nsec3 {
 if nsec.Cover(so) {
 sodenied = true
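Review bot: The text of the new `ErrDenialWc` describes the opposite of the situation in which nsec3.go returns it: that hunk returns `ErrDenialWc` when `sodenied` is true, and the file's own comment equates `nsec.Cover(so)` with the source of synthesis being denied, so at that point the wildcard has been proven absent, not present, while the message says "wildcard exist". Either the guard or the message appears inverted; if the added comment ("check that the wildcard does NOT exist") states the intent, the guard would be `if !sodenied {` and the message something like `"closest encloser matched, but wildcard is not denied"` — this is inferred, since `Cover`'s semantics are not on this page. Independently, "exist" should be "exists" to match the grammar of the sibling messages. The Nsec3Verify hunk runs past the end of this chunk, so the surrounding control flow is only partly visible.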