diff --git a/nsecx.go b/nsecx.go
index 3f5f0548..8b52999b 100644
--- a/nsecx.go
+++ b/nsecx.go
@@ -88,7 +88,6 @@ func (rr *NSEC3) Cover(name string) bool {
 		// hname > rr.NextDomain
 		// TODO(miek)
 	}
-
 	if hname <= hash {
 		return false
 	}
diff --git a/nsecx_test.go b/nsecx_test.go
index 611e6628..598ab937 100644
--- a/nsecx_test.go
+++ b/nsecx_test.go
@@ -53,7 +53,7 @@ func TestNsec3Proof(t *testing.T) {
 		t.Logf("Failed to validate NSEC3")
 		t.Fail()
 	}
-	nsec3 = []RR{ // closest encloser can not be found
+	nsec3 = []RR{ // closest encloser can not be found, 1st NSEC3
 		newNSEC3("bk4e8fj94u78smusb40o1n0oltbblu2r.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 SK4F38CQ0ATIEI8MH3RGD0P5I4II6QAN NS SOA TXT RRSIG DNSKEY NSEC3PARAM"),
 		newNSEC3("39p91242oslggest5e6a7cci4iaeqvnk.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 39P99DCGG0MDLARTCRMCF6OFLLUL7PR6 NS DS RRSIG"),
 		newNSEC3("t98kg1p1cjtdoc4ksb7g57jc9vulltcd.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 T98MULSKU3E499AGCTTRJK6H0L3E5T92 NS DS RRSIG")}
@@ -63,4 +63,24 @@ func TestNsec3Proof(t *testing.T) {
 		t.Logf("Should fail validate NSEC3")
 		t.Fail()
 	}
+	nsec3 = []RR{ // wildcard not covered, 3rd NSEC3
+		newNSEC3("sk4e8fj94u78smusb40o1n0oltbblu2r.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 SK4F38CQ0ATIEI8MH3RGD0P5I4II6QAN NS SOA TXT RRSIG DNSKEY NSEC3PARAM"),
+		newNSEC3("39p91242oslggest5e6a7cci4iaeqvnk.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 39P99DCGG0MDLARTCRMCF6OFLLUL7PR6 NS DS RRSIG"),
+		newNSEC3("t98kg1p1cjtdoc4ksb7g57jc9vulltcd.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 T98LULSKU3E499AGCTTRJK6H0L3E5T92 NS DS RRSIG")}
+
+	err = Proof(nsec3, "snasajsksasasa.nl.", TypeA)
+	if err == nil {
+		t.Logf("Should fail validate NSEC3")
+		t.Fail()
+	}
+	nsec3 = []RR{ // nextcloser not covered, 2rd NSEC3
+		newNSEC3("sk4e8fj94u78smusb40o1n0oltbblu2r.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 SK4F38CQ0ATIEI8MH3RGD0P5I4II6QAN NS SOA TXT RRSIG DNSKEY NSEC3PARAM"),
+		newNSEC3("39p91242oslggest5e6a7cci4iaeqvnk.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 39P89DCGG0MDLARTCRMCF6OFLLUL7PR6 NS DS RRSIG"),
+		newNSEC3("t98kg1p1cjtdoc4ksb7g57jc9vulltcd.nl. IN NSEC3 1 1 5 F10E9F7EA83FC8F3 T98LULSKU3E499AGCTTRJK6H0L3E5T92 NS DS RRSIG")}
+
+	err = Proof(nsec3, "snasajsksasasa.nl.", TypeA)
+	if err == nil {
+		t.Logf("Should fail validate NSEC3")
+		t.Fail()
+	}
 }