diff --git a/bin/named/query.c b/bin/named/query.c
index 4077bc2a15..3010aee720 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.236 2002/09/08 18:40:58 explorer Exp $ */
+/* $Id: query.c,v 1.237 2002/09/11 06:36:17 marka Exp $ */
 
 #include <config.h>
 
@@ -2237,6 +2237,67 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db,
 		query_releasename(client, &fname);
 }
 
+static void
+query_addnxrrsetnxt(ns_client_t *client, dns_db_t *db, dns_name_t **namep,
+		    dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp)
+{
+	dns_name_t *name;
+	dns_rdataset_t *sigrdataset;
+	dns_rdata_t sigrdata;
+	dns_rdata_sig_t sig;
+	unsigned int labels;
+	isc_buffer_t *dbuf, b;
+	dns_name_t *fname;
+	isc_result_t result;
+
+	name = *namep;
+	if ((name->attributes & DNS_NAMEATTR_WILDCARD) == 0) {
+		query_addrrset(client, namep, rdatasetp, sigrdatasetp,
+			       NULL, DNS_SECTION_AUTHORITY);
+		return;
+	}
+
+	if (sigrdatasetp == NULL)
+		return;
+	sigrdataset = *sigrdatasetp;
+	if (sigrdataset == NULL || !dns_rdataset_isassociated(sigrdataset))
+		return;
+	result = dns_rdataset_first(sigrdataset);
+	if (result != ISC_R_SUCCESS)
+		return;
+	dns_rdata_init(&sigrdata);
+	dns_rdataset_current(sigrdataset, &sigrdata);
+	result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
+	if (result != ISC_R_SUCCESS)
+		return;
+
+	labels = dns_name_countlabels(name);
+	if ((unsigned int)sig.labels + 1 >= labels)
+		return;
+
+	/* XXX */
+	query_addwildcardproof(client, db,
+			       client->query.qname,
+			       ISC_TRUE);
+
+	/*
+	 * We'll need some resources...
+	 */
+	dbuf = query_getnamebuf(client);
+	if (dbuf == NULL)
+		return;
+	fname = query_newname(client, dbuf, &b);
+	if (fname == NULL)
+		return;
+	RUNTIME_CHECK(dns_name_splitatdepth(name, sig.labels + 1, NULL,
+					    fname) == ISC_R_SUCCESS);
+	/* This will succeed, since we've stripped labels. */
+	RUNTIME_CHECK(dns_name_concatenate(dns_wildcardname, fname, fname,
+					   NULL) == ISC_R_SUCCESS);
+	query_addrrset(client, &fname, rdatasetp, sigrdatasetp,
+		       dbuf, DNS_SECTION_AUTHORITY);
+}
+
 static void
 query_resume(isc_task_t *task, isc_event_t *event) {
 	dns_fetchevent_t *devent = (dns_fetchevent_t *)event;
@@ -2916,9 +2977,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		 */
 		if (WANTDNSSEC(client)) {
 			if (dns_rdataset_isassociated(rdataset))
-				query_addrrset(client, &fname, &rdataset,
-					       &sigrdataset,
-					       NULL, DNS_SECTION_AUTHORITY);
+				query_addnxrrsetnxt(client, db, &fname,
+						    &rdataset, &sigrdataset);
 		}
 		goto cleanup;
 	case DNS_R_NXDOMAIN: