diff --git a/doc/Changelog b/doc/Changelog
index 7bfecdf63..952ff7d19 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+12 June 2017: Wouter
+	- Fix #1278: Incomplete wildcard proof.
+
 8 June 2017: Ralph
 	- Added domain name based ECS whitelist.
 
diff --git a/services/cache/dns.c b/services/cache/dns.c
index 4543aa5ed..764205e53 100644
--- a/services/cache/dns.c
+++ b/services/cache/dns.c
@@ -41,6 +41,7 @@
 #include "config.h"
 #include "iterator/iter_delegpt.h"
 #include "validator/val_nsec.h"
+#include "validator/val_utils.h"
 #include "services/cache/dns.h"
 #include "services/cache/rrset.h"
 #include "util/data/msgreply.h"
@@ -755,10 +756,16 @@ dns_cache_lookup(struct module_env* env,
 	if( qtype != LDNS_RR_TYPE_DS &&
 	   (rrset=rrset_cache_lookup(env->rrset_cache, qname, qnamelen, 
 		LDNS_RR_TYPE_CNAME, qclass, 0, now, 0))) {
-		struct dns_msg* msg = rrset_msg(rrset, region, now, &k);
-		if(msg) {
-			lock_rw_unlock(&rrset->entry.lock);
-			return msg;
+		uint8_t* wc = NULL;
+		/* if the rrset is not a wildcard expansion, with wcname */
+		/* because, if we return that CNAME rrset on its own, it is
+		 * missing the NSEC or NSEC3 proof */
+		if(!(val_rrset_wildcard(rrset, &wc) && wc != NULL)) {
+			struct dns_msg* msg = rrset_msg(rrset, region, now, &k);
+			if(msg) {
+				lock_rw_unlock(&rrset->entry.lock);
+				return msg;
+			}
 		}
 		lock_rw_unlock(&rrset->entry.lock);
 	}