diff --git a/lib/dns/include/dns/result.h b/lib/dns/include/dns/result.h
index 2ee379beb0..f2f71a809d 100644
--- a/lib/dns/include/dns/result.h
+++ b/lib/dns/include/dns/result.h
@@ -40,7 +40,7 @@
 #define DNS_R_BITSTRINGTOOLONG (ISC_RESULTCLASS_DNS + 3)
 #define DNS_R_EMPTYLABEL (ISC_RESULTCLASS_DNS + 4)
 #define DNS_R_BADDOTTEDQUAD (ISC_RESULTCLASS_DNS + 5)
-/* 6 is unused */
+#define DNS_R_INVALIDNS (ISC_RESULTCLASS_DNS + 6)
 #define DNS_R_UNKNOWN (ISC_RESULTCLASS_DNS + 7)
 #define DNS_R_BADLABELTYPE (ISC_RESULTCLASS_DNS + 8)
 #define DNS_R_BADPOINTER (ISC_RESULTCLASS_DNS + 9)
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index ce47de1992..a555374ee9 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -3585,6 +3585,12 @@ loading_addrdataset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset) {
 */
 if (dns_name_iswildcard(name)) {
+ /*
+ * NS record owners cannot legally be wild cards.
+ */
+ if (rdataset->type == dns_rdatatype_ns)
+ return (DNS_R_INVALIDNS);
+
 /*
 * In order for wildcard matching to work correctly in
 * zone_find(), we must ensure that a node for the wildcarding
diff --git a/lib/dns/result.c b/lib/dns/result.c
index eaddc2ff03..b98fa9fd85 100644
--- a/lib/dns/result.c
+++ b/lib/dns/result.c
@@ -30,7 +30,7 @@ static const char *text[DNS_R_NRESULTS] = {
 "bitstring too long", /* 3 */
 "empty label", /* 4 */
 "bad dotted quad", /* 5 */
- "UNUSED6", /* 6 */
+ "invalid NS owner name (wildcard)", /* 6 */
 "unknown class/type", /* 7 */
 "bad label type", /* 8 */
 "bad compression pointer", /* 9 */
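Review bot: The wildcard-NS rejection in the lib/dns/rbtdb.c hunk sits only in loading_addrdataset(), so it guards the zone-load path. Whether the same owner name is refused on other write paths into the database (for example dynamic update) cannot be seen from this hunk and should be confirmed, or the check moved into a helper those paths share. The new comment states the rule but not the reason; something like `/* A wildcard NS would create a wildcard delegation, which RFC 4592 section 4.2 leaves undefined; refuse to load it. */` would help the next reader. The early return fires before the wildcard-node setup below it, and since the function body starts and ends outside the hunk, it is worth checking that nothing acquired earlier needs releasing on this path.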