diff --git a/CHANGES b/CHANGES
index dca637ab1e..88344538ff 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+3487. [bug] Change 3444 was not complete. There was a additional
+ place where the NOQNAME proof needed to be saved.
+ [RT #32629]
+
 3486. [bug] named could crash when using TKEY-negotiated keys
 that had been deleted and then recreated. [RT #32506]
 
diff --git a/bin/tests/system/wildcard/clean.sh b/bin/tests/system/wildcard/clean.sh
index 4aa51d6380..34cc9868d6 100644
--- a/bin/tests/system/wildcard/clean.sh
+++ b/bin/tests/system/wildcard/clean.sh
@@ -22,6 +22,7 @@ rm -f ns1/K*
 rm -f ns1/*.db
 rm -f ns1/*.signed
 rm -f ns1/dsset-*
+rm -f ns1/keyset-*
 rm -f ns1/trusted.conf
 rm -f ns1/private.nsec.conf
 rm -f ns1/private.nsec3.conf
diff --git a/bin/tests/system/wildcard/ns1/dlv.db.in b/bin/tests/system/wildcard/ns1/dlv.db.in
new file mode 100644
index 0000000000..9de4b7a1db
--- /dev/null
+++ b/bin/tests/system/wildcard/ns1/dlv.db.in
@@ -0,0 +1,19 @@
+; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id$
+
+$TTL 120
+@ SOA a.root-servers.nil. hostmaster.root-servers.nil. 1 1800 900 604800 86400
+@ NS a.root-servers.nil.
diff --git a/bin/tests/system/wildcard/ns1/named.conf b/bin/tests/system/wildcard/ns1/named.conf
index 8ad4206b6c..6e3564c867 100644
--- a/bin/tests/system/wildcard/ns1/named.conf
+++ b/bin/tests/system/wildcard/ns1/named.conf
@@ -33,6 +33,8 @@ options {
 
 zone "." { type master; file "root.db.signed"; };
 
+zone "dlv" { type master; file "dlv.db.signed"; };
+
 zone "nsec" { type master; file "nsec.db.signed"; };
 
 zone "private.nsec" { type master; file "private.nsec.db.signed"; };
diff --git a/bin/tests/system/wildcard/ns1/root.db.in b/bin/tests/system/wildcard/ns1/root.db.in
index 54cf2d2e0a..102eea811b 100644
--- a/bin/tests/system/wildcard/ns1/root.db.in
+++ b/bin/tests/system/wildcard/ns1/root.db.in
@@ -18,5 +18,6 @@ $TTL 120
 @ SOA a.root-servers.nil hostmaster.root-servers.nil 1 1800 900 604800 86400
 @ NS a.root-servers.nil
 a.root-servers.nil A 10.53.0.1
+dlv NS a.root-servers.nil
 nsec NS a.root-servers.nil
 nsec3 NS a.root-servers.nil
diff --git a/bin/tests/system/wildcard/ns1/sign.sh b/bin/tests/system/wildcard/ns1/sign.sh
index 35269928ab..bae0e43fba 100755
--- a/bin/tests/system/wildcard/ns1/sign.sh
+++ b/bin/tests/system/wildcard/ns1/sign.sh
@@ -22,6 +22,20 @@ SYSTEMTESTTOP=../..
 RANDFILE=../random.data
 dssets=
 
+zone=dlv.
+infile=dlv.db.in
+zonefile=dlv.db
+outfile=dlv.db.signed
+dssets="$dssets dsset-$zone"
+
+keyname1=`$KEYGEN -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key > $zonefile
+
+$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
 zone=nsec.
 infile=nsec.db.in
 zonefile=nsec.db
diff --git a/bin/tests/system/wildcard/ns5/hints b/bin/tests/system/wildcard/ns5/hints
new file mode 100644
index 0000000000..fed19b972d
--- /dev/null
+++ b/bin/tests/system/wildcard/ns5/hints
@@ -0,0 +1,18 @@
+; Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: hints,v 1.1.2.1 2010/06/01 03:55:02 marka Exp $
+
+. 0 NS ns.root-servers.nil.
+ns.root-servers.nil. 0 A 10.53.0.1
diff --git a/bin/tests/system/wildcard/ns5/named.conf b/bin/tests/system/wildcard/ns5/named.conf
new file mode 100644
index 0000000000..184546af79
--- /dev/null
+++ b/bin/tests/system/wildcard/ns5/named.conf
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.1.2.1 2010/06/01 03:55:02 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; };
+ listen-on-v6 { none; };
+ recursion yes;
+ notify yes;
+ dnssec-lookaside . trust-anchor dlv;
+};
+
+include "../ns1/trusted.conf";
+
+zone "." { type hint; file "hints"; };
diff --git a/bin/tests/system/wildcard/tests.sh b/bin/tests/system/wildcard/tests.sh
index 8dc97720c7..2ba525f062 100644
--- a/bin/tests/system/wildcard/tests.sh
+++ b/bin/tests/system/wildcard/tests.sh
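Review bot: Nothing in this new ns5 configuration says why a plain recursive test server carries `dnssec-lookaside . trust-anchor dlv;`, and the dlv zone added to ns1 in this same commit holds no DLV records, so the line reads as an accident rather than the deliberate test fixture it appears to be. If, as the lib/dns/resolver.c change suggests, the lookaside anchor is there so that ns5 treats the test zones as a secure domain and the new `+cd` queries reach the cache-without-validation path, a comment above that line saying so (e.g. `// DLV anchor: makes ns5 treat the test zones as secure so +cd queries exercise the unvalidated caching path in resolver.c`) would make the setup self-explanatory. The same goes for `include "../ns1/trusted.conf";`, which presumably has to supply the key for `dlv` before the lookaside anchor is usable; that file is generated by ns1/sign.sh and is not visible in this diff, so I cannot confirm it does.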
@@ -53,6 +53,15 @@ if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 n=`expr $n + 1`
 
+echo "I: checking that NSEC wildcard non-existance proof is returned validating + CD ($n)"
+ret=0
+$DIG $DIGOPTS +cd a b.wild.nsec @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep -i 'a\.wild\.nsec\..*NSEC.*nsec\..*NSEC' dig.out.ns5.test$n > /dev/null || ret=1
+grep -i 'flags:.* ad[ ;]' dig.out.ns5.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
 echo "I: checking that returned NSEC wildcard non-existance proof validates ($n)"
 ret=0
 $DIG $DIGOPTS a b.wild.nsec @10.53.0.4 > dig.out.ns4.test$n || ret=1
@@ -105,6 +114,15 @@ grep -i 'flags:.* ad[ ;]' dig.out.ns3.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo "I: checking that NSEC3 wildcard non-existance proof is returned validating + CD ($n)"
+ret=0
+$DIG $DIGOPTS +cd a b.wild.nsec3 @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep -i 'O3TJ8D9AJ54CBTFCQCJ3QK49CH7SF6H9\.nsec3\..*V5DLFB6UJNHR94LQ61FO607KGK12H88A' dig.out.ns5.test$n > /dev/null || ret=1
+grep -i 'flags:.* ad[ ;]' dig.out.ns5.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 n=`expr $n + 1`
 echo "I: checking that returned NSEC3 wildcard non-existance proof validates ($n)"
 ret=0
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 9b460fdd1a..232709a049 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
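Review bot: The second new check in this file (the NSEC3 hunk at @@ -105,6 +114,15 @@) greps for two hard-coded NSEC3 hash labels, so it silently depends on the salt and iteration count the nsec3 zone is signed with in ns1/sign.sh, which is outside this diff; a one-line comment above that grep, such as `# owner/next hashes depend on the NSEC3 parameters used in ns1/sign.sh`, would save whoever next changes the signing parameters from a puzzling failure. Both new `echo` lines also spell "non-existance"; they are only test log output, so changing them to `non-existence` is harmless, but the pre-existing lines in the same file carry the same spelling, so either fix all of them or leave all of them for consistent grep-ability of the log. The `grep ... 'flags:.* ad[ ;]' ... && ret=1` lines are the right assertion for a `+cd` query (AD must not be set), and it would help to say so inline, e.g. `# +cd: answer is returned unvalidated, so AD must be clear`.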
@@ -4511,13 +4511,12 @@ findnoqname(fetchctx_t *fctx, dns_name_t *name, dns_rdatatype_t type,
 isc_boolean_t optout = ISC_FALSE, unknown = ISC_FALSE;
 isc_boolean_t setclosest = ISC_FALSE;
 isc_boolean_t setnearest = ISC_FALSE;
- char namebuf[DNS_NAME_FORMATSIZE];
 
 next = ISC_LIST_NEXT(nrdataset, link);
 if (nrdataset->type != dns_rdatatype_nsec &&
 nrdataset->type != dns_rdatatype_nsec3)
 continue;
- dns_name_format(nsec, namebuf, sizeof(namebuf));
+
 if (nrdataset->type == dns_rdatatype_nsec &&
 NXND(dns_nsec_noexistnodata(type, name, nsec,
 nrdataset, &exists,
@@ -4745,6 +4744,22 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 if (sigrdataset != NULL)
 sigrdataset->trust = trust;
 if (!need_validation || !ANSWER(rdataset)) {
+ if (ANSWER(rdataset) &&
+ rdataset->type != dns_rdatatype_rrsig) {
+ isc_result_t tresult;
+ dns_name_t *noqname = NULL;
+ tresult = findnoqname(fctx, name,
+ rdataset->type,
+ &noqname);
+ if (tresult == ISC_R_SUCCESS &&
+ noqname != NULL) {
+ tresult =
+ dns_rdataset_addnoqname(
+ rdataset, noqname);
+ RUNTIME_CHECK(tresult ==
+ ISC_R_SUCCESS);
+ }
+ }
 addedrdataset = ardataset;
 result = dns_db_addrdataset(fctx->cache, node, NULL,
 now, rdataset,
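Review bot: The new findnoqname()/dns_rdataset_addnoqname() block in the cache_name hunk carries no comment explaining why the NOQNAME proof has to be saved on this path as well, which is the whole point of the commit according to the CHANGES entry (change 3444 missed this place). Inside `if (!need_validation || !ANSWER(rdataset))`, `ANSWER(rdataset)` can only be true when `need_validation` is false, so the added condition effectively means "an answer RRset being cached without validation"; a comment such as `/* Answers cached without validation (the +cd case in the new system test) still need their NOQNAME proof attached so it can be returned from cache later. */` would spare the reader that inference. It is also worth stating in that comment that the proof attached here inherits the same unvalidated trust as the rdataset, since the validator does not get to check it on this path. `RUNTIME_CHECK(tresult == ISC_R_SUCCESS)` turns any addnoqname failure into an abort of named; that appears to mirror the existing validated-path call site, but that site is outside the hunk so I cannot confirm the two agree. cache_name begins and ends outside this hunk.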