Signed wildcard RRset may be cached too long
The DNS response is validated and the answer is cached. It looks like it does not take into account the denial of existence records when determining the TTL. If the denial of existence records have a shorter TTL, the wildcard RRset may be cached for too long.
This is only a problem for requests that do not require validation; they will be served the cached wildcard RRset without a "fresh" validation.
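
A sketch of the TTL calculation this report asks for, as an added example and not the resolver's own code: a wildcard-expanded answer is cached no longer than the shortest-lived NSEC/NSEC3 RRset that proves the expansion. The `RRset` type, the function names and the sample records are assumptions made for illustration; the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass
class RRset:
    owner: str           # owner name as seen in the response
    rtype: str           # "A", "NSEC", "NSEC3", ...
    ttl: int             # TTL received in the response
    sig_labels: int      # Labels field of the covering RRSIG
    sig_orig_ttl: int    # Original TTL field of the covering RRSIG
    sig_expiration: int  # RRSIG expiration, Unix time

def label_count(name):
    """Count labels as the RRSIG Labels field does: no root, no leading '*'."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return len(labels[1:] if labels[:1] == ["*"] else labels)

def is_wildcard_expanded(rrset):
    # RFC 4035 5.3.4: fewer signed labels than owner labels means synthesis.
    return rrset.sig_labels < label_count(rrset.owner)

def validated_ttl(rrset, now):
    # RFC 4035 5.3.3 bounds: received TTL, RRSIG original TTL, time to expiry.
    return max(0, min(rrset.ttl, rrset.sig_orig_ttl, rrset.sig_expiration - now))

def cache_ttl(answer, authority, now):
    ttl = validated_ttl(answer, now)
    if is_wildcard_expanded(answer):
        proofs = [r for r in authority if r.rtype in ("NSEC", "NSEC3")]
        if not proofs:
            raise ValueError("wildcard answer without denial-of-existence proof")
        # The answer is only valid while the proof that no closer name exists is.
        ttl = min([ttl] + [validated_ttl(p, now) for p in proofs])
    return ttl

# Constructed sample data (not from a real zone).
NOW = 1_700_000_000
WILDCARD_ANSWER = RRset("host.example.test.", "A", 3600, 2, 3600, NOW + 86400)
DIRECT_ANSWER = RRset("www.example.test.", "A", 3600, 3, 3600, NOW + 86400)
NSEC_PROOF = RRset("alpha.example.test.", "NSEC", 60, 3, 60, NOW + 86400)

if __name__ == "__main__":
    print(cache_ttl(WILDCARD_ANSWER, [NSEC_PROOF], NOW))
    print(cache_ttl(DIRECT_ANSWER, [], NOW))
```

With the cap applied, the cached wildcard answer expires together with its proof, so requests that do not require validation are never served an answer whose denial of existence has already lapsed.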