diff --git a/src/crypto/x509/name_constraints_test.go b/src/crypto/x509/name_constraints_test.go
index bc91b28401f..1f506502678 100644
--- a/src/crypto/x509/name_constraints_test.go
+++ b/src/crypto/x509/name_constraints_test.go
@@ -1658,6 +1658,22 @@ var nameConstraintsTests = []nameConstraintsTest{
 		},
 		expectedError: "\"*.example.com\" is not permitted",
 	},
+	// #89: a TLD constraint doesn't exclude unrelated wildcards
+	{
+		roots: []constraintsSpec{
+			{
+				bad: []string{"dns:tld"},
+			},
+		},
+		intermediates: [][]constraintsSpec{
+			{
+				{},
+			},
+		},
+		leaf: leafSpec{
+			sans: []string{"dns:*.example.com"},
+		},
+	},
 }
 
 func makeConstraintsCACert(constraints constraintsSpec, name string, key *ecdsa.PrivateKey, parent *Certificate, parentKey *ecdsa.PrivateKey) (*Certificate, error) {
diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
index 3de9f93b2c4..076e82666a4 100644
--- a/src/crypto/x509/verify.go
+++ b/src/crypto/x509/verify.go
@@ -546,7 +546,7 @@ func matchDomainConstraint(domain, constraint string, excluded bool, reversedDom
 		return false, nil
 	}
 
-	if excluded && wildcardDomain && len(domainLabels) > 1 && len(constraintLabels) > 0 {
+	if excluded && wildcardDomain && len(domainLabels) > 1 && len(constraintLabels) > 1 {
 		domainLabels = domainLabels[:len(domainLabels)-1]
 		constraintLabels = constraintLabels[:len(constraintLabels)-1]
 	}