diff --git a/acme/challenge.go b/acme/challenge.go
index 4fa39668..1c040f5d 100644
--- a/acme/challenge.go
+++ b/acme/challenge.go
@@ -385,11 +385,20 @@ func (dc *dns01Challenge) validate(db nosql.DB, jwk *jose.JSONWebKey, vo validat
 		return dc, nil
 	}
 
-	txtRecords, err := vo.lookupTxt("_acme-challenge." + dc.Value)
+	// Normalize domain for wildcard DNS names
+	// This is done to avoid making TXT lookups for domains like
+	// _acme-challenge.*.example.com
+	// Instead perform txt lookup for _acme-challenge.example.com
+	domain := dc.Value
+	if strings.HasPrefix(domain, "*") {
+		domain = strings.TrimPrefix(domain, "*.")
+	}
+
+	txtRecords, err := vo.lookupTxt("_acme-challenge." + domain)
 	if err != nil {
 		if err = dc.storeError(db,
 			DNSErr(errors.Wrapf(err, "error looking up TXT "+
-				"records for domain %s", dc.Value))); err != nil {
+				"records for domain %s", domain))); err != nil {
 			return nil, err
 		}
 		return dc, nil
diff --git a/acme/challenge_test.go b/acme/challenge_test.go
index 6291803d..720321e5 100644
--- a/acme/challenge_test.go
+++ b/acme/challenge_test.go
@@ -930,6 +930,47 @@ func TestDNS01Validate(t *testing.T) {
 				res: ch,
 			}
 		},
+		"ok/lookup-txt-wildcard": func(t *testing.T) test {
+			ch, err := newDNSCh()
+			assert.FatalError(t, err)
+			_ch, ok := ch.(*dns01Challenge)
+			assert.Fatal(t, ok)
+			_ch.baseChallenge.Value = "*.zap.internal"
+
+			jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
+			assert.FatalError(t, err)
+
+			expKeyAuth, err := KeyAuthorization(ch.getToken(), jwk)
+			assert.FatalError(t, err)
+			h := sha256.Sum256([]byte(expKeyAuth))
+			expected := base64.RawURLEncoding.EncodeToString(h[:])
+
+			baseClone := ch.clone()
+			baseClone.Status = StatusValid
+			baseClone.Error = nil
+			newCh := &dns01Challenge{baseClone}
+
+			return test{
+				ch:  ch,
+				res: newCh,
+				vo: validateOptions{
+					lookupTxt: func(url string) ([]string, error) {
+						assert.Equals(t, url, "_acme-challenge.zap.internal")
+						return []string{"foo", expected}, nil
+					},
+				},
+				jwk: jwk,
+				db: &db.MockNoSQLDB{
+					MCmpAndSwap: func(bucket, key, old, newval []byte) ([]byte, bool, error) {
+						dnsCh, err := unmarshalChallenge(newval)
+						assert.FatalError(t, err)
+						assert.Equals(t, dnsCh.getStatus(), StatusValid)
+						baseClone.Validated = dnsCh.getValidated()
+						return nil, true, nil
+					},
+				},
+			}
+		},
 		"fail/key-authorization-gen-error": func(t *testing.T) test {
 			ch, err := newDNSCh()
 			assert.FatalError(t, err)