src/crypto/x509/constraints.go | 2 +-
src/crypto/x509/name_constraints_test.go | 11 +++++++++++
diff --git a/src/crypto/x509/constraints.go b/src/crypto/x509/constraints.go
index 3c260a9b96fc3d92ac233aa49babf354ee45896a..83bfbcb2ef2e7fd640e7f995d7dc5d042cb4c309 100644
--- a/src/crypto/x509/constraints.go
+++ b/src/crypto/x509/constraints.go
@@ -375,7 +375,7 @@
 if match {
 return constraint, true
 }
- if !dnc.permitted && s[0] == '*' {
+ if !dnc.permitted && len(s) > 0 && s[0] == '*' {
 trimmed := trimFirstLabel(s)
 if constraint, found := dnc.parentConstraints[trimmed]; found {
 return constraint, true
diff --git a/src/crypto/x509/name_constraints_test.go b/src/crypto/x509/name_constraints_test.go
index b325c8edb9c52cfbc116f52e3cebff4a216d65db..3e205e5caf44e964d2aa3534422755672aab9927 100644
--- a/src/crypto/x509/name_constraints_test.go
+++ b/src/crypto/x509/name_constraints_test.go
@@ -1645,6 +1645,17 @@
 leaf: leafSpec{
 sans: []string{"email:a@ExAmple.com"},
 },
 },
+ {
+ name: "excluded constraint, empty DNS san",
+ roots: []constraintsSpec{
+ {
+ bad: []string{"dns:example.com"},
+ },
+ },
+ leaf: leafSpec{
+ sans: []string{"dns:"},
+ },
+ },
 }
 func makeConstraintsCACert(constraints constraintsSpec, name string, key *ecdsa.PrivateKey, parent *Certificate, parentKey *ecdsa.PrivateKey) (*Certificate, error) {
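Review bot: The new `len(s) > 0` guard carries no comment explaining why `s` can be empty at this point, so a later cleanup could remove it and bring back the out-of-range index on `s[0]`. The test added in the same commit shows the trigger is a leaf whose DNS SAN is empty (`dns:`), which is certificate-supplied input, so I would add `// s comes from a certificate SAN and may be empty; an unguarded s[0] panics here.` above the condition. The enclosing function starts and ends outside the hunk, so any other direct index into `s` there is not visible and is worth checking for the same guard.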
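Review bot: The added case `excluded constraint, empty DNS san` does not say which failure it guards against, and as far as the hunk shows it sets no expected-error field, so it appears to assert that the chain verifies. I would put a comment above `name:`, for example `// Regression: an empty dNSName SAN must not panic the excluded-constraint lookup (s[0] on an empty string).` Only the excluded (`bad`) side is exercised here, so the outcome of an empty DNS SAN under a permitted constraint is not pinned by this commit.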