As a mental exercise, I like to ignore that DNSSEC exists when coming
to grips with wild cards. Without DNSSEC, the client can not
distinguish between a synthesized answer from a non-synthesized
(i.e., from the zone file) answer. If a cache held a wild card
record, it wouldn't know to use it - because it doesn't have the
necessary information (as enumerated in 4.3.2) to know when to apply
synthesis.

This does not create a protocol issue unless you use DNSSEC though.
Without DNSSEC or zone transfers there is no 'wildcard' issue, there are
merely administrative conveniences in BIND that do not affect any other
party.

With DNSSEC you can only use wildcards if they can be expressed in a form
that can be signed using DNSSEC.

We are talking about wildcard RESULTS here, not wildcard queries.
Phill
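As an added illustration of the synthesis rules the first paragraph points at (RFC 1034 section 4.3.2, with the empty-non-terminal and closest-encloser refinements of RFC 4592), and not code from this thread or from BIND: a minimal authoritative lookup over a constructed zone. It shows why only the server holding the zone can decide when to synthesize, and why the answer it returns carries the query name rather than the `*` owner, so a cache or client without the zone cannot tell a synthesized RRset from an explicit one. The zone contents, names and addresses are constructed for the example.

```python
from typing import Dict, List, Tuple

# Constructed sample zone (not from the post). Owner name -> RR type -> rdata list.
ZONE: Dict[str, Dict[str, List[str]]] = {
    "example.com.":          {"SOA": ["ns1 hostmaster 1 3600 600 86400 300"],
                              "NS": ["ns1.example.com."]},
    "ns1.example.com.":      {"A": ["192.0.2.1"]},
    "www.example.com.":      {"A": ["192.0.2.10"]},
    "host.sub.example.com.": {"A": ["192.0.2.20"]},  # makes sub.example.com. an empty non-terminal
    "*.example.com.":        {"A": ["192.0.2.99"]},
}

def name_exists(zone: Dict[str, Dict[str, List[str]]], name: str) -> bool:
    """A name exists if it owns RRs or is an ancestor of an owner (an empty non-terminal).
    Existing names are never covered by a wildcard, even when they hold no data."""
    return any(owner == name or owner.endswith("." + name) for owner in zone)

def lookup(zone: Dict[str, Dict[str, List[str]]], qname: str, qtype: str
           ) -> Tuple[str, List[Tuple[str, str, str]], bool]:
    """Authoritative lookup. Returns (rcode, [(owner, type, rdata)], synthesized).
    The owner in every returned RR is qname itself: the '*' label never appears
    on the wire, so a synthesized RRset looks exactly like an explicit one."""
    if name_exists(zone, qname):
        rrs = zone.get(qname, {}).get(qtype, [])
        return ("NOERROR" if rrs else "NODATA", [(qname, qtype, r) for r in rrs], False)
    parts = qname.rstrip(".").split(".")
    for i in range(1, len(parts)):  # walk up to the closest encloser (longest existing ancestor)
        encloser = ".".join(parts[i:]) + "."
        if name_exists(zone, encloser):
            wildcard = "*." + encloser
            if wildcard not in zone:  # no wildcard directly under the closest encloser
                return ("NXDOMAIN", [], False)
            rrs = zone[wildcard].get(qtype, [])
            return ("NOERROR" if rrs else "NODATA", [(qname, qtype, r) for r in rrs], True)
    return ("NXDOMAIN", [], False)  # no ancestor in this zone at all

if __name__ == "__main__":
    for q in ("www.example.com.", "foo.example.com.", "sub.example.com.", "x.sub.example.com."):
        print(q, lookup(ZONE, q, "A"))
```

Note that a cache that stored the answer for foo.example.com. gains nothing for bar.example.com.: without the zone's name tree it cannot apply the closest-encloser test, which is exactly the information the post says it lacks.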