diff --git a/pkg/dns/nsec.go b/pkg/dns/nsec.go
index 3f76b1d..f8df733 100644
--- a/pkg/dns/nsec.go
+++ b/pkg/dns/nsec.go
@@ -76,11 +76,12 @@ func GetNextName(tld string) string {
 // PrevName returns the canonical predecessor for a top-level domain name.
 //
 // The helper lowercases and trims any trailing dot before applying the
-// reference ordering logic.
+// reference ordering logic. Empty trimmed names are invalid, matching the
+// reference helper's assertion behavior.
 func PrevName(tld string) string {
 	tld = trimFQDN(strings.ToLower(tld))
 	if len(tld) == 0 {
-		return "."
+		panic("dns.PrevName: invalid top-level domain")
 	}
 
 	last := tld[len(tld)-1] - 1
diff --git a/pkg/dns/nsec_test.go b/pkg/dns/nsec_test.go
index 4802245..19cc47b 100644
--- a/pkg/dns/nsec_test.go
+++ b/pkg/dns/nsec_test.go
@@ -92,7 +92,6 @@ func TestPrevName(t *testing.T) {
 	}{
 		{name: "fqdn", in: "Foo-Bar.", want: "foo-baq\xff."},
 		{name: "label", in: "example", want: "exampld\xff."},
-		{name: "root", in: ".", want: "."},
 	}
 
 	for _, tc := range cases {
@@ -105,3 +104,13 @@ func TestPrevName(t *testing.T) {
 		}
 	}
 }
+
+func TestPrevNameRejectsEmptyName(t *testing.T) {
+	defer func() {
+		if recover() == nil {
+			t.Fatal("PrevName should panic for an empty trimmed name")
+		}
+	}()
+
+	_ = PrevName(".")
+}