Properly build the NSEC/NSEC3 type bit map
authorMark Andrews <marka@isc.org>
Tue, 9 Jan 2024 01:12:33 +0000 (12:12 +1100)
committerMark Andrews <marka@isc.org>
Thu, 16 May 2024 00:27:49 +0000 (10:27 +1000)
DNSKEY was incorrectly being added to the NSEC/NSEC3 type bit map
when it was obscured by the delegation.  This led to zone verification
failures.

lib/dns/zoneverify.c

index ce60441a448ee1680094d0b328662c4c4accecf4..3419ef1f9192a26cbb11c8de0f581fd477f49bc3 100644 (file)
@@ -940,7 +940,6 @@ verifynode(vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
                 * other than NSEC and DS is not signed at a delegation.
                 */
                if (rdataset.type != dns_rdatatype_rrsig &&
-                   rdataset.type != dns_rdatatype_dnskey &&
                    (!delegation || rdataset.type == dns_rdatatype_ds ||
                     rdataset.type == dns_rdatatype_nsec))
                {
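Review bot: The explanatory comment that ends just above this condition still names only NSEC and DS as the types handled specially at a delegation, and nothing records why the `dns_rdatatype_dnskey` exemption was dropped. I would add a sentence to that comment, for example `DNSKEY gets no special handling here; at a delegation it is occluded like any other type and must not appear in the NSEC/NSEC3 bit map.` With the exemption gone, a DNSKEY rdataset that is not at a delegation now enters this first branch. Its body is outside the hunk, so it is worth confirming that the checks it applies are intended for DNSKEY as well. The comment's opening lines and the rest of verifynode are also outside the hunk.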
@@ -955,9 +954,7 @@ verifynode(vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
                        if (rdataset.type > maxtype) {
                                maxtype = rdataset.type;
                        }
-               } else if (rdataset.type != dns_rdatatype_rrsig &&
-                          rdataset.type != dns_rdatatype_dnskey)
-               {
+               } else if (rdataset.type != dns_rdatatype_rrsig) {
                        if (rdataset.type == dns_rdatatype_ns) {
                                dns_nsec_setbit(types, rdataset.type, 1);
                                if (rdataset.type > maxtype) {
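Review bot: After this change any branch that follows this `else if` can be reached only by `dns_rdatatype_rrsig`, since both conditions now exclude nothing else. If a trailing `else` exists outside the hunk, a short comment such as `/* Only RRSIG reaches this branch. */` would stop the earlier DNSKEY handling from being assumed. Within this branch the visible lines set the bit for NS only, so a DNSKEY at a delegation is no longer recorded in the bit map. It also now runs whatever the remainder of the branch does, which continues past the hunk. No test is visible on this page. A regression zone with a DNSKEY rdataset at a delegation name, checked under both NSEC and NSEC3, would pin the bit map the verifier expects against what the signer emits.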