From 29292902c06021cd51ee5fbd93a3432e3142faed Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Tue, 9 Jan 2024 12:12:33 +1100
Subject: [PATCH] Properly build the NSEC/NSEC3 type bit map

DNSKEY was incorrectly being added to the NESC/NSEC3 type bit map when it was obscured by the delegation. This lead to zone verification failures.

(cherry picked from commit ec3c6248148dec0696eeab62abdf53ea71116c0b)
---
 lib/dns/zoneverify.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/lib/dns/zoneverify.c b/lib/dns/zoneverify.c
index b3ff4461b9..8e70618266 100644
--- a/lib/dns/zoneverify.c
+++ b/lib/dns/zoneverify.c
@@ -939,7 +939,6 @@ verifynode(vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
 * other than NSEC and DS is not signed at a delegation.
 */
 if (rdataset.type != dns_rdatatype_rrsig &&
- rdataset.type != dns_rdatatype_dnskey &&
 (!delegation || rdataset.type == dns_rdatatype_ds ||
 rdataset.type == dns_rdatatype_nsec))
 {
@@ -954,9 +953,7 @@ verifynode(vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
 if (rdataset.type > maxtype) {
 maxtype = rdataset.type;
 }
- } else if (rdataset.type != dns_rdatatype_rrsig &&
- rdataset.type != dns_rdatatype_dnskey)
- {
+ } else if (rdataset.type != dns_rdatatype_rrsig) {
 if (rdataset.type == dns_rdatatype_ns) {
 dns_nsec_setbit(types, rdataset.type, 1);
 if (rdataset.type > maxtype) {
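Review bot: Dropping the `rdataset.type != dns_rdatatype_dnskey` term from this condition also changes the non-delegation case, which the commit message does not mention: a DNSKEY rdataset with `!delegation` now enters this first branch instead of falling past both tests. The branch body starts outside the hunk, so it is worth confirming that everything it does before recording the type bit is intended for the apex DNSKEY RRset as well. The visible end of the block comment above the `if` names only NSEC and DS; a closing sentence such as `A DNSKEY at a delegation is obscured and is handled like any other unsigned type: it is left out of the bit map.` would record why the special case was removed.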
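Review bot: Nothing in this patch exercises the new path through this `else if`; the diffstat shows only lib/dns/zoneverify.c changing. Zone verification failures are the symptom named in the commit message, so a regression here would stay silent until a zone with this layout is verified again. A test zone with a DNSKEY rdataset at a delegation point, checked once with DNSKEY absent from the NSEC and NSEC3 bit maps (expected to pass) and once with it present (presumably expected to fail), would pin the behaviour. After the change only NS sets a bit in this branch; the rest of the branch and the final `else` lie outside the hunk.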