When signing a zone, the NSEC and NSEC3 records at the apex of the domain lack the "DNSKEY" type in their type bitmap.
This can cause problems with validators that use "aggressive caching", and it is also a security problem, opening the door to DoS and replay attacks.
For example, in a live test zone signed with a fresh dns-tools:
$ dig ns1.dtc.dnssec.lab.nic.cl. cname +dnssec
; <<>> DiG 9.16.5 <<>> ns1.dtc.dnssec.lab.nic.cl. cname +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58520
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;ns1.dtc.dnssec.lab.nic.cl. IN CNAME
;; AUTHORITY SECTION:
ns1.dtc.dnssec.lab.nic.cl. 1800 IN SOA ns.niceto.cl. hsalgado.nic.cl. 2021110500 28800 14400 3600000 7200
ns1.dtc.dnssec.lab.nic.cl. 1800 IN RRSIG SOA 8 6 1800 20211205140207 20211105140207 3051 ns1.dtc.dnssec.lab.nic.cl. BP+cleMjGtcZWO268XlxN8Qk5np85krHJP+4lLHadGWJKqhT5cN80L+A zVb0/ZmVik4DcT/krgH7BDn16rvs0lEe91MUBgDMxvg2O05Vprt4aX5b YRzA9qrhqx8mvU9uFxwhbrWSFTmi5N2B/x4Br0w9BRUO8sRRS0h7+Wyx c9U=
ns1.dtc.dnssec.lab.nic.cl. 900 IN NSEC check.ns1.dtc.dnssec.lab.nic.cl. A NS SOA NSEC ZONEMD
ns1.dtc.dnssec.lab.nic.cl. 900 IN RRSIG NSEC 8 6 900 20211205140207 20211105140207 3051 ns1.dtc.dnssec.lab.nic.cl. NiE5mrWDQWXk0hSeRHWRTPXrCMn4A+22US2FBFCHlLPcGAkXp6lPZ6j5 4+K7Jf00gtNfZN+A1luXpXagf2bYOIhAlXRDhWctrq0El7h7x7ujbLnA mtzkdB4c5l3EQEGNRrUFJeSIj+B8wLgBpoacPq3WkAf/i2Vka29hdOMU iYg=
There is no "DNSKEY" type in the NSEC type bitmap of the answer, but there certainly are DNSKEY records in the zone.
This problem is also reported in the extended view of the dnsviz validator: https://dnsviz.net/d/ns1.dtc.dnssec.lab.nic.cl/dnssec/?rr=all&a=all&ds=all&doe=on&ta=.&tk=
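As an added illustration (not code from the dns-tools project), here is a small Go checker that parses an NSEC record in dig's presentation format, encodes its type list as the RFC 4034 section 4.1.2 wire type bitmap, and reports which types an apex NSEC should carry but does not. The required set (SOA, NS, NSEC, DNSKEY), the function names and the small mnemonic table are my own choices; the sample input is the NSEC line from the dig output above. The bitmap encoding is the same for NSEC3, but the parser only accepts NSEC lines because NSEC3 owner names are hashed and cannot be compared with the apex name directly.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// rrTypeNumbers maps the mnemonics this check cares about to their IANA
// type codes; anything else is accepted in dig's generic TYPEnnn form.
var rrTypeNumbers = map[string]uint16{
	"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "AAAA": 28,
	"DS": 43, "RRSIG": 46, "NSEC": 47, "DNSKEY": 48, "NSEC3": 50,
	"NSEC3PARAM": 51, "ZONEMD": 63,
}

// typeNumber resolves a mnemonic or a TYPEnnn token to its numeric code.
func typeNumber(t string) (uint16, error) {
	if n, ok := rrTypeNumbers[t]; ok {
		return n, nil
	}
	if strings.HasPrefix(t, "TYPE") {
		if n, err := strconv.ParseUint(t[4:], 10, 16); err == nil {
			return uint16(n), nil
		}
	}
	return 0, fmt.Errorf("unknown RR type %q", t)
}

// parseNSEC splits one NSEC RR in presentation format
// ("owner TTL IN NSEC next types...") into owner, next name and type list.
func parseNSEC(line string) (owner, next string, types []string, err error) {
	f := strings.Fields(line)
	if len(f) < 5 || f[2] != "IN" || f[3] != "NSEC" {
		return "", "", nil, fmt.Errorf("not an NSEC record: %q", line)
	}
	return f[0], f[4], f[5:], nil
}

// typeBitmap encodes a type list as the RFC 4034 section 4.1.2 type bit map:
// a sequence of (window, length, bitmap bytes) blocks, the wire form shared
// by NSEC and NSEC3.
func typeBitmap(types []string) ([]byte, error) {
	windows := map[byte][]byte{}
	for _, t := range types {
		n, err := typeNumber(t)
		if err != nil {
			return nil, err
		}
		win, low := byte(n>>8), byte(n&0xff)
		bm := windows[win]
		for len(bm) < int(low/8)+1 {
			bm = append(bm, 0) // grow to the byte that holds this bit
		}
		bm[low/8] |= 0x80 >> (low % 8) // bit 0 is the most significant bit
		windows[win] = bm
	}
	var order []int
	for w := range windows {
		order = append(order, int(w))
	}
	sort.Ints(order) // window blocks must appear in increasing order
	var out []byte
	for _, w := range order {
		bm := windows[byte(w)]
		out = append(out, byte(w), byte(len(bm)))
		out = append(out, bm...)
	}
	return out, nil
}

// hasType walks the wire bitmap and reports whether the bit for type n is set.
func hasType(bitmap []byte, n uint16) bool {
	for i := 0; i+1 < len(bitmap); {
		win, l := bitmap[i], int(bitmap[i+1])
		if i+2+l > len(bitmap) {
			return false // truncated block
		}
		if win == byte(n>>8) {
			low := byte(n & 0xff)
			if int(low/8) >= l {
				return false
			}
			return bitmap[i+2+int(low/8)]&(0x80>>(low%8)) != 0
		}
		i += 2 + l
	}
	return false
}

// apexRequired lists the types every signed zone has at its apex and so
// expects in the apex NSEC bitmap (this set is my own choice).
var apexRequired = []string{"SOA", "NS", "NSEC", "DNSKEY"}

// missingApexTypes returns the required types absent from the given apex NSEC
// line, or an error if the line is not an NSEC record owned by the apex.
func missingApexTypes(line, apex string) ([]string, error) {
	owner, _, types, err := parseNSEC(line)
	if err != nil {
		return nil, err
	}
	if !strings.EqualFold(owner, apex) {
		return nil, fmt.Errorf("owner %s is not the apex %s", owner, apex)
	}
	bm, err := typeBitmap(types)
	if err != nil {
		return nil, err
	}
	var missing []string
	for _, t := range apexRequired {
		if !hasType(bm, rrTypeNumbers[t]) {
			missing = append(missing, t)
		}
	}
	return missing, nil
}

func main() {
	// Sample input: the apex NSEC line from the dig output in this report.
	line := "ns1.dtc.dnssec.lab.nic.cl. 900 IN NSEC check.ns1.dtc.dnssec.lab.nic.cl. A NS SOA NSEC ZONEMD"
	missing, err := missingApexTypes(line, "ns1.dtc.dnssec.lab.nic.cl.")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("missing from apex NSEC bitmap:", missing)
}
```

Run against the NSEC line above, the checker reports DNSKEY as the only required type missing; appending DNSKEY to the type list makes it pass. Going through the wire encoding rather than string matching matters because the same bit test is what a validator performs when it decides, from a cached apex NSEC, whether the DNSKEY RRset exists.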