[ISC-support #13767] NSEC3 typemap improperly includes DNSKEY RRset instead of ignoring it as out-of-zone
Summary
During an in-depth validation of a DNSSEC-signed zone (using NSEC3), an inconsistency was uncovered that not all zone validation tools highlighted.
Due to an administrative error, a delegated zone had inserted both its DS and KSK DNSKEY RRs into the parent zone. The NSEC3 RR covering those included DNSKEY in the typemap, even though the DNSKEY RR should be occluded by the delegation and ignored. (We don't know if named also signed the out-of-zone RRset, but this should also be checked as a potential extension to this defect.)
We do not believe that this defect causes validation failures in DNSSEC-validating resolvers.
BIND version used
9.11.4-P2
What is the current bug behavior?
As identified by jdnssec-verifyzone:
    $ jdnssec-verifyzone -v 2 (zone redacted for privacy)
    WARNING: Typemap for NSEC3 RR (name redacted for privacy) for (zone redacted for privacy) did not match what was expected. Expected 'NS DS RRSIG', got 'NS DS RRSIG DNSKEY'
    zone did not verify.
(Note that neither dnssec-verify nor validns perceived this as wrong.)
What is the expected correct behavior?
The covering NSEC3 should not have included the DNSKEY RR in the typemap.
Reported in Support ticket https://support.isc.org/Ticket/Display.html?id=13767
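The check that flags this mismatch can be sketched as follows. This is an added example, not code from BIND or jdnssec-tools. It assumes bitmaps are keyed by the original (unhashed) owner name, that opt-out is not in use, and that empty non-terminals are ignored; the zone `example.` and all records are constructed.

```python
# Added example: expected NSEC3 type bitmaps for a parent zone, honouring
# zone cuts. Zone name, records and bitmaps below are constructed sample data.
from collections import defaultdict

PARENT_SIDE = {"NS", "DS"}  # only types the parent may list at a zone cut

def expected_typemaps(apex, records):
    """Map each owner name to the type set its NSEC3 bitmap should carry.

    records: iterable of (owner, rrtype) with lowercase absolute names.
    Names strictly below a zone cut are occluded and map to None.
    """
    types = defaultdict(set)
    for owner, rrtype in records:
        if rrtype not in ("RRSIG", "NSEC3"):
            types[owner].add(rrtype)
    cuts = {n for n, t in types.items() if "NS" in t and n != apex}
    expected = {}
    for name, present in types.items():
        if any(name.endswith("." + cut) for cut in cuts):
            expected[name] = None  # glue or other occluded data
        elif name in cuts:
            kept = present & PARENT_SIDE
            # RRSIG is listed only when an authoritative RRset (DS) is signed
            expected[name] = kept | ({"RRSIG"} if "DS" in kept else set())
        else:
            expected[name] = present | {"RRSIG"}
    return expected

def audit(apex, records, bitmaps):
    """Return (owner, expected, got) for every bitmap that disagrees."""
    exp = expected_typemaps(apex, records)
    return [(n, exp.get(n), got) for n, got in sorted(bitmaps.items())
            if exp.get(n) != got]

# Constructed parent zone: child.example. wrongly carries its own DNSKEY.
RECORDS = [
    ("example.", "SOA"), ("example.", "NS"), ("example.", "DNSKEY"),
    ("example.", "NSEC3PARAM"), ("www.example.", "A"),
    ("child.example.", "NS"), ("child.example.", "DS"),
    ("child.example.", "DNSKEY"), ("ns1.child.example.", "A"),
]
BITMAPS = {
    "example.": {"SOA", "NS", "DNSKEY", "NSEC3PARAM", "RRSIG"},
    "www.example.": {"A", "RRSIG"},
    "child.example.": {"NS", "DS", "RRSIG", "DNSKEY"},
}
```

Calling `audit("example.", RECORDS, BITMAPS)` reports only `child.example.`, with the same expected and observed type sets as the jdnssec-verifyzone warning above.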