server: remove NSEC3PARAM from NSEC bitmap

src/knot/dnssec/nsec-chain.c

@@ -47,7 +47,7 @@ static int create_nsec_rrset(knot_rrset_t *rrset, const zone_node_t *from,
 		return KNOT_ENOMEM;
 	}
 
-	bitmap_add_node_rrsets(rr_types, from);
+	bitmap_add_node_rrsets(rr_types, KNOT_RRTYPE_NSEC, from);
 	dnssec_nsec_bitmap_add(rr_types, KNOT_RRTYPE_NSEC);
 	dnssec_nsec_bitmap_add(rr_types, KNOT_RRTYPE_RRSIG);
 	if (node_rrtype_exists(from, KNOT_RRTYPE_SOA)) {

src/knot/dnssec/nsec-chain.h

@@ -26,6 +26,7 @@
 
 #pragma once
 
+#include <assert.h>
 #include <stdbool.h>
 #include <stdint.h>
 
@@ -59,17 +60,21 @@ typedef int (*chain_iterate_create_cb)(zone_node_t *, zone_node_t *,
  * \brief Add all RR types from a node into the bitmap.
  */
 inline static void bitmap_add_node_rrsets(dnssec_nsec_bitmap_t *bitmap,
+                                          enum knot_rr_type nsec_type,
                                           const zone_node_t *node)
 {
 	bool deleg = node->flags & NODE_FLAGS_DELEG;
+	bool apex = node->parent == NULL;
 	for (int i = 0; i < node->rrset_count; i++) {
 		knot_rrset_t rr = node_rrset_at(node, i);
-		if (deleg && (rr.type != KNOT_RRTYPE_NS &&
-		              rr.type != KNOT_RRTYPE_DS)) {
+		if (deleg && (rr.type != KNOT_RRTYPE_NS && rr.type != KNOT_RRTYPE_DS)) {
 			continue;
 		}
-		if (rr.type == KNOT_RRTYPE_NSEC ||
-		    rr.type == KNOT_RRTYPE_RRSIG) {
+		if (rr.type == KNOT_RRTYPE_NSEC || rr.type == KNOT_RRTYPE_RRSIG) {
+			continue;
+		}
+		// NSEC3PARAM in zone apex is maintained automatically
+		if (apex && rr.type == KNOT_RRTYPE_NSEC3PARAM && nsec_type != KNOT_RRTYPE_NSEC3) {
 			continue;
 		}
 

src/knot/dnssec/nsec3-chain.c

@@ -332,7 +332,7 @@ static zone_node_t *create_nsec3_node_for_node(zone_node_t *node,
 		return NULL;
 	}
 
-	bitmap_add_node_rrsets(rr_types, node);
+	bitmap_add_node_rrsets(rr_types, KNOT_RRTYPE_NSEC3, node);
 	if (node->rrset_count > 0 && node_should_be_signed_nsec3(node)) {
 		dnssec_nsec_bitmap_add(rr_types, KNOT_RRTYPE_RRSIG);
 	}