dnssec-validate: also check nodes affected by changes of NSEC3 chain...

...this especially covers the case when only NSEC3 chain is changed, and thus a_ctx->node_ptrs empty

src/knot/dnssec/nsec-chain.c

@@ -408,6 +408,11 @@ static int check_nsec_bitmap(zone_node_t *node, void *ctx)
 	const zone_node_t *nsec_node = node;
 	bool shall_no_nsec = node_no_nsec(node);
 	if (data->nsec3_params != NULL) {
+		if ((node->flags & NODE_FLAGS_DELETED) ||
+		    node_rrtype_exists(node, KNOT_RRTYPE_NSEC3)) {
+			// this can happen when checking nodes from adjust_ptrs
+			return KNOT_EOK;
+		}
 		nsec_node = node_nsec3_get(node);
 		shall_no_nsec = (node->flags & NODE_FLAGS_DELETED) ||
 		                (node->flags & NODE_FLAGS_NONAUTH);

src/knot/dnssec/nsec3-chain.c

@@ -724,5 +724,10 @@ int knot_nsec3_check_chain_fix(zone_update_t *update, const dnssec_nsec3_params_
 		return ret;
 	}
 
+	ret = nsec_check_bitmaps(update->a_ctx->adjust_ptrs, &data); // adjust_ptrs contain also NSEC3-nodes. See check_nsec_bitmap() how this is handled.
+	if (ret != KNOT_EOK) {
+		return ret;
+	}
+
 	return nsec_check_new_connects(update->a_ctx->nsec3_ptrs, &data);
 }