From 07a4d63fd97e9ff665860499bfe91e6d1d6f5033 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Tue, 9 Dec 2025 18:03:13 +0100
Subject: [PATCH] Add NSEC for opt-out names

When switching from NSEC3 opt-out to NSEC, add NSEC records if we saw an
RR. This corrects a mistake in style cleanups done in commit
308ab1b4a5c5239860ca06c64b0def9b98ae4b17.

(cherry picked from commit 6f285bff6a5f79574529848082c2e7acc08ba1f0)
---
 lib/dns/zone.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 605dfbd21d..e9c630862f 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -8893,7 +8893,8 @@ zone_nsec3chain(dns_zone_t *zone) {
 				seen_nsec = true;
 			} else if (rdataset.type == dns_rdatatype_nsec3) {
 				seen_nsec3 = true;
-			} else if (rdataset.type != dns_rdatatype_rrsig) {
+			}
+			if (rdataset.type != dns_rdatatype_rrsig) {
 				seen_rr = true;
 			}
 			dns_rdataset_disassociate(&rdataset);