diff --git a/CHANGES b/CHANGES
index 9f211b6819..75efc6fb7a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+4958.	[bug]		Remove redundant space from NSEC3 record. [GL #281]
+
 4957.	[func]		The default setting for "dnssec-validation" is now
 			"auto", which activates DNSSEC validation using the
 			IANA root key. (The default can be changed back to
diff --git a/bin/tests/system/xfer/dig1.good b/bin/tests/system/xfer/dig1.good
index 5af1e5928a..aba6a43ac3 100644
--- a/bin/tests/system/xfer/dig1.good
+++ b/bin/tests/system/xfer/dig1.good
@@ -149,7 +149,7 @@ wks01.example.		3600	IN	WKS	10.0.0.1 6 0 1 2 21 23
 wks02.example.		3600	IN	WKS	10.0.0.1 17 0 1 2 53
 wks03.example.		3600	IN	WKS	10.0.0.2 6 65535
 x2501.example.		3600	IN	X25	"123456789"
-8f1tmio9avcom2k0frp92lgcumak0cad.example. 3600 IN NSEC3 1 0 10 D2CF0294C020CE6C 8FPNS2UCT7FBS643THP2B77PEQ77K6IU  A NS SOA MX AAAA RRSIG DNSKEY NSEC3PARAM
+8f1tmio9avcom2k0frp92lgcumak0cad.example. 3600 IN NSEC3 1 0 10 D2CF0294C020CE6C 8FPNS2UCT7FBS643THP2B77PEQ77K6IU A NS SOA MX AAAA RRSIG DNSKEY NSEC3PARAM
 kcd3juae64f9c5csl1kif1htaui7un0g.example. 3600 IN NSEC3 1 0 10 D2CF0294C020CE6C KD5MN2M20340DGO0BL7NTSB8JP4BSC7E
-mr5ukvsk1l37btu4q7b1dfevft4hkqdk.example. 3600 IN NSEC3 1 0 10 D2CF0294C020CE6C MT38J6VG7S0SN5G17MCUF6IQIKFUAJ05  A AAAA RRSIG
+mr5ukvsk1l37btu4q7b1dfevft4hkqdk.example. 3600 IN NSEC3 1 0 10 D2CF0294C020CE6C MT38J6VG7S0SN5G17MCUF6IQIKFUAJ05 A AAAA RRSIG
 example.		86400	IN	SOA	ns2.example. hostmaster.example. 1397051952 5 5 1814400 3600
diff --git a/bin/tests/system/xfer/dig2.good b/bin/tests/system/xfer/dig2.good
index e12ec118c5..40c8c405b4 100644
--- a/bin/tests/system/xfer/dig2.good
+++ b/bin/tests/system/xfer/dig2.good
@@ -149,7 +149,7 @@ wks01.example.		3600	IN	WKS	10.0.0.1 6 0 1 2 21 23
 wks02.example.		3600	IN	WKS	10.0.0.1 17 0 1 2 53
 wks03.example.		3600	IN	WKS	10.0.0.2 6 65535
 x2501.example.		3600	IN	X25	"123456789"
-8f1tmio9avcom2k0frp92lgcumak0cad.example. 3600 IN NSEC3 1 0 10 D2CF0294C020CE6C 8FPNS2UCT7FBS643THP2B77PEQ77K6IU  A NS SOA MX AAAA RRSIG DNSKEY NSEC3PARAM
+8f1tmio9avcom2k0frp92lgcumak0cad.example. 3600 IN NSEC3 1 0 10 D2CF0294C020CE6C 8FPNS2UCT7FBS643THP2B77PEQ77K6IU A NS SOA MX AAAA RRSIG DNSKEY NSEC3PARAM
 kcd3juae64f9c5csl1kif1htaui7un0g.example. 3600 IN NSEC3 1 0 10 D2CF0294C020CE6C KD5MN2M20340DGO0BL7NTSB8JP4BSC7E
-mr5ukvsk1l37btu4q7b1dfevft4hkqdk.example. 3600 IN NSEC3 1 0 10 D2CF0294C020CE6C MT38J6VG7S0SN5G17MCUF6IQIKFUAJ05  A AAAA RRSIG
+mr5ukvsk1l37btu4q7b1dfevft4hkqdk.example. 3600 IN NSEC3 1 0 10 D2CF0294C020CE6C MT38J6VG7S0SN5G17MCUF6IQIKFUAJ05 A AAAA RRSIG
 example.		86400	IN	SOA	ns2.example. hostmaster.example. 1397051953 5 5 1814400 3600
diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c
index aebf254292..0594bc2f01 100644
--- a/lib/dns/rdata.c
+++ b/lib/dns/rdata.c
@@ -469,7 +469,7 @@ typemap_totext(isc_region_t *sr, dns_rdata_textctx_t *tctx,
 {
 	unsigned int i, j, k;
 	unsigned int window, len;
-	isc_boolean_t first = ISC_FALSE;
+	isc_boolean_t first = ISC_TRUE;
 
 	for (i = 0; i < sr->length; i += len) {
 		if (tctx != NULL &&
diff --git a/lib/dns/rdata/generic/csync_62.c b/lib/dns/rdata/generic/csync_62.c
index eff2ef5e41..35c840ba1c 100644
--- a/lib/dns/rdata/generic/csync_62.c
+++ b/lib/dns/rdata/generic/csync_62.c
@@ -69,6 +69,12 @@ totext_csync(ARGS_TOTEXT) {
 	snprintf(buf, sizeof(buf), "%lu", num);
 	RETERR(str_totext(buf, target));
 
+	/*
+	 * Don't leave a trailing space when there's no typemap present.
+	 */
+	if (sr.length > 0) {
+		RETERR(str_totext(" ", target));
+	}
 	return (typemap_totext(&sr, NULL, target));
 }
 
diff --git a/lib/dns/rdata/generic/nsec3_50.c b/lib/dns/rdata/generic/nsec3_50.c
index c58e575463..294e856fc4 100644
--- a/lib/dns/rdata/generic/nsec3_50.c
+++ b/lib/dns/rdata/generic/nsec3_50.c
@@ -162,9 +162,9 @@ totext_nsec3(ARGS_TOTEXT) {
 	/*
 	 * Don't leave a trailing space when there's no typemap present.
 	 */
-	if (((tctx->flags & DNS_STYLEFLAG_MULTILINE) == 0) && (sr.length > 0))
+	if (((tctx->flags & DNS_STYLEFLAG_MULTILINE) == 0) && (sr.length > 0)) {
 		RETERR(str_totext(" ", target));
-
+	}
 	RETERR(typemap_totext(&sr, tctx, target));
 
 	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
diff --git a/lib/dns/rdata/generic/nsec_47.c b/lib/dns/rdata/generic/nsec_47.c
index e6647bbc9c..67f9967fd3 100644
--- a/lib/dns/rdata/generic/nsec_47.c
+++ b/lib/dns/rdata/generic/nsec_47.c
@@ -61,6 +61,12 @@ totext_nsec(ARGS_TOTEXT) {
 	dns_name_fromregion(&name, &sr);
 	isc_region_consume(&sr, name_length(&name));
 	RETERR(dns_name_totext(&name, ISC_FALSE, target));
+	/*
+	 * Don't leave a trailing space when there's no typemap present.
+	 */
+	if (sr.length > 0) {
+		RETERR(str_totext(" ", target));
+	}
 	return (typemap_totext(&sr, NULL, target));
 }
 
diff --git a/lib/dns/tests/rdata_test.c b/lib/dns/tests/rdata_test.c
index d145bd5cd8..ff4f89ecd7 100644
--- a/lib/dns/tests/rdata_test.c
+++ b/lib/dns/tests/rdata_test.c
@@ -1093,6 +1093,35 @@ ATF_TC_BODY(nsec, tc) {
 		    dns_rdatatype_nsec, sizeof(dns_rdata_nsec_t));
 }
 
+/*
+ * NSEC3 tests.
+ *
+ * RFC 5155.
+ */
+ATF_TC(nsec3);
+ATF_TC_HEAD(nsec3, tc) {
+	atf_tc_set_md_var(tc, "descr", "NSEC3 RDATA manipulations");
+}
+ATF_TC_BODY(nsec3, tc) {
+	text_ok_t text_ok[] = {
+		TEXT_INVALID(""),
+		TEXT_INVALID("."),
+		TEXT_INVALID(". RRSIG"),
+		TEXT_INVALID("1 0 10 76931F"),
+		TEXT_INVALID("1 0 10 76931F IMQ912BREQP1POLAH3RMONG;UED541AS"),
+		TEXT_INVALID("1 0 10 76931F IMQ912BREQP1POLAH3RMONG;UED541AS A RRSIG"),
+		TEXT_VALID("1 0 10 76931F AJHVGTICN6K0VDA53GCHFMT219SRRQLM A RRSIG"),
+		TEXT_VALID("1 0 10 76931F AJHVGTICN6K0VDA53GCHFMT219SRRQLM"),
+		TEXT_VALID("1 0 10 - AJHVGTICN6K0VDA53GCHFMT219SRRQLM"),
+		TEXT_SENTINEL()
+	};
+
+	UNUSED(tc);
+
+	check_rdata(text_ok, NULL, ISC_FALSE, dns_rdataclass_in,
+		    dns_rdatatype_nsec3, sizeof(dns_rdata_nsec3_t));
+}
+
 /*
  * WKS tests.
  *
@@ -1191,6 +1220,7 @@ ATF_TP_ADD_TCS(tp) {
 	ATF_TP_ADD_TC(tp, hip);
 	ATF_TP_ADD_TC(tp, isdn);
 	ATF_TP_ADD_TC(tp, nsec);
+	ATF_TP_ADD_TC(tp, nsec3);
 	ATF_TP_ADD_TC(tp, wks);
 
 	return (atf_no_error());