diff --git a/CHANGES b/CHANGES
index 45a341eb51..98b8314ab2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+6250. [bug] The wrong covered value was being set by
+ dns_ncache_current for RRSIG records in the returned
+ rdataset structure. This resulted in TYPE0 being
+ reported as the covered value of the RRSIG when dumping
+ the cache contents. [GL #4314]
+
 6249. [cleanup] Reduce the number of reserved UDP dispatches to the number of loops, replace the round-robin mechanism in dns_dispatchset_t with dispatches
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index f3e579d1fd..5daa9bff50 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -377,6 +377,14 @@ if [ -x "${DELV}" ] ; then
 status=$((status+ret))
 fi
+echo_i "checking RRSIG covered type in negative cache entry ($n)"
+ret=0
+rndc_dumpdb ns4
+grep -F '; example. RRSIG NSEC ...' ns4/named_dump.db.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 echo_i "checking negative validation NXDOMAIN NSEC3 ($n)"
 ret=0
 dig_with_opts +noauth q.nsec3.example. \
diff --git a/lib/dns/ncache.c b/lib/dns/ncache.c
index 26c92317a8..f6ec3cbb93 100644
--- a/lib/dns/ncache.c
+++ b/lib/dns/ncache.c
@@ -722,7 +722,7 @@ dns_ncache_current(dns_rdataset_t *ncacherdataset, dns_name_t *found,
 raw += 2;
 sigregion.base = raw;
 dns_rdata_reset(&rdata);
- dns_rdata_fromregion(&rdata, rdataset->rdclass, rdataset->type,
+ dns_rdata_fromregion(&rdata, ncacherdataset->rdclass, type,
 &sigregion);
 (void)dns_rdata_tostruct(&rdata, &rrsig, NULL);
 covers = rrsig.covered;
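Review bot: The new check only greps for the one expected `RRSIG NSEC` line, so it would still pass if another negative cache entry in the same dump were printed with the wrong covered type. Since the bug showed up as TYPE0, a negative assertion such as `grep -F 'RRSIG TYPE0' ns4/named_dump.db.test$n > /dev/null && ret=1` would pin the regression directly. The exit status of `rndc_dumpdb ns4` is also ignored, so a failed dump is reported only indirectly as a grep miss; assuming the helper returns non-zero on failure, `rndc_dumpdb ns4 || ret=1` makes the cause visible. The test issues no query of its own, so it presumably relies on an earlier test having left the `example.` negative entry in ns4's cache; a short comment naming that dependency would help if tests are reordered.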
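Review bot: The result of `dns_rdata_tostruct()` is still discarded with `(void)` on the line after the fix, and `covers = rrsig.covered` is read unconditionally, which is presumably how a wrong class/type argument surfaced as a silent TYPE0 rather than as an error. Consider checking the result, e.g. `RUNTIME_CHECK(dns_rdata_tostruct(&rdata, &rrsig, NULL) == ISC_R_SUCCESS);` if the stored rdata is guaranteed well-formed at this point, or taking an error path otherwise. A one-line comment such as `/* rdataset is not populated yet; take class/type from the ncache entry */` above the `dns_rdata_fromregion()` call would explain why the output rdataset's fields must not be used here. Both points are partly inferred, because the body of dns_ncache_current starts and ends outside the hunk and the origin of `type` is not visible.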