diff --git a/opendnssec-1.4.0b1-nonempty-terminals.patch b/opendnssec-1.4.0b1-nonempty-terminals.patch
new file mode 100644
index 0000000..8ad2135
--- /dev/null
+++ b/opendnssec-1.4.0b1-nonempty-terminals.patch
@@ -0,0 +1,54 @@
+diff -Naur opendnssec-1.4.0b1-orig/signer/src/signer/domain.c opendnssec-1.4.0b1/signer/src/signer/domain.c
+--- opendnssec-1.4.0b1-orig/signer/src/signer/domain.c 2012-11-23 11:17:00.752148535 -0500
++++ opendnssec-1.4.0b1/signer/src/signer/domain.c 2012-11-23 11:23:00.243158628 -0500
+@@ -399,6 +399,7 @@
+ {
+ ldns_rbnode_t* n = LDNS_RBTREE_NULL;
+ domain_type* d = NULL;
++ int unsigned_delegpt = 1;
+
+ ods_log_assert(domain);
+ if (domain->rrsets) {
+@@ -411,20 +412,15 @@
+ break;
+ }
+ if (d->rrsets) {
+- if (domain_is_delegpt(d) == LDNS_RR_TYPE_NS) {
+- /* domain has unsigned delegation */
+- return 1;
+- } else {
+- /* domain has authoritative data or signed delegation */
++ if (domain_is_delegpt(d) != LDNS_RR_TYPE_NS) {
++ /* domain has signed delegation/auth */
+ return 0;
+ }
+ }
+ /* maybe there is data at the next domain */
+ n = ldns_rbtree_next(n);
+ }
+- ods_log_warning("[%s] encountered empty terminal that is treated as "
+- "non-terminal", dname_str);
+- return 0;
++ return unsigned_delegpt;
+ }
+
+
+diff -Naur opendnssec-1.4.0b1-orig/signer/src/signer/namedb.c opendnssec-1.4.0b1/signer/src/signer/namedb.c
+--- opendnssec-1.4.0b1-orig/signer/src/signer/namedb.c 2012-08-28 09:43:15.000000000 -0400
++++ opendnssec-1.4.0b1/signer/src/signer/namedb.c 2012-11-23 11:23:39.420172841 -0500
+@@ -788,13 +788,13 @@
+ if (!db || !db->domains) {
+ return;
+ }
+- node = ldns_rbtree_first(db->domains);
++ node = ldns_rbtree_last(db->domains);
+ if (!node || node == LDNS_RBTREE_NULL) {
+ return;
+ }
+ while (node && node != LDNS_RBTREE_NULL) {
+ domain = (domain_type*) node->data;
+- node = ldns_rbtree_next(node);
++ node = ldns_rbtree_previous(node);
+ domain_diff(domain, is_ixfr);
+ domain = namedb_del_denial_trigger(db, domain, 0);
+ if (domain) {
diff --git a/opendnssec.spec b/opendnssec.spec
index e60d9d8..d01f5c8 100644
--- a/opendnssec.spec
+++ b/opendnssec.spec
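Review bot: In the domain.c part of the added patch, `unsigned_delegpt` is set to 1 and never reassigned in the lines shown, so the closing `return unsigned_delegpt;` is a plain `return 1;`, and it is also the result when the loop finds no descendant holding data at all. That case used to log "encountered empty terminal that is treated as non-terminal" and return 0; it is now silently reported the same way as a name with only unsigned delegations beneath it, which would change the denial-of-existence records the signer emits if callers use this result to leave names out of the NSEC3 chain under opt-out (not visible here). If returning 1 is intended there, drop the variable and write `return 1; /* no signed delegation or authoritative data below this name */`; if not, keep the warning and `return 0;` for the case where no descendant with `d->rrsets` was seen. The switch to `ldns_rbtree_last`/`ldns_rbtree_previous` in namedb.c deserves a one-line comment saying why domains must now be visited in reverse order, since the hunk does not show the reason. Both function bodies start and end outside the inner hunks, so this rests only on the lines shown.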
@@ -2,7 +2,7 @@
 Summary: DNSSEC key and zone management software
 Name: opendnssec
 Version: 1.4.0
-Release: 0.5.%{?prever}%{?dist}
+Release: 0.6.%{?prever}%{?dist}
 License: BSD
 Url: http://www.opendnssec.org/
 Source0: http://www.opendnssec.org/files/source/%{?prever:testing/}%{name}-%{version}%{?prever}.tar.gz
@@ -17,6 +17,7 @@ Patch2: opendnssec-1.4.0a3-nsec3param.patch
 Patch3: opendnssec-1.4.0b1-occluded.patch
 Patch4: opendnssec-1.4.0b1-r6816.patch
 Patch5: opendnssec-1.4.0b1-r6817.patch
+Patch6: opendnssec-1.4.0b1-nonempty-terminals.patch
 Group: Applications/System
 Requires: opencryptoki, softhsm
 BuildRequires: ldns-devel >= 1.6.13, sqlite-devel , openssl-devel
@@ -42,6 +43,7 @@ name server. It requires a PKCS#11 crypto module library, such as softhsm
 %patch3 -p1 -b .occluded
 %patch4 -p1 -b .r6816
 %patch5 -p1 -b .r6817
+%patch6 -p1
 %build
 %configure --with-ldns=%{_libdir}
@@ -120,6 +122,9 @@ if [ "$1" -ge "1" ]; then
 fi
 %changelog
+* Fri Nov 23 2012 Paul Wouters - 1.4.0-0.6.b1
+- Patch for empty nonterminal NSEC3 records
+
 * Sat Nov 10 2012 Paul Wouters - 1.4.0-0.5.b1
 - Patch r6816 fixes enforcer/signer communication
 - Patch r6817 Don't add double RRSIGs generated by same key for DNSKEY RRset