diff --git a/src/rr-dict.c b/src/rr-dict.c
index b269e19b..f539ec73 100644
--- a/src/rr-dict.c
+++ b/src/rr-dict.c
@@ -263,13 +263,9 @@ static getdns_return_t
 ipseckey_gateway_2wire(
     const getdns_bindata *value, uint8_t *rdata, uint8_t *rdf, size_t *rdf_len)
 {
-	if (rdf - 2 < rdata)
-		return GETDNS_RETURN_GENERIC_ERROR;
+	assert(rdf - 2 >= rdata && rdf[-2] > 0);
 
 	switch (rdf[-2]) {
-	case 0:	if (value && value->size > 0)
-			return GETDNS_RETURN_INVALID_PARAMETER;
-		break;
 	case 1: if (!value || value->size != 4)
 			return GETDNS_RETURN_INVALID_PARAMETER;
 		if (*rdf_len < 4) {
@@ -310,7 +306,14 @@ ipseckey_gateway_dict2wire(
 	getdns_return_t r;
 	getdns_bindata *value;
 
-	if ((r = getdns_dict_get_bindata(dict, "gateway", &value)))
+	if (rdf - 2 < rdata)
+		return GETDNS_RETURN_GENERIC_ERROR;
+
+	else if (rdf[-2] == 0) {
+		*rdf_len = 0;
+		return GETDNS_RETURN_GOOD;
+	}
+	else if ((r = getdns_dict_get_bindata(dict, "gateway", &value)))
 		return r;
 	else
 		return ipseckey_gateway_2wire(value, rdata, rdf, rdf_len);
diff --git a/src/rr-iter.c b/src/rr-iter.c
index ede6b2b5..7d57ace7 100644
--- a/src/rr-iter.c
+++ b/src/rr-iter.c
@@ -518,8 +518,16 @@ rdf_iter_find_nxt(_getdns_rdf_iter *i)
 
 	    /* Empty rdata fields are only allowed in case of non-repeating
 	     * remaining data. So only the GETDNS_RDF_BINDATA bit is set.
+	     *
+	     * There is one exception, the IPSECKEY has an empty special rdata
+	     * field "gateway" when another rdata field, "gateway_type" is 0.
+	     * In general, the special wire2dict or list functions should
+	     * handle this case themselves, so allow for 0 sized RDF_SPECIAL
+	     * typed rdata fields too.
 	     */
-	    (i->nxt >  i->pos || (i->rdd_pos->type == GETDNS_RDF_BINDATA)))
+	    (  i->nxt >  i->pos
+	    || i->rdd_pos->type == GETDNS_RDF_BINDATA 
+	    || i->rdd_pos->type == GETDNS_RDF_SPECIAL))
 		return i;
 done:
 	i->pos = NULL;