When signing with a new algorithm preserve NSEC/NSEC3 chains

If the zone already has existing NSEC/NSEC3 chains then zone_sign
needs to continue to use them.  If there are no chains then use
kasp setting otherwise generate an NSEC chain.

bin/tests/system/nsec3/tests.sh

@@ -421,12 +421,6 @@ then
 	set_key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
 	set_key_default_values "KEY2"
 	echo_i "check zone ${ZONE} after reconfig"
-
-	ret=0
-	wait_for_log 10 "zone $ZONE/IN (signed): wait building NSEC3 chain until NSEC only DNSKEYs are removed" ns3/named.run || ret=1
-	test "$ret" -eq 0 || echo_i "failed"
-	status=$((status+ret))
-
 	check_nsec
 
 	# Zone: nsec3-to-rsasha1.kasp.

lib/dns/zone.c

@@ -9197,23 +9197,23 @@ zone_sign(dns_zone_t *zone) {
 		   use_kasp ? "yes" : "no");
 
 	/* Determine which type of chain to build */
-	if (use_kasp) {
-		build_nsec3 = dns_kasp_nsec3(kasp);
-		if (!dns_zone_check_dnskey_nsec3(zone, db, version, NULL,
-						 (dst_key_t **)&zone_keys,
-						 nkeys))
-		{
-			dnssec_log(zone, ISC_LOG_INFO,
-				   "wait building NSEC3 chain until NSEC only "
-				   "DNSKEYs are removed");
-			build_nsec3 = false;
-		}
-		build_nsec = !build_nsec3;
-	} else {
-		CHECK(dns_private_chains(db, version, zone->privatetype,
-					 &build_nsec, &build_nsec3));
-		/* If neither chain is found, default to NSEC */
-		if (!build_nsec && !build_nsec3) {
+	CHECK(dns_private_chains(db, version, zone->privatetype, &build_nsec,
+				 &build_nsec3));
+	if (!build_nsec && !build_nsec3) {
+		if (use_kasp) {
+			build_nsec3 = dns_kasp_nsec3(kasp);
+			if (!dns_zone_check_dnskey_nsec3(
+				    zone, db, version, NULL,
+				    (dst_key_t **)&zone_keys, nkeys))
+			{
+				dnssec_log(zone, ISC_LOG_INFO,
+					   "wait building NSEC3 chain until "
+					   "NSEC only DNSKEYs are removed");
+				build_nsec3 = false;
+			}
+			build_nsec = !build_nsec3;
+		} else {
+			/* If neither chain is found, default to NSEC */
 			build_nsec = true;
 		}
 	}