Hi,

If dynamic signing is used with BIND 9.8, what is the recommended procedure to switch from an NSEC3-signed zone to an NSEC-signed one without changing existing DNSKEYs (currently RSA/SHA-512 algorithms are used for both ZSK and KSK)? Any specific options for dnssec-signzone?

Thanks,
David