Delete NSEC chain if NSEC3 is enabled.

Applies both for full zone resign and for DDNS sign.

refs #125

src/libknot/dnssec/zone-nsec.c

@@ -620,6 +620,18 @@ static knot_node_t *create_nsec3_node_for_node(knot_node_t *node,
 	return nsec3_node;
 }
 
+static int remove_nsec_from_node(const knot_node_t *node,
+                                 knot_changeset_t *chgset)
+{
+	assert(node);
+	assert(chgset);
+
+	const knot_rrset_t *nsec = knot_node_rrset(node, KNOT_RRTYPE_NSEC);
+	assert(knot_rrset_rdata_rr_count(nsec) <= 1);
+
+	return changeset_remove_nsec(nsec, chgset);
+}
+
 /*!
  * \brief Create NSEC3 node for each regular node in the zone.
  *
@@ -630,7 +642,8 @@ static knot_node_t *create_nsec3_node_for_node(knot_node_t *node,
  * \return Error code, KNOT_EOK if successful.
  */
 static int create_nsec3_nodes(const knot_zone_contents_t *zone, uint32_t ttl,
-                              knot_zone_tree_t *nsec3_nodes)
+                              knot_zone_tree_t *nsec3_nodes,
+                              knot_changeset_t *chgset)
 {
 	assert(zone);
 	assert(nsec3_nodes);
@@ -664,6 +677,14 @@ static int create_nsec3_nodes(const knot_zone_contents_t *zone, uint32_t ttl,
 			break;
 		}
 
+		/* Remove possible NSEC from the node. (Do not allow both NSEC
+		 * and NSEC3 in the zone at once.)
+		 */
+		result = remove_nsec_from_node(node, chgset);
+		if (result != KNOT_EOK) {
+			break;
+		}
+
 		hattrie_iter_next(it);
 	}
 
@@ -721,7 +742,7 @@ static int create_nsec3_chain(const knot_zone_contents_t *zone, uint32_t ttl,
 		return KNOT_ENOMEM;
 	}
 
-	result = create_nsec3_nodes(zone, ttl, nsec3_nodes);
+	result = create_nsec3_nodes(zone, ttl, nsec3_nodes, changeset);
 	if (result != KNOT_EOK) {
 		free_nsec3_tree(nsec3_nodes);
 		return result;