Introducing NS records appears to break NSEC chain
Our ripe.net zone was modified by the following changes, which I've extracted from the BIND journal on the server where these changes were made:
del ripe.net. 3600 IN SOA manus.authdns.ripe.net. dns.ripe.net. 1605598974 3600 600 864000 3600
add ripe.net. 3600 IN SOA manus.authdns.ripe.net. dns.ripe.net. 1605602048 3600 600 864000 3600
add ad1.auth.ripe.net. 86400 IN A 193.0.4.66
add ad2.auth.ripe.net. 86400 IN A 193.0.4.67
add reth0-10.fw-2.ripe.net. 86400 IN A 193.0.4.65
add ad1.auth.ripe.net. 86400 IN AAAA 2001:67c:2e8:10::c100:442
add ad2.auth.ripe.net. 86400 IN AAAA 2001:67c:2e8:10::c100:442
add reth0-10.fw-2.ripe.net. 86400 IN AAAA 2001:67c:2e8:10::1
del ripe.net. 3600 IN SOA manus.authdns.ripe.net. dns.ripe.net. 1606299560 3600 600 864000 3600
del ad1.auth.ripe.net. 86400 IN AAAA 2001:67c:2e8:10::c100:442
add ripe.net. 3600 IN SOA manus.authdns.ripe.net. dns.ripe.net. 1606301911 3600 600 864000 3600
add ad1.auth.ripe.net. 86400 IN AAAA 2001:67c:2e8:10::c100:441
del ripe.net. 3600 IN SOA manus.authdns.ripe.net. dns.ripe.net. 1606301911 3600 600 864000 3600
del ad1.auth.ripe.net. 86400 IN AAAA 2001:67c:2e8:10::c100:441
del ad2.auth.ripe.net. 86400 IN AAAA 2001:67c:2e8:10::c100:442
add ripe.net. 3600 IN SOA manus.authdns.ripe.net. dns.ripe.net. 1606302273 3600 600 864000 3600
add ad1.auth.ripe.net. 86400 IN AAAA 2001:67c:2e8:10::c100:442
add ad2.auth.ripe.net. 86400 IN AAAA 2001:67c:2e8:10::c100:443
del ripe.net. 3600 IN SOA manus.authdns.ripe.net. dns.ripe.net. 1606906031 3600 600 864000 3600
add ripe.net. 3600 IN SOA manus.authdns.ripe.net. dns.ripe.net. 1606907539 3600 600 864000 3600
add auth.ripe.net. 86400 IN NS ad1.auth.ripe.net.
add auth.ripe.net. 86400 IN NS ad2.auth.ripe.net.
After the last set of changes, our Knot 2.9.5 signer appeared to have gotten confused, and messed up its NSEC chain. The offending record is here:
dnssec-verify -o ripe.net ripe.net.signer4
Loading zone 'ripe.net' from file 'ripe.net.signer4'
Verifying the zone using the following algorithms: RSASHA256.
unexpected NSEC RRset at ad1.auth.ripe.net
grep ad1.auth.ripe.net ripe.net.signer4
auth.ripe.net. 86400 IN NS ad1.auth.ripe.net.
ad1.auth.ripe.net. 86400 IN A 193.0.4.66
ad1.auth.ripe.net. 86400 IN AAAA 2001:67c:2e8:10::c100:442
ad1.auth.ripe.net. 3600 IN NSEC ad2.auth.ripe.net. A AAAA RRSIG NSEC
So that NSEC record for ad1.auth.ripe.net should not be there.
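An added sanity check, not code from the post or from Knot, over a constructed mini-zone modelled on the records quoted above: names strictly below the new auth.ripe.net cut are glue, so the check flags the NSEC at ad1.auth.ripe.net and reports what the NSEC "next" pointer at auth.ripe.net should point to instead. The address for manus.authdns.ripe.net is a placeholder.

```python
ZONE_APEX = "ripe.net."

# Constructed sample (owner, type, rdata) modelled on the records in the post.
SIGNED_ZONE = [
    ("ripe.net.", "SOA", "manus.authdns.ripe.net. dns.ripe.net. 1606907539"),
    ("ripe.net.", "NS", "manus.authdns.ripe.net."),
    ("ripe.net.", "NSEC", "auth.ripe.net. SOA NS RRSIG NSEC DNSKEY"),
    ("auth.ripe.net.", "NS", "ad1.auth.ripe.net."),        # new zone cut
    ("auth.ripe.net.", "NS", "ad2.auth.ripe.net."),
    ("auth.ripe.net.", "NSEC", "ad1.auth.ripe.net. NS RRSIG NSEC"),
    ("ad1.auth.ripe.net.", "A", "193.0.4.66"),             # glue below the cut
    ("ad1.auth.ripe.net.", "AAAA", "2001:67c:2e8:10::c100:442"),
    ("ad1.auth.ripe.net.", "NSEC", "ad2.auth.ripe.net. A AAAA RRSIG NSEC"),  # offending
    ("ad2.auth.ripe.net.", "A", "193.0.4.67"),
    ("ad2.auth.ripe.net.", "AAAA", "2001:67c:2e8:10::c100:443"),
    ("manus.authdns.ripe.net.", "A", "192.0.2.1"),         # placeholder address
    ("manus.authdns.ripe.net.", "NSEC", "ripe.net. A RRSIG NSEC"),
]

def _labels_reversed(name):
    """Key for RFC 4034 canonical ordering: compare labels right to left."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))

def is_below(name, parent):
    a, b = _labels_reversed(name), _labels_reversed(parent)
    return len(a) > len(b) and a[:len(b)] == b

def occluded_names(zone, apex=ZONE_APEX):
    """Names strictly below a non-apex NS owner are glue, not authoritative here."""
    cuts = {o for o, t, _ in zone if t == "NS" and o != apex}
    return {o for o, _, _ in zone if any(is_below(o, c) for c in cuts)}

def expected_nsec_chain(zone, apex=ZONE_APEX):
    """Owners that must carry NSEC, in canonical order (the chain wraps to apex)."""
    owners = {o for o, _, _ in zone} - occluded_names(zone, apex)
    return sorted(owners, key=_labels_reversed)

def unexpected_nsec(zone, apex=ZONE_APEX):
    """NSEC RRs at occluded names: the condition dnssec-verify reported."""
    occluded = occluded_names(zone, apex)
    return sorted(o for o, t, _ in zone if t == "NSEC" and o in occluded)

def chain_breaks(zone, apex=ZONE_APEX):
    """(owner, next_in_rdata, expected_next) where an NSEC next pointer is wrong."""
    chain = expected_nsec_chain(zone, apex)
    nxt = {chain[i]: chain[(i + 1) % len(chain)] for i in range(len(chain))}
    return [(o, r.split()[0], nxt[o]) for o, t, r in zone
            if t == "NSEC" and o in nxt and r.split()[0] != nxt[o]]

if __name__ == "__main__":
    print("unexpected NSEC at:", unexpected_nsec(SIGNED_ZONE))
    print("chain breaks:", chain_breaks(SIGNED_ZONE))
```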