Figure out that kasp changes from NSEC only DNSKEY zone to NSEC3

A story:

I was too quick switching to NSEC3, which is incompatible with the old key. Switching back to NSEC allowed the rollover to complete. Still, shouldn't BIND have been able to figure this out on its own? It kept using NSEC because of the incompatible key, and it kept the incompatible key needed to verify the NSEC records.

I realized we have code to detect such an erroneous state, but we can use that code also to fallback using NSEC if there are offending DNSKEYs in the zone.

So yes, I think BIND is capable of figuring this out.