Conversion from NSEC3 to NSEC removes the NSEC3PARAM too early

The NSEC3PARAM was being removed immediately by dns_nsec3param_deletechains rather than waiting for the NSEC chain to be generated then removing it as part of the clean up. This could result in named returning unsigned answers which would not validate as secure. This state was transitory being corrected when the NSEC chain completed building.