Hello!

We have ~30 servers running BIND (9.8, 9.7, 9.6). A week ago we signed the first of our zones with RSA/SHA1 + NSEC3 + OPT-OUT. Recently we realised that our servers don't generate NSEC3 for the signed zone. The problem went away after we restarted the BIND instances.

Is the described behaviour normal for BIND or not?

--
AP