When signing with a new algorithm preserve NSEC/NSEC3 chains

If the zone already has NSEC/NSEC3 chains, then zone_sign
needs to continue to use them.  If there are no chains, then use the
kasp setting; otherwise generate an NSEC chain.

(cherry picked from commit 4b55201459)
Mark Andrews
2023-03-14 13:13:14 +11:00
parent f012549203
commit 7f13c9d3fa
2 changed files with 17 additions and 23 deletions


@@ -398,12 +398,6 @@ then
set_key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
set_key_default_values "KEY2"
echo_i "check zone ${ZONE} after reconfig"
ret=0
wait_for_log 10 "zone $ZONE/IN (signed): wait building NSEC3 chain until NSEC only DNSKEYs are removed" ns3/named.run || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
check_nsec
# Zone: nsec3-to-rsasha1.kasp.