4405. [bug] Change 4342 introduced a regression where you could

not remove a delegation in a NSEC3 signed zone using
                        OPTOUT via nsupdate. [RT #42702]

(cherry picked from commit d811a7d9ef)

bin/tests/system/nsupdate/tests.sh

@@ -647,5 +647,34 @@ grep "bad name" nsupdate.out4-$n > /dev/null && ret=1
 
 [ $ret = 0 ] || { echo I:failed; status=1; }
 
+n=`expr $n + 1`
+echo "I:check adding of delegating NS records processing ($n)"
+ret=0
+$NSUPDATE -v << EOF > nsupdate.out-$n 2>&1 || ret=1
+server 10.53.0.3 5300
+zone delegation.test.
+update add child.delegation.test. 3600 NS foo.example.net.
+update add child.delegation.test. 3600 NS bar.example.net.
+send
+EOF
+$DIG +tcp @10.53.0.3 -p 5300 ns child.delegation.test > dig.out.ns1.test$n
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
+grep "AUTHORITY: 2" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo I:failed; status=1; }
+
+n=`expr $n + 1`
+echo "I:check deleting of delegating NS records processing ($n)"
+ret=0
+$NSUPDATE -v << EOF > nsupdate.out-$n 2>&1 || ret=1
+server 10.53.0.3 5300
+zone delegation.test.
+update del child.delegation.test. 3600 NS foo.example.net.
+update del child.delegation.test. 3600 NS bar.example.net.
+send
+EOF
+$DIG +tcp @10.53.0.3 -p 5300 ns child.delegation.test > dig.out.ns1.test$n
+grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo I:failed; status=1; }
+
 echo "I:exit status: $status"
 [ $status -eq 0 ] || exit 1