diff --git a/.github/workflows/system-tests.yml b/.github/workflows/system-tests.yml
index 4cad52e3..be4910f1 100644
--- a/.github/workflows/system-tests.yml
+++ b/.github/workflows/system-tests.yml
@@ -240,3 +240,40 @@ jobs:
     - name: Print log files on any failure in this job
       uses: ./.github/actions/print-logfiles
       if: failure()
+
+  incremental-signing:
+    name: Sign two versions of a zone and verify that the second one has the expected output.
+    runs-on: ${{ matrix.os }}
+    needs: build
+    strategy:
+      matrix:
+        os: [ubuntu-latest]
+        rust: [stable] # see build job
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+    - name: Prepare the system test environment
+      uses: ./.github/actions/prepare-systest-env
+      with:
+        artifact-name: ${{ format('cascade_{0}_{1}_{2}', github.sha, matrix.os, matrix.rust) }}
+    - run: target/debug/cascade --version
+    - name: Setup and start the cascade daemon
+      uses: ./.github/actions/setup-and-start-cascade
+    - name: Add a policy
+      run: |
+        # Based on actions/setup-and-start-cascade/, query the Cascade config
+        # to find the policy directory, at least until we have a better way of
+        # doing this.
+        CASCADE_CONF="${GITHUB_WORKSPACE}/cascade-dir/config.toml"
+        POLICY_DIR=$(grep -E '^policy-dir.*=' ${CASCADE_CONF} | cut -d '=' -f 2 | cut -d '"' -f 2)
+        INCREMENTAL_SIGNING_DIR="${PWD}/integration-tests/incremental-signing"
+        # Copy the new test policy into the Cascade policy directory.
+        cp ${INTEGRATION_TEST_DIR}/policies/*.toml ${POLICY_DIR}/
+        # Tell Cascade to load our new test policy.
+        target/debug/cascade policy reload
+    - name: Run tests
+      run: |
+	integration-tests/tests.sh
+    - name: Print log files on any failure in this job
+      uses: ./.github/actions/print-logfiles
+      if: failure()
diff --git a/integration-tests/incremental-signing/keys/Kexample.+015+02835.key b/integration-tests/incremental-signing/keys/Kexample.+015+02835.key
new file mode 100644
index 00000000..3c034aef
--- /dev/null
+++ b/integration-tests/incremental-signing/keys/Kexample.+015+02835.key
@@ -0,0 +1 @@
+example. IN DNSKEY 256 3 15 BnnbKMXdvQp2v+tzyvO/HxQGY8iYcJsWD4MN6fnr84Q=
diff --git a/integration-tests/incremental-signing/keys/Kexample.+015+02835.private b/integration-tests/incremental-signing/keys/Kexample.+015+02835.private
new file mode 100644
index 00000000..a7a4a799
--- /dev/null
+++ b/integration-tests/incremental-signing/keys/Kexample.+015+02835.private
@@ -0,0 +1,3 @@
+Private-key-format: v1.2
+Algorithm: 15 (ED25519)
+PrivateKey: LoWBrHTJZ84e56m6cYfrtsRcTCaA3y33mWsV7CzUnyU=
diff --git a/integration-tests/incremental-signing/policies/nsec.toml b/integration-tests/incremental-signing/policies/nsec.toml
new file mode 100644
index 00000000..fce3cd1a
--- /dev/null
+++ b/integration-tests/incremental-signing/policies/nsec.toml
@@ -0,0 +1,89 @@
+# The policy file version.
+#
+# This is the only required option.  All other settings, and their defaults, are
+# associated with this version number.  More versions may be added in the future
+# and Cascade may drop support for older versions over time.
+#
+# - 'v1': This format.
+version = "v1"
+
+
+# How denial-of-existence records are generated.
+[signer.denial]
+
+# The type of denial-of-existence records to generate.
+#
+# Supported options:
+# - 'nsec': Use NSEC records (RFC 4034).
+# - 'nsec3': Use NSEC3 records (RFC 5155).
+type = "nsec"
+
+# How zones are signed.
+#
+# Note that certain records (e.g. DNSKEY and CDS records at the apex of the
+# zone) are signed by the key manager, rather than the zone signer; see the
+# `[key-manager.records]` section for configuring the signing of those records.
+[signer]
+
+# How SOA serial numbers are generated for signed zones.
+#
+# Supported options:
+# - 'keep': use the same serial number as the unsigned zone.
+# - 'counter': increment the serial number every time.
+# - 'unixtime': use the current Unix time, in seconds.
+# - 'date-counter': format the number as '<YYYY><MM><DD><xx>' in decimal.
+#     '<xx>' is a simple counter to allow up to 100 versions per day.
+serial-policy = "keep"
+
+# The offset for generated signature inceptions.
+#
+# Record signatures have a fixed inception time, from when they are considered
+# valid.  An imprecise computer clock could cause signatures to be considered
+# invalid, because their inception point appears to be some time in the future.
+# To prevent such cases, this setting allows the inception time to be offset
+# into the past.
+#
+# An integer value is interpreted as seconds; inception times will be calculated
+# as 'now - offset' at the time of signing.
+signature-inception-offset = 0
+
+# The lifetime of generated signatures.
+#
+# Record signatures have a fixed lifetime, after which they are considered
+# invalid.  To keep the zone valid, the signatures should be regenerated before
+# they expire; see 'signature-remain-time' to control regeneration time.
+#
+# An integer value is interpreted as seconds.
+signature-lifetime = 100000000
+
+# The management of DNS records by the key manager.
+# 
+# The key manager generates and signs several records (DNSKEY and CDS).  This
+# section controls its behaviour towards them.
+[key-manager.records]
+
+# The offset for generated signature inceptions.
+#
+# Record signatures have a fixed inception time, from when they are considered
+# valid.  An imprecise computer clock could cause signatures to be considered
+# invalid, because their inception point appears to be some time in the future.
+# To prevent such cases, this setting allows the inception time to be offset
+# into the past.
+#
+# Independent offsets can be set for each type of record.  An integer value is
+# intepreted as seconds; inception times will be calculated as 'now - offset'
+# at the time of signing.
+dnskey.signature-inception-offset = 0
+cds.signature-inception-offset = 0
+
+# The lifetime of generated signatures.
+#
+# Record signatures have a fixed lifetime, after which they are considered
+# invalid.  To keep the zone valid, the signatures should be regenerated before
+# they expire; see 'signature-remain-time' to control regeneration time.
+#
+# Independent lifetimes can be set for each type of record.  An integer value is
+# interpreted as seconds.
+dnskey.signature-lifetime = 100000000
+cds.signature-lifetime = 100000000
+
diff --git a/integration-tests/incremental-signing/policies/nsec3-opt-out.toml b/integration-tests/incremental-signing/policies/nsec3-opt-out.toml
new file mode 100644
index 00000000..51dcc2ce
--- /dev/null
+++ b/integration-tests/incremental-signing/policies/nsec3-opt-out.toml
@@ -0,0 +1,90 @@
+# The policy file version.
+#
+# This is the only required option.  All other settings, and their defaults, are
+# associated with this version number.  More versions may be added in the future
+# and Cascade may drop support for older versions over time.
+#
+# - 'v1': This format.
+version = "v1"
+
+
+# How denial-of-existence records are generated.
+[signer.denial]
+
+# The type of denial-of-existence records to generate.
+#
+# Supported options:
+# - 'nsec': Use NSEC records (RFC 4034).
+# - 'nsec3': Use NSEC3 records (RFC 5155).
+type = "nsec3"
+opt-out = true
+
+# How zones are signed.
+#
+# Note that certain records (e.g. DNSKEY and CDS records at the apex of the
+# zone) are signed by the key manager, rather than the zone signer; see the
+# `[key-manager.records]` section for configuring the signing of those records.
+[signer]
+
+# How SOA serial numbers are generated for signed zones.
+#
+# Supported options:
+# - 'keep': use the same serial number as the unsigned zone.
+# - 'counter': increment the serial number every time.
+# - 'unixtime': use the current Unix time, in seconds.
+# - 'date-counter': format the number as '<YYYY><MM><DD><xx>' in decimal.
+#     '<xx>' is a simple counter to allow up to 100 versions per day.
+serial-policy = "keep"
+
+# The offset for generated signature inceptions.
+#
+# Record signatures have a fixed inception time, from when they are considered
+# valid.  An imprecise computer clock could cause signatures to be considered
+# invalid, because their inception point appears to be some time in the future.
+# To prevent such cases, this setting allows the inception time to be offset
+# into the past.
+#
+# An integer value is interpreted as seconds; inception times will be calculated
+# as 'now - offset' at the time of signing.
+signature-inception-offset = 0
+
+# The lifetime of generated signatures.
+#
+# Record signatures have a fixed lifetime, after which they are considered
+# invalid.  To keep the zone valid, the signatures should be regenerated before
+# they expire; see 'signature-remain-time' to control regeneration time.
+#
+# An integer value is interpreted as seconds.
+signature-lifetime = 100000000
+
+# The management of DNS records by the key manager.
+# 
+# The key manager generates and signs several records (DNSKEY and CDS).  This
+# section controls its behaviour towards them.
+[key-manager.records]
+
+# The offset for generated signature inceptions.
+#
+# Record signatures have a fixed inception time, from when they are considered
+# valid.  An imprecise computer clock could cause signatures to be considered
+# invalid, because their inception point appears to be some time in the future.
+# To prevent such cases, this setting allows the inception time to be offset
+# into the past.
+#
+# Independent offsets can be set for each type of record.  An integer value is
+# intepreted as seconds; inception times will be calculated as 'now - offset'
+# at the time of signing.
+dnskey.signature-inception-offset = 0
+cds.signature-inception-offset = 0
+
+# The lifetime of generated signatures.
+#
+# Record signatures have a fixed lifetime, after which they are considered
+# invalid.  To keep the zone valid, the signatures should be regenerated before
+# they expire; see 'signature-remain-time' to control regeneration time.
+#
+# Independent lifetimes can be set for each type of record.  An integer value is
+# interpreted as seconds.
+dnskey.signature-lifetime = 100000000
+cds.signature-lifetime = 100000000
+
diff --git a/integration-tests/incremental-signing/policies/nsec3.toml b/integration-tests/incremental-signing/policies/nsec3.toml
new file mode 100644
index 00000000..88392552
--- /dev/null
+++ b/integration-tests/incremental-signing/policies/nsec3.toml
@@ -0,0 +1,90 @@
+# The policy file version.
+#
+# This is the only required option.  All other settings, and their defaults, are
+# associated with this version number.  More versions may be added in the future
+# and Cascade may drop support for older versions over time.
+#
+# - 'v1': This format.
+version = "v1"
+
+
+# How denial-of-existence records are generated.
+[signer.denial]
+
+# The type of denial-of-existence records to generate.
+#
+# Supported options:
+# - 'nsec': Use NSEC records (RFC 4034).
+# - 'nsec3': Use NSEC3 records (RFC 5155).
+type = "nsec3"
+opt-out = false
+
+# How zones are signed.
+#
+# Note that certain records (e.g. DNSKEY and CDS records at the apex of the
+# zone) are signed by the key manager, rather than the zone signer; see the
+# `[key-manager.records]` section for configuring the signing of those records.
+[signer]
+
+# How SOA serial numbers are generated for signed zones.
+#
+# Supported options:
+# - 'keep': use the same serial number as the unsigned zone.
+# - 'counter': increment the serial number every time.
+# - 'unixtime': use the current Unix time, in seconds.
+# - 'date-counter': format the number as '<YYYY><MM><DD><xx>' in decimal.
+#     '<xx>' is a simple counter to allow up to 100 versions per day.
+serial-policy = "keep"
+
+# The offset for generated signature inceptions.
+#
+# Record signatures have a fixed inception time, from when they are considered
+# valid.  An imprecise computer clock could cause signatures to be considered
+# invalid, because their inception point appears to be some time in the future.
+# To prevent such cases, this setting allows the inception time to be offset
+# into the past.
+#
+# An integer value is interpreted as seconds; inception times will be calculated
+# as 'now - offset' at the time of signing.
+signature-inception-offset = 0
+
+# The lifetime of generated signatures.
+#
+# Record signatures have a fixed lifetime, after which they are considered
+# invalid.  To keep the zone valid, the signatures should be regenerated before
+# they expire; see 'signature-remain-time' to control regeneration time.
+#
+# An integer value is interpreted as seconds.
+signature-lifetime = 100000000
+
+# The management of DNS records by the key manager.
+# 
+# The key manager generates and signs several records (DNSKEY and CDS).  This
+# section controls its behaviour towards them.
+[key-manager.records]
+
+# The offset for generated signature inceptions.
+#
+# Record signatures have a fixed inception time, from when they are considered
+# valid.  An imprecise computer clock could cause signatures to be considered
+# invalid, because their inception point appears to be some time in the future.
+# To prevent such cases, this setting allows the inception time to be offset
+# into the past.
+#
+# Independent offsets can be set for each type of record.  An integer value is
+# intepreted as seconds; inception times will be calculated as 'now - offset'
+# at the time of signing.
+dnskey.signature-inception-offset = 0
+cds.signature-inception-offset = 0
+
+# The lifetime of generated signatures.
+#
+# Record signatures have a fixed lifetime, after which they are considered
+# invalid.  To keep the zone valid, the signatures should be regenerated before
+# they expire; see 'signature-remain-time' to control regeneration time.
+#
+# Independent lifetimes can be set for each type of record.  An integer value is
+# interpreted as seconds.
+dnskey.signature-lifetime = 100000000
+cds.signature-lifetime = 100000000
+
diff --git a/integration-tests/incremental-signing/reference-output/incremental-signing-test1-input2.zone.nsec.signed.sorted b/integration-tests/incremental-signing/reference-output/incremental-signing-test1-input2.zone.nsec.signed.sorted
new file mode 100644
index 00000000..d28e3c1c
--- /dev/null
+++ b/integration-tests/incremental-signing/reference-output/incremental-signing-test1-input2.zone.nsec.signed.sorted
@@ -0,0 +1,61 @@
+aaaa.modify.example.	3600	IN	AAAA	2001:db8::1
+aaaa.modify.example.	3600	IN	NSEC	cname.modify.example. AAAA RRSIG NSEC
+aaaa.modify.example.	3600	IN	RRSIG	AAAA 15 3 3600 20231114221320 20200913122640 2835 example. jaZ0iZ+CHYF7t3u7f/68WqZONY1H3hoVVWSD9U9ndoY3s6t7ZjkdORnXAD9YqpG4BDfscrTE2p8TterfZD92BQ==
+aaaa.modify.example.	3600	IN	RRSIG	NSEC 15 3 3600 20231114221320 20200913122640 2835 example. Bm313NSOrs6KJjWcuC3P2mlNFH6kU79EawtfXZXZXtzD3RiEOVCTuz6+tTv5TQaHKy1W1DsC+3aVf6vyhCNWCQ==
+aaaa.modify.not-auth.example.	3600	IN	AAAA	2001:db8::1
+a.modify.example.	3600	IN	A	192.0.2.1
+a.modify.example.	3600	IN	NSEC	aaaa.modify.example. A RRSIG NSEC
+a.modify.example.	3600	IN	RRSIG	A 15 3 3600 20231114221320 20200913122640 2835 example. zzi8zBAaudH4nHnprPexIKkVt0qdMLMxN9NEk1Uh1Um90BAJORqjyrYN8fXVpLqsOLZ1pJicFLKA5XzWrk1PBw==
+a.modify.example.	3600	IN	RRSIG	NSEC 15 3 3600 20231114221320 20200913122640 2835 example. uDI67iOmDtDYexjvoJrraLKJgPa2HwdU6fjILT4tb1sQb8fyrDTqeE6Nbl47BCXdKTcOdBpwfUytF0VY7uvTCA==
+a.modify.not-auth.example.	3600	IN	A	192.0.2.1
+cname.modify.example.	3600	IN	CNAME	cname-target2.example.
+cname.modify.example.	3600	IN	NSEC	dname.modify.example. CNAME RRSIG NSEC
+cname.modify.example.	3600	IN	RRSIG	CNAME 15 3 3600 20231114221320 20200913122640 2835 example. RzMYCLMv2cVDZClmC18R7LhZ+0pMGNCyY7RNUCmQimafyadS2QyOoYKb3G5i4n6Yi74eu8ZBoMS5xp9WSANEDA==
+cname.modify.example.	3600	IN	RRSIG	NSEC 15 3 3600 20231114221320 20200913122640 2835 example. SJxhqphIXPOHAdii3FkmaOrC9e5mXoMTTHSMtvMNpAOaLEx55nnbOdiit7RjCVbtNr2eIuKSbGPjZEhYqEErCQ==
+cname.modify.not-auth.example.	3600	IN	CNAME	cname-target2.example.
+delegation1.example.	3600	IN	DS	12345 13 253 00
+delegation1.example.	3600	IN	NSEC	ent2nt.example. NS DS RRSIG NSEC
+delegation1.example.	3600	IN	NS	ns.example.
+delegation1.example.	3600	IN	RRSIG	DS 15 2 3600 20231114221320 20200913122640 2835 example. EJcI7l72ZEAO6Kp5IwDkKtWuwqxeS6IIg9M6+Jb3MamNM1pSd12VgMkI6ItB321fqEjbVnrh2VEzwxiRMh3BBA==
+delegation1.example.	3600	IN	RRSIG	NSEC 15 2 3600 20231114221320 20200913122640 2835 example. lUXU9BPtqvegBHnMUGUK0944a/qaRETsgObPcOSsnHoJFqxkPvymHTtvDOtbvJx/0HsL8YbUW+FqV1Xr849UAw==
+dname.modify.example.	3600	IN	DNAME	dname-target2.example.
+dname.modify.example.	3600	IN	NSEC	txt.modify.example. DNAME RRSIG NSEC
+dname.modify.example.	3600	IN	RRSIG	DNAME 15 3 3600 20231114221320 20200913122640 2835 example. wBvJ3qKVTjKuTydVTEmnPv47IQ9Gs4JF8y1U0/qJ90pODlfkAUnQDDqDkDv7ZMZbV2mhPJgBH7R+MSUtPSV6Ag==
+dname.modify.example.	3600	IN	RRSIG	NSEC 15 3 3600 20231114221320 20200913122640 2835 example. LxhaKg+u4m3K8RMy8hId1bjX7KijmJUvUxiYRvxZJPpzQwAuA1w21906GZbKOylPwI57WbCMGScPHUYS2XgIAw==
+dname.modify.not-auth.example.	3600	IN	DNAME	dname-target2.example.
+ds.new-ent.example.	3600	IN	DS	12345 13 253 01
+ds.new-ent.example.	3600	IN	NSEC	txt.new-ent.example. NS DS RRSIG NSEC
+ds.new-ent.example.	3600	IN	NS	ns.example.
+ds.new-ent.example.	3600	IN	RRSIG	DS 15 3 3600 20231114221320 20200913122640 2835 example. ugnXumZ3uVN+dwmm93XRrQxwIwtBEedWzG7ShGRgpUcHVzeQr9DYIW+tEqx8Nf06nBBMx22hhiFS8wH1midHBA==
+ds.new-ent.example.	3600	IN	RRSIG	NSEC 15 3 3600 20231114221320 20200913122640 2835 example. dGWRBV9W82JSg0bWojQy0E+Xv6hdXXlBtwsh+42CrexUzgfiWsnhYfpsDiobecviSjvgWHMp8IceQx4QIJ6mBA==
+ent2nt.example.	3600	IN	NSEC	txt.ent2nt.example. TXT RRSIG NSEC
+ent2nt.example.	3600	IN	RRSIG	NSEC 15 2 3600 20231114221320 20200913122640 2835 example. 2VvXz7I83iZ71oBSxX3RwjfL4vZCdFBkOYcRRozGaSvSqJobGlUrgfNQ7gm1xls1lKf8cZ+Dw6VIR9NunaykBQ==
+ent2nt.example.	3600	IN	RRSIG	TXT 15 2 3600 20231114221320 20200913122640 2835 example. mUuqtmkeyjB15acdOBT+kmjg3g/a2KSoSOkKKLiQXPiA6wZV9dfmdMYAv0X8ywFIcJlMWO5Jk9T4abqJFfHjBw==
+ent2nt.example.	3600	IN	TXT	"was ENT, now NT"
+ent2nt.not-auth.example.	3600	IN	TXT	"was ENT, now NT"
+example.	3600	IN	DNSKEY	256 3 15 BnnbKMXdvQp2v+tzyvO/HxQGY8iYcJsWD4MN6fnr84Q=
+example.	3600	IN	NSEC	delegation1.example. SOA TXT RRSIG NSEC DNSKEY
+example.	3600	IN	RRSIG	DNSKEY 15 1 3600 20231114221320 20200913122640 2835 example. RMn96put9kteW8DjunEY3o0J7+MZlrC/zXVBU0h0gpFwjz9mrqo/1EvQUSO6faKaNLD2uhiJ9mg91Z1AQSq4AQ==
+example.	3600	IN	RRSIG	NSEC 15 1 3600 20231114221320 20200913122640 2835 example. K9SQkuBggZKN4WDIgIiO0owwsVyvXjZIkvUUEpJE9vlf6L0RWeMAixbg4y1N60KWailvoTWfqgbW3FDESc5lBw==
+example.	3600	IN	RRSIG	SOA 15 1 3600 20231114221320 20200913122640 2835 example. bBmNKlKLUZIRG8VveJE3bONbEq7DWywLm2wG2bRxLTTWXvX7IfLbb1RFogxT7fH0BIeyBde1azsA+/nAjUBiDg==
+example.	3600	IN	RRSIG	TXT 15 1 3600 20231114221320 20200913122640 2835 example. j8c6wYn06sejbNlk30spLVazOBmp7Xxawl2R8BbVnFtUt5p8/KTXz/7aNYqxjvO+MO+ZV/c9bZx0QAB2VwCRAA==
+example.	3600	IN	SOA	ns.example. hostmaster.example. 23456 3600 3600 86400 3600
+example.	3600	IN	TXT	"New apex record"
+not-auth.example.	3600	IN	NSEC	example. NS RRSIG NSEC
+not-auth.example.	3600	IN	NS	ns.example.
+not-auth.example.	3600	IN	RRSIG	NSEC 15 2 3600 20231114221320 20200913122640 2835 example. tvTt+23SrsOGLbr9h1RHMs+GNAD5VrX0eEiYL6qJpsypwoSQ2yz2WOKhE13CJkUw/EddSxrBaRzBBMQBveLFDA==
+txt.ent2nt.example.	3600	IN	NSEC	a.modify.example. TXT RRSIG NSEC
+txt.ent2nt.example.	3600	IN	RRSIG	NSEC 15 3 3600 20231114221320 20200913122640 2835 example. duq6f2MPCxNU1PPy83bBPj/pERJubhNKUwfpqRSO4IKES48z7EnWWbQGsHyfCy73EwhlKVIEaFpE6Z8g9KRCDw==
+txt.ent2nt.example.	3600	IN	RRSIG	TXT 15 3 3600 20231114221320 20200913122640 2835 example. T4aySP1d7bSYFIWyJ8ic+877Ad34Zntpqgtqqm8QZH7+VHdONArMK87K6mizPoHF9IcjS0SgTylLOMyIZr9MBw==
+txt.ent2nt.example.	3600	IN	TXT	"ENT to become NT"
+txt.ent2nt.not-auth.example.	3600	IN	TXT	"ENT to become NT"
+txt.modify.example.	3600	IN	NSEC	ds.new-ent.example. TXT RRSIG NSEC
+txt.modify.example.	3600	IN	RRSIG	NSEC 15 3 3600 20231114221320 20200913122640 2835 example. ye7ELxyT+p0SnWVP3byYfNQHIEtwft77QVJr02kugMKJpRtHhayzaihSUyTTdaWRaTVGLDwcTyasrAuKETW5AA==
+txt.modify.example.	3600	IN	RRSIG	TXT 15 3 3600 20231114221320 20200913122640 2835 example. uYIaNtjsI7txYRPu8RWHfAZLMXMJ9xr302HJN9F3ZzxCkJAGa0cFcwc0eJXtu0TtkvPQtFrDrMw3Skq6cdr2Aw==
+txt.modify.example.	3600	IN	TXT	"Modified zone"
+txt.modify.not-auth.example.	3600	IN	TXT	"Modified zone"
+txt.new-ent.example.	3600	IN	NSEC	not-auth.example. TXT RRSIG NSEC
+txt.new-ent.example.	3600	IN	RRSIG	NSEC 15 3 3600 20231114221320 20200913122640 2835 example. O3OcofwcSM6xHus78+PcB2585oq84JhLQJymAcqknAHP+SNRYjtQJ+ycO9KdkpFvuncd2OAzBgxNKqWJdznUDw==
+txt.new-ent.example.	3600	IN	RRSIG	TXT 15 3 3600 20231114221320 20200913122640 2835 example. TMF0sKLrrfW/3ZQW0sCWIiWBUOe9B2tvlw7C9SzQ7YiJQNj730l84gm+xpBx+gM62iFBcdZBshAXboYEqzySDA==
+txt.new-ent.example.	3600	IN	TXT	"New authoritative ENT"
+txt.new-ent.not-auth.example.	3600	IN	TXT	"New not authoritative ENT"
diff --git a/integration-tests/incremental-signing/reference-output/incremental-signing-test1-input2.zone.nsec3-opt-out.signed.sorted b/integration-tests/incremental-signing/reference-output/incremental-signing-test1-input2.zone.nsec3-opt-out.signed.sorted
new file mode 100644
index 00000000..ef8e7730
--- /dev/null
+++ b/integration-tests/incremental-signing/reference-output/incremental-signing-test1-input2.zone.nsec3-opt-out.signed.sorted
@@ -0,0 +1,65 @@
+27ilutqtna72n3b4qd7f1n9ip0u27rkv.example.	3600	IN	NSEC3	1 1 0 - 3MSEV9USMD4BR9S97V51R2TDVMR9IQO1 TXT RRSIG
+27ilutqtna72n3b4qd7f1n9ip0u27rkv.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. 74hUwLr3lLeSko7ljOqqIxlLXJCud72ozrY7lIxSVygAZYjHANf/Ljx2h7+Gtoz0oZCRgKdcbUTBVeHjSMsUAw==
+3msev9usmd4br9s97v51r2tdvmr9iqo1.example.	3600	IN	NSEC3	1 1 0 - 42NDU2NEO9PG0NO20OPEE5GJV8BJS5ES SOA TXT RRSIG DNSKEY NSEC3PARAM
+3msev9usmd4br9s97v51r2tdvmr9iqo1.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. kxHaK9S45Ow8P3LuMB+9iaUbHYHZiPyn3t1N/QczaRFJbIjVvsT7lnBiQML2a8KfhEN/pZPhG4mdzUS7dAXrAg==
+42ndu2neo9pg0no20opee5gjv8bjs5es.example.	3600	IN	NSEC3	1 1 0 - 9DEVIEM4V1G0CK0GO4RV4HV8LAR6KR1G TXT RRSIG
+42ndu2neo9pg0no20opee5gjv8bjs5es.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. A7GbNAWw5KyYqXkC/k3eZ2I3c8F4KjBW8KVb3R7f7cQ+809/rU+/vmTgYww8nlvjSiRXcukV9rDR9N8YW2/EAQ==
+9deviem4v1g0ck0go4rv4hv8lar6kr1g.example.	3600	IN	NSEC3	1 1 0 - FFCABUVK6NLQV54UEBNRE3HU2C4CM95D TXT RRSIG
+9deviem4v1g0ck0go4rv4hv8lar6kr1g.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. AFR7KFzZRmxGG14mYfmxq+TzSoUkV5saRWefKw7zjs7jokOaJLcNHRfWEjm9ZS6CLqvlgp8xUV/tOoxZT9aYDQ==
+aaaa.modify.example.	3600	IN	AAAA	2001:db8::1
+aaaa.modify.example.	3600	IN	RRSIG	AAAA 15 3 3600 20231114221320 20200913122640 2835 example. jaZ0iZ+CHYF7t3u7f/68WqZONY1H3hoVVWSD9U9ndoY3s6t7ZjkdORnXAD9YqpG4BDfscrTE2p8TterfZD92BQ==
+aaaa.modify.not-auth.example.	3600	IN	AAAA	2001:db8::1
+a.modify.example.	3600	IN	A	192.0.2.1
+a.modify.example.	3600	IN	RRSIG	A 15 3 3600 20231114221320 20200913122640 2835 example. zzi8zBAaudH4nHnprPexIKkVt0qdMLMxN9NEk1Uh1Um90BAJORqjyrYN8fXVpLqsOLZ1pJicFLKA5XzWrk1PBw==
+a.modify.not-auth.example.	3600	IN	A	192.0.2.1
+cname.modify.example.	3600	IN	CNAME	cname-target2.example.
+cname.modify.example.	3600	IN	RRSIG	CNAME 15 3 3600 20231114221320 20200913122640 2835 example. RzMYCLMv2cVDZClmC18R7LhZ+0pMGNCyY7RNUCmQimafyadS2QyOoYKb3G5i4n6Yi74eu8ZBoMS5xp9WSANEDA==
+cname.modify.not-auth.example.	3600	IN	CNAME	cname-target2.example.
+delegation1.example.	3600	IN	DS	12345 13 253 00
+delegation1.example.	3600	IN	NS	ns.example.
+delegation1.example.	3600	IN	RRSIG	DS 15 2 3600 20231114221320 20200913122640 2835 example. EJcI7l72ZEAO6Kp5IwDkKtWuwqxeS6IIg9M6+Jb3MamNM1pSd12VgMkI6ItB321fqEjbVnrh2VEzwxiRMh3BBA==
+dname.modify.example.	3600	IN	DNAME	dname-target2.example.
+dname.modify.example.	3600	IN	RRSIG	DNAME 15 3 3600 20231114221320 20200913122640 2835 example. wBvJ3qKVTjKuTydVTEmnPv47IQ9Gs4JF8y1U0/qJ90pODlfkAUnQDDqDkDv7ZMZbV2mhPJgBH7R+MSUtPSV6Ag==
+dname.modify.not-auth.example.	3600	IN	DNAME	dname-target2.example.
+ds.new-ent.example.	3600	IN	DS	12345 13 253 01
+ds.new-ent.example.	3600	IN	NS	ns.example.
+ds.new-ent.example.	3600	IN	RRSIG	DS 15 3 3600 20231114221320 20200913122640 2835 example. ugnXumZ3uVN+dwmm93XRrQxwIwtBEedWzG7ShGRgpUcHVzeQr9DYIW+tEqx8Nf06nBBMx22hhiFS8wH1midHBA==
+ent2nt.example.	3600	IN	RRSIG	TXT 15 2 3600 20231114221320 20200913122640 2835 example. mUuqtmkeyjB15acdOBT+kmjg3g/a2KSoSOkKKLiQXPiA6wZV9dfmdMYAv0X8ywFIcJlMWO5Jk9T4abqJFfHjBw==
+ent2nt.example.	3600	IN	TXT	"was ENT, now NT"
+ent2nt.not-auth.example.	3600	IN	TXT	"was ENT, now NT"
+example.	3600	IN	DNSKEY	256 3 15 BnnbKMXdvQp2v+tzyvO/HxQGY8iYcJsWD4MN6fnr84Q=
+example.	3600	IN	NSEC3PARAM	1 1 0 -
+example.	3600	IN	RRSIG	DNSKEY 15 1 3600 20231114221320 20200913122640 2835 example. RMn96put9kteW8DjunEY3o0J7+MZlrC/zXVBU0h0gpFwjz9mrqo/1EvQUSO6faKaNLD2uhiJ9mg91Z1AQSq4AQ==
+example.	3600	IN	RRSIG	NSEC3PARAM 15 1 3600 20231114221320 20200913122640 2835 example. Ladx6ZxxaehBhStbVOWTLQIsX0nrQmRyi6IHL4ClapIJfHMG0/w9xxE2/8kp5JRHhYNHBwFQ5g6djBBdVELvCA==
+example.	3600	IN	RRSIG	SOA 15 1 3600 20231114221320 20200913122640 2835 example. bBmNKlKLUZIRG8VveJE3bONbEq7DWywLm2wG2bRxLTTWXvX7IfLbb1RFogxT7fH0BIeyBde1azsA+/nAjUBiDg==
+example.	3600	IN	RRSIG	TXT 15 1 3600 20231114221320 20200913122640 2835 example. j8c6wYn06sejbNlk30spLVazOBmp7Xxawl2R8BbVnFtUt5p8/KTXz/7aNYqxjvO+MO+ZV/c9bZx0QAB2VwCRAA==
+example.	3600	IN	SOA	ns.example. hostmaster.example. 23456 3600 3600 86400 3600
+example.	3600	IN	TXT	"New apex record"
+ffcabuvk6nlqv54uebnre3hu2c4cm95d.example.	3600	IN	NSEC3	1 1 0 - HMTGUL15V9CLOSHQ32DRDNHH22VUSV3D AAAA RRSIG
+ffcabuvk6nlqv54uebnre3hu2c4cm95d.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. JSXdveSwJjM4IGIiqO9CBwERqsgz7+1Bv9QFi9PR5L1u1HE+e++uk9ErNRmfIT0Bt48JbqPDqAhbFFV29yXfBA==
+hmtgul15v9closhq32drdnhh22vusv3d.example.	3600	IN	NSEC3	1 1 0 - J0JU0NB39B77953UK1UT4N2O3OB6LCUJ
+hmtgul15v9closhq32drdnhh22vusv3d.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. zPtcpnljrMRH5SW67Mlg8sqDy2LSrZNC/H9NL3Rcz/w/tAingGsQGJzC5LE3KtGblPC7YzNXFxA4oh6MXVHjDg==
+j0ju0nb39b77953uk1ut4n2o3ob6lcuj.example.	3600	IN	NSEC3	1 1 0 - L4MF68MPNB6I33HUASM6JQCTHICDOKVJ NS DS RRSIG
+j0ju0nb39b77953uk1ut4n2o3ob6lcuj.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. 9w2Jz2Q8gz1wq668HO4JvTs9fsus1hIhL++vpBdGPuno7hIsi5/ofEQMyYV2EmCAgPqmTTMkKg6hE/HDe6cZCg==
+l4mf68mpnb6i33huasm6jqcthicdokvj.example.	3600	IN	NSEC3	1 1 0 - LEQBS18074OORDSAMIKLIIT74PR13H2U A RRSIG
+l4mf68mpnb6i33huasm6jqcthicdokvj.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. lIKjbPh5805r3XrmY6XlFR2J7lb4JKuxMpLZKjCDoLV8F9KRoo4/0Y68yUzd/YBZUfCH9sSr32LdaXPFUwUJDg==
+leqbs18074oordsamikliit74pr13h2u.example.	3600	IN	NSEC3	1 1 0 - LIN6VFP3N1IUA8J2IEPMNKUIDHTOT2NT
+leqbs18074oordsamikliit74pr13h2u.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. +MVFlUkJ+wOTsq70vppWr+ovm9CorG0IAsn24kKT7AqMsYcF6lvUwE5u3Yj343G1C8QKwQxrg8I87HOWpk7oBQ==
+lin6vfp3n1iua8j2iepmnkuidhtot2nt.example.	3600	IN	NSEC3	1 1 0 - MPHTM83H132FQC8GSQV6BHAEJTGVTQ5E NS DS RRSIG
+lin6vfp3n1iua8j2iepmnkuidhtot2nt.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. mn+V1LOVv4OgRVGMvp8BnUBy04v2knclMZbTXWotMr5H2Tqpe05pLfhYILL7qqEssD4ru4WteIZrG8ZnOp05Cw==
+mphtm83h132fqc8gsqv6bhaejtgvtq5e.example.	3600	IN	NSEC3	1 1 0 - ONC00HA1N467P1VV3NT1R25P9LOAJ199 DNAME RRSIG
+mphtm83h132fqc8gsqv6bhaejtgvtq5e.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. Zb/KyPIzrEd/9ENj4iy1xsO1G4d96nOfL/4AgpTtzrFz7djHJyC/taHtUiTo6ncrAfb0/PN/gZz9IvE3jhDlAw==
+not-auth.example.	3600	IN	NS	ns.example.
+onc00ha1n467p1vv3nt1r25p9loaj199.example.	3600	IN	NSEC3	1 1 0 - RCL9KSE7ESB8Q84U948KUBGEKNCA4RBQ TXT RRSIG
+onc00ha1n467p1vv3nt1r25p9loaj199.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. B9nr955qY9gNZSgSD5Z9gWC0bjwlS002EGXdiCBPNB/N7S+WbioOgy05GIJQVivGN4cJq4QqfrXeTyu8IMbiDQ==
+rcl9kse7esb8q84u948kubgeknca4rbq.example.	3600	IN	NSEC3	1 1 0 - 27ILUTQTNA72N3B4QD7F1N9IP0U27RKV CNAME RRSIG
+rcl9kse7esb8q84u948kubgeknca4rbq.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. RC89MviKp3JExJhmutlyoSoxz1OjJtTb6LBydAzdbtfeGygK7qeYkpzy/Kr7F/Y93Wb2nlCJgGyY9Ea7U584CQ==
+txt.ent2nt.example.	3600	IN	RRSIG	TXT 15 3 3600 20231114221320 20200913122640 2835 example. T4aySP1d7bSYFIWyJ8ic+877Ad34Zntpqgtqqm8QZH7+VHdONArMK87K6mizPoHF9IcjS0SgTylLOMyIZr9MBw==
+txt.ent2nt.example.	3600	IN	TXT	"ENT to become NT"
+txt.ent2nt.not-auth.example.	3600	IN	TXT	"ENT to become NT"
+txt.modify.example.	3600	IN	RRSIG	TXT 15 3 3600 20231114221320 20200913122640 2835 example. uYIaNtjsI7txYRPu8RWHfAZLMXMJ9xr302HJN9F3ZzxCkJAGa0cFcwc0eJXtu0TtkvPQtFrDrMw3Skq6cdr2Aw==
+txt.modify.example.	3600	IN	TXT	"Modified zone"
+txt.modify.not-auth.example.	3600	IN	TXT	"Modified zone"
+txt.new-ent.example.	3600	IN	RRSIG	TXT 15 3 3600 20231114221320 20200913122640 2835 example. TMF0sKLrrfW/3ZQW0sCWIiWBUOe9B2tvlw7C9SzQ7YiJQNj730l84gm+xpBx+gM62iFBcdZBshAXboYEqzySDA==
+txt.new-ent.example.	3600	IN	TXT	"New authoritative ENT"
+txt.new-ent.not-auth.example.	3600	IN	TXT	"New not authoritative ENT"
diff --git a/integration-tests/incremental-signing/reference-output/incremental-signing-test1-input2.zone.nsec3.signed.sorted b/integration-tests/incremental-signing/reference-output/incremental-signing-test1-input2.zone.nsec3.signed.sorted
new file mode 100644
index 00000000..c47c8be6
--- /dev/null
+++ b/integration-tests/incremental-signing/reference-output/incremental-signing-test1-input2.zone.nsec3.signed.sorted
@@ -0,0 +1,67 @@
+27ilutqtna72n3b4qd7f1n9ip0u27rkv.example.	3600	IN	NSEC3	1 0 0 - 3MSEV9USMD4BR9S97V51R2TDVMR9IQO1 TXT RRSIG
+27ilutqtna72n3b4qd7f1n9ip0u27rkv.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. 6YaAcp3D4e1Ag8YwwHmsCTZnhmmlul/CBvCxkcp5Xhs7yf07YXbNt6ioNAZjVO5emct8RfC0ZzVKDgjjKrtfAw==
+3msev9usmd4br9s97v51r2tdvmr9iqo1.example.	3600	IN	NSEC3	1 0 0 - 42NDU2NEO9PG0NO20OPEE5GJV8BJS5ES SOA TXT RRSIG DNSKEY NSEC3PARAM
+3msev9usmd4br9s97v51r2tdvmr9iqo1.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. hfCQky8yZaYXr7B+ziHcTkkOguCEciUGS9xBH16ch3YoVZm5hB9Jl+vgQPutXdU/5XxhQxyIHrxopyqKYlNfAQ==
+42ndu2neo9pg0no20opee5gjv8bjs5es.example.	3600	IN	NSEC3	1 0 0 - 9DEVIEM4V1G0CK0GO4RV4HV8LAR6KR1G TXT RRSIG
+42ndu2neo9pg0no20opee5gjv8bjs5es.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. SnFI3uj5Nv1vPiH3NrAgka09QI5pjXaD2sQejHrtevCMCLr6eqNbLDUsu//MN6rJlhZqBmH+zd+1YMLDgIIgDA==
+9deviem4v1g0ck0go4rv4hv8lar6kr1g.example.	3600	IN	NSEC3	1 0 0 - 9UL8A946RQ5DF11M948TE451286A0ULK TXT RRSIG
+9deviem4v1g0ck0go4rv4hv8lar6kr1g.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. bMZPeXosItvkugOSdM7/nRg4fMQDAkyJIvU5U4FMYKQX9L/jBk12TNFSAdDxC81WP+thr7waEiH/n9PMTYmLBQ==
+9ul8a946rq5df11m948te451286a0ulk.example.	3600	IN	NSEC3	1 0 0 - FFCABUVK6NLQV54UEBNRE3HU2C4CM95D NS
+9ul8a946rq5df11m948te451286a0ulk.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. zXvGk/MK+tjK8+GqaUdJjUtA/BhhlRQG2FU8vjBKKpp+2lsUfXnmCf632PFu/ZfKchkIZ+bzQjsbmpyX3b/TDw==
+aaaa.modify.example.	3600	IN	AAAA	2001:db8::1
+aaaa.modify.example.	3600	IN	RRSIG	AAAA 15 3 3600 20231114221320 20200913122640 2835 example. jaZ0iZ+CHYF7t3u7f/68WqZONY1H3hoVVWSD9U9ndoY3s6t7ZjkdORnXAD9YqpG4BDfscrTE2p8TterfZD92BQ==
+aaaa.modify.not-auth.example.	3600	IN	AAAA	2001:db8::1
+a.modify.example.	3600	IN	A	192.0.2.1
+a.modify.example.	3600	IN	RRSIG	A 15 3 3600 20231114221320 20200913122640 2835 example. zzi8zBAaudH4nHnprPexIKkVt0qdMLMxN9NEk1Uh1Um90BAJORqjyrYN8fXVpLqsOLZ1pJicFLKA5XzWrk1PBw==
+a.modify.not-auth.example.	3600	IN	A	192.0.2.1
+cname.modify.example.	3600	IN	CNAME	cname-target2.example.
+cname.modify.example.	3600	IN	RRSIG	CNAME 15 3 3600 20231114221320 20200913122640 2835 example. RzMYCLMv2cVDZClmC18R7LhZ+0pMGNCyY7RNUCmQimafyadS2QyOoYKb3G5i4n6Yi74eu8ZBoMS5xp9WSANEDA==
+cname.modify.not-auth.example.	3600	IN	CNAME	cname-target2.example.
+delegation1.example.	3600	IN	DS	12345 13 253 00
+delegation1.example.	3600	IN	NS	ns.example.
+delegation1.example.	3600	IN	RRSIG	DS 15 2 3600 20231114221320 20200913122640 2835 example. EJcI7l72ZEAO6Kp5IwDkKtWuwqxeS6IIg9M6+Jb3MamNM1pSd12VgMkI6ItB321fqEjbVnrh2VEzwxiRMh3BBA==
+dname.modify.example.	3600	IN	DNAME	dname-target2.example.
+dname.modify.example.	3600	IN	RRSIG	DNAME 15 3 3600 20231114221320 20200913122640 2835 example. wBvJ3qKVTjKuTydVTEmnPv47IQ9Gs4JF8y1U0/qJ90pODlfkAUnQDDqDkDv7ZMZbV2mhPJgBH7R+MSUtPSV6Ag==
+dname.modify.not-auth.example.	3600	IN	DNAME	dname-target2.example.
+ds.new-ent.example.	3600	IN	DS	12345 13 253 01
+ds.new-ent.example.	3600	IN	NS	ns.example.
+ds.new-ent.example.	3600	IN	RRSIG	DS 15 3 3600 20231114221320 20200913122640 2835 example. ugnXumZ3uVN+dwmm93XRrQxwIwtBEedWzG7ShGRgpUcHVzeQr9DYIW+tEqx8Nf06nBBMx22hhiFS8wH1midHBA==
+ent2nt.example.	3600	IN	RRSIG	TXT 15 2 3600 20231114221320 20200913122640 2835 example. mUuqtmkeyjB15acdOBT+kmjg3g/a2KSoSOkKKLiQXPiA6wZV9dfmdMYAv0X8ywFIcJlMWO5Jk9T4abqJFfHjBw==
+ent2nt.example.	3600	IN	TXT	"was ENT, now NT"
+ent2nt.not-auth.example.	3600	IN	TXT	"was ENT, now NT"
+example.	3600	IN	DNSKEY	256 3 15 BnnbKMXdvQp2v+tzyvO/HxQGY8iYcJsWD4MN6fnr84Q=
+example.	3600	IN	NSEC3PARAM	1 0 0 -
+example.	3600	IN	RRSIG	DNSKEY 15 1 3600 20231114221320 20200913122640 2835 example. RMn96put9kteW8DjunEY3o0J7+MZlrC/zXVBU0h0gpFwjz9mrqo/1EvQUSO6faKaNLD2uhiJ9mg91Z1AQSq4AQ==
+example.	3600	IN	RRSIG	NSEC3PARAM 15 1 3600 20231114221320 20200913122640 2835 example. P2RB351zNKtTPLwcLl7L5JQQavx0p+EouCys04F9AVFfJS4VK2ddPLINAQIa5P7medk1bbcrHtWQEj9w41uiAg==
+example.	3600	IN	RRSIG	SOA 15 1 3600 20231114221320 20200913122640 2835 example. bBmNKlKLUZIRG8VveJE3bONbEq7DWywLm2wG2bRxLTTWXvX7IfLbb1RFogxT7fH0BIeyBde1azsA+/nAjUBiDg==
+example.	3600	IN	RRSIG	TXT 15 1 3600 20231114221320 20200913122640 2835 example. j8c6wYn06sejbNlk30spLVazOBmp7Xxawl2R8BbVnFtUt5p8/KTXz/7aNYqxjvO+MO+ZV/c9bZx0QAB2VwCRAA==
+example.	3600	IN	SOA	ns.example. hostmaster.example. 23456 3600 3600 86400 3600
+example.	3600	IN	TXT	"New apex record"
+ffcabuvk6nlqv54uebnre3hu2c4cm95d.example.	3600	IN	NSEC3	1 0 0 - HMTGUL15V9CLOSHQ32DRDNHH22VUSV3D AAAA RRSIG
+ffcabuvk6nlqv54uebnre3hu2c4cm95d.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. pISqmrEdDxSrJh7RpWptaquF014YgzYFc44lNzI+MW0iwVyk68Rf4osChsyF00TP+x8H7HaoO4TuHL7EgwytCg==
+hmtgul15v9closhq32drdnhh22vusv3d.example.	3600	IN	NSEC3	1 0 0 - J0JU0NB39B77953UK1UT4N2O3OB6LCUJ
+hmtgul15v9closhq32drdnhh22vusv3d.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. tuITOdxohDCg0bES+wdtltlYOn+olPstiLy6JuN6gz8chisHxXpkAykkhmW+vU/EDRHl3ycHKPNZek30qsKPCg==
+j0ju0nb39b77953uk1ut4n2o3ob6lcuj.example.	3600	IN	NSEC3	1 0 0 - L4MF68MPNB6I33HUASM6JQCTHICDOKVJ NS DS RRSIG
+j0ju0nb39b77953uk1ut4n2o3ob6lcuj.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. /GWhyng1sW7s+whFLTcTIwP1yLA4yhrwNfhNPfgl3D6Ks/P5ei/5Mnsx/9ai7nv2vc64VCiwFgQXk4GY4Bp3AA==
+l4mf68mpnb6i33huasm6jqcthicdokvj.example.	3600	IN	NSEC3	1 0 0 - LEQBS18074OORDSAMIKLIIT74PR13H2U A RRSIG
+l4mf68mpnb6i33huasm6jqcthicdokvj.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. K+YWocuGdy5ifZ/5r7Sb/hCHU1A2Y95H7r/vj7H51zV/kpqPmfJA3yGZB9/CaE2RLiJIgN+VyIV4+G+eKht5Dg==
+leqbs18074oordsamikliit74pr13h2u.example.	3600	IN	NSEC3	1 0 0 - LIN6VFP3N1IUA8J2IEPMNKUIDHTOT2NT
+leqbs18074oordsamikliit74pr13h2u.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. 262YCpbWRYklkAILcwlAJaSWQKbI9JTYaDm+gOM5yRotg6PHQNoJDT8ys/SVT38vOtFbWJtad//ZvbFAUYzMDQ==
+lin6vfp3n1iua8j2iepmnkuidhtot2nt.example.	3600	IN	NSEC3	1 0 0 - MPHTM83H132FQC8GSQV6BHAEJTGVTQ5E NS DS RRSIG
+lin6vfp3n1iua8j2iepmnkuidhtot2nt.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. PdXnlOcoifsCnbxJBFFq9/oNNKwbHMvOLf/acs1CfnFE0MZbUJ4ZdZ6yKxJ1rS8kKAqE+X03GEj1FfxB4nYpCA==
+mphtm83h132fqc8gsqv6bhaejtgvtq5e.example.	3600	IN	NSEC3	1 0 0 - ONC00HA1N467P1VV3NT1R25P9LOAJ199 DNAME RRSIG
+mphtm83h132fqc8gsqv6bhaejtgvtq5e.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. /2xnwBlQki3DFuLIm9pGUQakLEZcIJYixnT2o/p86YsbayUzEN6VXXqmv1bxsYzOmoEiOL+ottwdXviic6BqCQ==
+not-auth.example.	3600	IN	NS	ns.example.
+onc00ha1n467p1vv3nt1r25p9loaj199.example.	3600	IN	NSEC3	1 0 0 - RCL9KSE7ESB8Q84U948KUBGEKNCA4RBQ TXT RRSIG
+onc00ha1n467p1vv3nt1r25p9loaj199.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. Zu3ogmNRjxiZS+RGM1Ys9M7Jj0H1MUGqH9OAssteDjg9QbRwtIUxmVjA+KJyTnRpHWzPJeIp7vSvA+4znOnIAg==
+rcl9kse7esb8q84u948kubgeknca4rbq.example.	3600	IN	NSEC3	1 0 0 - 27ILUTQTNA72N3B4QD7F1N9IP0U27RKV CNAME RRSIG
+rcl9kse7esb8q84u948kubgeknca4rbq.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. COi1254t/IGS5EVRn8xOAu7d1nu2AZVTF/UpTm0QXci7Zl4VxHioj65g8IbrrOU/c0M1XoXuWG2+3FPHjhfRBA==
+txt.ent2nt.example.	3600	IN	RRSIG	TXT 15 3 3600 20231114221320 20200913122640 2835 example. T4aySP1d7bSYFIWyJ8ic+877Ad34Zntpqgtqqm8QZH7+VHdONArMK87K6mizPoHF9IcjS0SgTylLOMyIZr9MBw==
+txt.ent2nt.example.	3600	IN	TXT	"ENT to become NT"
+txt.ent2nt.not-auth.example.	3600	IN	TXT	"ENT to become NT"
+txt.modify.example.	3600	IN	RRSIG	TXT 15 3 3600 20231114221320 20200913122640 2835 example. uYIaNtjsI7txYRPu8RWHfAZLMXMJ9xr302HJN9F3ZzxCkJAGa0cFcwc0eJXtu0TtkvPQtFrDrMw3Skq6cdr2Aw==
+txt.modify.example.	3600	IN	TXT	"Modified zone"
+txt.modify.not-auth.example.	3600	IN	TXT	"Modified zone"
+txt.new-ent.example.	3600	IN	RRSIG	TXT 15 3 3600 20231114221320 20200913122640 2835 example. TMF0sKLrrfW/3ZQW0sCWIiWBUOe9B2tvlw7C9SzQ7YiJQNj730l84gm+xpBx+gM62iFBcdZBshAXboYEqzySDA==
+txt.new-ent.example.	3600	IN	TXT	"New authoritative ENT"
+txt.new-ent.not-auth.example.	3600	IN	TXT	"New not authoritative ENT"
diff --git a/integration-tests/incremental-signing/reference-output/incremental-signing-test2-input2.zone.nsec.signed.sorted b/integration-tests/incremental-signing/reference-output/incremental-signing-test2-input2.zone.nsec.signed.sorted
new file mode 100644
index 00000000..8e233aad
--- /dev/null
+++ b/integration-tests/incremental-signing/reference-output/incremental-signing-test2-input2.zone.nsec.signed.sorted
@@ -0,0 +1,77 @@
+3msev9usmd4br9s97v51r2tdvmr9iqo1.example.	3600	IN	NSEC	txt.ent.add.example. TXT RRSIG NSEC
+3msev9usmd4br9s97v51r2tdvmr9iqo1.example.	3600	IN	RRSIG	NSEC 15 2 3600 20231114221320 20200913122640 2835 example. VWUuLKLDh8RGF5grYWgk1gDmahzd7iAjFa9ujasFZwFcf67x4ExkjhM+hfQ5TpxZu3rbHjNiEE7qOH2YxcTiAA==
+3msev9usmd4br9s97v51r2tdvmr9iqo1.example.	3600	IN	RRSIG	TXT 15 2 3600 20231114221320 20200913122640 2835 example. uwQV+V+4An/FmhvLnmpAilSJrdfRiuXxq4QsQduhGwA6kn+F1zdP0U2iyh24Z7w2na5YIqFhHHx+CXCXNl1uBg==
+3msev9usmd4br9s97v51r2tdvmr9iqo1.example.	3600	IN	TXT	"At NSEC3 name"
+aaaa.delegation.ent.example.	3600	IN	AAAA	2001:db8::1
+aaaa.delegation.example.	3600	IN	AAAA	2001:db8::
+aaaa.ds-delegation.example.	3600	IN	AAAA	2001:db8::1
+aaaa.ds-delegation.example.	3600	IN	NSEC	txt.ent.ds-delegation.example. AAAA RRSIG NSEC
+aaaa.ds-delegation.example.	3600	IN	RRSIG	AAAA 15 3 3600 20231114221320 20200913122640 2835 example. Zbwm2ubJLrWdbWBbEEYF0OYEG6q6N12mZ304TT2l/18abaQuly7oKvy3GJDIQK952bGzGlwxC9a6D/8wZ1yoCA==
+aaaa.ds-delegation.example.	3600	IN	RRSIG	NSEC 15 3 3600 20231114221320 20200913122640 2835 example. bLmhAGuHY13TwGRDrTpvrDXEV8YuzPBN8XLXzVSkBKXONdbaM/Y4vWP3l+EiXpyt0Y3qxsj+t9hwlDcgYYH/Bg==
+a.delegation.ent.example.	3600	IN	A	192.0.2.1
+a.delegation.example.	3600	IN	A	192.0.2.0
+a.ds-delegation.example.	3600	IN	A	192.0.2.1
+a.ds-delegation.example.	3600	IN	NSEC	aaaa.ds-delegation.example. A RRSIG NSEC
+a.ds-delegation.example.	3600	IN	RRSIG	A 15 3 3600 20231114221320 20200913122640 2835 example. zdw5dDNTd+HqxcIlXaLR2IAa2+VIjg0e+AIF9O01ux9VZ5dlbayWab2Ccnk+ZmcvjpaOcRw9AdTgv2Ae6h+qCA==
+a.ds-delegation.example.	3600	IN	RRSIG	NSEC 15 3 3600 20231114221320 20200913122640 2835 example. YSBMCS+D5vtyxKd2KXEbTDu+tnULGiOPTON24m8GbkXHSzkQKe4rEdZQpaQxO2PASqZGVIhB2UT94RkXG57FAw==
+cname.delegation.example.	3600	IN	CNAME	cname-target.example.
+delegation-ds.example.	3600	IN	DS	12345 13 253 03
+delegation-ds.example.	3600	IN	NSEC	a.ds-delegation.example. NS DS RRSIG NSEC
+delegation-ds.example.	3600	IN	NS	ns2.example.
+delegation-ds.example.	3600	IN	RRSIG	DS 15 2 3600 20231114221320 20200913122640 2835 example. QWGIa9mTCi8qeu2hBgLxZSNI9/BOSJNN1SQ/WdjxaMNLJJB0J2USEr6NqtPwXY79LyhRB6TUTjJiZUd+/MzlAQ==
+delegation-ds.example.	3600	IN	RRSIG	NSEC 15 2 3600 20231114221320 20200913122640 2835 example. 1tthcU5LKoS29AufkJhVrj9oC+9Ssw1HpFGWkLnw/7UUOrieRgCTqGVRrZy14bStjS3AcLFwZ/LT1lgTYOr7BQ==
+delegation.ent.example.	3600	IN	NSEC	existing-delegation.example. NS RRSIG NSEC
+delegation.ent.example.	3600	IN	NS	ns3.example.
+delegation.ent.example.	3600	IN	RRSIG	NSEC 15 3 3600 20231114221320 20200913122640 2835 example. os/goUGe2VeM1fhwgxh9qXHvbu4SbzTizYZaQnx/i/xXiiXhIzuUVdtIcMGtM0+RTBnBGgHXeNDLvefVmV4ABg==
+delegation.example.	3600	IN	NSEC	delegation-ds.example. NS RRSIG NSEC
+delegation.example.	3600	IN	NS	ns1.example.
+delegation.example.	3600	IN	RRSIG	NSEC 15 2 3600 20231114221320 20200913122640 2835 example. 6bLF1sKvXZeaZZxe0Rdw8XwHwu2CLH5OrdUuKK+iSVlaBzEU0wdeSLlf9Dgm8YTWi2aSolV1TCZOXNgHkBFJBQ==
+dname.delegation.example.	3600	IN	DNAME	dname-target.example.
+example.	3600	IN	DNSKEY	256 3 15 BnnbKMXdvQp2v+tzyvO/HxQGY8iYcJsWD4MN6fnr84Q=
+example.	3600	IN	NSEC	3msev9usmd4br9s97v51r2tdvmr9iqo1.example. SOA RRSIG NSEC DNSKEY
+example.	3600	IN	RRSIG	DNSKEY 15 1 3600 20231114221320 20200913122640 2835 example. RMn96put9kteW8DjunEY3o0J7+MZlrC/zXVBU0h0gpFwjz9mrqo/1EvQUSO6faKaNLD2uhiJ9mg91Z1AQSq4AQ==
+example.	3600	IN	RRSIG	NSEC 15 1 3600 20231114221320 20200913122640 2835 example. LxReHqslGM/x92bpK9lghEyWYimY1xHN4XocS4txxYO5nnPX85V2ZVrvPrc28nHW1yHYmbKphdJtBvwKB83NCg==
+example.	3600	IN	RRSIG	SOA 15 1 3600 20231114221320 20200913122640 2835 example. bBmNKlKLUZIRG8VveJE3bONbEq7DWywLm2wG2bRxLTTWXvX7IfLbb1RFogxT7fH0BIeyBde1azsA+/nAjUBiDg==
+example.	3600	IN	SOA	ns.example. hostmaster.example. 23456 3600 3600 86400 3600
+existing-delegation.example.	3600	IN	NSEC	new-delegation.example. NS RRSIG NSEC
+existing-delegation.example.	3600	IN	NS	ns1.example.
+existing-delegation.example.	3600	IN	RRSIG	NSEC 15 2 3600 20231114221320 20200913122640 2835 example. EltRilU2QK9eSiLcctMHHSe81nrrsgPgpPG7qjs7iU/8jRlg5F63Mg7MyBTn2gcsAOuC4e+g6X0P2Q3FQJ5lDQ==
+new-delegation.example.	3600	IN	NSEC	qitpxpm.example. NS RRSIG NSEC
+new-delegation.example.	3600	IN	NS	ns3.example.
+new-delegation.example.	3600	IN	RRSIG	NSEC 15 2 3600 20231114221320 20200913122640 2835 example. ZAQDo2aLbXGNcF3aprf0kH4CfDfbeA0i1pwBwpu4VEXNvEdT5als3jgAzmfSnuTWFJnzLouWKmAWcZm8HPALBA==
+occluded.existing-delegation.example.	3600	IN	DS	12345 13 253 04
+occluded.existing-delegation.example.	3600	IN	NS	ns2.example.
+qitpxpm.example.	3600	IN	NSEC	syogkgc.example. TXT RRSIG NSEC
+qitpxpm.example.	3600	IN	RRSIG	NSEC 15 2 3600 20231114221320 20200913122640 2835 example. 7FC6pgENSHpfFET24gJtXgKOLdaLe8aKRfmnMuW24Fsv8mJdySFWlR9Q8L9x+CeHTazuWZ4J//G+HoE5w1qZCg==
+qitpxpm.example.	3600	IN	RRSIG	TXT 15 2 3600 20231114221320 20200913122640 2835 example. km6M81Y4PDdQoicv7nMO1KDHcCrNhPEMNq25EZ3PGjGtwj9M86ziNSVXcHj788K85HJQidHkKQMbqxEJYxTqBA==
+qitpxpm.example.	3600	IN	TXT	"new first NSEC3 hash"
+syogkgc.example.	3600	IN	NSEC	zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.example. TXT RRSIG NSEC
+syogkgc.example.	3600	IN	RRSIG	NSEC 15 2 3600 20231114221320 20200913122640 2835 example. 08h6QbWqScMPxDRsfMFbJELDlVpHL2ewPC+5dMHYJR5NRcY/vjwvmt1pvyljKf12f354gVgao9pI7CRyJv26Dw==
+syogkgc.example.	3600	IN	RRSIG	TXT 15 2 3600 20231114221320 20200913122640 2835 example. kvEEC1BFJ4sfp3jlAwzrqRlehU/OxLCru123mBojcY47Jy0bzclUWqVUOEXowLtPyPISlc6GYbgRbLndlJUjCQ==
+syogkgc.example.	3600	IN	TXT	"new last NSEC3 hash"
+to-be-occluded.new-delegation.example.	3600	IN	DS	12345 13 253 05
+to-be-occluded.new-delegation.example.	3600	IN	NS	ns4.example.
+txt.add.example.	3600	IN	NSEC	delegation.example. TXT RRSIG NSEC
+txt.add.example.	3600	IN	RRSIG	NSEC 15 3 3600 20231114221320 20200913122640 2835 example. q33pcv7Ux7n59r2KsIXsr36oRywF5Q3lPNCuQi+44T/TVyGuURJgLr9RYxnOff6ufWr2MTgjtWKdw2d6OrplDw==
+txt.add.example.	3600	IN	RRSIG	TXT 15 3 3600 20231114221320 20200913122640 2835 example. IMXtwJrrNyIwGJsdYyKkRXF4IwdZlT/Azc8jnmaKoG/dOqfzmCtbbVTgiZTxuLmXzVDSRZX4PWTDGXPXWmn4BQ==
+txt.add.example.	3600	IN	TXT	"New name and RRset"
+txt.delegation.ent.example.	3600	IN	TXT	"TXT not-below/below delegation"
+txt.delegation.example.	3600	IN	TXT	"TXT not-below/below delegation"
+txt.ds-delegation.example.	3600	IN	NSEC	delegation.ent.example. TXT RRSIG NSEC
+txt.ds-delegation.example.	3600	IN	RRSIG	NSEC 15 3 3600 20231114221320 20200913122640 2835 example. y/j50NfC2uLn36baf6LjYleVjVeaKgpQPwhkLrk9lEkP2bpAUkQZC1Vx/JH/e0PlzN3QakCJLEY2OKeDveeODA==
+txt.ds-delegation.example.	3600	IN	RRSIG	TXT 15 3 3600 20231114221320 20200913122640 2835 example. sB4znen/9vniVltQ/45rCZxUCNQ2VuVONM582yaU+VTCHqBxcYWBhOZ9jPv3pgV93kuLcUIRS8DVNDIFESJGAA==
+txt.ds-delegation.example.	3600	IN	TXT	"TXT not-below/below delegation"
+txt.ent.add.example.	3600	IN	NSEC	txt.add.example. TXT RRSIG NSEC
+txt.ent.add.example.	3600	IN	RRSIG	NSEC 15 4 3600 20231114221320 20200913122640 2835 example. EzQrccDzd8aY5QW1RFfXch0CkzgNm855aeI3EceGQMgaIcgcg/aWwc9jvAsqnK+WzXMGY+A2JrrNL2y8CHyZDQ==
+txt.ent.add.example.	3600	IN	RRSIG	TXT 15 4 3600 20231114221320 20200913122640 2835 example. BPfdNFmSA0wb++38mNQtjmaXumHS5Fx+9hmUa7RywPbfU1uu7nCfFAdeGOlmgrUL5WtmeTvNNbR7UzZMoSJWBQ==
+txt.ent.add.example.	3600	IN	TXT	"New name and RRset with ENT"
+txt.ent.delegation.ent.example.	3600	IN	TXT	"TXT not-below/below delegation with ENT"
+txt.ent.delegation.example.	3600	IN	TXT	"TXT not-below/below delegation with ENT"
+txt.ent.ds-delegation.example.	3600	IN	NSEC	txt.ds-delegation.example. TXT RRSIG NSEC
+txt.ent.ds-delegation.example.	3600	IN	RRSIG	NSEC 15 4 3600 20231114221320 20200913122640 2835 example. V9QuWYA5UkrFE0xbPPOqesagOhTbcRvKF/5LHIpHBFY6KcFSqOrZiUsy6lTdb7xZDOCyL/8FIU8n+98rAXJpCA==
+txt.ent.ds-delegation.example.	3600	IN	RRSIG	TXT 15 4 3600 20231114221320 20200913122640 2835 example. Vh4XGQIU6puRdejkYTfmJOuJ2DBFdlxEGMjHoDNykw5yW0UEB1MBQM/yExwOmUOCupsfUcPzYjiLaq9sDguAAQ==
+txt.ent.ds-delegation.example.	3600	IN	TXT	"TXT not-below/below delegation with ENT"
+zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.example.	3600	IN	NSEC	example. TXT RRSIG NSEC
+zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.example.	3600	IN	RRSIG	NSEC 15 2 3600 20231114221320 20200913122640 2835 example. AgaMQSxYZO85kqB4GCO1C8c1yQYjIQ5MIxjVOtQFF0o4Peb+C3jDr8j7N1mMNRHYhYrsttj1m4C1zfpZEuUgAg==
+zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.example.	3600	IN	RRSIG	TXT 15 2 3600 20231114221320 20200913122640 2835 example. ZZ3iuui2JD8U9BF1AkUyJMxRkdnyi079sPuyQYcVJ/kLaXBfGffp7JzEHz0FXadC4OdKAv9tQ7I4rS45k9d3CQ==
+zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.example.	3600	IN	TXT	"Last"
diff --git a/integration-tests/incremental-signing/reference-output/incremental-signing-test2-input2.zone.nsec3-opt-out.signed.sorted b/integration-tests/incremental-signing/reference-output/incremental-signing-test2-input2.zone.nsec3-opt-out.signed.sorted
new file mode 100644
index 00000000..1b9894c6
--- /dev/null
+++ b/integration-tests/incremental-signing/reference-output/incremental-signing-test2-input2.zone.nsec3-opt-out.signed.sorted
@@ -0,0 +1,79 @@
+000000kqrttushp6q101dur3od76sjl5.example.	3600	IN	NSEC3	1 1 0 - 1ICM6A4EFJBIVALABS3RVFCK0ONCRSK4 TXT RRSIG
+000000kqrttushp6q101dur3od76sjl5.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. b9uxEdqXbiViEpWrryW1NDSGC8PRvYrZNaAl8dkMhnGlSa9+oEq3LhDPCpw2ZicNufUMlCuwYZafyF1tyB9PDA==
+1icm6a4efjbivalabs3rvfck0oncrsk4.example.	3600	IN	NSEC3	1 1 0 - 3MSEV9USMD4BR9S97V51R2TDVMR9IQO1 TXT RRSIG
+1icm6a4efjbivalabs3rvfck0oncrsk4.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. qc1j07aJPFKGisKseSNmcMFteHReRO8keOoFnQsZ13ycpMImYHFw0lUBqvxWcCciZFg+tqm+IvPfh+Z0fY4pDw==
+3msev9usmd4br9s97v51r2tdvmr9iqo1.example.	3600	IN	NSEC3	1 1 0 - 5FS5CIQJCTH0TJA38UV0ALJQK6RCGR9E SOA RRSIG DNSKEY NSEC3PARAM
+3msev9usmd4br9s97v51r2tdvmr9iqo1.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. 2vCB68mk0qCmiqal/+xaB/4nlj8lnrebALcQGJcigZ6H9M73K+wKCLrUFSH5mGfb+Kpf4zPWNbOYFo31tmdQDw==
+3msev9usmd4br9s97v51r2tdvmr9iqo1.example.	3600	IN	RRSIG	TXT 15 2 3600 20231114221320 20200913122640 2835 example. uwQV+V+4An/FmhvLnmpAilSJrdfRiuXxq4QsQduhGwA6kn+F1zdP0U2iyh24Z7w2na5YIqFhHHx+CXCXNl1uBg==
+3msev9usmd4br9s97v51r2tdvmr9iqo1.example.	3600	IN	TXT	"At NSEC3 name"
+5fs5ciqjcth0tja38uv0aljqk6rcgr9e.example.	3600	IN	NSEC3	1 1 0 - 9LD84QTATMM054KFKS4DKCHTJPBCV0GU
+5fs5ciqjcth0tja38uv0aljqk6rcgr9e.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. LGspD8tijQbZ25Qz3Owdb7AMSAEusULR2OumugKMyNJSCnFpKCBpqblzujR6C10NjcIO35zbxIYMI2X0ZfqzAA==
+9ld84qtatmm054kfks4dkchtjpbcv0gu.example.	3600	IN	NSEC3	1 1 0 - CDVM5167K7H0DLEVVDMR9N1NI9MM1PFS
+9ld84qtatmm054kfks4dkchtjpbcv0gu.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. /UyPUzJIsutYKRPlFkR3d5xWt8QqItdc82MkdY2HYsrvmFOINn9OwtC+dWH+k0gTRNnISQZ9lkwxr7oEnGbfBg==
+aaaa.delegation.ent.example.	3600	IN	AAAA	2001:db8::1
+aaaa.delegation.example.	3600	IN	AAAA	2001:db8::
+aaaa.ds-delegation.example.	3600	IN	AAAA	2001:db8::1
+aaaa.ds-delegation.example.	3600	IN	RRSIG	AAAA 15 3 3600 20231114221320 20200913122640 2835 example. Zbwm2ubJLrWdbWBbEEYF0OYEG6q6N12mZ304TT2l/18abaQuly7oKvy3GJDIQK952bGzGlwxC9a6D/8wZ1yoCA==
+a.delegation.ent.example.	3600	IN	A	192.0.2.1
+a.delegation.example.	3600	IN	A	192.0.2.0
+a.ds-delegation.example.	3600	IN	A	192.0.2.1
+a.ds-delegation.example.	3600	IN	RRSIG	A 15 3 3600 20231114221320 20200913122640 2835 example. zdw5dDNTd+HqxcIlXaLR2IAa2+VIjg0e+AIF9O01ux9VZ5dlbayWab2Ccnk+ZmcvjpaOcRw9AdTgv2Ae6h+qCA==
+cdvm5167k7h0dlevvdmr9n1ni9mm1pfs.example.	3600	IN	NSEC3	1 1 0 - FOMV2BK1GF4G9UGEAVBBM8FKQN0NCPK1 A RRSIG
+cdvm5167k7h0dlevvdmr9n1ni9mm1pfs.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. UFp4wF8Sdf7Aq6A++bDN56wxJmAuN5+bZ0L7GN+zZyqR5Q7grPQkFy+PMZ3KF3LdeMvMbt4dgGM7QbztRwkkBg==
+cname.delegation.example.	3600	IN	CNAME	cname-target.example.
+delegation-ds.example.	3600	IN	DS	12345 13 253 03
+delegation-ds.example.	3600	IN	NS	ns2.example.
+delegation-ds.example.	3600	IN	RRSIG	DS 15 2 3600 20231114221320 20200913122640 2835 example. QWGIa9mTCi8qeu2hBgLxZSNI9/BOSJNN1SQ/WdjxaMNLJJB0J2USEr6NqtPwXY79LyhRB6TUTjJiZUd+/MzlAQ==
+delegation.ent.example.	3600	IN	NS	ns3.example.
+delegation.example.	3600	IN	NS	ns1.example.
+dname.delegation.example.	3600	IN	DNAME	dname-target.example.
+example.	3600	IN	DNSKEY	256 3 15 BnnbKMXdvQp2v+tzyvO/HxQGY8iYcJsWD4MN6fnr84Q=
+example.	3600	IN	NSEC3PARAM	1 1 0 -
+example.	3600	IN	RRSIG	DNSKEY 15 1 3600 20231114221320 20200913122640 2835 example. RMn96put9kteW8DjunEY3o0J7+MZlrC/zXVBU0h0gpFwjz9mrqo/1EvQUSO6faKaNLD2uhiJ9mg91Z1AQSq4AQ==
+example.	3600	IN	RRSIG	NSEC3PARAM 15 1 3600 20231114221320 20200913122640 2835 example. Ladx6ZxxaehBhStbVOWTLQIsX0nrQmRyi6IHL4ClapIJfHMG0/w9xxE2/8kp5JRHhYNHBwFQ5g6djBBdVELvCA==
+example.	3600	IN	RRSIG	SOA 15 1 3600 20231114221320 20200913122640 2835 example. bBmNKlKLUZIRG8VveJE3bONbEq7DWywLm2wG2bRxLTTWXvX7IfLbb1RFogxT7fH0BIeyBde1azsA+/nAjUBiDg==
+example.	3600	IN	SOA	ns.example. hostmaster.example. 23456 3600 3600 86400 3600
+existing-delegation.example.	3600	IN	NS	ns1.example.
+fomv2bk1gf4g9ugeavbbm8fkqn0ncpk1.example.	3600	IN	NSEC3	1 1 0 - KF1RHNB70EVBRF0851AE7GAA6FKVKDBJ AAAA RRSIG
+fomv2bk1gf4g9ugeavbbm8fkqn0ncpk1.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. rItXaCipnqujRXxPGbRco3JQ7919gWedh5GSIPD2s1GuGjGy6x0a1uEOAre9irEEnCps+h6ToUGYN0D+TrJ6DQ==
+kf1rhnb70evbrf0851ae7gaa6fkvkdbj.example.	3600	IN	NSEC3	1 1 0 - LCUVQLGRIAFC39QPRHC5GMTBLDCU7TK3 NS DS RRSIG
+kf1rhnb70evbrf0851ae7gaa6fkvkdbj.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. ZxMBlmISB6hZ4suT7IIiVjv7Nqq8URby+37nHasZo3LEYdborrD8IgVODbFyUpESQ9+ReZN8DyXQln4aHRnzDQ==
+lcuvqlgriafc39qprhc5gmtbldcu7tk3.example.	3600	IN	NSEC3	1 1 0 - NB22B13GH9L3RNER49Q4QTRBAU21CG8D TXT RRSIG
+lcuvqlgriafc39qprhc5gmtbldcu7tk3.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. /dCCMgPuGR9A2E7VMR0WMSHkaTGa5SEeVlFpvsNjkgay5hA1aI8hf+9bBzcX6vfZGUQJUO/XWX12Se5fUJ+XBw==
+nb22b13gh9l3rner49q4qtrbau21cg8d.example.	3600	IN	NSEC3	1 1 0 - NLI1QRN7KP2HF49T6LQ4M5SULQQ9PG9C TXT RRSIG
+nb22b13gh9l3rner49q4qtrbau21cg8d.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. yeumXmGvLfsPKnRtgtSYIm6QlThVfPkHKnbxr01z4r7xVWOPyPChd+4Ry8WIniso73wen2ID6pMgrANKtuuHDA==
+new-delegation.example.	3600	IN	NS	ns3.example.
+nli1qrn7kp2hf49t6lq4m5sulqq9pg9c.example.	3600	IN	NSEC3	1 1 0 - NPDC8R738P9834GTDPT4P9I26KGQUSBI
+nli1qrn7kp2hf49t6lq4m5sulqq9pg9c.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. dAnrb/Prawd2bg2brv9Rc30h63KP4awT/JkSD+eRbA+izbhN548G0VgjSVvK462QIrOkE/QH0WY0RmbnmeKmAA==
+npdc8r738p9834gtdpt4p9i26kgqusbi.example.	3600	IN	NSEC3	1 1 0 - REQ6PEC2CGGF6K9IVFB3NPNJVHEH89TG
+npdc8r738p9834gtdpt4p9i26kgqusbi.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. 42Mp3U5oqtttT/R8ZdTY22N9PgveAKkYtNstGXtu82bKbmDcgBDBjPTn6P73rBjhIn6RRUh86o/ML7DxZAEGCQ==
+occluded.existing-delegation.example.	3600	IN	DS	12345 13 253 04
+occluded.existing-delegation.example.	3600	IN	NS	ns2.example.
+qitpxpm.example.	3600	IN	RRSIG	TXT 15 2 3600 20231114221320 20200913122640 2835 example. km6M81Y4PDdQoicv7nMO1KDHcCrNhPEMNq25EZ3PGjGtwj9M86ziNSVXcHj788K85HJQidHkKQMbqxEJYxTqBA==
+qitpxpm.example.	3600	IN	TXT	"new first NSEC3 hash"
+req6pec2cggf6k9ivfb3npnjvheh89tg.example.	3600	IN	NSEC3	1 1 0 - RMG74O51HREJ2V8S5QE1Q5KKALUKR2IS TXT RRSIG
+req6pec2cggf6k9ivfb3npnjvheh89tg.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. CtDqA3o2m05QO+b78haA24hmSz+lpfk1PrK+GgGK4GstDEW0sFbo/LLegPYrAZYnm5rYPRevD5zm0sYWR40zCw==
+rmg74o51hrej2v8s5qe1q5kkalukr2is.example.	3600	IN	NSEC3	1 1 0 - U3RFK5PN7E74K2EGQKSJ22EVJNK4U3IC TXT RRSIG
+rmg74o51hrej2v8s5qe1q5kkalukr2is.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. RzjQLVKrtMd4j09RTb960T+zgQahQVpjsZ2p7hNJD3cXMct4Lkt62IjgL3OuDLBFIRmUGzNJRFsZGSmsWgKWDg==
+syogkgc.example.	3600	IN	RRSIG	TXT 15 2 3600 20231114221320 20200913122640 2835 example. kvEEC1BFJ4sfp3jlAwzrqRlehU/OxLCru123mBojcY47Jy0bzclUWqVUOEXowLtPyPISlc6GYbgRbLndlJUjCQ==
+syogkgc.example.	3600	IN	TXT	"new last NSEC3 hash"
+to-be-occluded.new-delegation.example.	3600	IN	DS	12345 13 253 05
+to-be-occluded.new-delegation.example.	3600	IN	NS	ns4.example.
+txt.add.example.	3600	IN	RRSIG	TXT 15 3 3600 20231114221320 20200913122640 2835 example. IMXtwJrrNyIwGJsdYyKkRXF4IwdZlT/Azc8jnmaKoG/dOqfzmCtbbVTgiZTxuLmXzVDSRZX4PWTDGXPXWmn4BQ==
+txt.add.example.	3600	IN	TXT	"New name and RRset"
+txt.delegation.ent.example.	3600	IN	TXT	"TXT not-below/below delegation"
+txt.delegation.example.	3600	IN	TXT	"TXT not-below/below delegation"
+txt.ds-delegation.example.	3600	IN	RRSIG	TXT 15 3 3600 20231114221320 20200913122640 2835 example. sB4znen/9vniVltQ/45rCZxUCNQ2VuVONM582yaU+VTCHqBxcYWBhOZ9jPv3pgV93kuLcUIRS8DVNDIFESJGAA==
+txt.ds-delegation.example.	3600	IN	TXT	"TXT not-below/below delegation"
+txt.ent.add.example.	3600	IN	RRSIG	TXT 15 4 3600 20231114221320 20200913122640 2835 example. BPfdNFmSA0wb++38mNQtjmaXumHS5Fx+9hmUa7RywPbfU1uu7nCfFAdeGOlmgrUL5WtmeTvNNbR7UzZMoSJWBQ==
+txt.ent.add.example.	3600	IN	TXT	"New name and RRset with ENT"
+txt.ent.delegation.ent.example.	3600	IN	TXT	"TXT not-below/below delegation with ENT"
+txt.ent.delegation.example.	3600	IN	TXT	"TXT not-below/below delegation with ENT"
+txt.ent.ds-delegation.example.	3600	IN	RRSIG	TXT 15 4 3600 20231114221320 20200913122640 2835 example. Vh4XGQIU6puRdejkYTfmJOuJ2DBFdlxEGMjHoDNykw5yW0UEB1MBQM/yExwOmUOCupsfUcPzYjiLaq9sDguAAQ==
+txt.ent.ds-delegation.example.	3600	IN	TXT	"TXT not-below/below delegation with ENT"
+u3rfk5pn7e74k2egqksj22evjnk4u3ic.example.	3600	IN	NSEC3	1 1 0 - VVVVVV7JIBEHNDFRSTRR0NQ4TCS5N69S TXT RRSIG
+u3rfk5pn7e74k2egqksj22evjnk4u3ic.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. Op/PHNC2DFWEPR4PP8REQgc7z8e3nb7+N7QTZdYFxxAddsCI6HMR8ACdapCDm/0oqRpf2x5ohNtudTuypwsyCg==
+vvvvvv7jibehndfrstrr0nq4tcs5n69s.example.	3600	IN	NSEC3	1 1 0 - 000000KQRTTUSHP6Q101DUR3OD76SJL5 TXT RRSIG
+vvvvvv7jibehndfrstrr0nq4tcs5n69s.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. SD/aIooxDyEuMmAGSNINybnqEpEgr21O2xDttMZPMkg+iPSZpvUCfM1OVBPoUB2YPCW5KlxN+bsUEihqRobCBw==
+zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.example.	3600	IN	RRSIG	TXT 15 2 3600 20231114221320 20200913122640 2835 example. ZZ3iuui2JD8U9BF1AkUyJMxRkdnyi079sPuyQYcVJ/kLaXBfGffp7JzEHz0FXadC4OdKAv9tQ7I4rS45k9d3CQ==
+zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.example.	3600	IN	TXT	"Last"
diff --git a/integration-tests/incremental-signing/reference-output/incremental-signing-test2-input2.zone.nsec3.signed.sorted b/integration-tests/incremental-signing/reference-output/incremental-signing-test2-input2.zone.nsec3.signed.sorted
new file mode 100644
index 00000000..01e2cd6e
--- /dev/null
+++ b/integration-tests/incremental-signing/reference-output/incremental-signing-test2-input2.zone.nsec3.signed.sorted
@@ -0,0 +1,89 @@
+000000kqrttushp6q101dur3od76sjl5.example.	3600	IN	NSEC3	1 0 0 - 1ICM6A4EFJBIVALABS3RVFCK0ONCRSK4 TXT RRSIG
+000000kqrttushp6q101dur3od76sjl5.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. bxZx55NhxJse58fvCZIrEdhReGrZSdsLZcEFxyx0BoAXIW7mTHIxSUXqVGXPSMRyeLSzTKIf92Nuj2+blLwtCw==
+1icm6a4efjbivalabs3rvfck0oncrsk4.example.	3600	IN	NSEC3	1 0 0 - 3MSEV9USMD4BR9S97V51R2TDVMR9IQO1 TXT RRSIG
+1icm6a4efjbivalabs3rvfck0oncrsk4.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. RSbkXZr3N96gnsRwRfGlaKitMNYH2swVMLtaiuxDwbonwAQSfM6vtTUTtQbOkKL5XiZB2utEfcABRepOJVlVBw==
+3msev9usmd4br9s97v51r2tdvmr9iqo1.example.	3600	IN	NSEC3	1 0 0 - 5FS5CIQJCTH0TJA38UV0ALJQK6RCGR9E SOA RRSIG DNSKEY NSEC3PARAM
+3msev9usmd4br9s97v51r2tdvmr9iqo1.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. kvtFJQLY45V2qzUw8eCJFm7ncg2UkmWvHi3V0qplEy13vinf2lnF2vF+3zBm58YVwyG3n6XPvG/F7YmvLSv2BA==
+3msev9usmd4br9s97v51r2tdvmr9iqo1.example.	3600	IN	RRSIG	TXT 15 2 3600 20231114221320 20200913122640 2835 example. uwQV+V+4An/FmhvLnmpAilSJrdfRiuXxq4QsQduhGwA6kn+F1zdP0U2iyh24Z7w2na5YIqFhHHx+CXCXNl1uBg==
+3msev9usmd4br9s97v51r2tdvmr9iqo1.example.	3600	IN	TXT	"At NSEC3 name"
+5fs5ciqjcth0tja38uv0aljqk6rcgr9e.example.	3600	IN	NSEC3	1 0 0 - 5GSGIGBJTE630TE7FTAONRHCJ2NPQEN3
+5fs5ciqjcth0tja38uv0aljqk6rcgr9e.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. gQlliRns/Oyuoaj0288Qbmpm9dmfEfgHa+ysUnkXhyBZWZ0Y7fBabcTvRlpJe6TN5ba81gmgMTiVWyfGZPIIDw==
+5gsgigbjte630te7ftaonrhcj2npqen3.example.	3600	IN	NSEC3	1 0 0 - 6USSDCGQE23TQD0I1AP0OEETV4U0U5MR NS
+5gsgigbjte630te7ftaonrhcj2npqen3.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. 8pk8w1ITyZus0f9/UVMaj3AK6OZcTViMkUR/i6Bk5/nkzVwjcSQwLli5oDwu7jjYmGIoOtTIJmbsBRhMe9pfBw==
+6ussdcgqe23tqd0i1ap0oeetv4u0u5mr.example.	3600	IN	NSEC3	1 0 0 - 9LD84QTATMM054KFKS4DKCHTJPBCV0GU NS
+6ussdcgqe23tqd0i1ap0oeetv4u0u5mr.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. g4JGDma+6n0xz5Gv01xU2HSFe5nlEaQonZ2XD8bysYCeslt8b2gcUw4xIpWfl8sG8xne4BA6uXph69RshgiyCQ==
+9ld84qtatmm054kfks4dkchtjpbcv0gu.example.	3600	IN	NSEC3	1 0 0 - CBHSLDD1T27N54NJE8SI3VM378NKR151
+9ld84qtatmm054kfks4dkchtjpbcv0gu.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. Twv0JpUKBHqOFc3TT8LFreRD1pZz4gqO8qQvznnaYnAm2cPhslBFDiywgeRG+qgmcc8G6Qixbh6iZ4m92UA2Cw==
+aaaa.delegation.ent.example.	3600	IN	AAAA	2001:db8::1
+aaaa.delegation.example.	3600	IN	AAAA	2001:db8::
+aaaa.ds-delegation.example.	3600	IN	AAAA	2001:db8::1
+aaaa.ds-delegation.example.	3600	IN	RRSIG	AAAA 15 3 3600 20231114221320 20200913122640 2835 example. Zbwm2ubJLrWdbWBbEEYF0OYEG6q6N12mZ304TT2l/18abaQuly7oKvy3GJDIQK952bGzGlwxC9a6D/8wZ1yoCA==
+a.delegation.ent.example.	3600	IN	A	192.0.2.1
+a.delegation.example.	3600	IN	A	192.0.2.0
+a.ds-delegation.example.	3600	IN	A	192.0.2.1
+a.ds-delegation.example.	3600	IN	RRSIG	A 15 3 3600 20231114221320 20200913122640 2835 example. zdw5dDNTd+HqxcIlXaLR2IAa2+VIjg0e+AIF9O01ux9VZ5dlbayWab2Ccnk+ZmcvjpaOcRw9AdTgv2Ae6h+qCA==
+cbhsldd1t27n54nje8si3vm378nkr151.example.	3600	IN	NSEC3	1 0 0 - CDVM5167K7H0DLEVVDMR9N1NI9MM1PFS NS
+cbhsldd1t27n54nje8si3vm378nkr151.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. f/Pvoqo1e1p01S39BpbHXxe0ghYYfcARFxg2F5vIJxx+RumCTs6yO1+/8r+2/mPCXpmtFML2fz01e1L/puUmCQ==
+cdvm5167k7h0dlevvdmr9n1ni9mm1pfs.example.	3600	IN	NSEC3	1 0 0 - E8R6DJDM0DOJ852N8R6453RRS2FPR32L A RRSIG
+cdvm5167k7h0dlevvdmr9n1ni9mm1pfs.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. u/gWvx/DTC/pNKZl3bp76K4icr2gEl/8x73T/afWFlvnNOaatrOJudBiR6M/1wNna9VZnvN5t3QnfOcsBJEeBg==
+cname.delegation.example.	3600	IN	CNAME	cname-target.example.
+delegation-ds.example.	3600	IN	DS	12345 13 253 03
+delegation-ds.example.	3600	IN	NS	ns2.example.
+delegation-ds.example.	3600	IN	RRSIG	DS 15 2 3600 20231114221320 20200913122640 2835 example. QWGIa9mTCi8qeu2hBgLxZSNI9/BOSJNN1SQ/WdjxaMNLJJB0J2USEr6NqtPwXY79LyhRB6TUTjJiZUd+/MzlAQ==
+delegation.ent.example.	3600	IN	NS	ns3.example.
+delegation.example.	3600	IN	NS	ns1.example.
+dname.delegation.example.	3600	IN	DNAME	dname-target.example.
+e8r6djdm0doj852n8r6453rrs2fpr32l.example.	3600	IN	NSEC3	1 0 0 - FOMV2BK1GF4G9UGEAVBBM8FKQN0NCPK1 NS
+e8r6djdm0doj852n8r6453rrs2fpr32l.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. SNgH28ipO1ZsRKGqizlq1Wlvn/0jS5xwC7e2xniP5+8bWvDbqoNgG2I1ao4110oHwh+DByEo8V7CQ1jvb7isCg==
+example.	3600	IN	DNSKEY	256 3 15 BnnbKMXdvQp2v+tzyvO/HxQGY8iYcJsWD4MN6fnr84Q=
+example.	3600	IN	NSEC3PARAM	1 0 0 -
+example.	3600	IN	RRSIG	DNSKEY 15 1 3600 20231114221320 20200913122640 2835 example. RMn96put9kteW8DjunEY3o0J7+MZlrC/zXVBU0h0gpFwjz9mrqo/1EvQUSO6faKaNLD2uhiJ9mg91Z1AQSq4AQ==
+example.	3600	IN	RRSIG	NSEC3PARAM 15 1 3600 20231114221320 20200913122640 2835 example. P2RB351zNKtTPLwcLl7L5JQQavx0p+EouCys04F9AVFfJS4VK2ddPLINAQIa5P7medk1bbcrHtWQEj9w41uiAg==
+example.	3600	IN	RRSIG	SOA 15 1 3600 20231114221320 20200913122640 2835 example. bBmNKlKLUZIRG8VveJE3bONbEq7DWywLm2wG2bRxLTTWXvX7IfLbb1RFogxT7fH0BIeyBde1azsA+/nAjUBiDg==
+example.	3600	IN	SOA	ns.example. hostmaster.example. 23456 3600 3600 86400 3600
+existing-delegation.example.	3600	IN	NS	ns1.example.
+fomv2bk1gf4g9ugeavbbm8fkqn0ncpk1.example.	3600	IN	NSEC3	1 0 0 - KF1RHNB70EVBRF0851AE7GAA6FKVKDBJ AAAA RRSIG
+fomv2bk1gf4g9ugeavbbm8fkqn0ncpk1.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. GJFMtlnJgtiVk9LFJ4HlqPxJnNUxnbfB+si8Umnc3iUmVi667FMTdcEQ8bCUlJL9vyNPvursUrHZjOHvHijFBA==
+kf1rhnb70evbrf0851ae7gaa6fkvkdbj.example.	3600	IN	NSEC3	1 0 0 - LCUVQLGRIAFC39QPRHC5GMTBLDCU7TK3 NS DS RRSIG
+kf1rhnb70evbrf0851ae7gaa6fkvkdbj.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. FqNUMDNvj3/LIn2SNgH4fWSJ4bWSq2aJgaMQH46pSGI2SR1NvsSzfbhsdMzReKnWRfbACbjmPxJbKX0tRcQLAg==
+lcuvqlgriafc39qprhc5gmtbldcu7tk3.example.	3600	IN	NSEC3	1 0 0 - N3MIVJM8DKLOBH7R7F4RD46CG6F4STOM TXT RRSIG
+lcuvqlgriafc39qprhc5gmtbldcu7tk3.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. b7J169WNmEo+VRop2aO2oyEqodSXDCNAPz7/xCJvkAjR5gyeoQ7la09vH2BLVIlLeD9t0zNeKQ9mhJUKL0gmCQ==
+n3mivjm8dklobh7r7f4rd46cg6f4stom.example.	3600	IN	NSEC3	1 0 0 - NB22B13GH9L3RNER49Q4QTRBAU21CG8D
+n3mivjm8dklobh7r7f4rd46cg6f4stom.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. G+tWU5pduE+Svo7jNJhUVIDVG1+DOClZtIBTEhDwXKVq1cWIWcMtdq1V8dV8LV/VY6mOHV1p+jyFxgQhAC3vDA==
+nb22b13gh9l3rner49q4qtrbau21cg8d.example.	3600	IN	NSEC3	1 0 0 - NLI1QRN7KP2HF49T6LQ4M5SULQQ9PG9C TXT RRSIG
+nb22b13gh9l3rner49q4qtrbau21cg8d.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. GMFBzJRMktBYw7x5+KkQ/+9MJ31Bz96dWp/Qu/ef4wLFIO2gVq7ho44QGbVqm1SpZtfYL0+rIFRILOTDNeLxAA==
+new-delegation.example.	3600	IN	NS	ns3.example.
+nli1qrn7kp2hf49t6lq4m5sulqq9pg9c.example.	3600	IN	NSEC3	1 0 0 - NPDC8R738P9834GTDPT4P9I26KGQUSBI
+nli1qrn7kp2hf49t6lq4m5sulqq9pg9c.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. sGx3/5oxAZj1mEJxYopiv/Pv+HWlf8gEImv0QvFEAWNlmASyUljb+GuXiHxhzX/b80pMCkB1gqCv73bIGb15Dg==
+npdc8r738p9834gtdpt4p9i26kgqusbi.example.	3600	IN	NSEC3	1 0 0 - REQ6PEC2CGGF6K9IVFB3NPNJVHEH89TG
+npdc8r738p9834gtdpt4p9i26kgqusbi.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. atrERudGbRHFfmbZ+G5ItgR8GE2PSLzhfB8XUZXuVCNfLRNiJ6udCY6+1IIMCCLDzA8zB53r9oysfXex6vavAQ==
+occluded.existing-delegation.example.	3600	IN	DS	12345 13 253 04
+occluded.existing-delegation.example.	3600	IN	NS	ns2.example.
+qitpxpm.example.	3600	IN	RRSIG	TXT 15 2 3600 20231114221320 20200913122640 2835 example. km6M81Y4PDdQoicv7nMO1KDHcCrNhPEMNq25EZ3PGjGtwj9M86ziNSVXcHj788K85HJQidHkKQMbqxEJYxTqBA==
+qitpxpm.example.	3600	IN	TXT	"new first NSEC3 hash"
+req6pec2cggf6k9ivfb3npnjvheh89tg.example.	3600	IN	NSEC3	1 0 0 - RMG74O51HREJ2V8S5QE1Q5KKALUKR2IS TXT RRSIG
+req6pec2cggf6k9ivfb3npnjvheh89tg.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. n2tH4tfJ+jFG8h9eLSU4+hngUGw6cG7d0+OKG7ZsbhQiB5Nm+8BYUi6iH1rqI4qov9UAfK+WZGjB9y8jxH+2CA==
+rmg74o51hrej2v8s5qe1q5kkalukr2is.example.	3600	IN	NSEC3	1 0 0 - U3RFK5PN7E74K2EGQKSJ22EVJNK4U3IC TXT RRSIG
+rmg74o51hrej2v8s5qe1q5kkalukr2is.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. uTAsZ2mkspQ6NkUFSztOvDfJR8lpfXWBdmnaKWsXTZwGd0biKj4sX9FOMqx7fM5aZwmnXfvq+GrWXAIj1Ki1Cg==
+syogkgc.example.	3600	IN	RRSIG	TXT 15 2 3600 20231114221320 20200913122640 2835 example. kvEEC1BFJ4sfp3jlAwzrqRlehU/OxLCru123mBojcY47Jy0bzclUWqVUOEXowLtPyPISlc6GYbgRbLndlJUjCQ==
+syogkgc.example.	3600	IN	TXT	"new last NSEC3 hash"
+to-be-occluded.new-delegation.example.	3600	IN	DS	12345 13 253 05
+to-be-occluded.new-delegation.example.	3600	IN	NS	ns4.example.
+txt.add.example.	3600	IN	RRSIG	TXT 15 3 3600 20231114221320 20200913122640 2835 example. IMXtwJrrNyIwGJsdYyKkRXF4IwdZlT/Azc8jnmaKoG/dOqfzmCtbbVTgiZTxuLmXzVDSRZX4PWTDGXPXWmn4BQ==
+txt.add.example.	3600	IN	TXT	"New name and RRset"
+txt.delegation.ent.example.	3600	IN	TXT	"TXT not-below/below delegation"
+txt.delegation.example.	3600	IN	TXT	"TXT not-below/below delegation"
+txt.ds-delegation.example.	3600	IN	RRSIG	TXT 15 3 3600 20231114221320 20200913122640 2835 example. sB4znen/9vniVltQ/45rCZxUCNQ2VuVONM582yaU+VTCHqBxcYWBhOZ9jPv3pgV93kuLcUIRS8DVNDIFESJGAA==
+txt.ds-delegation.example.	3600	IN	TXT	"TXT not-below/below delegation"
+txt.ent.add.example.	3600	IN	RRSIG	TXT 15 4 3600 20231114221320 20200913122640 2835 example. BPfdNFmSA0wb++38mNQtjmaXumHS5Fx+9hmUa7RywPbfU1uu7nCfFAdeGOlmgrUL5WtmeTvNNbR7UzZMoSJWBQ==
+txt.ent.add.example.	3600	IN	TXT	"New name and RRset with ENT"
+txt.ent.delegation.ent.example.	3600	IN	TXT	"TXT not-below/below delegation with ENT"
+txt.ent.delegation.example.	3600	IN	TXT	"TXT not-below/below delegation with ENT"
+txt.ent.ds-delegation.example.	3600	IN	RRSIG	TXT 15 4 3600 20231114221320 20200913122640 2835 example. Vh4XGQIU6puRdejkYTfmJOuJ2DBFdlxEGMjHoDNykw5yW0UEB1MBQM/yExwOmUOCupsfUcPzYjiLaq9sDguAAQ==
+txt.ent.ds-delegation.example.	3600	IN	TXT	"TXT not-below/below delegation with ENT"
+u3rfk5pn7e74k2egqksj22evjnk4u3ic.example.	3600	IN	NSEC3	1 0 0 - VVVVVV7JIBEHNDFRSTRR0NQ4TCS5N69S TXT RRSIG
+u3rfk5pn7e74k2egqksj22evjnk4u3ic.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. QytFTETvV5uvV62SvfLkNtx2fjMW5rtOK2n9+4gnjho8H4TGY9n2toMOWiuCKvt+3Fs9lnyvX1BYW6wWLdTQDw==
+vvvvvv7jibehndfrstrr0nq4tcs5n69s.example.	3600	IN	NSEC3	1 0 0 - 000000KQRTTUSHP6Q101DUR3OD76SJL5 TXT RRSIG
+vvvvvv7jibehndfrstrr0nq4tcs5n69s.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. 77I4zx92/w8GMQzJCj/U19RqvK8KshA8JWnyyGTVlAyRpABN1sOxIQX5K3r6/OHZLec+bfdm0IQk/MZm8RHPDw==
+zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.example.	3600	IN	RRSIG	TXT 15 2 3600 20231114221320 20200913122640 2835 example. ZZ3iuui2JD8U9BF1AkUyJMxRkdnyi079sPuyQYcVJ/kLaXBfGffp7JzEHz0FXadC4OdKAv9tQ7I4rS45k9d3CQ==
+zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.example.	3600	IN	TXT	"Last"
diff --git a/integration-tests/incremental-signing/reference-output/incremental-signing-test3-input2.zone.nsec.signed.sorted b/integration-tests/incremental-signing/reference-output/incremental-signing-test3-input2.zone.nsec.signed.sorted
new file mode 100644
index 00000000..f408f0cc
--- /dev/null
+++ b/integration-tests/incremental-signing/reference-output/incremental-signing-test3-input2.zone.nsec.signed.sorted
@@ -0,0 +1,118 @@
+aaaa.delegation.ent.example.	3600	IN	AAAA	2001:db8::1
+aaaa.delegation.example.	3600	IN	AAAA	2001:db8::
+aaaa.no-delegation.example.	3600	IN	AAAA	2001:db8::
+aaaa.no-delegation.example.	3600	IN	NSEC	cname.no-delegation.example. AAAA RRSIG NSEC
+aaaa.no-delegation.example.	3600	IN	RRSIG	AAAA 15 3 3600 20231114221320 20200913122640 2835 example. qD9hkrOliY5o3BQ5k64kdS/9ViGJiEuQ6EFOlVZkYxrbIstuZXB7PbeA+5BNX5eqHjl9Wy+bZqztDXbGkoizAA==
+aaaa.no-delegation.example.	3600	IN	RRSIG	NSEC 15 3 3600 20231114221320 20200913122640 2835 example. UUyVf/C3qkWD/EoVjUHGNZsOJAa61mtVV6BjQ4MOodVq6zaKphFj3EC+bCvpg5JULcxjvN31xl6vAc8FRPZiDA==
+aaaa.occluded.existing-delegation2.example.	3600	IN	AAAA	2001:db8::
+aaaa.occluded.existing-delegation.example.	3600	IN	AAAA	2001:db8::
+a.delegation.ent.example.	3600	IN	A	192.0.2.1
+a.delegation.example.	3600	IN	A	192.0.2.0
+a.no-delegation.example.	3600	IN	A	192.0.2.0
+a.no-delegation.example.	3600	IN	NSEC	aaaa.no-delegation.example. A RRSIG NSEC
+a.no-delegation.example.	3600	IN	RRSIG	A 15 3 3600 20231114221320 20200913122640 2835 example. 0lGi+qu1Si1rEVkL2nIHmNsDzceXgjQnjerV5Gn/Rc8sd5aIBfnYq8zi1+d4LsaWhcmCjvXQwj0ntUP/oumsAQ==
+a.no-delegation.example.	3600	IN	RRSIG	NSEC 15 3 3600 20231114221320 20200913122640 2835 example. zbGSTp1x2ZYozhwgSlQEXDZ+t8be1DrdkEsN5TAboRbiUTSzNrj3LBdxJ9lNVNxf923v2+cs6eG7/ll1jsJxAw==
+a.occluded.existing-delegation2.example.	3600	IN	A	192.0.2.0
+a.occluded.existing-delegation.example.	3600	IN	A	192.0.2.0
+cname.delegation.example.	3600	IN	CNAME	cname-target.example.
+cname.no-delegation.example.	3600	IN	CNAME	cname-target.example.
+cname.no-delegation.example.	3600	IN	NSEC	dname.no-delegation.example. CNAME RRSIG NSEC
+cname.no-delegation.example.	3600	IN	RRSIG	CNAME 15 3 3600 20231114221320 20200913122640 2835 example. iawIaRG1fs3S12yQvwt8o3fgcltdI1qQ2IO5JvuEA8TRDMWP85HAVtd1F6/qI7zL+tonox9lRLCFKWC0dhe4Cg==
+cname.no-delegation.example.	3600	IN	RRSIG	NSEC 15 3 3600 20231114221320 20200913122640 2835 example. Afvz2zl2HDkU2agst/reBziX8e2x2Igf3vlGkcWAkS4ODJy3SMCSVyrWOyw3IAWHiFjALG390DAoMLy67RIbCQ==
+cname.occluded.existing-delegation2.example.	3600	IN	CNAME	cname-target.example.
+cname.occluded.existing-delegation.example.	3600	IN	CNAME	cname-target.example.
+delegation.ent.example.	3600	IN	A	192.0.2.0
+delegation.ent.example.	3600	IN	AAAA	2001:db8::
+delegation.ent.example.	3600	IN	DS	12345 13 253 05
+delegation.ent.example.	3600	IN	NSEC	existing-delegation.example. NS DS RRSIG NSEC
+delegation.ent.example.	3600	IN	NS	ns2.example.
+delegation.ent.example.	3600	IN	RRSIG	DS 15 3 3600 20231114221320 20200913122640 2835 example. 2DGUB+2suHgLG+SfOUYCVgNTKqZ3NW5DL7KpIfhWGXOXiEx3PXkakx8tw79qOyFg8WGmppxg3Dt6MOBkzeCoAg==
+delegation.ent.example.	3600	IN	RRSIG	NSEC 15 3 3600 20231114221320 20200913122640 2835 example. h8+Z5yexHN5UTI7s8he9IHuMlvv4YNWvbjqzOXEgfGzMeyrvFHw46UA6BopJ4F2QUpJoM3AXeyklYFmH+/HUDg==
+delegation.ent.example.	3600	IN	TXT	"TXT not-at/at delegation"
+delegation.example.	3600	IN	A	192.0.2.0
+delegation.example.	3600	IN	AAAA	2001:db8::
+delegation.example.	3600	IN	DS	12345 13 253 03
+delegation.example.	3600	IN	NSEC	ds-delegation.example. NS DS RRSIG NSEC
+delegation.example.	3600	IN	NS	ns1.example.
+delegation.example.	3600	IN	RRSIG	DS 15 2 3600 20231114221320 20200913122640 2835 example. 1oK/3Qk+TU5Dcp1RQcJSr6+BfAGb6vbJ/BNCUM4JG+8M4LaicORrpq8nIA8H6e6nD6cXzK5280+ZaSTrnsgRAg==
+delegation.example.	3600	IN	RRSIG	NSEC 15 2 3600 20231114221320 20200913122640 2835 example. TR4LjfS77LX2MRQn1WSV+iDmJJdJxuEN2LW9/VUh+nQlpXgrCph12OwWU+TkBFK5e5KOpRsMnKcnNOxIj/HXBw==
+delegation.example.	3600	IN	TXT	"TXT not-at/at delegation"
+dname.delegation.example.	3600	IN	DNAME	dname-target.example.
+dname.no-delegation.example.	3600	IN	DNAME	dname-target.example.
+dname.no-delegation.example.	3600	IN	NSEC	ds.no-delegation.example. DNAME RRSIG NSEC
+dname.no-delegation.example.	3600	IN	RRSIG	DNAME 15 3 3600 20231114221320 20200913122640 2835 example. 8z7CrqiKTqkZ1fInzHR6rOM92HUtGzaN7SothyAxKaO1BMjN9sQq9fnLrX38+dcziNko0Ol+qxVRWsGHpC+NAA==
+dname.no-delegation.example.	3600	IN	RRSIG	NSEC 15 3 3600 20231114221320 20200913122640 2835 example. P5s6k9Jy1coLvnI0CkBkQbdAmw1nDHlsqHbobqRrLIKeAMxjO/OfAqmUzu4B8fm1imJ0HHmFy9XK39nands2CA==
+dname.occluded.existing-delegation2.example.	3600	IN	DNAME	dname-target.example.
+dname.occluded.existing-delegation.example.	3600	IN	DNAME	dname-target.example.
+ds.delegation.example.	3600	IN	DS	12345 13 253 04
+ds-delegation.example.	3600	IN	NSEC	ds-no-delegation.example. NS RRSIG NSEC
+ds-delegation.example.	3600	IN	NS	ns4.example.
+ds-delegation.example.	3600	IN	RRSIG	NSEC 15 2 3600 20231114221320 20200913122640 2835 example. ATy6f6GY2+pgENW7kMPpoWzuFcJf6LIwfPX4daSJQvIjbm8L9ae8o2C3in8OjVKGAmg9nw007SkD2K+lZVgIBQ==
+ds-no-delegation.example.	3600	IN	A	192.0.2.0
+ds-no-delegation.example.	3600	IN	AAAA	2001:db8::
+ds-no-delegation.example.	3600	IN	DS	12345 13 253 03
+ds.no-delegation.example.	3600	IN	DS	12345 13 253 04
+ds-no-delegation.example.	3600	IN	NSEC	delegation.ent.example. A TXT AAAA DS RRSIG NSEC
+ds.no-delegation.example.	3600	IN	NSEC	txt.ent.no-delegation.example. DS RRSIG NSEC
+ds-no-delegation.example.	3600	IN	RRSIG	A 15 2 3600 20231114221320 20200913122640 2835 example. 8YQ2XoOJIZZlX3xrCv6JyL1tQb0jYOmEdLMsBfL4wFb7fIQnXTInJ1d9K7GWZl88Au8vx701NQebdM3cf3akCw==
+ds-no-delegation.example.	3600	IN	RRSIG	AAAA 15 2 3600 20231114221320 20200913122640 2835 example. BaYd3ohr5Sb0++v2H23BNQ9bbzWNipdkz9uSRv0A0cf2os4Z65bWpuEclebGtOavW7/di/8vrd9hVSWIa8NODw==
+ds-no-delegation.example.	3600	IN	RRSIG	DS 15 2 3600 20231114221320 20200913122640 2835 example. jLhnHDk06kbcr8wz+kEcrkk2F6epIb4sYVUMpqSJKCwXqSPXrwSG7pzlQVgW36Gj7TavnXfZcP1E7WVHTixjAQ==
+ds.no-delegation.example.	3600	IN	RRSIG	DS 15 3 3600 20231114221320 20200913122640 2835 example. mh8GWAVViXfTbDbUrPYqvIy7oNL0Y+5p52OalhAuWZpi92I6SkptWE5IGKpb8T1YET+kfr/xQ5UE3D9YddRCAA==
+ds-no-delegation.example.	3600	IN	RRSIG	NSEC 15 2 3600 20231114221320 20200913122640 2835 example. n8K58izkSdKO+Yz3YNOfs131dfdApnmgrnyIB75Zd5TNOSPeN2JDAf0aShZs1v8U7zhULLZf+foQXL29m9c1Bw==
+ds.no-delegation.example.	3600	IN	RRSIG	NSEC 15 3 3600 20231114221320 20200913122640 2835 example. ttEgJx2N3gtC+DxIHZ7qv2ElYRd7URG/q69qHgOboB3UYuLRz301eCMaINCUSLIGY5WolDFWTk3vJBtjDLOHCA==
+ds-no-delegation.example.	3600	IN	RRSIG	TXT 15 2 3600 20231114221320 20200913122640 2835 example. ExqMm6PtWvEa1JP8TaduVe62v/aGb7rLzeiAa9E1KZwQfL1G6iy83AhpaGLwIuZ5Jb2cmFAkOFMy5AQsNiFBDA==
+ds-no-delegation.example.	3600	IN	TXT	"TXT not-at/at delegation"
+ds.occluded.existing-delegation2.example.	3600	IN	DS	12345 13 253 04
+ds.occluded.existing-delegation.example.	3600	IN	DS	12345 13 253 04
+example.	3600	IN	DNSKEY	256 3 15 BnnbKMXdvQp2v+tzyvO/HxQGY8iYcJsWD4MN6fnr84Q=
+example.	3600	IN	NSEC	delegation.example. SOA RRSIG NSEC DNSKEY
+example.	3600	IN	RRSIG	DNSKEY 15 1 3600 20231114221320 20200913122640 2835 example. RMn96put9kteW8DjunEY3o0J7+MZlrC/zXVBU0h0gpFwjz9mrqo/1EvQUSO6faKaNLD2uhiJ9mg91Z1AQSq4AQ==
+example.	3600	IN	RRSIG	NSEC 15 1 3600 20231114221320 20200913122640 2835 example. wNt8Yl2IytqYU6c+SY1dwICNVdoSk0rEkU9cvrk/D+MLbAtfWkjAa0UcWbqNR00oaIaaOY1NACJh0ImUErreAA==
+example.	3600	IN	RRSIG	SOA 15 1 3600 20231114221320 20200913122640 2835 example. bBmNKlKLUZIRG8VveJE3bONbEq7DWywLm2wG2bRxLTTWXvX7IfLbb1RFogxT7fH0BIeyBde1azsA+/nAjUBiDg==
+example.	3600	IN	SOA	ns.example. hostmaster.example. 23456 3600 3600 86400 3600
+existing-delegation.example.	3600	IN	NSEC	occluded.existing-delegation2.example. NS RRSIG NSEC
+existing-delegation.example.	3600	IN	NS	ns1.example.
+existing-delegation.example.	3600	IN	RRSIG	NSEC 15 2 3600 20231114221320 20200913122640 2835 example. JCw9oKKWvXDlJ5pHISuMOnslOJpfJCBX12zVdMd3kB3y3e/kvY9lZIrLg0ahD0/C8Yo112+pNq7UdQFSBFR2AA==
+no-delegation.example.	3600	IN	A	192.0.2.0
+no-delegation.example.	3600	IN	AAAA	2001:db8::
+no-delegation.example.	3600	IN	DS	12345 13 253 03
+no-delegation.example.	3600	IN	NSEC	a.no-delegation.example. A TXT AAAA DS RRSIG NSEC
+no-delegation.example.	3600	IN	RRSIG	A 15 2 3600 20231114221320 20200913122640 2835 example. wWo9FrNknF99/VRPvbxa2qJN//xA3LfzTHDQnSWroU488xjLJkm4W1yVs2x3cuI44sHVy/qyk2OhwxJ3GqK6BQ==
+no-delegation.example.	3600	IN	RRSIG	AAAA 15 2 3600 20231114221320 20200913122640 2835 example. VDnKSuiuWPDHsd+xVx3wkw4RUn6haKESMUWvmjTWvey1UKJMoNxspTti4uAiIt3l6J4sSXw9ReZS35yDukPlBQ==
+no-delegation.example.	3600	IN	RRSIG	DS 15 2 3600 20231114221320 20200913122640 2835 example. 798mm2DAHdBZX/Wb+ZChWKjJwKWkgBdPXi0n6vKJ4yjE5H5jYh6Z1t46z1qWoEgpvwvyj2238dQC/ExbvLVzCA==
+no-delegation.example.	3600	IN	RRSIG	NSEC 15 2 3600 20231114221320 20200913122640 2835 example. NlnAotCaxwLxUzSR4hlV5iIkNyTyv/1oWzE0ybBDeVb4d6J8kjQXDPaV2FhUnUb3SNdN5+tdztON8xcr2F45Bg==
+no-delegation.example.	3600	IN	RRSIG	TXT 15 2 3600 20231114221320 20200913122640 2835 example. GJTHznE/4iZa9HOhakHo3f2Sc9/SAziv7xLX9+8zaE/ijYYfS2LwA6dOCBfDKYo7bIoQYpx+Ii50okkq6KbuCw==
+no-delegation.example.	3600	IN	TXT	"TXT not-at/at delegation"
+no-ds-delegation.example.	3600	IN	DS	12345 13 253 06
+no-ds-delegation.example.	3600	IN	NSEC	example. NS DS RRSIG NSEC
+no-ds-delegation.example.	3600	IN	NS	ns3.example.
+no-ds-delegation.example.	3600	IN	RRSIG	DS 15 2 3600 20231114221320 20200913122640 2835 example. pAlR5tvcLC2xQev3UkkFAJDfbjT2HlT58rEenl2Np+zmcvfIrVkVm7aw7zlQ3dpKHVj983hK0OujKnM4cwwqCg==
+no-ds-delegation.example.	3600	IN	RRSIG	NSEC 15 2 3600 20231114221320 20200913122640 2835 example. lotw7miFVSyjysSPprlctJRqgdD/SvFZGawh+j62q50EiekEK/6cyoH+T0koX1CypYAWV9+DvMkNucFxih2GAw==
+occluded.existing-delegation2.example.	3600	IN	A	192.0.2.0
+occluded.existing-delegation2.example.	3600	IN	AAAA	2001:db8::
+occluded.existing-delegation2.example.	3600	IN	DS	12345 13 253 04
+occluded.existing-delegation2.example.	3600	IN	NSEC	no-delegation.example. NS DS RRSIG NSEC
+occluded.existing-delegation2.example.	3600	IN	NS	ns2.example.
+occluded.existing-delegation2.example.	3600	IN	RRSIG	DS 15 3 3600 20231114221320 20200913122640 2835 example. EgsRiaTA3ldlcYp0HYGau66/4zY5PDtPL1qQdSnXRw4DJlJr87JoX/kHeGBe4nVAvJ9zyGskCLQ6njji1stWDg==
+occluded.existing-delegation2.example.	3600	IN	RRSIG	NSEC 15 3 3600 20231114221320 20200913122640 2835 example. tbssnC92qbTiPV18KvZIdkjRVYANnJEhX1iHC0lwMbRzypfdr5S7BoVfgkU6/5W0Z3fEcC9LRTZgHlrbLre5BA==
+occluded.existing-delegation2.example.	3600	IN	TXT	"TXT not-at/at delegation"
+occluded.existing-delegation.example.	3600	IN	A	192.0.2.0
+occluded.existing-delegation.example.	3600	IN	AAAA	2001:db8::
+occluded.existing-delegation.example.	3600	IN	DS	12345 13 253 04
+occluded.existing-delegation.example.	3600	IN	TXT	"TXT not-at/at delegation"
+txt.delegation.ent.example.	3600	IN	TXT	"TXT not-below/below delegation"
+txt.delegation.example.	3600	IN	TXT	"TXT not-below/below delegation"
+txt.ent.delegation.ent.example.	3600	IN	TXT	"TXT not-below/below delegation with ENT"
+txt.ent.delegation.example.	3600	IN	TXT	"TXT not-below/below delegation iwth ENT"
+txt.ent.no-delegation.example.	3600	IN	NSEC	txt.no-delegation.example. TXT RRSIG NSEC
+txt.ent.no-delegation.example.	3600	IN	RRSIG	NSEC 15 4 3600 20231114221320 20200913122640 2835 example. TNp6fCZQYxSuB5oF+1JfsNCOucu7T2/Wfelj2TwddX6xq2lkXJUyyaMd04iVvSukdio9jw43OIAeHc9C380yDw==
+txt.ent.no-delegation.example.	3600	IN	RRSIG	TXT 15 4 3600 20231114221320 20200913122640 2835 example. NuaY3ZSeqM/WkRotfhV8MA5W4sOU+ZG4ld7+HgKc2Etb9KqSV6I7RuMO2PmJmMDNFlg4oyaoZyqmnITL+uKeBg==
+txt.ent.no-delegation.example.	3600	IN	TXT	"TXT not-below/below delegation iwth ENT"
+txt.ent.occluded.existing-delegation2.example.	3600	IN	TXT	"TXT not-below/below delegation iwth ENT"
+txt.ent.occluded.existing-delegation.example.	3600	IN	TXT	"TXT not-below/below delegation iwth ENT"
+txt.no-delegation.example.	3600	IN	NSEC	no-ds-delegation.example. TXT RRSIG NSEC
+txt.no-delegation.example.	3600	IN	RRSIG	NSEC 15 3 3600 20231114221320 20200913122640 2835 example. 6YnCX8bEG6XIHu+dL7UHplx2V1r7nKCAVI/A+jv1MvqbUKsBQ6BXhph/NIDHSp7ig8gV5Vky8zl4owbbgWVvAg==
+txt.no-delegation.example.	3600	IN	RRSIG	TXT 15 3 3600 20231114221320 20200913122640 2835 example. AQsSVR9J9pGeVNFGq7TDomMd3f05i2eDcJAoTWkI2OlVD5Aqz9JPJf39YyHEuxBOBTzHQBh25oU75QE2CJcpCQ==
+txt.no-delegation.example.	3600	IN	TXT	"TXT not-below/below delegation"
+txt.occluded.existing-delegation2.example.	3600	IN	TXT	"TXT not-below/below delegation"
+txt.occluded.existing-delegation.example.	3600	IN	TXT	"TXT not-below/below delegation"
diff --git a/integration-tests/incremental-signing/reference-output/incremental-signing-test3-input2.zone.nsec3-opt-out.signed.sorted b/integration-tests/incremental-signing/reference-output/incremental-signing-test3-input2.zone.nsec3-opt-out.signed.sorted
new file mode 100644
index 00000000..69fd3d27
--- /dev/null
+++ b/integration-tests/incremental-signing/reference-output/incremental-signing-test3-input2.zone.nsec3-opt-out.signed.sorted
@@ -0,0 +1,122 @@
+1chvonhfan96laj6iq4spkbifgasnfqu.example.	3600	IN	NSEC3	1 1 0 - 2CCS29VGBTEFCQTAPGLC804NPEGF3MNG AAAA RRSIG
+1chvonhfan96laj6iq4spkbifgasnfqu.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. ZvLaPExc0H4wHNcyfPvOLRlsqBTBp14Gr0iDwxOOb0FA/yL37bk3IafCo/Bi04sPCcrXVOf5aZ3DnSmA2bZMBw==
+2ccs29vgbtefcqtapglc804npegf3mng.example.	3600	IN	NSEC3	1 1 0 - 3MSEV9USMD4BR9S97V51R2TDVMR9IQO1
+2ccs29vgbtefcqtapglc804npegf3mng.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. iz9s44FpDwuHu7Ktmin5dUGa4o9r6qVKxp5KmmYfNhUWRNZXe4aVoLJkjCQnd27fHVKtxfyVGNDIZWTdEJkpBw==
+3msev9usmd4br9s97v51r2tdvmr9iqo1.example.	3600	IN	NSEC3	1 1 0 - 6DA3FE1GRLV7G901PJSLGE161PVFTBU8 SOA RRSIG DNSKEY NSEC3PARAM
+3msev9usmd4br9s97v51r2tdvmr9iqo1.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. mQy9Y59XrGfBWfjWS2CHyK6yDqpr7CuyfYsPNml7E+LO2uwEh6Faa73d/tcgMCUPd/VHWjGeVPrWPGvNPU0cAw==
+6da3fe1grlv7g901pjslge161pvftbu8.example.	3600	IN	NSEC3	1 1 0 - BE0FOFC9NMJH1KD68OFAN3LAMHSOF2CT NS DS RRSIG
+6da3fe1grlv7g901pjslge161pvftbu8.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. X7jC/dUMe2SgG8IyHHxLBBdtBZ8mBZ6Bt2tjmPzZviUmKYPUqKk3pgJIsVp5wkJQmwKRD9Mh0xaG5S4mDFLUAg==
+aaaa.delegation.ent.example.	3600	IN	AAAA	2001:db8::1
+aaaa.delegation.example.	3600	IN	AAAA	2001:db8::
+aaaa.no-delegation.example.	3600	IN	AAAA	2001:db8::
+aaaa.no-delegation.example.	3600	IN	RRSIG	AAAA 15 3 3600 20231114221320 20200913122640 2835 example. qD9hkrOliY5o3BQ5k64kdS/9ViGJiEuQ6EFOlVZkYxrbIstuZXB7PbeA+5BNX5eqHjl9Wy+bZqztDXbGkoizAA==
+aaaa.occluded.existing-delegation2.example.	3600	IN	AAAA	2001:db8::
+aaaa.occluded.existing-delegation.example.	3600	IN	AAAA	2001:db8::
+a.delegation.ent.example.	3600	IN	A	192.0.2.1
+a.delegation.example.	3600	IN	A	192.0.2.0
+a.no-delegation.example.	3600	IN	A	192.0.2.0
+a.no-delegation.example.	3600	IN	RRSIG	A 15 3 3600 20231114221320 20200913122640 2835 example. 0lGi+qu1Si1rEVkL2nIHmNsDzceXgjQnjerV5Gn/Rc8sd5aIBfnYq8zi1+d4LsaWhcmCjvXQwj0ntUP/oumsAQ==
+a.occluded.existing-delegation2.example.	3600	IN	A	192.0.2.0
+a.occluded.existing-delegation.example.	3600	IN	A	192.0.2.0
+be0fofc9nmjh1kd68ofan3lamhsof2ct.example.	3600	IN	NSEC3	1 1 0 - CBHSLDD1T27N54NJE8SI3VM378NKR151 DNAME RRSIG
+be0fofc9nmjh1kd68ofan3lamhsof2ct.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. GBS8jsZdFwSwIOHj4cEdBWGDtFdEAAtLvptYxIBF0T1qTxbZl7jMXnrrPpWmygUQNzjYcqZfNgUXK0zVhKT5AQ==
+cbhsldd1t27n54nje8si3vm378nkr151.example.	3600	IN	NSEC3	1 1 0 - CFSQBMPK0MAS6PGQMFDBBQK6FM25I7AQ NS DS RRSIG
+cbhsldd1t27n54nje8si3vm378nkr151.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. PW/WOR7IVODBRdBOqnSgvVbG4qnvEJKXE4927Q+tJrAm32iFtd4aRfTBiCe7KuNFvNTA97jydlojQeLOpVBeBg==
+cfsqbmpk0mas6pgqmfdbbqk6fm25i7aq.example.	3600	IN	NSEC3	1 1 0 - DJQ6I8ONNVI00AKFJV64CI1OIOFEL9NU A TXT AAAA DS RRSIG
+cfsqbmpk0mas6pgqmfdbbqk6fm25i7aq.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. dLH3NEAcTKc9D2AIXe3n6PSsIs+MHTpZfbeOekTz2WUo7K+oapgEsUmX1hjOxNN4be8JFPxZgSSbPMCNlD8UBg==
+cname.delegation.example.	3600	IN	CNAME	cname-target.example.
+cname.no-delegation.example.	3600	IN	CNAME	cname-target.example.
+cname.no-delegation.example.	3600	IN	RRSIG	CNAME 15 3 3600 20231114221320 20200913122640 2835 example. iawIaRG1fs3S12yQvwt8o3fgcltdI1qQ2IO5JvuEA8TRDMWP85HAVtd1F6/qI7zL+tonox9lRLCFKWC0dhe4Cg==
+cname.occluded.existing-delegation2.example.	3600	IN	CNAME	cname-target.example.
+cname.occluded.existing-delegation.example.	3600	IN	CNAME	cname-target.example.
+delegation.ent.example.	3600	IN	A	192.0.2.0
+delegation.ent.example.	3600	IN	AAAA	2001:db8::
+delegation.ent.example.	3600	IN	DS	12345 13 253 05
+delegation.ent.example.	3600	IN	NS	ns2.example.
+delegation.ent.example.	3600	IN	RRSIG	DS 15 3 3600 20231114221320 20200913122640 2835 example. 2DGUB+2suHgLG+SfOUYCVgNTKqZ3NW5DL7KpIfhWGXOXiEx3PXkakx8tw79qOyFg8WGmppxg3Dt6MOBkzeCoAg==
+delegation.ent.example.	3600	IN	TXT	"TXT not-at/at delegation"
+delegation.example.	3600	IN	A	192.0.2.0
+delegation.example.	3600	IN	AAAA	2001:db8::
+delegation.example.	3600	IN	DS	12345 13 253 03
+delegation.example.	3600	IN	NS	ns1.example.
+delegation.example.	3600	IN	RRSIG	DS 15 2 3600 20231114221320 20200913122640 2835 example. 1oK/3Qk+TU5Dcp1RQcJSr6+BfAGb6vbJ/BNCUM4JG+8M4LaicORrpq8nIA8H6e6nD6cXzK5280+ZaSTrnsgRAg==
+delegation.example.	3600	IN	TXT	"TXT not-at/at delegation"
+djq6i8onnvi00akfjv64ci1oiofel9nu.example.	3600	IN	NSEC3	1 1 0 - E8R6DJDM0DOJ852N8R6453RRS2FPR32L
+djq6i8onnvi00akfjv64ci1oiofel9nu.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. SwYGOBnCnCioEBrFQKEKYWKe5tacRPHMTBId8DSQmtQ3jAkizgwiJLj3qvhOftC6joJcd5tpaKCu865+5FWbCQ==
+dname.delegation.example.	3600	IN	DNAME	dname-target.example.
+dname.no-delegation.example.	3600	IN	DNAME	dname-target.example.
+dname.no-delegation.example.	3600	IN	RRSIG	DNAME 15 3 3600 20231114221320 20200913122640 2835 example. 8z7CrqiKTqkZ1fInzHR6rOM92HUtGzaN7SothyAxKaO1BMjN9sQq9fnLrX38+dcziNko0Ol+qxVRWsGHpC+NAA==
+dname.occluded.existing-delegation2.example.	3600	IN	DNAME	dname-target.example.
+dname.occluded.existing-delegation.example.	3600	IN	DNAME	dname-target.example.
+ds.delegation.example.	3600	IN	DS	12345 13 253 04
+ds-delegation.example.	3600	IN	NS	ns4.example.
+ds-no-delegation.example.	3600	IN	A	192.0.2.0
+ds-no-delegation.example.	3600	IN	AAAA	2001:db8::
+ds-no-delegation.example.	3600	IN	DS	12345 13 253 03
+ds.no-delegation.example.	3600	IN	DS	12345 13 253 04
+ds-no-delegation.example.	3600	IN	RRSIG	A 15 2 3600 20231114221320 20200913122640 2835 example. 8YQ2XoOJIZZlX3xrCv6JyL1tQb0jYOmEdLMsBfL4wFb7fIQnXTInJ1d9K7GWZl88Au8vx701NQebdM3cf3akCw==
+ds-no-delegation.example.	3600	IN	RRSIG	AAAA 15 2 3600 20231114221320 20200913122640 2835 example. BaYd3ohr5Sb0++v2H23BNQ9bbzWNipdkz9uSRv0A0cf2os4Z65bWpuEclebGtOavW7/di/8vrd9hVSWIa8NODw==
+ds-no-delegation.example.	3600	IN	RRSIG	DS 15 2 3600 20231114221320 20200913122640 2835 example. jLhnHDk06kbcr8wz+kEcrkk2F6epIb4sYVUMpqSJKCwXqSPXrwSG7pzlQVgW36Gj7TavnXfZcP1E7WVHTixjAQ==
+ds.no-delegation.example.	3600	IN	RRSIG	DS 15 3 3600 20231114221320 20200913122640 2835 example. mh8GWAVViXfTbDbUrPYqvIy7oNL0Y+5p52OalhAuWZpi92I6SkptWE5IGKpb8T1YET+kfr/xQ5UE3D9YddRCAA==
+ds-no-delegation.example.	3600	IN	RRSIG	TXT 15 2 3600 20231114221320 20200913122640 2835 example. ExqMm6PtWvEa1JP8TaduVe62v/aGb7rLzeiAa9E1KZwQfL1G6iy83AhpaGLwIuZ5Jb2cmFAkOFMy5AQsNiFBDA==
+ds-no-delegation.example.	3600	IN	TXT	"TXT not-at/at delegation"
+ds.occluded.existing-delegation2.example.	3600	IN	DS	12345 13 253 04
+ds.occluded.existing-delegation.example.	3600	IN	DS	12345 13 253 04
+e8r6djdm0doj852n8r6453rrs2fpr32l.example.	3600	IN	NSEC3	1 1 0 - ECUSFB2CQ2FLU9S3KSTEKTU2RKQ7J02I NS DS RRSIG
+e8r6djdm0doj852n8r6453rrs2fpr32l.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. HDOrdJMfBahqOurozyq5VObL7yrWKMiR1tCS7Y6FMzI7RBJXf2L5kM/+HirilhlRo6MPP5n75i53qZHiHcazBQ==
+ecusfb2cq2flu9s3kstektu2rkq7j02i.example.	3600	IN	NSEC3	1 1 0 - JUR6DKS5JSEVI4KOF749OPGC8O568ED2 NS DS RRSIG
+ecusfb2cq2flu9s3kstektu2rkq7j02i.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. UKr5zxEU3y97/BBeS4BQo9KzweIpewq5bF6eh3uXGqLzawYPSeJ2sEdMcjEsx6lO+UgFaJgahLxCMP8TwW/yAw==
+example.	3600	IN	DNSKEY	256 3 15 BnnbKMXdvQp2v+tzyvO/HxQGY8iYcJsWD4MN6fnr84Q=
+example.	3600	IN	NSEC3PARAM	1 1 0 -
+example.	3600	IN	RRSIG	DNSKEY 15 1 3600 20231114221320 20200913122640 2835 example. RMn96put9kteW8DjunEY3o0J7+MZlrC/zXVBU0h0gpFwjz9mrqo/1EvQUSO6faKaNLD2uhiJ9mg91Z1AQSq4AQ==
+example.	3600	IN	RRSIG	NSEC3PARAM 15 1 3600 20231114221320 20200913122640 2835 example. Ladx6ZxxaehBhStbVOWTLQIsX0nrQmRyi6IHL4ClapIJfHMG0/w9xxE2/8kp5JRHhYNHBwFQ5g6djBBdVELvCA==
+example.	3600	IN	RRSIG	SOA 15 1 3600 20231114221320 20200913122640 2835 example. bBmNKlKLUZIRG8VveJE3bONbEq7DWywLm2wG2bRxLTTWXvX7IfLbb1RFogxT7fH0BIeyBde1azsA+/nAjUBiDg==
+example.	3600	IN	SOA	ns.example. hostmaster.example. 23456 3600 3600 86400 3600
+existing-delegation.example.	3600	IN	NS	ns1.example.
+jur6dks5jsevi4kof749opgc8o568ed2.example.	3600	IN	NSEC3	1 1 0 - N3MIVJM8DKLOBH7R7F4RD46CG6F4STOM CNAME RRSIG
+jur6dks5jsevi4kof749opgc8o568ed2.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. 5lSb0qv7wEGZCdJi7Gq/TDB0d4CHDkb4DX8d0cneCLSG6zd5eCA5Ek2X4dpMCKyDARMCXIQu0HPR7QaBm82gCw==
+n3mivjm8dklobh7r7f4rd46cg6f4stom.example.	3600	IN	NSEC3	1 1 0 - NK3JQ1UR0NQ9AA77LBUGIB68PK87V5E6
+n3mivjm8dklobh7r7f4rd46cg6f4stom.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. bsdrozNhUgkC0KRcSTMDUHleDc39CbHzkpIIk2Zd48gDpZDAgTFNbhiCgQtANAkAFsGkUghrDbZOUex9Pu8eDA==
+nk3jq1ur0nq9aa77lbugib68pk87v5e6.example.	3600	IN	NSEC3	1 1 0 - OT1SVRDFK85BGA7SEEPDGMT12283DNKG A RRSIG
+nk3jq1ur0nq9aa77lbugib68pk87v5e6.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. LfaG5YaiI/rh8DI6/+CaM8gmoTATaZ4oKDkjmgmHX+6p+Dngttf9uOVB8nP6BqnbimaN4R4gmmIJQFVVOJ9dBA==
+no-delegation.example.	3600	IN	A	192.0.2.0
+no-delegation.example.	3600	IN	AAAA	2001:db8::
+no-delegation.example.	3600	IN	DS	12345 13 253 03
+no-delegation.example.	3600	IN	RRSIG	A 15 2 3600 20231114221320 20200913122640 2835 example. wWo9FrNknF99/VRPvbxa2qJN//xA3LfzTHDQnSWroU488xjLJkm4W1yVs2x3cuI44sHVy/qyk2OhwxJ3GqK6BQ==
+no-delegation.example.	3600	IN	RRSIG	AAAA 15 2 3600 20231114221320 20200913122640 2835 example. VDnKSuiuWPDHsd+xVx3wkw4RUn6haKESMUWvmjTWvey1UKJMoNxspTti4uAiIt3l6J4sSXw9ReZS35yDukPlBQ==
+no-delegation.example.	3600	IN	RRSIG	DS 15 2 3600 20231114221320 20200913122640 2835 example. 798mm2DAHdBZX/Wb+ZChWKjJwKWkgBdPXi0n6vKJ4yjE5H5jYh6Z1t46z1qWoEgpvwvyj2238dQC/ExbvLVzCA==
+no-delegation.example.	3600	IN	RRSIG	TXT 15 2 3600 20231114221320 20200913122640 2835 example. GJTHznE/4iZa9HOhakHo3f2Sc9/SAziv7xLX9+8zaE/ijYYfS2LwA6dOCBfDKYo7bIoQYpx+Ii50okkq6KbuCw==
+no-delegation.example.	3600	IN	TXT	"TXT not-at/at delegation"
+no-ds-delegation.example.	3600	IN	DS	12345 13 253 06
+no-ds-delegation.example.	3600	IN	NS	ns3.example.
+no-ds-delegation.example.	3600	IN	RRSIG	DS 15 2 3600 20231114221320 20200913122640 2835 example. pAlR5tvcLC2xQev3UkkFAJDfbjT2HlT58rEenl2Np+zmcvfIrVkVm7aw7zlQ3dpKHVj983hK0OujKnM4cwwqCg==
+occluded.existing-delegation2.example.	3600	IN	A	192.0.2.0
+occluded.existing-delegation2.example.	3600	IN	AAAA	2001:db8::
+occluded.existing-delegation2.example.	3600	IN	DS	12345 13 253 04
+occluded.existing-delegation2.example.	3600	IN	NS	ns2.example.
+occluded.existing-delegation2.example.	3600	IN	RRSIG	DS 15 3 3600 20231114221320 20200913122640 2835 example. EgsRiaTA3ldlcYp0HYGau66/4zY5PDtPL1qQdSnXRw4DJlJr87JoX/kHeGBe4nVAvJ9zyGskCLQ6njji1stWDg==
+occluded.existing-delegation2.example.	3600	IN	TXT	"TXT not-at/at delegation"
+occluded.existing-delegation.example.	3600	IN	A	192.0.2.0
+occluded.existing-delegation.example.	3600	IN	AAAA	2001:db8::
+occluded.existing-delegation.example.	3600	IN	DS	12345 13 253 04
+occluded.existing-delegation.example.	3600	IN	TXT	"TXT not-at/at delegation"
+ot1svrdfk85bga7seepdgmt12283dnkg.example.	3600	IN	NSEC3	1 1 0 - P5QI3GOVN4PKTGO5U4JIC3M7877SD2QH A TXT AAAA DS RRSIG
+ot1svrdfk85bga7seepdgmt12283dnkg.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. miVY5hHQFvCvSL1JaIrm4Sri9bjiIgXgU24pdL0+NhNElYugRmk+QWFApbmUdvRRSQgLxTwp/UMN06u6zy3tAA==
+p5qi3govn4pktgo5u4jic3m7877sd2qh.example.	3600	IN	NSEC3	1 1 0 - TD3GCP8Q47O18HTN3HQ26JJ9QONK7912 DS RRSIG
+p5qi3govn4pktgo5u4jic3m7877sd2qh.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. ONuxrisKH5u/XK/a6r0aGabRCUh/FPPsVcFrv7K+2VpXj19SVw2p/jfFbi7tF4ej+msXa01wFO7y2k4rnp3SDA==
+td3gcp8q47o18htn3hq26jj9qonk7912.example.	3600	IN	NSEC3	1 1 0 - VT4UA5HC3LVTIHL2FJDF45RQOPUSN9C4 TXT RRSIG
+td3gcp8q47o18htn3hq26jj9qonk7912.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. JhcZWfirjXuU6AR4kCPr5OuVJsEhEelXBRowa/kyK3xOLe+Zlq8ks6z8ZbfEidAKdgGPctfASOm/fGRiLt8RBg==
+txt.delegation.ent.example.	3600	IN	TXT	"TXT not-below/below delegation"
+txt.delegation.example.	3600	IN	TXT	"TXT not-below/below delegation"
+txt.ent.delegation.ent.example.	3600	IN	TXT	"TXT not-below/below delegation with ENT"
+txt.ent.delegation.example.	3600	IN	TXT	"TXT not-below/below delegation iwth ENT"
+txt.ent.no-delegation.example.	3600	IN	RRSIG	TXT 15 4 3600 20231114221320 20200913122640 2835 example. NuaY3ZSeqM/WkRotfhV8MA5W4sOU+ZG4ld7+HgKc2Etb9KqSV6I7RuMO2PmJmMDNFlg4oyaoZyqmnITL+uKeBg==
+txt.ent.no-delegation.example.	3600	IN	TXT	"TXT not-below/below delegation iwth ENT"
+txt.ent.occluded.existing-delegation2.example.	3600	IN	TXT	"TXT not-below/below delegation iwth ENT"
+txt.ent.occluded.existing-delegation.example.	3600	IN	TXT	"TXT not-below/below delegation iwth ENT"
+txt.no-delegation.example.	3600	IN	RRSIG	TXT 15 3 3600 20231114221320 20200913122640 2835 example. AQsSVR9J9pGeVNFGq7TDomMd3f05i2eDcJAoTWkI2OlVD5Aqz9JPJf39YyHEuxBOBTzHQBh25oU75QE2CJcpCQ==
+txt.no-delegation.example.	3600	IN	TXT	"TXT not-below/below delegation"
+txt.occluded.existing-delegation2.example.	3600	IN	TXT	"TXT not-below/below delegation"
+txt.occluded.existing-delegation.example.	3600	IN	TXT	"TXT not-below/below delegation"
+vt4ua5hc3lvtihl2fjdf45rqopusn9c4.example.	3600	IN	NSEC3	1 1 0 - 1CHVONHFAN96LAJ6IQ4SPKBIFGASNFQU TXT RRSIG
+vt4ua5hc3lvtihl2fjdf45rqopusn9c4.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. rNAF2dCta3EemPpEYJ5QBhdfhK2DIXFTagFU2sd8ACLjL3hmmREqjH2APj8ySCZL7bLPZoN4U2xzIoFLx5hKAw==
diff --git a/integration-tests/incremental-signing/reference-output/incremental-signing-test3-input2.zone.nsec3.signed.sorted b/integration-tests/incremental-signing/reference-output/incremental-signing-test3-input2.zone.nsec3.signed.sorted
new file mode 100644
index 00000000..00b40ff0
--- /dev/null
+++ b/integration-tests/incremental-signing/reference-output/incremental-signing-test3-input2.zone.nsec3.signed.sorted
@@ -0,0 +1,126 @@
+1chvonhfan96laj6iq4spkbifgasnfqu.example.	3600	IN	NSEC3	1 0 0 - 2CCS29VGBTEFCQTAPGLC804NPEGF3MNG AAAA RRSIG
+1chvonhfan96laj6iq4spkbifgasnfqu.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. yUQIGp59RuMDQJKc1jDPfO3mbMJk1GtG+7fcpz/ADrC6cYU+j7w6LtSZ10dO9X8l/4buZ6M/jP1ayCvtN/r0Bg==
+2ccs29vgbtefcqtapglc804npegf3mng.example.	3600	IN	NSEC3	1 0 0 - 3MSEV9USMD4BR9S97V51R2TDVMR9IQO1
+2ccs29vgbtefcqtapglc804npegf3mng.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. rHb3bK6WkfBotVC6Bix1yGj+p/1WuTKNSpzkiwFbtkLAlIi6lKLFk7delFFw6HnbKq2YmG1R4bN0BGNRidXIAg==
+3msev9usmd4br9s97v51r2tdvmr9iqo1.example.	3600	IN	NSEC3	1 0 0 - 5FS5CIQJCTH0TJA38UV0ALJQK6RCGR9E SOA RRSIG DNSKEY NSEC3PARAM
+3msev9usmd4br9s97v51r2tdvmr9iqo1.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. kvtFJQLY45V2qzUw8eCJFm7ncg2UkmWvHi3V0qplEy13vinf2lnF2vF+3zBm58YVwyG3n6XPvG/F7YmvLSv2BA==
+5fs5ciqjcth0tja38uv0aljqk6rcgr9e.example.	3600	IN	NSEC3	1 0 0 - 5GSGIGBJTE630TE7FTAONRHCJ2NPQEN3 NS
+5fs5ciqjcth0tja38uv0aljqk6rcgr9e.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. MjnKf6eYERaYyTHKMCKCNtxf0+dmqui868/CFtvkGYh9SFCstpRnwm+RxO5lMf+H34+UNYBAeiyEaj1Zw9YGAA==
+5gsgigbjte630te7ftaonrhcj2npqen3.example.	3600	IN	NSEC3	1 0 0 - 6DA3FE1GRLV7G901PJSLGE161PVFTBU8 NS
+5gsgigbjte630te7ftaonrhcj2npqen3.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. YxLTZJPKjx3j+TuYw6guLuQ0m+H0dmsSYWWCnbE5spLvEKuFaY8TjNl2+Lk6aAN0Kzk9+Ek/q0t2gWDvhHdNBA==
+6da3fe1grlv7g901pjslge161pvftbu8.example.	3600	IN	NSEC3	1 0 0 - BE0FOFC9NMJH1KD68OFAN3LAMHSOF2CT NS DS RRSIG
+6da3fe1grlv7g901pjslge161pvftbu8.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. SRmw39EmTSixMjcZV08NidJsVVYCktMkBjNYn0Vc6bOAFT/PJ4Qf9fxw0ZZ6x21Bd+6UBJ6vH2IpNRJsMVgbAA==
+aaaa.delegation.ent.example.	3600	IN	AAAA	2001:db8::1
+aaaa.delegation.example.	3600	IN	AAAA	2001:db8::
+aaaa.no-delegation.example.	3600	IN	AAAA	2001:db8::
+aaaa.no-delegation.example.	3600	IN	RRSIG	AAAA 15 3 3600 20231114221320 20200913122640 2835 example. qD9hkrOliY5o3BQ5k64kdS/9ViGJiEuQ6EFOlVZkYxrbIstuZXB7PbeA+5BNX5eqHjl9Wy+bZqztDXbGkoizAA==
+aaaa.occluded.existing-delegation2.example.	3600	IN	AAAA	2001:db8::
+aaaa.occluded.existing-delegation.example.	3600	IN	AAAA	2001:db8::
+a.delegation.ent.example.	3600	IN	A	192.0.2.1
+a.delegation.example.	3600	IN	A	192.0.2.0
+a.no-delegation.example.	3600	IN	A	192.0.2.0
+a.no-delegation.example.	3600	IN	RRSIG	A 15 3 3600 20231114221320 20200913122640 2835 example. 0lGi+qu1Si1rEVkL2nIHmNsDzceXgjQnjerV5Gn/Rc8sd5aIBfnYq8zi1+d4LsaWhcmCjvXQwj0ntUP/oumsAQ==
+a.occluded.existing-delegation2.example.	3600	IN	A	192.0.2.0
+a.occluded.existing-delegation.example.	3600	IN	A	192.0.2.0
+be0fofc9nmjh1kd68ofan3lamhsof2ct.example.	3600	IN	NSEC3	1 0 0 - CBHSLDD1T27N54NJE8SI3VM378NKR151 DNAME RRSIG
+be0fofc9nmjh1kd68ofan3lamhsof2ct.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. yrQFIdfaQZw2ZwJio3xZTeoCxp3G0NH51clzhzbMAOiNt1g2LcgtMsUjDu1KTehcfodp5RT9bySPY8Latg5pCQ==
+cbhsldd1t27n54nje8si3vm378nkr151.example.	3600	IN	NSEC3	1 0 0 - CFSQBMPK0MAS6PGQMFDBBQK6FM25I7AQ NS DS RRSIG
+cbhsldd1t27n54nje8si3vm378nkr151.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. 1hbVBPUIxOIvmBRRIU1Z0AMgwdx7Q4WW3mx8IE9y6qKpSl8zpxPzHp1tEElIvG7z5133+IwxI9nG8laVDWFuDA==
+cfsqbmpk0mas6pgqmfdbbqk6fm25i7aq.example.	3600	IN	NSEC3	1 0 0 - DJQ6I8ONNVI00AKFJV64CI1OIOFEL9NU A TXT AAAA DS RRSIG
+cfsqbmpk0mas6pgqmfdbbqk6fm25i7aq.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. Pr8XPal5yJ9FQ9aAzUW4rwMo6VIzsWvuHyoYKQJY2LeegJBUbFDyl0gksVlPVwzWSoOGa+X0h42cq43GmWxDBw==
+cname.delegation.example.	3600	IN	CNAME	cname-target.example.
+cname.no-delegation.example.	3600	IN	CNAME	cname-target.example.
+cname.no-delegation.example.	3600	IN	RRSIG	CNAME 15 3 3600 20231114221320 20200913122640 2835 example. iawIaRG1fs3S12yQvwt8o3fgcltdI1qQ2IO5JvuEA8TRDMWP85HAVtd1F6/qI7zL+tonox9lRLCFKWC0dhe4Cg==
+cname.occluded.existing-delegation2.example.	3600	IN	CNAME	cname-target.example.
+cname.occluded.existing-delegation.example.	3600	IN	CNAME	cname-target.example.
+delegation.ent.example.	3600	IN	A	192.0.2.0
+delegation.ent.example.	3600	IN	AAAA	2001:db8::
+delegation.ent.example.	3600	IN	DS	12345 13 253 05
+delegation.ent.example.	3600	IN	NS	ns2.example.
+delegation.ent.example.	3600	IN	RRSIG	DS 15 3 3600 20231114221320 20200913122640 2835 example. 2DGUB+2suHgLG+SfOUYCVgNTKqZ3NW5DL7KpIfhWGXOXiEx3PXkakx8tw79qOyFg8WGmppxg3Dt6MOBkzeCoAg==
+delegation.ent.example.	3600	IN	TXT	"TXT not-at/at delegation"
+delegation.example.	3600	IN	A	192.0.2.0
+delegation.example.	3600	IN	AAAA	2001:db8::
+delegation.example.	3600	IN	DS	12345 13 253 03
+delegation.example.	3600	IN	NS	ns1.example.
+delegation.example.	3600	IN	RRSIG	DS 15 2 3600 20231114221320 20200913122640 2835 example. 1oK/3Qk+TU5Dcp1RQcJSr6+BfAGb6vbJ/BNCUM4JG+8M4LaicORrpq8nIA8H6e6nD6cXzK5280+ZaSTrnsgRAg==
+delegation.example.	3600	IN	TXT	"TXT not-at/at delegation"
+djq6i8onnvi00akfjv64ci1oiofel9nu.example.	3600	IN	NSEC3	1 0 0 - E8R6DJDM0DOJ852N8R6453RRS2FPR32L
+djq6i8onnvi00akfjv64ci1oiofel9nu.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. K36tZZGoK3YBRKEmaZf1lLPUVJzUqBx4XENw/+ZK3UUrrKAW4mORcvvK9Qzv2ZV15A4bo3MixCEv17KUBQ6oCQ==
+dname.delegation.example.	3600	IN	DNAME	dname-target.example.
+dname.no-delegation.example.	3600	IN	DNAME	dname-target.example.
+dname.no-delegation.example.	3600	IN	RRSIG	DNAME 15 3 3600 20231114221320 20200913122640 2835 example. 8z7CrqiKTqkZ1fInzHR6rOM92HUtGzaN7SothyAxKaO1BMjN9sQq9fnLrX38+dcziNko0Ol+qxVRWsGHpC+NAA==
+dname.occluded.existing-delegation2.example.	3600	IN	DNAME	dname-target.example.
+dname.occluded.existing-delegation.example.	3600	IN	DNAME	dname-target.example.
+ds.delegation.example.	3600	IN	DS	12345 13 253 04
+ds-delegation.example.	3600	IN	NS	ns4.example.
+ds-no-delegation.example.	3600	IN	A	192.0.2.0
+ds-no-delegation.example.	3600	IN	AAAA	2001:db8::
+ds-no-delegation.example.	3600	IN	DS	12345 13 253 03
+ds.no-delegation.example.	3600	IN	DS	12345 13 253 04
+ds-no-delegation.example.	3600	IN	RRSIG	A 15 2 3600 20231114221320 20200913122640 2835 example. 8YQ2XoOJIZZlX3xrCv6JyL1tQb0jYOmEdLMsBfL4wFb7fIQnXTInJ1d9K7GWZl88Au8vx701NQebdM3cf3akCw==
+ds-no-delegation.example.	3600	IN	RRSIG	AAAA 15 2 3600 20231114221320 20200913122640 2835 example. BaYd3ohr5Sb0++v2H23BNQ9bbzWNipdkz9uSRv0A0cf2os4Z65bWpuEclebGtOavW7/di/8vrd9hVSWIa8NODw==
+ds-no-delegation.example.	3600	IN	RRSIG	DS 15 2 3600 20231114221320 20200913122640 2835 example. jLhnHDk06kbcr8wz+kEcrkk2F6epIb4sYVUMpqSJKCwXqSPXrwSG7pzlQVgW36Gj7TavnXfZcP1E7WVHTixjAQ==
+ds.no-delegation.example.	3600	IN	RRSIG	DS 15 3 3600 20231114221320 20200913122640 2835 example. mh8GWAVViXfTbDbUrPYqvIy7oNL0Y+5p52OalhAuWZpi92I6SkptWE5IGKpb8T1YET+kfr/xQ5UE3D9YddRCAA==
+ds-no-delegation.example.	3600	IN	RRSIG	TXT 15 2 3600 20231114221320 20200913122640 2835 example. ExqMm6PtWvEa1JP8TaduVe62v/aGb7rLzeiAa9E1KZwQfL1G6iy83AhpaGLwIuZ5Jb2cmFAkOFMy5AQsNiFBDA==
+ds-no-delegation.example.	3600	IN	TXT	"TXT not-at/at delegation"
+ds.occluded.existing-delegation2.example.	3600	IN	DS	12345 13 253 04
+ds.occluded.existing-delegation.example.	3600	IN	DS	12345 13 253 04
+e8r6djdm0doj852n8r6453rrs2fpr32l.example.	3600	IN	NSEC3	1 0 0 - ECUSFB2CQ2FLU9S3KSTEKTU2RKQ7J02I NS DS RRSIG
+e8r6djdm0doj852n8r6453rrs2fpr32l.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. VNlZiMsjCeKJv5pLnOL2Kf/DuqpDhK+n+mSqu/ARoxxE+EJTXez+R194rI1AQ6he1Gf3M0OhlI2/bEv2z2yaBQ==
+ecusfb2cq2flu9s3kstektu2rkq7j02i.example.	3600	IN	NSEC3	1 0 0 - JUR6DKS5JSEVI4KOF749OPGC8O568ED2 NS DS RRSIG
+ecusfb2cq2flu9s3kstektu2rkq7j02i.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. CgnFZgvLDwVfQg65qYhlmeYdLS6I7Ohv5yEExTMlS1i6jEuKE2VWd8R3y/8TM+NtIlpJskvJNGPREDdXqPPpBg==
+example.	3600	IN	DNSKEY	256 3 15 BnnbKMXdvQp2v+tzyvO/HxQGY8iYcJsWD4MN6fnr84Q=
+example.	3600	IN	NSEC3PARAM	1 0 0 -
+example.	3600	IN	RRSIG	DNSKEY 15 1 3600 20231114221320 20200913122640 2835 example. RMn96put9kteW8DjunEY3o0J7+MZlrC/zXVBU0h0gpFwjz9mrqo/1EvQUSO6faKaNLD2uhiJ9mg91Z1AQSq4AQ==
+example.	3600	IN	RRSIG	NSEC3PARAM 15 1 3600 20231114221320 20200913122640 2835 example. P2RB351zNKtTPLwcLl7L5JQQavx0p+EouCys04F9AVFfJS4VK2ddPLINAQIa5P7medk1bbcrHtWQEj9w41uiAg==
+example.	3600	IN	RRSIG	SOA 15 1 3600 20231114221320 20200913122640 2835 example. bBmNKlKLUZIRG8VveJE3bONbEq7DWywLm2wG2bRxLTTWXvX7IfLbb1RFogxT7fH0BIeyBde1azsA+/nAjUBiDg==
+example.	3600	IN	SOA	ns.example. hostmaster.example. 23456 3600 3600 86400 3600
+existing-delegation.example.	3600	IN	NS	ns1.example.
+jur6dks5jsevi4kof749opgc8o568ed2.example.	3600	IN	NSEC3	1 0 0 - N3MIVJM8DKLOBH7R7F4RD46CG6F4STOM CNAME RRSIG
+jur6dks5jsevi4kof749opgc8o568ed2.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. doLtgtIMeiQSGcwchrN9eBDG2aCMl3TYa5aGAmzmDnD82CbzAc+ZqUGM9qtlU0plIdDDMTpLATQDgXbzZi1GBw==
+n3mivjm8dklobh7r7f4rd46cg6f4stom.example.	3600	IN	NSEC3	1 0 0 - NK3JQ1UR0NQ9AA77LBUGIB68PK87V5E6
+n3mivjm8dklobh7r7f4rd46cg6f4stom.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. yIYvIYuD4da7lImEmHY1JmGcfzqdqEquen7PH05Zy3gVdMBKQn4WmfEN6qYNjQsJu8FbdKTgMzJNWnhTJuRJAg==
+nk3jq1ur0nq9aa77lbugib68pk87v5e6.example.	3600	IN	NSEC3	1 0 0 - OT1SVRDFK85BGA7SEEPDGMT12283DNKG A RRSIG
+nk3jq1ur0nq9aa77lbugib68pk87v5e6.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. PgoMozpVX5dx/MZnBmP3qmXa2rK5KkCGS7fAC9O8EEN2Kbne0yc7rejC6NfCIVQpo6R35QqAO3P3tBKP0EQ3Dw==
+no-delegation.example.	3600	IN	A	192.0.2.0
+no-delegation.example.	3600	IN	AAAA	2001:db8::
+no-delegation.example.	3600	IN	DS	12345 13 253 03
+no-delegation.example.	3600	IN	RRSIG	A 15 2 3600 20231114221320 20200913122640 2835 example. wWo9FrNknF99/VRPvbxa2qJN//xA3LfzTHDQnSWroU488xjLJkm4W1yVs2x3cuI44sHVy/qyk2OhwxJ3GqK6BQ==
+no-delegation.example.	3600	IN	RRSIG	AAAA 15 2 3600 20231114221320 20200913122640 2835 example. VDnKSuiuWPDHsd+xVx3wkw4RUn6haKESMUWvmjTWvey1UKJMoNxspTti4uAiIt3l6J4sSXw9ReZS35yDukPlBQ==
+no-delegation.example.	3600	IN	RRSIG	DS 15 2 3600 20231114221320 20200913122640 2835 example. 798mm2DAHdBZX/Wb+ZChWKjJwKWkgBdPXi0n6vKJ4yjE5H5jYh6Z1t46z1qWoEgpvwvyj2238dQC/ExbvLVzCA==
+no-delegation.example.	3600	IN	RRSIG	TXT 15 2 3600 20231114221320 20200913122640 2835 example. GJTHznE/4iZa9HOhakHo3f2Sc9/SAziv7xLX9+8zaE/ijYYfS2LwA6dOCBfDKYo7bIoQYpx+Ii50okkq6KbuCw==
+no-delegation.example.	3600	IN	TXT	"TXT not-at/at delegation"
+no-ds-delegation.example.	3600	IN	DS	12345 13 253 06
+no-ds-delegation.example.	3600	IN	NS	ns3.example.
+no-ds-delegation.example.	3600	IN	RRSIG	DS 15 2 3600 20231114221320 20200913122640 2835 example. pAlR5tvcLC2xQev3UkkFAJDfbjT2HlT58rEenl2Np+zmcvfIrVkVm7aw7zlQ3dpKHVj983hK0OujKnM4cwwqCg==
+occluded.existing-delegation2.example.	3600	IN	A	192.0.2.0
+occluded.existing-delegation2.example.	3600	IN	AAAA	2001:db8::
+occluded.existing-delegation2.example.	3600	IN	DS	12345 13 253 04
+occluded.existing-delegation2.example.	3600	IN	NS	ns2.example.
+occluded.existing-delegation2.example.	3600	IN	RRSIG	DS 15 3 3600 20231114221320 20200913122640 2835 example. EgsRiaTA3ldlcYp0HYGau66/4zY5PDtPL1qQdSnXRw4DJlJr87JoX/kHeGBe4nVAvJ9zyGskCLQ6njji1stWDg==
+occluded.existing-delegation2.example.	3600	IN	TXT	"TXT not-at/at delegation"
+occluded.existing-delegation.example.	3600	IN	A	192.0.2.0
+occluded.existing-delegation.example.	3600	IN	AAAA	2001:db8::
+occluded.existing-delegation.example.	3600	IN	DS	12345 13 253 04
+occluded.existing-delegation.example.	3600	IN	TXT	"TXT not-at/at delegation"
+ot1svrdfk85bga7seepdgmt12283dnkg.example.	3600	IN	NSEC3	1 0 0 - P5QI3GOVN4PKTGO5U4JIC3M7877SD2QH A TXT AAAA DS RRSIG
+ot1svrdfk85bga7seepdgmt12283dnkg.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. +5UAaqk+6nBxLlgBiAwWLNGsbs/3/iJr3F+du2hM1+MXzA11jBvKycISsf9ykM4olb3bWLpxc4cCMTdeuEBJBQ==
+p5qi3govn4pktgo5u4jic3m7877sd2qh.example.	3600	IN	NSEC3	1 0 0 - TD3GCP8Q47O18HTN3HQ26JJ9QONK7912 DS RRSIG
+p5qi3govn4pktgo5u4jic3m7877sd2qh.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. ZGQsDNtHP8NAq7bOEqdKH7mIQoo3gKBXiwUxRZDm+6rfX/WJCWscuRLIDLTglENwsiPU8KJtvFVDXRvuNrGIBQ==
+td3gcp8q47o18htn3hq26jj9qonk7912.example.	3600	IN	NSEC3	1 0 0 - VT4UA5HC3LVTIHL2FJDF45RQOPUSN9C4 TXT RRSIG
+td3gcp8q47o18htn3hq26jj9qonk7912.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. itGuMDuvjBHv7KpkFL1lISxuvcR68GbzmM+dRa3q/5XCIaTFfMR8Wh3Jko55zzg2R2uYE+UlHa/euP2nhCPsAQ==
+txt.delegation.ent.example.	3600	IN	TXT	"TXT not-below/below delegation"
+txt.delegation.example.	3600	IN	TXT	"TXT not-below/below delegation"
+txt.ent.delegation.ent.example.	3600	IN	TXT	"TXT not-below/below delegation with ENT"
+txt.ent.delegation.example.	3600	IN	TXT	"TXT not-below/below delegation iwth ENT"
+txt.ent.no-delegation.example.	3600	IN	RRSIG	TXT 15 4 3600 20231114221320 20200913122640 2835 example. NuaY3ZSeqM/WkRotfhV8MA5W4sOU+ZG4ld7+HgKc2Etb9KqSV6I7RuMO2PmJmMDNFlg4oyaoZyqmnITL+uKeBg==
+txt.ent.no-delegation.example.	3600	IN	TXT	"TXT not-below/below delegation iwth ENT"
+txt.ent.occluded.existing-delegation2.example.	3600	IN	TXT	"TXT not-below/below delegation iwth ENT"
+txt.ent.occluded.existing-delegation.example.	3600	IN	TXT	"TXT not-below/below delegation iwth ENT"
+txt.no-delegation.example.	3600	IN	RRSIG	TXT 15 3 3600 20231114221320 20200913122640 2835 example. AQsSVR9J9pGeVNFGq7TDomMd3f05i2eDcJAoTWkI2OlVD5Aqz9JPJf39YyHEuxBOBTzHQBh25oU75QE2CJcpCQ==
+txt.no-delegation.example.	3600	IN	TXT	"TXT not-below/below delegation"
+txt.occluded.existing-delegation2.example.	3600	IN	TXT	"TXT not-below/below delegation"
+txt.occluded.existing-delegation.example.	3600	IN	TXT	"TXT not-below/below delegation"
+vt4ua5hc3lvtihl2fjdf45rqopusn9c4.example.	3600	IN	NSEC3	1 0 0 - 1CHVONHFAN96LAJ6IQ4SPKBIFGASNFQU TXT RRSIG
+vt4ua5hc3lvtihl2fjdf45rqopusn9c4.example.	3600	IN	RRSIG	NSEC3 15 2 3600 20231114221320 20200913122640 2835 example. L/pZXXg3Fstz/6/s24q6fgtEMOEwB4fQrJQJIi7+kcZw6NxuNQl/hfqvlpcQSISdeZBahi61I52iONOSGO5tBw==
diff --git a/integration-tests/incremental-signing/scripts/gen-reference-output.sh b/integration-tests/incremental-signing/scripts/gen-reference-output.sh
new file mode 100755
index 00000000..bea6257f
--- /dev/null
+++ b/integration-tests/incremental-signing/scripts/gen-reference-output.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+INCEPTION=1600000000
+EXPIRATION=1700000000
+for m in nsec nsec3 nsec3-opt-out
+do
+	case "$m" in
+	nsec)
+		params=""
+	;;
+	nsec3)
+		params="-n"
+	;;
+	nsec3-opt-out)
+		params="-n -P"
+	;;
+	esac
+	for z in zones/*input2.zone
+	do
+		echo $z
+		dnst signzone -T -o example -f - -e $EXPIRATION -i $INCEPTION $params $z keys/Kexample.+015+02835 |
+			sort -u > reference-output/$(basename $z).$m.signed.sorted
+	done
+done
diff --git a/integration-tests/incremental-signing/scripts/tests.sh b/integration-tests/incremental-signing/scripts/tests.sh
new file mode 100755
index 00000000..ba4336cc
--- /dev/null
+++ b/integration-tests/incremental-signing/scripts/tests.sh
@@ -0,0 +1,53 @@
+#!/bin/sh
+set -e
+CASCADE="cargo run --bin cascade"
+KEY=$PWD/keys/Kexample.+015+02835.key
+for m in nsec3 nsec3-opt-out nsec 
+do
+	for test in 3 1 2 
+	do
+		cp zones/incremental-signing-test${test}-input1.zone example.in
+		$CASCADE zone add --source $PWD/example.in --policy $m example --import-csk-file $KEY
+		#$CASCADE zone add --source /dev/null --policy $m example --import-csk-file $KEY
+		# Wait for first version to be signed.
+		for i in 1 2 3 4 5 6 7 8 9 10
+		do
+		    dig @127.0.0.1 -p 8053 example soa |
+			grep 12345  && break
+		    echo first version is not signed yet, sleeping
+		    sleep 1
+		done
+		dig @127.0.0.1 -p 8053 example soa |
+		    grep 12345 ||
+			{
+			    echo first version is not signed yet, giving up
+			    exit 1
+			}
+		cp zones/incremental-signing-test${test}-input2.zone example.in
+		$CASCADE zone reload example
+		for i in 1 2 3 4 5 6 7 8 9 10
+		do
+		    dig @127.0.0.1 -p 8053 example soa |
+			grep 12345  && break
+		    echo second version is not signed yet, sleeping
+		    sleep 1
+		done
+		dig @127.0.0.1 -p 8053 example soa |
+		    grep 23456 ||
+			{
+			    echo second version is not signed yet, giving up
+			    exit 1
+			}
+
+		# XXX A bug in Cascade causes records that are not
+		# authorititative to fall out. For now, filter those from
+		# the reference output to be able to do more testing.
+		grep -v '^[^ 	]*.not-auth.example.' reference-output/incremental-signing-test${test}-input2.zone.${m}.signed.sorted >reference-output.filtered
+		dig @127.0.0.1 -p 8053 example axfr |
+		    egrep -v '^;|^$' | sort -u |
+		    diff -w -u - reference-output.filtered
+		echo "OK - XXX test was modifed to deal with bugs in Cascade!"
+		$CASCADE zone remove example
+		$CASCADE zone status example || true
+	done
+done
diff --git a/integration-tests/incremental-signing/zones/incremental-signing-test1-input1.zone b/integration-tests/incremental-signing/zones/incremental-signing-test1-input1.zone
new file mode 100644
index 00000000..556de035
--- /dev/null
+++ b/integration-tests/incremental-signing/zones/incremental-signing-test1-input1.zone
@@ -0,0 +1,48 @@
+; Test 1 -- Check diff creation
+
+; Set the serial number of the first version to 12345. Use the 'keep' serial
+; policy to make it easy to check when the first version has been signed.
+@ IN SOA ns hostmaster 12345 3600 3600 86400 3600
+
+; Test for diff generation. This is not DNSSEC specific, it can also be used
+; to test IXFR.
+
+; A collection of RRsets that will be modified.
+cname.modify		CNAME	cname-target
+dname.modify		DNAME	dname-target
+a.modify		A	192.0.2.0
+aaaa.modify		AAAA	2001:db8::
+txt.modify		TXT	"Original zone"
+
+; A delegation to be able to create RRsets that are not authoritative in this
+; zone.
+not-auth		NS	ns
+
+; A collection of non-authoritative RRsets that will be modified.
+cname.modify.not-auth	CNAME	cname-target
+dname.modify.not-auth	DNAME	dname-target
+a.modify.not-auth	A	192.0.2.0
+aaaa.modify.not-auth	AAAA	2001:db8::
+txt.modify.not-auth	TXT	"Original zone"
+
+; A delegation that obtains a DS RRset.
+delegation1		NS	ns
+
+; Existing ENTs to be converted to NTs.
+txt.ent2nt		TXT	"ENT to become NT"
+txt.ent2nt.not-auth	TXT	"ENT to become NT"
+
+; Add just a DS record
+
+; Create a new ENTs
+
+; Names that get deleted.
+one.delete		A	192.0.2.1
+two.delete		A	192.0.2.2
+two.delete		AAAA	2001:db8::2
+one.delete.not-auth	A	192.0.2.1
+two.delete.not-auth	A	192.0.2.2
+two.delete.not-auth	AAAA	2001:db8::2
+delegation1.delete	NS	ns
+delegation2.delete	NS	ns
+non-auth.delegation2.delete A	192.0.2.3
diff --git a/integration-tests/incremental-signing/zones/incremental-signing-test1-input2.zone b/integration-tests/incremental-signing/zones/incremental-signing-test1-input2.zone
new file mode 100644
index 00000000..a56d52b0
--- /dev/null
+++ b/integration-tests/incremental-signing/zones/incremental-signing-test1-input2.zone
@@ -0,0 +1,53 @@
+; Test 1 -- Check diff creation
+
+; Set the serial number of the second version to 23456.
+@ IN SOA ns hostmaster 23456 3600 3600 86400 3600
+
+; Test for diff generation. This is not DNSSEC specific, it can also be used
+; to test IXFR.
+
+; A collection of RRsets that will be modified.
+cname.modify            CNAME   cname-target2
+dname.modify            DNAME   dname-target2
+a.modify                A       192.0.2.1
+aaaa.modify             AAAA    2001:db8::1
+txt.modify              TXT     "Modified zone"
+
+; A delegation to be able to create RRsets that are not authoritative in this
+; zone.
+not-auth		NS	ns
+
+; A collection of non-authoritative RRsets that will be modified.
+cname.modify.not-auth   CNAME   cname-target2
+dname.modify.not-auth   DNAME   dname-target2
+a.modify.not-auth       A       192.0.2.1
+aaaa.modify.not-auth    AAAA    2001:db8::1
+txt.modify.not-auth     TXT     "Modified zone"
+
+; Add a new record at APEX.
+@			TXT	"New apex record"
+
+; A delegation that obtains a DS RRset.
+delegation1		NS	ns
+
+; Add DS record to an existing delegation.
+delegation1		DS	12345 13 253 00
+
+; Existing ENTs to be converted to NTs.
+ent2nt			TXT     "was ENT, now NT"
+txt.ent2nt		TXT	"ENT to become NT"
+ent2nt.not-auth		TXT     "was ENT, now NT"
+txt.ent2nt.not-auth	TXT	"ENT to become NT"
+
+; XXX The following NS record need to be removed when Cascade gets support for
+; a standalone DS.
+ds.new-ent		NS	ns
+
+; Add just a DS record
+ds.new-ent		DS	12345 13 253 01
+
+; Create a new ENTs
+txt.new-ent		TXT	"New authoritative ENT"
+txt.new-ent.not-auth	TXT	"New not authoritative ENT"
+
+; Names that get deleted.
diff --git a/integration-tests/incremental-signing/zones/incremental-signing-test2-input1.zone b/integration-tests/incremental-signing/zones/incremental-signing-test2-input1.zone
new file mode 100644
index 00000000..49b35adf
--- /dev/null
+++ b/integration-tests/incremental-signing/zones/incremental-signing-test2-input1.zone
@@ -0,0 +1,54 @@
+; Test 2 -- Test adding new names.
+
+; Set the serial number of the first version to 12345. Use the 'keep' serial
+; policy to make it easy to check when the first version has been signed.
+@ IN SOA ns hostmaster 12345 3600 3600 86400 3600
+
+; Test incremental signing for new RRsets.
+
+; Add non-NS RRset
+
+; Delegation without DS.
+; A delegation will be added later.
+cname.delegation	CNAME	cname-target
+dname.delegation	DNAME	dname-target
+a.delegation		A	192.0.2.0
+aaaa.delegation		AAAA	2001:db8::
+txt.delegation		TXT	"TXT not-below/below delegation"
+; XXX Cascade cannot handle a DS without NS.
+; ds.delegation		DS	12345 13 253 02
+txt.ent.delegation	TXT	"TXT not-below/below delegation with ENT"
+
+; Delegation with DS.
+; A delegation with DS will be added later.
+a.ds-delegation		A	192.0.2.1
+aaaa.ds-delegation	AAAA	2001:db8::1
+txt.ds-delegation	TXT	"TXT not-below/below delegation"
+txt.ent.ds-delegation	TXT	"TXT not-below/below delegation with ENT"
+
+; A delegation below an ENT.
+; A delegation will be added later.
+a.delegation.ent	A	192.0.2.1
+aaaa.delegation.ent	AAAA	2001:db8::1
+txt.delegation.ent	TXT	"TXT not-below/below delegation"
+txt.ent.delegation.ent	TXT	"TXT not-below/below delegation with ENT"
+
+; Test adding an NS record that is occluded by another NS record.
+; Add DS as well. Do we need to test without DS?
+existing-delegation		NS	ns1
+
+; Test adding an NS record that now occludes an existing NS record.
+; Have a DS record with the to be occluded NS record as well.
+to-be-occluded.new-delegation	NS	ns4
+to-be-occluded.new-delegation	DS	12345 13 253 05
+
+; For NSEC add a new last entry in the NSEC chain.
+
+; Test adding a new first NSEC3 record.
+
+; Test adding a new last NSEC3 record.
+
+; Test adding a name with the same name as the NSEC3 record for apex.
+; The NSEC3 name that corresponds to example. is
+; 3msev9usmd4br9s97v51r2tdvmr9iqo1.example.
+
diff --git a/integration-tests/incremental-signing/zones/incremental-signing-test2-input2.zone b/integration-tests/incremental-signing/zones/incremental-signing-test2-input2.zone
new file mode 100644
index 00000000..4204522f
--- /dev/null
+++ b/integration-tests/incremental-signing/zones/incremental-signing-test2-input2.zone
@@ -0,0 +1,65 @@
+; Test 2 -- Test adding new names.
+
+; Set the serial number of the second version to 23456.
+@ IN SOA ns hostmaster 23456 3600 3600 86400 3600
+
+; Test incremental signing for new RRsets.
+
+; Add non-NS RRset
+txt.add		TXT	"New name and RRset"
+txt.ent.add	TXT	"New name and RRset with ENT"
+
+; Delegation without DS.
+delegation		NS	ns1
+cname.delegation	CNAME	cname-target
+dname.delegation	DNAME	dname-target
+a.delegation		A	192.0.2.0
+aaaa.delegation		AAAA	2001:db8::
+txt.delegation		TXT	"TXT not-below/below delegation"
+; XXX Cascade cannot handle a DS without NS.
+; ds.delegation		DS	12345 13 253 02
+txt.ent.delegation	TXT	"TXT not-below/below delegation with ENT"
+
+; Delegation with DS.
+delegation-ds		NS	ns2
+delegation-ds		DS	12345 13 253 03
+a.ds-delegation		A	192.0.2.1
+aaaa.ds-delegation	AAAA	2001:db8::1
+txt.ds-delegation	TXT	"TXT not-below/below delegation"
+txt.ent.ds-delegation	TXT	"TXT not-below/below delegation with ENT"
+
+; A delegation below an ENT.
+delegation.ent		NS	ns3
+a.delegation.ent	A	192.0.2.1
+aaaa.delegation.ent	AAAA	2001:db8::1
+txt.delegation.ent	TXT	"TXT not-below/below delegation"
+txt.ent.delegation.ent	TXT	"TXT not-below/below delegation with ENT"
+
+; Test adding an NS record that is occluded by another NS record.
+; Add DS as well. Do we need to test without DS?
+existing-delegation		NS	ns1
+occluded.existing-delegation	NS	ns2
+occluded.existing-delegation	DS	12345 13 253 04
+
+; Test adding an NS record that now occludes an existing NS record.
+; Have a DS record with the to be occluded NS record as well.
+new-delegation			NS	ns3
+to-be-occluded.new-delegation	NS	ns4
+to-be-occluded.new-delegation	DS	12345 13 253 05
+
+; For NSEC add a new last entry in the NSEC chain.
+zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz	TXT "Last"
+
+; Test adding a new first NSEC3 record.
+; hash 000000kqrttushp6q101dur3od76sjl5
+qitpxpm			TXT	"new first NSEC3 hash"
+
+; Test adding a new last NSEC3 record.
+; hash vvvvvv7jibehndfrstrr0nq4tcs5n69s
+syogkgc			TXT	"new last NSEC3 hash"
+
+; Test adding a name with the same name as the NSEC3 record for apex.
+; The NSEC3 name that corresponds to example. is
+; 3msev9usmd4br9s97v51r2tdvmr9iqo1.example.
+3msev9usmd4br9s97v51r2tdvmr9iqo1.example.	TXT "At NSEC3 name"
+
diff --git a/integration-tests/incremental-signing/zones/incremental-signing-test3-input1.zone b/integration-tests/incremental-signing/zones/incremental-signing-test3-input1.zone
new file mode 100644
index 00000000..ea34fdbb
--- /dev/null
+++ b/integration-tests/incremental-signing/zones/incremental-signing-test3-input1.zone
@@ -0,0 +1,111 @@
+; Test3 -- existing names.
+
+; Set the serial number of the first version to 12345. Use the 'keep' serial
+; policy to make it easy to check when the first version has been signed.
+@ IN SOA ns hostmaster 12345 3600 3600 86400 3600
+
+; Test incremental signing for new RRsets.
+
+; A delegation will be added later. Force the name to exist.
+delegation		A	192.0.2.0
+delegation		AAAA	2001:db8::
+delegation		TXT	"TXT not-at/at delegation"
+delegation		DS	12345 13 253 03
+cname.delegation	CNAME	cname-target
+dname.delegation	DNAME	dname-target
+a.delegation		A	192.0.2.0
+aaaa.delegation		AAAA	2001:db8::
+txt.delegation		TXT	"TXT not-below/below delegation"
+ds.delegation		DS	12345 13 253 04
+txt.ent.delegation	TXT	"TXT not-below/below delegation iwth ENT"
+
+; A delegation belown an ENT will be added later. Force the name to exist.
+delegation.ent		A	192.0.2.0
+delegation.ent		AAAA	2001:db8::
+delegation.ent		TXT	"TXT not-at/at delegation"
+delegation.ent		DS	12345 13 253 05
+a.delegation.ent	A	192.0.2.1
+aaaa.delegation.ent	AAAA	2001:db8::1
+txt.delegation.ent	TXT	"TXT not-below/below delegation"
+txt.ent.delegation.ent	TXT	"TXT not-below/below delegation with ENT"
+
+; A delegation. DS will be added later.
+no-ds-delegation	NS	ns3
+
+; A delegation with DS. DS will be removed later.
+ds-delegation		NS	ns4
+ds-delegation		DS      12345 13 253 07
+
+; The delegation will be removed later.
+no-delegation		NS	ns5
+no-delegation		A	192.0.2.0
+no-delegation		AAAA	2001:db8::
+no-delegation		TXT	"TXT not-at/at delegation"
+no-delegation		DS	12345 13 253 03
+cname.no-delegation	CNAME	cname-target
+dname.no-delegation	DNAME	dname-target
+a.no-delegation		A	192.0.2.0
+aaaa.no-delegation	AAAA	2001:db8::
+txt.no-delegation	TXT	"TXT not-below/below delegation"
+ds.no-delegation	DS	12345 13 253 04
+txt.ent.no-delegation	TXT	"TXT not-below/below delegation iwth ENT"
+
+; The delegation will be removed later. With DS
+ds-no-delegation	NS	ns5
+ds-no-delegation	A	192.0.2.0
+ds-no-delegation	AAAA	2001:db8::
+ds-no-delegation	TXT	"TXT not-at/at delegation"
+ds-no-delegation	DS	12345 13 253 03
+
+; Name to be removed.
+txt-remove		TXT	"Name to be removed"
+txt-remove.ent		TXT	"Name to be removed with ENT"
+
+; Test removing the first NSEC3 record.
+; hash 000000kqrttushp6q101dur3od76sjl5
+qitpxpm			TXT	"first NSEC3 hash"
+
+; Test removing the last NSEC3 record.
+; hash vvvvvv7jibehndfrstrr0nq4tcs5n69s
+syogkgc			TXT	"last NSEC3 hash"
+
+; Test removing a name with the same name as the NSEC3 record for apex.
+; The NSEC3 name that corresponds to example. is
+; 3msev9usmd4br9s97v51r2tdvmr9iqo1.example.
+3msev9usmd4br9s97v51r2tdvmr9iqo1.example.	TXT "At NSEC3 name"
+
+; Test removing an NS record that is occluded by another NS record.
+; Add DS as well. Add other records at the same name and below.
+existing-delegation			NS	ns1
+occluded.existing-delegation		NS	ns2
+occluded.existing-delegation		DS	12345 13 253 04
+occluded.existing-delegation		A	192.0.2.0
+occluded.existing-delegation		AAAA	2001:db8::
+occluded.existing-delegation		TXT	"TXT not-at/at delegation"
+cname.occluded.existing-delegation	CNAME	cname-target
+dname.occluded.existing-delegation	DNAME	dname-target
+a.occluded.existing-delegation		A	192.0.2.0
+aaaa.occluded.existing-delegation	AAAA	2001:db8::
+txt.occluded.existing-delegation	TXT	"TXT not-below/below delegation"
+ds.occluded.existing-delegation		DS	12345 13 253 04
+txt.ent.occluded.existing-delegation	TXT	"TXT not-below/below delegation iwth ENT"
+
+; Test removing an NS record that occluded another NS record.
+; Have a DS record and other records the occluded NS record as well.
+; And other record below.
+existing-delegation2			NS	ns1
+occluded.existing-delegation2		NS	ns2
+occluded.existing-delegation2		DS	12345 13 253 04
+occluded.existing-delegation2		A	192.0.2.0
+occluded.existing-delegation2		AAAA	2001:db8::
+occluded.existing-delegation2		TXT	"TXT not-at/at delegation"
+cname.occluded.existing-delegation2	CNAME	cname-target
+dname.occluded.existing-delegation2	DNAME	dname-target
+a.occluded.existing-delegation2		A	192.0.2.0
+aaaa.occluded.existing-delegation2	AAAA	2001:db8::
+txt.occluded.existing-delegation2	TXT	"TXT not-below/below delegation"
+ds.occluded.existing-delegation2	DS	12345 13 253 04
+txt.ent.occluded.existing-delegation2	TXT	"TXT not-below/below delegation iwth ENT"
+
+; For NSEC remove the last entry in the NSEC chain.
+zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz	TXT "Last"
diff --git a/integration-tests/incremental-signing/zones/incremental-signing-test3-input2.zone b/integration-tests/incremental-signing/zones/incremental-signing-test3-input2.zone
new file mode 100644
index 00000000..ea43c374
--- /dev/null
+++ b/integration-tests/incremental-signing/zones/incremental-signing-test3-input2.zone
@@ -0,0 +1,103 @@
+; Test3 -- existing names.
+
+; Set the serial number of the second version to 23456.
+@ IN SOA ns hostmaster 23456 3600 3600 86400 3600
+
+; Test incremental signing for new RRsets.
+
+; A delegation will be added later. Force the name to exist.
+; Add NS to delegation.
+delegation		NS	ns1
+delegation		A	192.0.2.0
+delegation		AAAA	2001:db8::
+delegation		TXT	"TXT not-at/at delegation"
+delegation		DS	12345 13 253 03
+cname.delegation	CNAME	cname-target
+dname.delegation	DNAME	dname-target
+a.delegation		A	192.0.2.0
+aaaa.delegation		AAAA	2001:db8::
+txt.delegation		TXT	"TXT not-below/below delegation"
+ds.delegation		DS	12345 13 253 04
+txt.ent.delegation	TXT	"TXT not-below/below delegation iwth ENT"
+
+; A delegation belown an ENT will be added later. Force the name to exist.
+; Add NS to delegation.ent.
+delegation.ent		NS	ns2
+delegation.ent		A	192.0.2.0
+delegation.ent		AAAA	2001:db8::
+delegation.ent		TXT	"TXT not-at/at delegation"
+delegation.ent		DS	12345 13 253 05
+a.delegation.ent	A	192.0.2.1
+aaaa.delegation.ent	AAAA	2001:db8::1
+txt.delegation.ent	TXT	"TXT not-below/below delegation"
+txt.ent.delegation.ent	TXT	"TXT not-below/below delegation with ENT"
+
+; A delegation. DS will be added later.
+no-ds-delegation	NS	ns3
+; Add DS to delegation.
+no-ds-delegation	DS	12345 13 253 06
+
+; A delegation with DS. DS will be removed later.
+ds-delegation		NS	ns4
+; DS removed.
+
+; The delegation will be removed later.
+; The delegation is removed.
+no-delegation		A	192.0.2.0
+no-delegation		AAAA	2001:db8::
+no-delegation		TXT	"TXT not-at/at delegation"
+no-delegation		DS	12345 13 253 03
+cname.no-delegation	CNAME	cname-target
+dname.no-delegation	DNAME	dname-target
+a.no-delegation		A	192.0.2.0
+aaaa.no-delegation	AAAA	2001:db8::
+txt.no-delegation	TXT	"TXT not-below/below delegation"
+ds.no-delegation	DS	12345 13 253 04
+txt.ent.no-delegation	TXT	"TXT not-below/below delegation iwth ENT"
+
+; The delegation will be removed later. With DS
+; The delegation is removed.
+ds-no-delegation	A	192.0.2.0
+ds-no-delegation	AAAA	2001:db8::
+ds-no-delegation	TXT	"TXT not-at/at delegation"
+ds-no-delegation	DS	12345 13 253 03
+
+; Name to be removed.
+
+; Test removing the first NSEC3 record.
+
+; Test removing the last NSEC3 record.
+
+; Test removing a name with the same name as the NSEC3 record for apex.
+
+; Test removing an NS record that is occluded by another NS record.
+existing-delegation			NS	ns1
+; Occluded delegation removed.
+occluded.existing-delegation		DS	12345 13 253 04
+occluded.existing-delegation		A	192.0.2.0
+occluded.existing-delegation		AAAA	2001:db8::
+occluded.existing-delegation		TXT	"TXT not-at/at delegation"
+cname.occluded.existing-delegation	CNAME	cname-target
+dname.occluded.existing-delegation	DNAME	dname-target
+a.occluded.existing-delegation		A	192.0.2.0
+aaaa.occluded.existing-delegation	AAAA	2001:db8::
+txt.occluded.existing-delegation	TXT	"TXT not-below/below delegation"
+ds.occluded.existing-delegation		DS	12345 13 253 04
+txt.ent.occluded.existing-delegation	TXT	"TXT not-below/below delegation iwth ENT"
+
+; Test removing an NS record that occluded another NS record.
+; Delegation removed.
+occluded.existing-delegation2		NS	ns2
+occluded.existing-delegation2		DS	12345 13 253 04
+occluded.existing-delegation2		A	192.0.2.0
+occluded.existing-delegation2		AAAA	2001:db8::
+occluded.existing-delegation2		TXT	"TXT not-at/at delegation"
+cname.occluded.existing-delegation2	CNAME	cname-target
+dname.occluded.existing-delegation2	DNAME	dname-target
+a.occluded.existing-delegation2		A	192.0.2.0
+aaaa.occluded.existing-delegation2	AAAA	2001:db8::
+txt.occluded.existing-delegation2	TXT	"TXT not-below/below delegation"
+ds.occluded.existing-delegation2	DS	12345 13 253 04
+txt.ent.occluded.existing-delegation2	TXT	"TXT not-below/below delegation iwth ENT"
+
+; For NSEC remove the last entry in the NSEC chain.
diff --git a/scripts/manage-test-environment.sh b/scripts/manage-test-environment.sh
index c0170df7..3b2f1359 100755
--- a/scripts/manage-test-environment.sh
+++ b/scripts/manage-test-environment.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
 # Log every action taken or command run
-# set -x
+set -x
 # Exit the script if any command errors
 set -e
 # Return an error for a pipeline if any command of the pipeline fails and not
@@ -354,7 +354,7 @@ EOF
 
 function setup-services() {
   sudo apt update
-  sudo apt install bind9 nsd unbound
+  sudo apt install -y bind9 nsd unbound
 
   generate-configuration
 }
@@ -381,7 +381,7 @@ function start-services() {
     # logfile in the working directory. -L only changes the logging from syslog
     # to a logfile.
     cd "${_nameserver_base_dir}/bind"
-    named -c "${_nameserver_base_dir}/bind.conf" -d 1 -L "${_nameserver_base_dir}/bind.log"
+    #named -c "${_nameserver_base_dir}/bind.conf" -d 1 -L "${_nameserver_base_dir}/bind.log"
   )
   nsd -c "${_nameserver_base_dir}/nsd.conf"
   nsd -c "${_nameserver_base_dir}/nsd-primary.conf"
@@ -412,8 +412,8 @@ function test-services() {
     log-error ">> Unbound status:"
     sudo unbound-control -c "${_nameserver_base_dir}/unbound.conf" status
     log-error
-    log-error ">> dig test SOA:"
-    dig test SOA
+    #log-error ">> dig test SOA:"
+    #dig test SOA
   )
 }
 
diff --git a/src/units/key_manager.rs b/src/units/key_manager.rs
index f0ab7f00..f0d86af2 100644
--- a/src/units/key_manager.rs
+++ b/src/units/key_manager.rs
@@ -12,9 +12,11 @@ use core::time::Duration;
 use domain::base::iana::Class;
 use domain::base::Name;
 use domain::dnssec::sign::keys::keyset::{KeySet, UnixTime};
+use domain::rdata::dnssec::Timestamp;
 use domain::zonetree::StoredName;
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
+use std::env::{var, VarError};
 use std::ffi::OsStr;
 use std::fmt::Formatter;
 use std::fs::{metadata, File, OpenOptions};
@@ -42,6 +44,18 @@ impl KeyManager {
             ks_info: Default::default(),
         });
 
+        let faketime = match var("CASCADE_FAKETIME") {
+            Ok(val) => {
+                let timestamp = val
+                    .parse::<Timestamp>()
+                    .map_err(|e| panic!("cannot parse {e} as u32"))
+                    .expect("should not fail");
+                Some(timestamp.into())
+            }
+            Err(VarError::NotPresent) => None,
+            Err(e) => panic!("unable to look up CASCADE_FAKETIME: {e}"),
+        };
+
         // Perform periodic ticks in the background.
         tokio::task::spawn({
             let this = this.clone();
@@ -50,7 +64,7 @@ impl KeyManager {
                 interval.set_missed_tick_behavior(tokio::time::MissedTickBehavior::Skip);
                 loop {
                     interval.tick().await;
-                    this.tick().await;
+                    this.tick(faketime.clone()).await;
                 }
             }
         });
@@ -359,11 +373,25 @@ impl KeyManager {
 
         // Pass `set` and `import` commands to `dnst keyset`.
         let config_commands = imports_to_commands(key_imports).into_iter().chain(
-            policy_to_commands(&policy.latest).into_iter().map(|v| {
-                let mut final_cmd = vec!["set".into()];
-                final_cmd.extend(v);
-                final_cmd
-            }),
+            policy_to_commands(&policy.latest)
+                .into_iter()
+                .chain({
+                    let faketime_cmd = match var("CASCADE_FAKETIME") {
+                        Ok(val) => vec![vec!["fake-time".to_string(), val]],
+                        Err(VarError::NotPresent) => vec![],
+                        Err(e) => {
+                            return Err(ZoneAddError::Other(format!(
+                                "unable to lookup CASCADE_FAKETIME: {e}"
+                            )))
+                        }
+                    };
+                    faketime_cmd
+                })
+                .map(|v| {
+                    let mut final_cmd = vec!["set".into()];
+                    final_cmd.extend(v);
+                    final_cmd
+                }),
         );
 
         for c in config_commands {
@@ -402,7 +430,7 @@ impl KeyManager {
         )
     }
 
-    async fn tick(&self) {
+    async fn tick(&self, faketime: Option<UnixTime>) {
         let zone_tree = &self.center.unsigned_zones;
         let Ok(mut ks_info) = self.ks_info.try_lock() else {
             // An existing call to tick() is still busy, don't do anything.
@@ -463,7 +491,7 @@ impl KeyManager {
                 continue;
             };
 
-            if *cron_next < UnixTime::now() {
+            if *cron_next < faketime.clone().unwrap_or(UnixTime::now()) {
                 // Note: The call to keyset cron can take a long time if
                 // keyset times out trying to contact nameservers. This will
                 // block the loop so we won't check the keyset state for the
diff --git a/src/units/zone_signer.rs b/src/units/zone_signer.rs
index 01f38c2f..ee47151a 100644
--- a/src/units/zone_signer.rs
+++ b/src/units/zone_signer.rs
@@ -1,5 +1,6 @@
 use std::cmp::{min, Ordering};
 use std::collections::{HashMap, VecDeque};
+use std::env::{var, VarError};
 use std::ops::Range;
 use std::path::{Path, PathBuf};
 use std::sync::Arc;
@@ -540,7 +541,7 @@ impl ZoneSigner {
             let zone_state = zone.state.lock().unwrap();
             zone_state.policy.clone()
         };
-        let signing_config = self.signing_config(&policy.unwrap());
+        let signing_config = self.signing_config(&policy.unwrap())?;
         let rrsig_cfg =
             GenerateRrsigConfig::new(signing_config.inception, signing_config.expiration);
 
@@ -1095,7 +1096,10 @@ impl ZoneSigner {
             })
     }
 
-    fn signing_config(&self, policy: &PolicyVersion) -> SigningConfig<Bytes, MultiThreadedSorter> {
+    fn signing_config(
+        &self,
+        policy: &PolicyVersion,
+    ) -> Result<SigningConfig<Bytes, MultiThreadedSorter>, SignerError> {
         let denial = match &policy.signer.denial {
             SignerDenialPolicy::NSec => DenialConfig::Nsec(Default::default()),
             SignerDenialPolicy::NSec3 { opt_out } => {
@@ -1104,10 +1108,20 @@ impl ZoneSigner {
             }
         };
 
-        let now = Timestamp::now().into_int();
+        let now = match var("CASCADE_FAKETIME") {
+            Ok(val) => val
+                .parse::<u32>()
+                .map_err(|e| SignerError::InternalError(format!("cannot parse {e} as u32")))?,
+            Err(VarError::NotPresent) => Timestamp::now().into_int(),
+            Err(e) => return Err(SignerError::InternalError(e.to_string())),
+        };
         let inception = now.wrapping_sub(policy.signer.sig_inception_offset);
         let expiration = now.wrapping_add(policy.signer.sig_validity_time);
-        SigningConfig::new(denial, inception.into(), expiration.into())
+        Ok(SigningConfig::new(
+            denial,
+            inception.into(),
+            expiration.into(),
+        ))
     }
 
     fn next_resign_time(&self) -> Option<Instant> {