Hi, I've been wondering, why the OpenDNSSEC signer produces NSEC3 records for every unsigned delegation, although my denial policy has the <OptOut/> option set. Currently, it generates NSEC3 records without the Opt-Out flag set for each and every delegation. Is the signer working as intended or am I probably missing something...? Cheers, Antti