The NSEC3PARAM is left in memory and records here and there after switching from NSEC3 to NSEC. It will also corrupt the backup file since NSEC3PARAM is invalid for NSEC.
replicate:
switch to nsec3
sign
switch to nsec
sign
grep NSEC3PARAM signed-file
RRSIG for the NSEC3PARAM is left in the backup zone and makes it corrupt
se. 7200 IN RRSIG NSEC3PARAM 5 1 7200 20111017135854 20111005090501 31590 se. TenDonxODs2Vybw9WUJe3tL1kQAOxkXsPxpXtykUwVWZ+IO+SXDz1yLHwU5ITWSHKkjJPpxZlHF9lF0t6PMmXp9jn4KKowEfOZCmv/Rl6TZJYej9mm9tvErIs9r56XxNkvbpfa6fDqTZlvRO/xscv4ks7ulItKlGDVpJH5/z+KU= ;
{id = 31590}NSEC3PARAM is left in the NSEC
se. 7200 IN NSEC 0-0-0.se. NS SOA TXT RRSIG NSEC DNSKEY NSEC3PARAM