There is a bug related to the issues in LDNS 1.6.14 and LDNS 1.6.15 (relates to
OPENDNSSEC-361 reported and closed earlier today).
If nsecify fails, the zone gets published nevertheless. In the case reported in
OPENDNSSEC-361 this meant that a zone was published with a new NSEC3 salt value but with the old NSEC3 chain in it, resulting in validation failures.
The fix is easy: zone publication should not progress if nsecify fails and a failure condition should be reported.