diff --git a/ChangeLog b/ChangeLog
index 9090248..b39aec2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2006-08-31  David Blacka  <davidb@fury.blacka.com>
+
+	* Modified jdnssec-signzone to set the ttls of NSEC3 records (so
+	far) to the SOA minimum value.
+
+	* Add NSEC3PARAM support for compatibility with the -07 NSEC3
+	draft.
+
 2006-05-24  David Blacka  <davidb@verisignlabs.com>
 
 	* Add some error checking for the NSEC3 command line parameters
diff --git a/src/com/verisignlabs/dnssec/cl/SignZone.java b/src/com/verisignlabs/dnssec/cl/SignZone.java
index a9ec6f6..01ccdc5 100644
--- a/src/com/verisignlabs/dnssec/cl/SignZone.java
+++ b/src/com/verisignlabs/dnssec/cl/SignZone.java
@@ -811,7 +811,7 @@ public class SignZone
       List includedNames, byte[] salt, int iterations, int ds_digest_id)
       throws IOException, GeneralSecurityException
   {
-    // Remove any existing DNSSEC records (NSEC, NSEC3, RRSIG)
+    // Remove any existing DNSSEC records (NSEC, NSEC3, NSEC3PARAM, RRSIG)
     SignUtils.removeGeneratedRecords(zonename, records);
 
     // Sort the zone
diff --git a/src/com/verisignlabs/dnssec/security/SignUtils.java b/src/com/verisignlabs/dnssec/security/SignUtils.java
index 726a6bc..efc822e 100644
--- a/src/com/verisignlabs/dnssec/security/SignUtils.java
+++ b/src/com/verisignlabs/dnssec/security/SignUtils.java
@@ -517,7 +517,7 @@ public class SignUtils
       this.hasOptInSpan = false;
       addType(type);
     }
-
+    
     public void addType(int type)
     {
       this.typemap.add(new Integer(type));
@@ -653,6 +653,9 @@ public class SignUtils
     // For detecting glue.
     Name last_cut = null;
 
+    long nsec3_ttl = 0;
+    long nsec3param_ttl = 0;
+
     for (Iterator i = records.iterator(); i.hasNext();)
     {
       Record r = (Record) i.next();
@@ -668,6 +671,13 @@ public class SignUtils
       // note our last delegation point so we can recognize glue.
       if (r_sectype == RR_DELEGATION) last_cut = r_name;
 
+      if (r_type == Type.SOA)
+      {
+        SOARecord soa = (SOARecord) r;
+        nsec3_ttl = soa.getMinimum();
+        nsec3param_ttl = soa.getTTL();
+      }
+
       // For the first iteration, we create our current node.
       if (current_node == null)
       {
@@ -710,7 +720,7 @@ public class SignUtils
         false,
         proto_nsec3s);
 
-    List nsec3s = finishNSEC3s(proto_nsec3s);
+    List nsec3s = finishNSEC3s(proto_nsec3s, nsec3_ttl);
     // DEBUG
     // for (Iterator i = nsec3s.iterator(); i.hasNext();)
     // {
@@ -719,6 +729,11 @@ public class SignUtils
     // + base16.toString(nsec3.rdataToWireCanonical()));
     // }
     records.addAll(nsec3s);
+
+    NSEC3PARAMRecord nsec3param = new NSEC3PARAMRecord(zonename, DClass.IN,
+        nsec3param_ttl, NSEC3Record.SHA1_DIGEST_ID, iterations, salt);
+    records.add(nsec3param);
+
   }
 
   public static void generateOptOutNSEC3Records(Name zonename, List records,
@@ -731,6 +746,9 @@ public class SignUtils
     // For detecting glue.
     Name last_cut = null;
 
+    long nsec3_ttl = 0;
+    long nsec3param_ttl = 0;
+
     HashSet includeSet = null;
     if (includedNames != null)
     {
@@ -752,6 +770,13 @@ public class SignUtils
       // note our last delegation point so we can recognize glue.
       if (r_sectype == RR_DELEGATION) last_cut = r_name;
 
+      if (r_type == Type.SOA)
+      {
+        SOARecord soa = (SOARecord) r;
+        nsec3_ttl = soa.getMinimum();
+        nsec3param_ttl = soa.getTTL();
+      }
+
       // For the first iteration, we create our current node.
       if (current_node == null)
       {
@@ -807,8 +832,12 @@ public class SignUtils
         true,
         proto_nsec3s);
 
-    List nsec3s = finishNSEC3s(proto_nsec3s);
+    List nsec3s = finishNSEC3s(proto_nsec3s, nsec3_ttl);
     records.addAll(nsec3s);
+
+    NSEC3PARAMRecord nsec3param = new NSEC3PARAMRecord(zonename, DClass.IN,
+        nsec3param_ttl, NSEC3Record.SHA1_DIGEST_ID, iterations, salt);
+    records.add(nsec3param);
   }
 
   private static void generateNSEC3ForNode(NodeInfo node, Name zonename,
@@ -820,6 +849,7 @@ public class SignUtils
 
     // Add our default types.
     node.addType(Type.RRSIG);
+    if (node.name.equals(zonename)) node.addType(Type.NSEC3PARAM);
 
     // Check for ENTs -- note this will generate duplicate ENTs because it
     // doesn't use any context.
@@ -864,7 +894,7 @@ public class SignUtils
     return r;
   }
 
-  private static List finishNSEC3s(List nsec3s)
+  private static List finishNSEC3s(List nsec3s, long ttl)
   {
     if (nsec3s == null) return null;
     Collections.sort(nsec3s, new ProtoNSEC3.Comparator());
@@ -921,6 +951,7 @@ public class SignUtils
     for (Iterator i = nsec3s.iterator(); i.hasNext();)
     {
       ProtoNSEC3 p = (ProtoNSEC3) i.next();
+      p.setTTL(ttl);
       res.add(p.getNSEC3Record());
     }
 
@@ -1119,7 +1150,7 @@ public class SignUtils
       Record r = (Record) i.next();
 
       if (r.getType() == Type.RRSIG || r.getType() == Type.NSEC
-          || r.getType() == Type.NSEC3)
+          || r.getType() == Type.NSEC3 || r.getType() == Type.NSEC3PARAM)
       {
         i.remove();
       }