dnssec-cds uses SHA-1 CDS records when generating DS records
When dnssec-cds copies CDS records to make DS records, its -a option (which selects the digest algorithm) has no effect; it currently applies only when DS records are generated from CDNSKEY records. This means that if the child zone is signed with older software that publishes SHA-1 CDS records, dnssec-cds (by default) copies them into SHA-1 DS records, in violation of RFC 8624, which says that SHA-1 MUST NOT be used when creating DS or CDS records (it remains MUST for validation, so existing SHA-1 records still validate, but new delegations should not be built from them).
The implementation of the -a option should be changed so that it also governs the creation of DS records from CDS records. dnssec-cds should also not create SHA-1 DS records by default.
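As an added illustration of the behaviour this report asks for, here is a small Python model of CDS/CDNSKEY-to-DS conversion in which the digest-type selection (the equivalent of -a) applies to both paths and SHA-1 is refused by default. This is example code, not BIND's dnssec-cds; the zone lines, the 64-zero-byte key and the SHA-1 digest in the sample are constructed, and the function names are the example's own. It performs none of the checks dnssec-cds does on the CDS/CDNSKEY RRsets before trusting them.

```python
"""Policy-aware CDS/CDNSKEY -> DS conversion (added example, not BIND's dnssec-cds)."""
import base64
import hashlib

# Digest type numbers from the IANA "DS RR Digest Algorithms" registry.
SHA1, SHA256, SHA384 = 1, 2, 4
HASHES = {SHA1: hashlib.sha1, SHA256: hashlib.sha256, SHA384: hashlib.sha384}
# RFC 8624 section 3.3: SHA-1 MUST NOT be used when creating DS/CDS records.
DEPRECATED_DIGESTS = {SHA1}
# Digest type used when nothing is requested explicitly (dnssec-cds defaults to SHA-256).
DEFAULT_DIGESTS = (SHA256,)


def parse_records(zone_text):
    """Collect the RDATA fields of CDS and CDNSKEY records from presentation-format lines."""
    records = {"CDS": [], "CDNSKEY": []}
    for line in zone_text.splitlines():
        fields = line.split()
        for rtype in records:
            if rtype in fields:
                records[rtype].append(fields[fields.index(rtype) + 1:])
    return records


def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def key_tag(rdata):
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, dnskey_fields, digest_type):
    """Build a DS tuple (key tag, algorithm, digest type, HEX digest) from CDNSKEY RDATA.

    The digest covers the canonical owner name followed by the DNSKEY RDATA
    (flags, protocol, algorithm, public key), RFC 4034 section 5.1.4.
    """
    flags, protocol, algorithm = (int(f) for f in dnskey_fields[:3])
    key = base64.b64decode("".join(dnskey_fields[3:]))
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key
    digest = HASHES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def ds_records(owner, zone_text, digest_types=None):
    """Produce DS tuples from a child's CDS/CDNSKEY records.

    digest_types plays the role of -a and is honoured on both paths.
    Without it, CDS records are copied, but any with a deprecated digest
    type are dropped; if that leaves nothing, DS records are regenerated
    from CDNSKEY with DEFAULT_DIGESTS (this fallback is the example's own
    design choice). With it, DS records are always regenerated from
    CDNSKEY using exactly the requested digest types.
    """
    records = parse_records(zone_text)
    if digest_types is None:
        ds = [tuple(int(f) for f in cds[:3]) + ("".join(cds[3:]).upper(),)
              for cds in records["CDS"]]
        ds = [d for d in ds if d[2] not in DEPRECATED_DIGESTS]
        if ds or not records["CDNSKEY"]:
            return ds
        digest_types = DEFAULT_DIGESTS
    return [ds_from_dnskey(owner, k, t) for k in records["CDNSKEY"] for t in digest_types]


# Constructed sample: a child zone publishing a SHA-1 CDS plus its CDNSKEY.
# The key is 64 zero bytes, not a real P-256 key; it only exercises the arithmetic
# (its key tag works out to 1038, which the CDS line repeats).
FAKE_KEY = base64.b64encode(bytes(64)).decode()
SAMPLE_ZONE = f"""\
example.com. 3600 IN CDS 1038 13 1 0123456789ABCDEF0123456789ABCDEF01234567
example.com. 3600 IN CDNSKEY 257 3 13 {FAKE_KEY}
"""

if __name__ == "__main__":
    for tag, alg, dtype, digest in ds_records("example.com.", SAMPLE_ZONE):
        print(f"example.com. IN DS {tag} {alg} {dtype} {digest}")
```

Run without arguments, the SHA-1 CDS in the sample is discarded and a single SHA-256 DS is derived from the CDNSKEY; passing `digest_types=(SHA256, SHA384)` yields one DS per requested type regardless of what the CDS RRset advertises, which is the effect the report wants -a to have.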