"max-zone-ttl" is inconsistent, and incorrectly documented
In options or zone, max-zone-ttl means "if a zone has a TTL higher than this value, refuse to load it".
In dnssec-policy, max-zone-ttl is advisory but is not enforced: "this is the highest value in the zone, set key rollover timings accordingly".
In the documentation for dnssec-policy, max-zone-ttl is described as being enforced by capping TTLs at the maximum value when loading the zone.
We should pick one. I suggest making it work in dnssec-policy the way it does in zone, and fixing the documentation accordingly.
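
The three behaviours described above, modelled side by side as an added example (not part of the original issue and not BIND's code). The record list, the function names and the mode names `refuse`, `advisory` and `cap` are assumptions made for illustration; the offenders list is what an operator would check before relying on the advisory value for key rollover timing.

```python
import re

# Constructed sample records (owner, TTL, type); not from the original issue.
SAMPLE_ZONE = [
    ("example.test.", "1d", "SOA"),
    ("example.test.", "1h", "NS"),
    ("www.example.test.", "2d", "A"),
    ("mail.example.test.", "1w", "MX"),
]

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def ttl_seconds(text):
    """Convert a BIND-style TTL such as '3600', '1d' or '1h30m' to seconds."""
    text = text.strip().lower()
    if text.isdigit():
        return int(text)
    parts = re.findall(r"(\d+)([smhdw])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"bad TTL: {text!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def load_zone(records, max_zone_ttl, mode):
    """Model one of the three behaviours described in the issue.

    'refuse'   -> options/zone: the zone fails to load if any TTL is higher
    'advisory' -> dnssec-policy as implemented: TTLs are left untouched
    'cap'      -> dnssec-policy as documented: TTLs are lowered to the limit
    Returns (loaded, [(owner, ttl_seconds, type), ...], offenders).
    """
    limit = ttl_seconds(max_zone_ttl)
    parsed = [(o, ttl_seconds(t), rt) for o, t, rt in records]
    offenders = [r for r in parsed if r[1] > limit]
    if mode == "refuse":
        return (not offenders, [] if offenders else parsed, offenders)
    if mode == "advisory":
        return (True, parsed, offenders)
    if mode == "cap":
        return (True, [(o, min(t, limit), rt) for o, t, rt in parsed], offenders)
    raise ValueError(f"unknown mode: {mode!r}")

if __name__ == "__main__":
    for mode in ("refuse", "advisory", "cap"):
        loaded, recs, over = load_zone(SAMPLE_ZONE, "1d", mode)
        print(mode, "loaded" if loaded else "refused",
              "max TTL served:", max((t for _, t, _ in recs), default=None),
              "over limit:", [o for o, _, _ in over])
```

In `advisory` mode the zone loads with TTLs above the configured value, so rollover timings derived from that value would be shorter than the longest TTL actually served.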