"max-zone-ttl" is inconsistent, and incorrectly documented
max-zone-ttl means "if a zone has a TTL higher than this value, refuse to load it".
max-zone-ttl is advisory but is not enforced: "this is the highest value in the zone, set key rollover timings accordingly".
In the documentation for
max-zone-ttl is described as being enforced by capping TTLs at the maximum value when loading the zone.
We should pick one. I suggest making it work in dnssec-policy the way it does in zone, and fixing the documentation accordingly.
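The three behaviours described in this report, modelled side by side. This is an added example, not BIND's code and not part of the original report. The names `Mode`, `load_zone`, `highest_served_ttl` and `timing_gap`, the sample records and the 1-day limit are all assumptions made for illustration.

```python
from enum import Enum

class Mode(Enum):
    REFUSE = "refuse"      # "refuse to load it"
    ADVISORY = "advisory"  # "advisory but is not enforced"
    CAP = "cap"            # "capping TTLs at the maximum value when loading"

# Constructed sample zone contents: (owner, ttl_seconds, rrtype, rdata).
SAMPLE_ZONE = [
    ("example.", 3600, "SOA", "ns1.example. admin.example. 1 7200 900 1209600 300"),
    ("example.", 3600, "NS", "ns1.example."),
    ("ns1.example.", 3600, "A", "192.0.2.1"),
    ("www.example.", 604800, "A", "192.0.2.10"),  # 7 days, above the limit
]
MAX_ZONE_TTL = 86400  # 1 day, constructed value

def load_zone(records, max_zone_ttl, mode):
    """Return (loaded, offenders). loaded is None when the zone is refused."""
    offenders = [r for r in records if r[1] > max_zone_ttl]
    if mode is Mode.REFUSE and offenders:
        return None, offenders
    if mode is Mode.CAP:
        records = [(o, min(ttl, max_zone_ttl), t, d) for o, ttl, t, d in records]
    return list(records), offenders

def highest_served_ttl(loaded):
    """Longest time a resolver may cache a record from the loaded zone."""
    return max(ttl for _, ttl, _, _ in loaded) if loaded else None

def timing_gap(records, max_zone_ttl, mode):
    """Seconds by which served TTLs exceed what rollover timing assumes."""
    loaded, _ = load_zone(records, max_zone_ttl, mode)
    served = highest_served_ttl(loaded)
    return None if served is None else max(0, served - max_zone_ttl)

if __name__ == "__main__":
    for mode in Mode:
        loaded, offenders = load_zone(SAMPLE_ZONE, MAX_ZONE_TTL, mode)
        print(mode.value, "loaded" if loaded else "refused",
              "offenders:", [o[0] for o in offenders],
              "gap:", timing_gap(SAMPLE_ZONE, MAX_ZONE_TTL, mode))
```

Only the advisory mode leaves a non-zero gap: the zone loads, but records can stay cached longer than the value the key rollover timings were derived from.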