deprecate auto-dnssec feature in favor of dnssec-policy

As discussed in person in Porto, I think it's high time to deprecate auto-dnssec in v9.18 branch. Doing so now would give users 3 years of warning before v9.18 is out of support.

IMHO in v9.19 we should remove it altogether ASAP.

There is a question what to do with zones which use auto-dnssec on upgrade. I think it would be wrong to just skip over the config statement and pretend it is not configured because it would be major break in user's expectation. I think in this case it should be hard error (from v9.19 onwards, of course.)