Add CDS digest type configuration option

Currently, dnssec-policy will publish a CDS record with digest algorithm "SHA-256 (2)" when it is ready to submit the DS to the parent. But there are other possible digest algorithms to construct the DS/CDS: https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml

BIND currently supports algorithms 1, 2 and 4. Allow them to be configured in the dnssec-policy, and publish the desired CDS record when it is appropriate. The default should be 2 (current behavior).