Option to make inclusion of CDS records optional
Description
Back when ISC decommissioned DLV, we committed to providing a signed, empty zone with no other deltas (short of NS records) "for the foreseeable future". Now, with BIND 9.18 doing the inline-signing that was previously done by 9.11 and 9.16, the zone is changed: there is now a CDS record in place that was not there previously.
In a case where an organization (us, or someone else) is transitioning to new signing software, the ability to maintain the exact same signed setup without introducing new RRtypes should still be an option.
Note well that we still get occasional queries to dlv.isc.org -- and while the time may come to de-delegate it, we haven't made that decision yet.
No matter how much we announce that it's dead and that people should stop using it, people keep using it, which indicates that they're using either very old or very misconfigured software that's still limping along. It's possible, albeit unlikely, that the presence of new records that were not defined when DLV was a thing could violate the principle of least astonishment. (I don't think a CDS record will crash anything, to be clear.)
Request
An option in dnssec-policy for inline-signing to not insert CDS records. I didn't find anything in the ARM for this.
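As an added check that is not part of this issue or of BIND itself: the script below compares the RRtypes present at each owner name in two zone files written one record per line in master-file (presentation) format, so an operator migrating signers can confirm that the new signer introduces no RRtype the old one did not publish. The zone name dlv.example. and all key, signature, serial and address data are constructed placeholders; the parser is deliberately minimal (single-line records, $ORIGIN and $TTL directives, numeric TTLs, comments stripped at the first ';') and is an assumption of this example, not a BIND component.

```python
import re
from typing import Dict, Set

# Constructed sample zones: dlv.example. is a placeholder name, and the key,
# signature, serial and address data are dummies. Only the RRtype column is
# inspected, so the rdata never needs to be valid.
OLD_ZONE = """\
$ORIGIN dlv.example.
$TTL 3600
@       IN SOA    ns1 hostmaster 2024010101 7200 3600 1209600 3600
        IN NS     ns1
        IN NS     ns2
        IN DNSKEY 257 3 13 placeholderKSK==   ; KSK
        IN DNSKEY 256 3 13 placeholderZSK==   ; ZSK
        IN NSEC   ns1.dlv.example. NS SOA RRSIG NSEC DNSKEY
        IN RRSIG  SOA 13 2 3600 20240201000000 20240101000000 12345 dlv.example. sig==
ns1     IN A      192.0.2.1
ns2     IN A      192.0.2.2
"""

# The same zone after re-signing with a signer that also publishes CDS
# (constructed: the digest is a dummy value).
NEW_ZONE = OLD_ZONE + """\
@       IN CDS    12345 13 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
        IN RRSIG  CDS 13 2 3600 20240201000000 20240101000000 12345 dlv.example. sig==
"""

# Mnemonic RRtypes (A, CDS, RRSIG, ...) or the generic TYPEnnnn form.
RRTYPE_RE = re.compile(r"^(?:[A-Z][A-Z0-9-]*|TYPE\d+)$")
CLASSES = {"IN", "CH", "HS", "ANY"}


def _qualify(name: str, origin: str) -> str:
    """Turn a possibly relative owner name into a fully qualified one."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin in ("", ".") else f"{name}.{origin}"


def rrtypes_by_owner(zone_text: str) -> Dict[str, Set[str]]:
    """Map each fully qualified owner name to the set of RRtypes it carries.

    Limitations (by design): one record per line, no parenthesised
    continuations, numeric TTLs only, and ';' always starts a comment.
    """
    origin = ""
    owner = None
    result: Dict[str, Set[str]] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):  # $TTL, $INCLUDE, ...: no RR here
            continue
        if line[0] in " \t":           # leading blank: owner is inherited
            if owner is None:
                raise ValueError(f"continuation line without an owner: {raw!r}")
        else:
            owner = _qualify(tokens.pop(0), origin)
        # Skip an optional TTL and/or class, which may appear in either order.
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens.pop(0)
        if not tokens or not RRTYPE_RE.match(tokens[0].upper()):
            raise ValueError(f"cannot find RRtype in line: {raw!r}")
        result.setdefault(owner, set()).add(tokens[0].upper())
    return result


def new_rrtypes(old_text: str, new_text: str) -> Dict[str, Set[str]]:
    """RRtypes present per owner in new_text that were absent in old_text."""
    old = rrtypes_by_owner(old_text)
    new = rrtypes_by_owner(new_text)
    diff: Dict[str, Set[str]] = {}
    for owner, types in new.items():
        added = types - old.get(owner, set())
        if added:
            diff[owner] = added
    return diff


if __name__ == "__main__":
    introduced = new_rrtypes(OLD_ZONE, NEW_ZONE)
    if not introduced:
        print("no new RRtypes introduced by the new signer")
    for owner, types in sorted(introduced.items()):
        print(f"{owner}: new RRtypes {sorted(types)}")
```

For a real migration, dump the zone as produced by the old signer and by the new one to two files and pass their contents to new_rrtypes; any non-empty result is exactly the kind of unrequested addition this issue is about. The comparison is type-level only: a changed NSEC bitmap or a re-issued RRSIG is a content change of an existing type and is not reported.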