Update documentation wrt key algorithms (9.16)

Add a note to the DNSSEC guide and to the ARM reference that A ZSK/KSK pair used for signing your zone should have the same algorithm.

This commit also updates the 'dnssec-policy/keys' example to use the slightly more modern 'rsasha256' algorithm.

(cherry picked from commit 73654006)