Add a test case for a dynamically added CDS DELETE record and make sure it is not removed when signing the zone. This happens because BIND maintains CDS and CDNSKEY publishing and it will only allow CDS DELETE records if the zone is transitioning to insecure. This is a state that can be identified when using KASP through 'dnssec-policy', but not when using 'auto-dnssec'.
(cherry picked from commit f08277f9)
Closes #2931 (closed)