don't create managed-keys zone unless dnssec-validation is "auto"

previously, a managed-keys zone was created for every view regardless of whether rfc5011 was in use; when it was not in use, the zone would be left empty. this made for some confusing log messages.

we now only set up the managed-keys zone if dnssec-validation is set to the default value of "auto".

certain system test servers have had their dnssec-validation settings changed to auto because the tests depended on the existence of the zone.

Closes #3349 (closed)