Set the DS state after issuing 'rndc dnssec -checkds'. If the DS was published, it should go in RUMOURED state, regardless whether it is already safe to do so according to the state machine.
Leaving it in HIDDEN (or if it was magically already in OMNIPRESENT or UNRETENTIVE) would allow for easy shoot in the foot situations.
Similar, if the DS was withdrawn, the state should be set to UNRETENTIVE. Leaving it in OMNIPRESENT (or RUMOURED/HIDDEN) would also allow for easy shoot in the foot situations.
Closes #3822 (closed)