Both NSD4 and BIND9 running after fresh install

That’s correct. bind is bound to localhost and nsd is bound to the public interface, both on the same port. The hard separation between the local-only resolving/recursive nameserver and the public non-recursive nameserver is the right architecture to avoid configuration mistakes, I think.

I probably would not accept a PR that adds a user-controllable option somewhere, but what I would accept is that the zonefile generation would silently skip DNSSEC if you manually delete $STORAGE_ROOT/dns/dnssec (and manually modify setup/dns.sh so that it doesn’t regenerate it). That way you can easily disable DNSSEC by trashing the keys.

I would accept a change that reads a key from a new dns/options.yaml, which says per zone if external DNS is used. (That is, external DNS could be activated for each domain separately.) And if so, it can drop the NS records, and the status checks could be modified. But I would really want to see this properly documented in appropriate places. In general, I should really push contributors to make sure their contributions are documented.

I am happy to reply where the conversation is taking place. I don’t read everything everywhere so you can @-mention me to get my attention if I don’t chime in (though I don’t promise I’ll always respond, depending on how busy life is and how important the topic is).
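As an added illustration of the listener separation described in the reply above (example code written for this page, not code from the thread or from the project): a small Python check that parses `ss -lntup`-style output and flags a recursive resolver (`named`) bound anywhere other than loopback, a wildcard bind on port 53, or an authoritative server (`nsd`) stuck on loopback. The process names, the address 203.0.113.10 and the sample output lines are constructed for the example.

```python
"""Verify that the recursive resolver listens only on loopback and the
authoritative nameserver only on non-loopback addresses, both on port 53.
Added example, not project code; input mimics the layout of `ss -lntup`."""
import ipaddress
import re

# Constructed sample of `ss -lntup` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0          127.0.0.1:53        0.0.0.0:*    users:(("named",pid=1234,fd=5))
udp   UNCONN 0      0      203.0.113.10:53        0.0.0.0:*    users:(("nsd",pid=2345,fd=7))
tcp   LISTEN 0      10         127.0.0.1:53        0.0.0.0:*    users:(("named",pid=1234,fd=6))
tcp   LISTEN 0      10     203.0.113.10:53        0.0.0.0:*    users:(("nsd",pid=2345,fd=8))
tcp   LISTEN 0      10             [::1]:53           [::]:*    users:(("named",pid=1234,fd=9))
"""

# One ss line: proto, state, queues, local addr:port, peer addr:port, users:(("proc",...
LINE_RE = re.compile(
    r'^(?P<proto>udp|tcp)\s+\S+\s+\d+\s+\d+\s+'
    r'(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


def _parse_addr(token):
    """Return an ip_address, or None for a wildcard bind ('*', 0.0.0.0, ::)."""
    if token == "*":
        return None
    ip = ipaddress.ip_address(token.strip("[]"))  # IPv6 appears as [::1]
    return None if ip.is_unspecified else ip


def parse_listeners(text):
    """Extract (process, ip_or_None, port, proto) tuples from ss-style output."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or unrelated line
        listeners.append((m["proc"], _parse_addr(m["addr"]), int(m["port"]), m["proto"]))
    return listeners


def check_separation(listeners, resolver_procs=("named",), auth_procs=("nsd",)):
    """Return a list of findings; an empty list means the split is as intended."""
    findings = []
    for proc, ip, port, proto in listeners:
        if port != 53:
            continue
        if ip is None:
            # A wildcard bind claims every interface, so the two roles cannot be separated.
            findings.append(f"{proc} binds wildcard on {proto}/{port}")
            continue
        if proc in resolver_procs and not ip.is_loopback:
            # The recursive resolver must never be reachable from outside the host.
            findings.append(f"open-resolver exposure: {proc} on {ip} {proto}/{port}")
        if proc in auth_procs and ip.is_loopback:
            findings.append(f"authoritative {proc} bound to loopback {ip} {proto}/{port}")
    return findings


if __name__ == "__main__":
    problems = check_separation(parse_listeners(SAMPLE_SS_OUTPUT))
    print("OK: roles separated" if not problems else "\n".join(problems))
```

Run it against live output with `ss -lntup | python3 check_dns_split.py` after swapping `SAMPLE_SS_OUTPUT` for `sys.stdin.read()`; the check is deliberately strict about wildcard binds because a single `0.0.0.0:53` listener silently collapses the local/public split the reply describes.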