@fanf FWIW I migrated to using dnssec-policy with "v9.16.37-based version of BIND9 in Debian 11/bullseye" and so far I've not spotted anything in your write-up of it that seems to differ from what I found.
I might review the internal docs I wrote for this and publish them, but don't hold your breath.