For future reference:
When writing about DNSSEC, I need to reference the RFC. But it's three RFCs (4033, 4034, and 4035), and possibly another (6840). It would be awfully nice to refer to "DNSSEC" with a single reference like "BCP 250".
Negative Trust Anchors - https://datatracker.ietf.org/doc/rfc7646/
In case of DNSSEC validation failures, don't switch resolvers - https://datatracker.ietf.org/doc/draft-livingood-dnsop-dont-switch-resolvers/
Added 2022/04/11
BIND 9.16 has dnssec-policy that makes algorithm rollover much easier. I recommend you start using that. Read more on migrating to dnssec-policy here: DNSSEC Key and Signing Policy
Additional links:
Added 2022/05/05 - DNSSEC algorithm rollover HOWTO - some notes on how to upgrade a zone's DNSSEC algorithm using BIND.