dnssec_validation ignored when dnssec_enable is false

[dguettes]

As documented the setting of dnssec_validation is ignored when dnssec_enable is set to false.
This is not correct because the default setting in bind 9.5 is dnssec_validation yes, even if dnssec_enable is set to false.
Workaround is to add dnssec-validation 'no' to extra_options