There is ambiguity (or at least implicit ambiguity) in the doc about which of the DS or DNSKEY triggers resolvers to treat a zone as delegation-only, and what to do with mixed sets.
Take this paragraph from the end of section 3:
However, malicious parent zones are still capable of creating two (or
more) DNSKEYs, one with the DELEGATION_ONLY flag and one without.
However, they would also have to publish those DS records as well,
which is detectable by DNSSEC monitoring platforms,
https://github.com/hardaker/draft-pwouters-powerbind/issues/6 might include the fix. But, in any case, the current structure is a mess.