I suggested this to the fella at OARC, but I wasn't sure at the time that
it would work, and now I've confirmed that it does: the inline signing code
will strip DNSSEC content and serve an un-signed zone, if you use it without
configuring a local key:

zone example.com {
        type slave;
        masters { <address>; };
        allow-transfer { <addresses>; };
        inline-signing yes;
};

Note the lack of "auto-dnssec maintain", and no signing keys have been
generated. This will set up a server as a bump-in-the-wire "unsigner"
for example.com.

Can someone get back to him with that information? And I'll resolve this
ticket, as there's no work needed.