Currently (version 6.3.2) the built-in root and sub CA certificate profiles we ship include the "Digital Signature" key usage by default (i.e. the option is enabled).
So far, beyond testing, I have never encountered a customer that required this key usage to be enabled for a CA. I.e. I have had to disable it every single time.
Unless there is some specific reason on why this key usage should be enabled by default in these profiles (backwards compatibility?), I would suggest to remove it so the template would resemble real-world situation more closely.