Are the DigiNotar certificates supposed to be present in Firefox in a clean install?

Yes, these certificates are supposed to be there, exactly because DigiNotar isn't trustworthy. Let me explain.

The story is a bit convoluted: DigiNotar was a Dutch certification authority. In 2011, people ran across fraudulent certificates that had been issued by DigiNotar. Further examination showed that the company's systems had been cracked and compromised. It's assumed that the attacker's intention was to run a MitM attack on some GMail users in Iran with the fraudulent certificates.

After the breach was detected, the Dutch government took over DigiNotar's operations. A short time later, the company went under. DigiNotar's root certificates were revoked and blocked by Mozilla, Google and so forth.

So, why is Firefox still shipped with DigiNotar certificates? Those are what you might call "blocking certificates". They don't have any trust themselves, so they can't hand down any trust to any other certificates further down the chain of trust. Because of that, Firefox won't trust any certificates that say, "Trust me, because DigiNotar signed me". And because the "blocking certificates" are there, no new root certificates for DigiNotar (which would be obviously fraudulent) can be installed, either.
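To make the "no trust to hand down" point concrete, here is a small model of how a trust store with explicit distrust flags decides on a chain. It is an added example, not code from the answer above and not Mozilla or NSS code: it borrows the per-certificate SSL trust flags that NSS's `certutil -L` prints ("C" = trusted CA, "p" = explicitly distrusted, no record = absent from the store) and walks a chain the way an NSS-style verifier does, where a distrusted certificate anywhere on the path is terminal. All certificate names, fingerprints and store contents are constructed for the example.

```python
"""Toy model of a "blocking certificate" (added illustration, not NSS/Firefox code).

NSS keys a trust record on the certificate itself and stores flags per use.
For server (SSL) trust, `certutil -L` prints e.g. "C" (trusted CA) or
"p" (explicitly distrusted). A certificate that is absent from the store
has no record at all. Everything below is constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    fingerprint: str  # stands in for the hash the trust record is keyed on


# Constructed trust store: fingerprint -> SSL trust flags.
TRUST_STORE = {
    "root-good-1111": "C",  # an ordinary trusted root
    "root-bad-2222": "p",   # present only to be distrusted: a "blocking certificate"
}

# Constructed pool of certificates the path builder may draw issuers from.
POOL = [
    Cert("Good Root", "Good Root", "root-good-1111"),
    Cert("Bad Root", "Bad Root", "root-bad-2222"),
    Cert("Forgotten Root", "Forgotten Root", "root-none-3333"),  # not in the store
    Cert("Bad Sub CA", "Bad Root", "sub-bad-4444"),
    Cert("Good Sub CA", "Good Root", "sub-good-5555"),
]


def find_issuer(cert, pool):
    """Return the pool certificate whose subject matches cert.issuer (name-based lookup)."""
    for cand in pool:
        if cand.subject == cert.issuer:
            return cand
    return None


def build_chain(leaf, pool):
    """Follow issuer links from the leaf until a self-signed cert or a dead end."""
    chain = [leaf]
    cur = leaf
    while cur.subject != cur.issuer:
        nxt = find_issuer(cur, pool)
        if nxt is None:
            break
        chain.append(nxt)
        cur = nxt
    return chain


def verify(leaf, pool=POOL, store=TRUST_STORE):
    """Decide server trust with NSS-style flags.

    Explicit distrust ('p') on any certificate in the path is terminal: the
    path is rejected regardless of what sits above it. Otherwise the first
    certificate flagged 'C' is the trust anchor. No anchor means untrusted.
    Returns (trusted, reason).
    """
    for cert in build_chain(leaf, pool):
        flags = store.get(cert.fingerprint, "")
        if "p" in flags:
            return False, f"{cert.subject!r} is explicitly distrusted"
        if "C" in flags:
            return True, f"anchored at trusted CA {cert.subject!r}"
    return False, "no trust anchor in path"


if __name__ == "__main__":
    for leaf in (
        Cert("mail.example.com", "Good Sub CA", "leaf-1"),
        Cert("mail.example.com", "Bad Sub CA", "leaf-2"),
        Cert("mail.example.com", "Forgotten Root", "leaf-3"),
    ):
        trusted, why = verify(leaf)
        print(f"{leaf.issuer:15} -> {'TRUSTED' if trusted else 'rejected'}: {why}")
```

The second and third leaves are both rejected, but for different reasons: the one under "Forgotten Root" simply never reaches an anchor, while the one under "Bad Root" is stopped by the distrust record itself. That record is what the shipped DigiNotar entries are: a certificate that is present so that its flags can say "never trust", rather than a certificate that is merely missing.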