Do not sign non DNSKEY RRset with revoked keys

It does not make sense to sign RRsets other than DNSKEY with revoked
keys.

(cherry picked from commit 23775c6006)

bin/dnssec/dnssec-signzone.c

@@ -678,6 +678,10 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
 	for (key = ISC_LIST_HEAD(keylist); key != NULL;
 	     key = ISC_LIST_NEXT(key, link))
 	{
+		if (REVOKE(key->key) && set->type != dns_rdatatype_dnskey) {
+			continue;
+		}
+
 		if (nowsignedby[key->index]) {
 			continue;
 		}