Only DNSKEY records should be signed with a revoked key. (cherry picked from commit 30ef6dde05)
30ef6dde05