Support DNSSEC single type signing scheme without ZSK

[pecharmin]

Add option to sign DNSSEC zones initially without a zone signing key as a single type signing scheme. The DNSSEC RFC allows to sign all records of a zone only with a single key signing key.

References:

• https://tools.ietf.org/html/rfc6840#section-6.2
• https://tools.ietf.org/id/draft-ietf-dnsop-rfc4641bis-03.html#SEP-practicalites