Zones marked with 'DNSSEC' attribute in zonetool will get their records
signed with DNSSEC. If the signing key cannot be found it'll be
generated by zonetool.

Note NSEC3 salt is in passwords.yml so that it is the same on all hosts,
however the salt itself is public (i.e. published in the zone) and
should be rotated periodically.

See also ai3/testbed#160