The 'sign_apex()' function has special processing for signing the
DNSKEY RRset such that it will always be signed with the active
KSK.  Since CDS and CDNSKEY are also signed with the KSK, it
should have the same special processing.  The special processing is
moved into a new function 'tickle_apex_rrset()' and is applied to
all three RR types (DNSKEY, CDS, CDNSKEY).

In addition, when kasp is involved, update the DNSKEY TTL accordingly
to what is in the policy.