different RRSIG expiry for DNSKEY

As reported by @cathya, a customer has a use case in which they keep the KSK offline most of the time, but bring it online periodically so that the zone's DNSKEY RRSIGs can be refreshed. They'd like to have a longer signature validity period for the DNSKEY only. This is similar to what's done by dnssec-signzone -X, but done by the automatic signing process in named.