It didn't work properly due to the negative trust anchor being outside a
zone cut, so I moved the tested names to an unsigned zone.
root.db: the only real change was the addition of the "unsigned." delegation,
causing the root-key-sentinel-not-ta-48409.test. NSEC to get modified.
The other changes are just reordering and drops of "resign=" lines;
I'm not sure why dnssec-signzone decided to do such changes.
(I didn't put the unsigned. zone into any zone file.)