Signing code takes whole DNSKEY RDATA and use them as a public key, which is wrong.
RFC 4034, section 2.1