dnssec-dsfromkey should not convert revoked keys

it is pointless to convert revoked keys to DS or CDS records as
they cannot be used to provide a cryptographic link from the parent
zone.

bin/dnssec/dnssec-dsfromkey.c

@@ -260,6 +260,10 @@ emit(dns_dsdigest_t dt, bool showall, bool cds, dns_rdata_t *rdata) {
 		fatal("can't convert DNSKEY");
 	}
 
+	if ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0) {
+		return;
+	}
+
 	if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall) {
 		return;
 	}

bin/dnssec/dnssec-dsfromkey.rst

@@ -43,6 +43,10 @@ Description
 The ``dnssec-dsfromkey`` command outputs DS (Delegation Signer) resource records
 (RRs), or CDS (Child DS) RRs with the ``-C`` option.
 
+By default, only KSKs are converted (keys with flags = 257).  The
+``-A`` option includes ZSKs (flags = 256).  Revoked keys are never
+included.
+
 The input keys can be specified in a number of ways:
 
 By default, ``dnssec-dsfromkey`` reads a key file named in the format

doc/man/dnssec-dsfromkey.1in

@@ -44,6 +44,10 @@ dnssec-dsfromkey \- DNSSEC DS RR generation tool
 The \fBdnssec\-dsfromkey\fP command outputs DS (Delegation Signer) resource records
 (RRs), or CDS (Child DS) RRs with the \fB\-C\fP option.
 .sp
+By default, only KSKs are converted (keys with flags = 257).  The
+\fB\-A\fP option includes ZSKs (flags = 256).  Revoked keys are never
+included.
+.sp
 The input keys can be specified in a number of ways:
 .sp
 By default, \fBdnssec\-dsfromkey\fP reads a key file named in the format