While technically a secondary can have a "dnssec-policy" statement
(acting as a bump-in-the-wire signer), signing a zone is mainly a
primary server responsibility and a policy configuration does not need
to be transferred to its secondaries.
For now I would suggest just add the zone with `rndc addzone` to the
primary or update the primary name server configuration and add the