diff --git a/daemon/lua/kres.lua b/daemon/lua/kres.lua
index ee2e34abd2267e85441760172a6c8f4d94946e9d..e0d199487c39b9e79ca89aee37ca489022b3ebf1 100644
--- a/daemon/lua/kres.lua
+++ b/daemon/lua/kres.lua
@@ -285,23 +285,48 @@ local kres = {
 	context = function () return kres_context end,
 }
 
--- Return DS/DNSKEY parser that adds keys to TA store
-local function ta_parser(store)
-	local parser = require('zonefile').parser(function (p)
-		C.kr_ta_add(store, p.r_owner, p.r_type, p.r_ttl, p.r_data, p.r_data_length)
-	end)
-	return parser
+-- Evaluate TA status according to RFC5011
+local function evaluate_ta(keyset, ta)
+	-- @todo: check if KSK
+	-- @todo: get TA id
+	-- @todo: check key flags for revoked
+	-- @todo: build a state table
+	table.insert(keyset, ta)
 end
 
 -- TA store management
 kres.trust_anchors = {
+	keyset = {},
+	-- Update existing keyset
+	update = function (new_keys)
+		-- Evaluate new TAs
+		local keyset = kres.trust_anchors.keyset
+		for i = 1, #new_keys do
+			local rr = new_keys[i]
+			if rr.type == kres.type.DS or rr.type == kres.type.DNSKEY then
+				evaluate_ta(keyset, rr)
+			end
+		end
+		-- Publish active TAs
+		local store = kres_context.trust_anchors
+		C.kr_ta_clear(store)
+		for id, key in pairs(keyset) do
+			C.kr_ta_add(store, key.owner, key.type, key.ttl, key.rdata, #key.rdata)
+		end
+	end,
 	-- Load keys from a file
 	config = function (path)
-		ta_parser(kres_context.trust_anchors):parse_file(path)
-		kres.trust_anchors.current_file = path
+		local new_keys = require('zonefile').parse_file(path)
+		kres.trust_anchors.update(new_keys)
 	end,
 	-- Add DS/DNSKEY record(s)
-	add = function (ds) ta_parser(kres_context.trust_anchors):read(ds..'\n') end,
+	add = function (rr)
+		local new_keys = {}
+		require('zonefile').parser(function (p)
+			table.insert(new_keys, p:current_rr())
+		end):read(rr..'\n')
+		kres.trust_anchors.update(new_keys)
+	end,
 	-- Negative TA management
 	set_insecure = function (list)
 		C.kr_ta_clear(kres_context.negative_anchors)
@@ -310,10 +335,6 @@ kres.trust_anchors = {
 			C.kr_ta_add(kres_context.negative_anchors, dname, kres.type.DS, 0, nil, 0)
 		end
 	end,
-	-- Set/disable RFC5011 TA management
-	set_auto = function (enable)
-		error("not supported")
-	end,
 }
 
 return kres
\ No newline at end of file
diff --git a/daemon/lua/sandbox.lua b/daemon/lua/sandbox.lua
index e36a7366ca3774353ec80250375e80c7107bea16..e32c0762b8f3ae55729ad13ac4caddd7078e9433 100644
--- a/daemon/lua/sandbox.lua
+++ b/daemon/lua/sandbox.lua
@@ -68,11 +68,10 @@ setmetatable(cache, {
 })
 
 -- Syntactic sugar for TA store
-trust_anchors = require('kres').trust_anchors
+trust_anchors = kres.trust_anchors
 setmetatable(trust_anchors, {
 	__newindex = function (t,k,v)
 	if     k == 'file' then t.config(v)
-	elseif k == 'auto' then t.set_auto(v)
 	elseif k == 'negative' then t.set_insecure(v)
 	else   rawset(t, k, v) end
 	end,
@@ -167,4 +166,4 @@ function table_print (tt, indent, done)
 		result = result .. tostring(tt) .. "\n"
 	end
 	return result
-end
+end
\ No newline at end of file