diff --git a/daemon/lua/kres.lua b/daemon/lua/kres.lua
index dd9dc07e0ae202b8d0f2a0369f41cba0fba74789..f9049931f5b768b7053030ce12beab8676723f68 100644
--- a/daemon/lua/kres.lua
+++ b/daemon/lua/kres.lua
@@ -316,10 +316,10 @@ ffi.metatype( knot_pkt_t, {
 		section = function (pkt, section_id)
 			local records = {}
 			local section = C.knot_pkt_section(pkt, section_id)
-			for i = 0, section.count - 1 do
-				local rrset = knot.knot_pkt_rr(section, i)
-				for k = 0, rrset.rr.count - 1 do
-					table.insert(records, rrset:get(k))
+			for i = 1, section.count do
+				local rrset = knot.knot_pkt_rr(section, i - 1)
+				for k = 1, rrset.rr.count do
+					table.insert(records, rrset:get(k - 1))
 				end
 			end
 			return records
diff --git a/daemon/lua/trust_anchors.lua b/daemon/lua/trust_anchors.lua
index aa5a9919c01f0c4cea5e859af9976ed31e04aa9b..7e04957307f6c9bc7d43ab1d54586d5273e865b8 100644
--- a/daemon/lua/trust_anchors.lua
+++ b/daemon/lua/trust_anchors.lua
@@ -9,8 +9,7 @@ local key_state = {
 
 -- Find key in current keyset
 local function ta_find(keyset, rr)
-	for i = 1, #keyset do
-		local ta = keyset[i]
+	for i, ta in ipairs(keyset) do
 		-- Match key owner and content
 		if ta.owner == rr.owner and
 		   C.kr_dnssec_key_match(ta.rdata, #ta.rdata, rr.rdata, #rr.rdata) == 0 then
@@ -113,8 +112,7 @@ local function active_refresh(trust_anchors, pkt)
 	if pkt:rcode() == kres.rcode.NOERROR then
 		local records = pkt:section(kres.section.ANSWER)
 		local keyset = {}
-		for i = 1, #records do
-			local rr = records[i]
+		for i, rr in ipairs(records) do
 			if rr.type == kres.type.DNSKEY then
 				table.insert(keyset, rr)
 			end
@@ -155,32 +153,27 @@ local trust_anchors = {
 		if not new_keys then return false end
 		-- Filter TAs to be purged from the keyset (KeyRem)
 		local hold_down = trust_anchors.hold_down_time / 1000
-		local keyset_keep = {}
-		local keyset = trust_anchors.keyset
-		for i = 1, #keyset do
-			local ta = keyset[i]
+		local keyset = {}
+		for i, ta in ipairs(trust_anchors.keyset) do
 			local keep = true
 			if not ta_find(new_keys, ta) then
-				keep = ta_missing(trust_anchors, keyset, ta, hold_down)
+				keep = ta_missing(trust_anchors, trust_anchors.keyset, ta, hold_down)
 			end
 			if keep then
-				table.insert(keyset_keep, ta)
+				table.insert(keyset, ta)
 			end
 		end
-		keyset = keyset_keep
 		-- Evaluate new TAs
-		for i = 1, #new_keys do
-			local rr = new_keys[i]
-			if rr.type == kres.type.DNSKEY then
+		for i, rr in ipairs(new_keys) do
+			if rr.type == kres.type.DNSKEY and rr.rdata ~= nil then
 				ta_present(keyset, rr, hold_down, initial)
 			end
 		end
 		-- Publish active TAs
 		local store = kres.context().trust_anchors
 		C.kr_ta_clear(store)
-		if #keyset == 0 then return false end
-		for i = 1, #keyset do
-			local ta = keyset[i]
+		if next(keyset) == nil then return false end
+		for i, ta in ipairs(keyset) do
 			-- Key MAY be used as a TA only in these two states (RFC5011, 4.2)
 			if ta.state == key_state.Valid or ta.state == key_state.Missing then
 				C.kr_ta_add(store, ta.owner, ta.type, ta.ttl, ta.rdata, #ta.rdata)