diff --git a/NEWS b/NEWS
index b13fc13d97ebb3550d4783f81458d2b0dbb3da5c..68b0cd2ee45ed05c8af27b83208167cb04372a97 100644
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,7 @@ Incompatible changes
 Bugfixes
 --------
 - fix multi-process race condition in trust anchor maintenance (!643)
+- ta_sentinel: also consider static trust anchors not managed via RFC 5011
 
 Improvements
 ------------
diff --git a/modules/ta_sentinel/ta_sentinel.lua b/modules/ta_sentinel/ta_sentinel.lua
index e7500ea95e573c590dc916b15942079344d4aaa9..8a1f7ed33d2e8f186d9dd8a84aa9188679b49a0d 100644
--- a/modules/ta_sentinel/ta_sentinel.lua
+++ b/modules/ta_sentinel/ta_sentinel.lua
@@ -51,12 +51,27 @@ function M.layer.finish(state, req, pkt)
 end
 local found = false
-for keyidx = 1, #trust_anchors.keysets['\0'] do
-local key = trust_anchors.keysets['\0'][keyidx]
-if keytag == key.key_tag then
-found = (key.state == "Valid")
-if verbose() then
-log('[ta_sentinel] found keytag ' .. keytag .. ', key state ' .. key.state)
+local ds_set = ffi.C.kr_ta_get(kres.context().trust_anchors, '\0')
+if ds_set ~= nil then
+for i = 0, ds_set:rdcount() - 1 do
+-- Find the key tag in rdata and compare
+-- https://tools.ietf.org/html/rfc4034#section-5.1
+local rdata = ds_set:rdata_pt(i)
+local tag = rdata.data[0] * 256 + rdata.data[1]
+if tag == keytag then
+found = true
+end
+end
+end
+if verbose() then
+log('[ta_sentinel] matching trusted TA found: ' .. tostring(found))
+if not found then -- print matching TAs in *other* states than Valid
+for i = 1, #(trust_anchors.keysets['\0'] or {}) do
+local key = trust_anchors.keysets['\0'][i]
+if key.key_tag == keytag and key.state ~= 'Valid' then
+log('[ta_sentinel] matching UNtrusted TA found in state: ' .. key.state)
 end
 end
 end
 end
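Review bot: The key-tag extraction `local tag = rdata.data[0] * 256 + rdata.data[1]` reads two bytes through FFI without checking that the DS rdata is at least that long; if the trust-anchor set could ever hold a truncated or empty rdata this becomes an out-of-bounds read rather than a Lua error, so guard it, e.g. `if rdata.len >= 2 and rdata.data[0] * 256 + rdata.data[1] == keytag then found = true break end` (assuming the rdata struct exposes its length as `len` — confirm against the FFI declaration). The loop also keeps scanning after a match; a `break` after `found = true` is cheap and states the intent. A short comment above the loop would help the next reader, since a key tag is not a unique key identifier (RFC 4034, Appendix B) and a tag match only proves that some trusted DS with that tag exists, which is all the sentinel check needs: `-- key tags may collide; any trusted DS with this tag counts as a match`. M.layer.finish starts and ends outside the hunk.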