handle conflicting trust anchor & negative trust anchor definitions
People could reasonably expect that adding a root negative trust anchor would disable validation (everywhere):
trust_anchors.set_insecure({'.'})
but that is not so, at least if built with -Dkeyfile_default=foo
(usual in distros; maybe in some other configs as well).
Our documented way to completely disable validation seems to work:
trust_anchors.remove('.')
and we certainly discourage such things, so I don't expect this to be an important issue. In particular, using NTAs below root seems to work fine. I suspect the issue is having both TA and NTA on the same name.
Edited by Petr Špaček