handle conflicting trust anchor & negative trust anchor definitions

People could reasonably expect that adding a root negative trust anchors would disable validation (everywhere)

trust_anchors.set_insecure({'.'})

but that is not so, at least if built with -Dkeyfile_default=foo (usual in distros; maybe in some other configs as well).

Our documented way to completely disable validation seems to work

trust_anchors.remove('.')

and we certainly discourage such things, so I don't expect this to be an important issue. In particular, using NTAs below root seems to work fine. I suspect the issue is having both TA and NTA on the same name.