Delay trust anchor management until all zones are loaded

If you have a trust anchor that requires a zone to be loaded for the DNSKEY to be fetched you can get spurious Failed to create fetch for DNSKEY update. logged if the timing is wrong.

Using !7049 (merged) and logging why dns_resolver_createfetch fails we see:

11-Nov-2022 12:38:26.400 fetch: sub.foo/DNSKEY
11-Nov-2022 12:38:26.400 zone 78.100.IN-ADDR.ARPA/IN: loaded; checking validity
11-Nov-2022 12:38:26.400 fctx 0x121eb3010(sub.foo/DNSKEY): create
11-Nov-2022 12:38:26.400 dns_zone_verifydb: zone 74.100.IN-ADDR.ARPA/IN: enter
dns_resolver_createfetch(sub.foo, DNSKEY) -> zone not loaded
11-Nov-2022 12:38:26.400 managed-keys-zone: Failed to create fetch for sub.foo DNSKEY update
22 12:38:26.400 managed-keys-zone: Failed to create fetch for DNSKEY update

The serve is authoritative for foo but it has not loaded at this point in the start up so named can't determine where to send the DNSKEY request.

this should self correct but is not optimal. Waiting for all the zones to load then initiating trust anchor management should avoid errors like this.