Ignore trust anchors using disabled algorithms

When having a security root with a disabled algorithm in managed-keys, BIND9 will still manage that key. However, when receiving a query for a domain that matches the disabled algorithm, the validation fails and results in a SERVFAIL response.

Desired behavior: Don't allow managing a security root with a disabled algorithm. If the zone rolls to a disabled algorithm, treat that zone as insecure.