Ignore trust anchors using disabled algorithms
When having a security root with a disabled algorithm in
managed-keys, BIND9 will still manage that key. However, when receiving a query for a domain that matches the disabled algorithm, the validation fails and results in a SERVFAIL response.
Desired behavior: Don't allow managing a security root with a disabled algorithm. If the zone rolls to a disabled algorithm, treat that zone as insecure.