If any trusted-keys entry is configured for the root zone and dnssec-validation auto; is in effect, the built-in root trust anchor enabled by the latter will be used for DNSSEC validation purposes, but it will not be maintained using the RFC 5011 process.