handle conflicting trust anchor & negative trust anchor definitions
People could reasonably expect that adding a root negative trust anchors would disable validation (everywhere)
but that is not so, at least if built with
-Dkeyfile_default=foo (usual in distros; maybe in some other configs as well).
Our documented way to completely disable validation seems to work
and we certainly discourage such things, so I don't expect this to be an important issue. In particular, using NTAs below root seems to work fine. I suspect the issue is having both TA and NTA on the same name.