Warren Kumari asked today (IETF meeting) that we warn whenever we notice a trusted-keys option in config, that it is a fixed trust anchor and that users should ideally be using managed-keys. I asked him (and Jim Martin, who was sitting next to him) if he expected BIND to warn just for the root or for any trust point, and he said it should be any. From a previous discussion at ICANN with him, I think he fears that many BIND tutorials from history have described using trusted-keys, and so many users have resolvers set up to use trusted-keys in config.
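An operator-side version of the requested check, added here as an example (it is not part of the original report and is not BIND's own code): it scans named.conf text and produces one warning per trust point in any trusted-keys statement, not only the root. The function names, the warning wording and the sample configuration with placeholder key data are assumptions made for illustration.

```python
import re

# Constructed sample named.conf text; key data are placeholders, not real DNSKEYs.
SAMPLE_CONF = '''
options { directory "/var/named"; };
// trusted-keys { "commented.example." 257 3 8 "AAAA"; };
trusted-keys {
    "." 257 3 8 "PLACEHOLDER//KEY+DATA==";   # static root anchor
    example.com. 257 3 8 "PLACEHOLDER/KEY2=";
};
managed-keys {
    "example.net." initial-key 257 3 8 "PLACEHOLDER+KEY3=";
};
'''

# Quoted strings are matched first so "//" or "#" inside key data is not a comment.
TOKEN = re.compile(
    r'"(?:[^"\\]|\\.)*"|/\*.*?\*/|//[^\n]*|#[^\n]*|[{};]|[^\s{};"]+', re.S)

def tokens(text):
    """Yield config tokens, dropping comments and keeping quoted strings whole."""
    for m in TOKEN.finditer(text):
        tok = m.group(0)
        if not tok.startswith(('/*', '//', '#')):
            yield tok

def static_trust_anchors(text):
    """Return the name of every trust point in any trusted-keys statement."""
    toks, names, i = list(tokens(text)), [], 0
    while i < len(toks):
        if toks[i] == 'trusted-keys' and toks[i + 1:i + 2] == ['{']:
            i += 2
            entry = []
            while i < len(toks) and toks[i] != '}':
                if toks[i] == ';':          # end of one key entry
                    if entry:
                        names.append(entry[0].strip('"'))
                    entry = []
                else:
                    entry.append(toks[i])
                i += 1
        i += 1
    return names

def warnings(text):
    return [f"trusted-keys entry for '{n}' is a fixed trust anchor; "
            "consider managed-keys" for n in static_trust_anchors(text)]

if __name__ == "__main__":
    print("\n".join(warnings(SAMPLE_CONF)))
```

Because the scan is over a flat token stream, a trusted-keys statement nested inside a view block is reported as well.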