If a trusted-key is configured but validation is disabled by
"dnssec-validation no" or "rndc validation off", we shouldn't send
TAT queries.