DNSSEC Key Roll-over Pitfalls
A few weeks ago the RIPE NCC was alerted to a rapid increase in DNSKEY queries for its signed reverse DNS zones. When we investigated the cause, we discovered that recent versions of the Fedora Linux distribution ship with a package called "dnssec-conf", which contains an outdated set of the RIPE NCC's DNSSEC trust anchors (see more details in a mail by Anand Buddhdev, the DNS Services Manager of the RIPE NCC, sent to the RIPE DNS WG mailing list on 5 February 2010).
Subsequently Geoff Huston, George Michaelson, Patrik Wallström and Roy Arends did some more analysis and found that "the problem is shown to be an outcome of the interaction of the distribution of key material and the regular rollover of the Key Signing Key (KSK) that forms the trust anchor for the signed zone.
When these resolver implementations fall out of sync with the zone's keys then they do not quietly fail, but instead they enter a period of sustained query thrashing, sending the same query to all the name servers of a zone with up to a thousand repetitions from each single initial seed query."
The full details of the study can be found at http://www.potaroo.net/ispcol/2010-02/rollover.html.
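As an added illustration (this is not code from the RIPE NCC post or from the Potaroo study), the Python below shows the two checks an operator on either side of this problem would want: a zone operator can spot the query thrashing described above by counting repeated DNSKEY queries per client in a query log, and a resolver operator can test whether a configured trust anchor still matches one of the zone's current KSKs by comparing RFC 4034 key tags. The log lines, key material and the threshold of 20 repetitions are all constructed sample data, and the log format is modelled on BIND's querylog style but is an assumption, not a real capture.

```python
import re
import struct
from collections import Counter

# Constructed query-log lines (sample data, not a real capture). One client
# repeats the same DNSKEY query for a reverse zone many times; the others
# behave normally.
SAMPLE_LOG = (
    ["client 192.0.2.10#40001: query: 193.in-addr.arpa IN DNSKEY -ED (198.51.100.1)"] * 40
    + ["client 192.0.2.10#40002: query: 193.in-addr.arpa IN DNSKEY -ED (198.51.100.2)"] * 35
    + ["client 203.0.113.7#5353: query: 193.in-addr.arpa IN DNSKEY -ED (198.51.100.1)"]
    + ["client 203.0.113.7#5353: query: 1.193.in-addr.arpa IN SOA -ED (198.51.100.1)"]
    + ["client 198.51.100.9#3355: query: 193.in-addr.arpa IN NS -ED (198.51.100.2)"]
)

# Assumed querylog layout: "client <ip>#<port>: query: <qname> IN <qtype> ..."
LOG_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def dnskey_query_counts(lines):
    """Count DNSKEY queries per (client IP, zone name) over querylog lines."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m.group("qtype") != "DNSKEY":
            continue
        counts[(m.group("client"), m.group("qname").lower().rstrip("."))] += 1
    return counts


def thrashing_clients(lines, threshold=20):
    """Return {(client, zone): count} for clients that repeat the same DNSKEY
    query more than `threshold` times, i.e. the thrashing pattern a stale
    trust anchor produces after a KSK rollover."""
    return {k: v for k, v in dnskey_query_counts(lines).items() if v > threshold}


def key_tag(flags, protocol, algorithm, public_key):
    """Key tag of a DNSKEY RR as defined in RFC 4034 Appendix B (for all
    algorithms except the obsolete RSA/MD5 algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


SEP_FLAG = 0x0001  # Secure Entry Point bit: set on a KSK, clear on a ZSK


def trust_anchor_is_stale(configured_tags, zone_dnskeys):
    """True when none of the zone's current KSKs matches a configured
    trust-anchor key tag: exactly the situation in which a validating
    resolver can no longer build a chain of trust for the zone."""
    current_ksk_tags = {key_tag(*k) for k in zone_dnskeys if k[0] & SEP_FLAG}
    return not (current_ksk_tags & set(configured_tags))


# Constructed DNSKEY RRsets as (flags, protocol, algorithm, public_key) tuples;
# the key bytes are placeholders, not real key material.
OLD_KSK = (257, 3, 8, b"\x01\x02")
NEW_KSK = (257, 3, 8, b"\x01\x03")
ZSK = (256, 3, 8, b"\x01\x02")
ZONE_BEFORE_ROLLOVER = [OLD_KSK, ZSK]
ZONE_AFTER_ROLLOVER = [NEW_KSK, ZSK]

if __name__ == "__main__":
    print("thrashing clients:", thrashing_clients(SAMPLE_LOG))
    anchors = {key_tag(*OLD_KSK)}  # a resolver still shipping the old anchor
    print("stale before rollover:", trust_anchor_is_stale(anchors, ZONE_BEFORE_ROLLOVER))
    print("stale after rollover:", trust_anchor_is_stale(anchors, ZONE_AFTER_ROLLOVER))
```

The staleness check deliberately ignores ZSK key tags: a trust anchor must match a key with the SEP bit set, so a configured tag that happens to equal a ZSK's tag still leaves the resolver without a usable anchor. Run the query-log check periodically on authoritative servers; a handful of clients each asking for the same DNSKEY RRset dozens of times per minute is the signature the Potaroo study describes.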
In the meantime, ISC (developer of BIND) and NLnet Labs (developer of Unbound) each published a statement describing their course of action: