New key rollover paper in Internet Protocol Journal


The Internet Protocol Journal has just published an article about Rolling Over DNSSEC Keys, authored by George Michaelson and Geoff Huston of APNIC; Patrick Wallström of .SE; and Roy Arends of Nominet.  The editor notes that the article examines “what happens in two widely used DNS resolver implementations when DNS clients lag behind in synchronizing their local copy of trust keys with the master keys used by the zone administrators to sign their DNS data.”  Here’s what the authors conclude: 

… in this situation of slippage of synchronized key state between client and server, the effect is both local failure and the generation of excess load on external servers—and if this situation is allowed to become a common state, it has the potential to broaden the failure state to a more general DNS service failure through load saturation of critical DNS servers.

This aspect of a qualitative change of the DNS is unavoidable, and it places a strong imperative on DNS operations and the community of the 5 million current and uncountable future DNS resolvers to understand that “set and forget” is not the intended mode of operation of DNSSEC-equipped clients.
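As an added illustration of the synchronization problem the article describes (this is example code written for this post, not code from the article or its authors), the following Python models a validating resolver whose trust anchor is held in DS form and is checked against the zone's published DNSKEY RRset at each stage of a KSK rollover. The key tag follows RFC 4034 Appendix B and the DS digest is SHA-256 over the owner name in wire format plus the DNSKEY RDATA; everything else is constructed for the example: the zone name, the placeholder key bytes, the three rollover stages, the omission of the RRSIG check, and the assumption that a validation failure costs one query per authoritative server before SERVFAIL is returned.

```python
"""Added example: a toy model of a validating resolver's trust anchor falling
out of step with a zone's KSK rollover.  All zone data is constructed."""
import hashlib
import struct


def wire_name(name):
    """Owner name in DNS wire format: "example." -> b"\\x07example\\x00"."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B (the form used for every algorithm but 1)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey):
    """DS-form trust anchor: (key tag, algorithm, digest type 2, SHA-256 hex)."""
    digest = hashlib.sha256(
        wire_name(owner) + dnskey_rdata(flags, protocol, algorithm, pubkey)
    ).hexdigest()
    return (key_tag(flags, protocol, algorithm, pubkey), algorithm, 2, digest)


def anchor_matches(anchors, owner, dnskeys):
    """True if some KSK (SEP bit set) in the published DNSKEY RRset matches one
    of the resolver's anchors.  Simplification: the RRSIG over the RRset is not
    verified here because the key bytes are placeholders, not real public keys."""
    for flags, protocol, algorithm, pubkey in dnskeys:
        if not flags & 0x0001:  # ZSK without the SEP bit cannot anchor the chain
            continue
        if ds_from_dnskey(owner, flags, protocol, algorithm, pubkey) in anchors:
            return True
    return False


# Constructed zone and keys.  Algorithm 13 is only a label; the bytes are not keys.
ZONE = "example."
KSK_OLD = (257, 3, 13, b"old-ksk-public-key-bytes")
KSK_NEW = (257, 3, 13, b"new-ksk-public-key-bytes")
ZSK = (256, 3, 13, b"zsk-public-key-bytes")

# The zone's DNSKEY RRset as published at each stage of a pre-publish KSK rollover.
ROLLOVER_STAGES = [
    ("old only", [KSK_OLD, ZSK]),
    ("old + new published", [KSK_OLD, KSK_NEW, ZSK]),
    ("new only", [KSK_NEW, ZSK]),
]


def simulate(anchors, stages=ROLLOVER_STAGES, authoritative_servers=4):
    """Per stage: whether a resolver holding `anchors` validates, and how many
    queries one lookup costs.  Assumption (not from the article): on validation
    failure the resolver re-asks every authoritative server before SERVFAIL,
    so a stale anchor multiplies the zone's query load by its NS count."""
    report = []
    for stage, dnskeys in stages:
        ok = anchor_matches(anchors, ZONE, dnskeys)
        report.append((stage, ok, 1 if ok else authoritative_servers))
    return report


def stale_vs_updated():
    """A "set and forget" resolver keeps only the old KSK as its anchor; a
    resolver that tracked the rollover learned the new KSK during the overlap."""
    stale = simulate({ds_from_dnskey(ZONE, *KSK_OLD)})
    updated = simulate({ds_from_dnskey(ZONE, *KSK_OLD), ds_from_dnskey(ZONE, *KSK_NEW)})
    return stale, updated


if __name__ == "__main__":
    for label, report in zip(("stale anchor", "updated anchor"), stale_vs_updated()):
        print(label)
        for stage, ok, queries in report:
            print(f"  {stage:20s} {'valid' if ok else 'SERVFAIL':9s} queries/lookup={queries}")
```

Run stand-alone it prints that the stale resolver validates through the overlap stage and fails once the old KSK is withdrawn, at which point each lookup costs a query to every authoritative server; the resolver that picked up the new key during the overlap validates at every stage. The key tag and DS computation are the same checks an operator performs when comparing a configured anchor against a zone's live DNSKEY RRset.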
