Huston: KeyTrap!
Posted Mar 12, 2024 14:45 UTC (Tue) by paulj (subscriber, #341)
Parent article: Huston: KeyTrap!
So basically, the answer to "A malicious DNS zone could tie up naive resolvers" is that zone operators should just... be respectful of the resources of resolvers, and /not/ generate zones with lots of keys, especially not with lots of keys with KeyTag collisions. And where a zone operator is just taking the piss, resolvers should put a sensible cap on how far they'll check.
Ok, this will break name resolution in zones made by evil operators, but... so what? :)
"Don't break your back to accommodate malicious data crafted by evil operators" should be a new networking principle I guess.
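The "sensible cap" idea from the comment above, as an added example that is not from the comment, LWN or any resolver implementation: the RFC 4034 Appendix B key tag is only a checksum, so a zone can publish many DNSKEYs sharing one tag, and a resolver that tries every matching key for every RRSIG does work that grows with keys times signatures. The helper below groups keys by (tag, algorithm) as a validator would and aborts once a per-RRset attempt budget is spent; the colliding keys, the `verify` callback and the budget value are constructed for illustration.

```python
from collections import defaultdict

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags|proto|alg|pubkey)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8   # even index = high byte, odd = low byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """Build DNSKEY RDATA; protocol is always 3 (RFC 4034 section 2.1.2)."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + pubkey

class ValidationBudgetExceeded(Exception):
    """Raised when an RRset needs more signature checks than the resolver allows."""

def validate_rrset(rrsigs, dnskeys, verify, max_attempts=16):
    """rrsigs: list of (key_tag, algorithm, signature); dnskeys: list of RDATA.
    verify(key_rdata, signature) -> bool is the (assumed) crypto check.
    Returns (validated, attempts); raises once attempts exceed max_attempts."""
    by_tag = defaultdict(list)
    for k in dnskeys:
        by_tag[(key_tag(k), k[3])].append(k)        # k[3] is the algorithm byte
    attempts = 0
    for sig_tag, sig_alg, sig in rrsigs:
        for k in by_tag.get((sig_tag, sig_alg), []):
            attempts += 1
            if attempts > max_attempts:
                raise ValidationBudgetExceeded(attempts)
            if verify(k, sig):
                return True, attempts
    return False, attempts

def colliding_keys(n: int, flags=257, algorithm=13):
    """Constructed: n distinct public keys whose RDATA all share one key tag,
    because each contributes a single 0x0001 at an even-aligned word position."""
    return [dnskey_rdata(flags, algorithm, b"\x00" * (2 * i) + b"\x00\x01" + b"\x00" * (2 * (n - 1 - i)))
            for i in range(n)]

def demo(n_keys: int, max_attempts: int, accept_index=None):
    """Constructed scenario: one RRSIG naming the shared tag, n_keys candidates,
    a verifier that accepts only the key at accept_index (never, if None)."""
    keys = colliding_keys(n_keys)
    tag, alg = key_tag(keys[0]), keys[0][3]
    verify = lambda k, sig: accept_index is not None and k == keys[accept_index]
    return validate_rrset([(tag, alg, b"sig")], keys, verify, max_attempts)
```

With the budget in place, a zone with 40 colliding keys costs the resolver at most 16 verifications before it gives up on that RRset instead of trying all 40.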
