Comment 82 for bug 1124250

I have given a look at the relevant sources for the fedora kernel (upstream it is just the same). It appears that nfsid keys should be created within the keyring

        keyring = key_alloc(&key_type_keyring, ".id_resolver", 0, 0, cred,
                             (KEY_POS_ALL & ~KEY_POS_SETATTR) |
                             KEY_USR_VIEW | KEY_USR_READ,
                             KEY_ALLOC_NOT_IN_QUOTA);

in idmap.c

However they do still count toward the quota of root (whence the problem).
This is quite surprising and, unless I am misrepresenting the situation, it could be a bug somewhere else.