In now z-stack, trust-key is send to Nod like this. When a new Nod join(associate or rejoin-unsecured),the Parent will apply the KEY for new nod from Trust-Center(coordinator itself) at 600-ms(ZDAPP_NEW_DEVICE_TIME) after.
But if this nod without correct Key is not expected to join into current network,and Parent will keep its information still in AssociatedDevList and AddrMgr. So when there are many-many nods without correct-key Join in to network,the network will go breakdown.
I suggest changing like this. Paren apply the Key from Trust Center once receive join-request(associate or rejoin-unsecured).Once the Nod gets Correct Key,it can be considered Join-Success and will broadcast ZDO_DEVICE_ANNCE. At 600-ms after,when the Paren trigger ZDO_NEW_DEVICE evetn,the Parent verify that if it have received the Nod's ZDO_DEVICE_ANNCE. If Parent has never received Nod's ZDO_DEVICE_ANNCE,parent delete this NOD.