DNS Key Trap

The DNS Key Trap

According to the National Vulnerability Database

Certain aspects of DNSSEC in the DNS protocol, outlined in RFCs 4033, 4034, 4035, 6840, and related documents, enable remote attackers to initiate a denial of service (CPU consumption) through multiple DNSSEC responses, known as the “KeyTrap” issue. One significant concern is that when a zone contains numerous DNSKEY and RRSIG records, the protocol specification necessitates evaluating all possible combinations of these records.

Discovery

13.02.2024. The National Research Center for Applied Cybersecurity ATHENE has uncovered a critical flaw in the design of DNSSEC, the Security Extensions of DNS (Domain Name System). DNS is one of the fundamental building blocks of the Internet. The design flaw has devastating consequences for essentially all DNSSEC-validating DNS implementations and public DNS providers, such as Google and Cloudflare. The ATHENE team, led by Prof. Dr. Haya Schulmann from Goethe University Frankfurt, developed “KeyTrap”, a new class of attacks: with just a single DNS packet hackers could stall all widely used DNS implementations and public DNS providers. Exploitation of this attack would have severe consequences for any application using the Internet including unavailability of technologies such as web-browsing, e-mail, and instant messaging.

References:

https://www.athene-center.de/en/news/press/key-trap

https://www.athene-center.de/fileadmin/content/PDF/Keytrap_2401.pdf

Author

admin

View all posts

High Level Program Schedule for the Workshop

Timing	Description
9.30 AM -10 AM	Opening Remarks by IEEE, IIFON & Host Institution
10.00 AM-11.15 AM	Internet Measurement & About AIORI
11.15 AM -11.45 AM	Tea Break
11.45 AM -1.00 PM	Internet Engineering & Standards
1.00 PM-2.00 PM	Lunch
2.00 PM-3.15 PM	AIORI practical & Industry Talk
3.15 PM-3.45 PM	Tea Break
3.45 PM 5.00 PM	Wrap Up- Next Steps, Standards Hackathon, Call for teams