According to the  National Vulnerability Database

Certain aspects of DNSSEC in the DNS protocol, outlined in RFCs 4033, 4034, 4035, 6840, and related documents, enable remote attackers to initiate a denial of service (CPU consumption) through multiple DNSSEC responses, known as the “KeyTrap” issue. One significant concern is that when a zone contains numerous DNSKEY and RRSIG records, the protocol specification necessitates evaluating all possible combinations of these records.

Discovery

13.02.2024. The National Research Center for Applied Cybersecurity ATHENE has uncovered a critical flaw in the design of DNSSEC, the Security Extensions of DNS (Domain Name System). DNS is one of the fundamental building blocks of the Internet. The design flaw has devastating consequences for essentially all DNSSEC-validating DNS implementations and public DNS providers, such as Google and Cloudflare. The ATHENE team, led by Prof. Dr. Haya Schulmann from Goethe University Frankfurt, developed “KeyTrap”, a new class of attacks: with just a single DNS packet hackers could stall all widely used DNS implementations and public DNS providers. Exploitation of this attack would have severe consequences for any application using the Internet including unavailability of technologies such as web-browsing, e-mail, and instant messaging.

References:

https://www.athene-center.de/en/news/press/key-trap

https://www.athene-center.de/fileadmin/content/PDF/Keytrap_2401.pdf

The post DNS Key Trap appeared first on AIORI.