A DNSSEC vulnerability allows a single packet to disable a resolver for up to 16 hours

Teacher

A single malicious packet can push a DNS resolver that performs DNSSEC validation into a denial-of-service (DoS) state. German researchers have developed a proof-of-concept (PoC) attack that stalls the resolver and cuts off its clients' access to websites for up to 16 hours.

The threat, named KeyTrap, also affects public DNS services such as those run by Google and Cloudflare, and has been registered as CVE-2023-50387 (CVSS 7.5).

It all started when specialists at the Darmstadt research center for applied information security found a flaw in the 1999 DNSSEC specification (RFC 2535) that was carried over into later versions as a requirement for implementations of the protocol. It says:

"The name server must hand over all available cryptographic materials, and the resolver must use everything that is sent until the compliance check is successful."

It follows that a DNSSEC-validating resolver can be lured into querying a server that returns a malicious response: a set of resource records (RRs) whose validation overloads the CPU. An attacker can thereby take the resolver out of service temporarily; in tests the outage lasted anywhere from three minutes to 16 hours, depending on the software the target runs.
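To make the quoted rule concrete, here is a small Python model, added to this post; it is not the researchers' PoC and not any resolver's code. It models a validator that, as the rule requires, tries every DNSKEY against every RRSIG until one verifies, and counts verification attempts for a constructed hostile response in which none of the signatures is valid. Real validators first narrow the candidate keys by key tag and algorithm; the model keeps that prefilter and gives every constructed key the same key tag (colliding key tags are a known ingredient of KeyTrap, not something this post goes into), so the prefilter removes nothing. The asymmetric signature check is replaced by an HMAC so the example runs offline; only the number of attempts matters. The budgeted variant is my own assumption about what a mitigation looks like, not any vendor's patch: it gives up after a fixed number of attempts and returns "bogus" instead of burning CPU.

```python
from dataclasses import dataclass
import hashlib
import hmac


@dataclass
class DNSKEY:
    key_tag: int
    secret: bytes  # stand-in for the public key (toy: HMAC instead of RSA/ECDSA)


@dataclass
class RRSIG:
    key_tag: int       # which DNSKEY the signature claims to be made with
    signature: bytes


@dataclass
class Stats:
    verifications: int = 0  # number of (expensive) signature checks performed


def sign(key: DNSKEY, rrset: bytes) -> RRSIG:
    """Produce a signature that verify() will accept (toy HMAC, not DNSSEC)."""
    return RRSIG(key.key_tag, hmac.new(key.secret, rrset, hashlib.sha256).digest())


def verify(key: DNSKEY, sig: RRSIG, rrset: bytes, stats: Stats) -> bool:
    """Stand-in for one asymmetric signature verification; counts each call."""
    stats.verifications += 1
    expected = hmac.new(key.secret, rrset, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig.signature)


def validate_try_everything(keys, sigs, rrset, stats):
    """The rule as quoted: use every key the server handed over, for every
    signature, until one validates.  With colliding key tags the prefilter
    removes nothing, so a response with no valid signature costs
    len(sigs) * len(keys) verifications before the resolver gives up."""
    for sig in sigs:
        for key in keys:
            if key.key_tag != sig.key_tag:
                continue  # key-tag prefilter; useless when all tags collide
            if verify(key, sig, rrset, stats):
                return "secure"
    return "bogus"


def validate_budgeted(keys, sigs, rrset, stats, max_verifications=8):
    """Assumed mitigation: cap the work spent on one response and answer
    'bogus' (SERVFAIL to the client) once the budget is exhausted."""
    for sig in sigs:
        for key in keys:
            if key.key_tag != sig.key_tag:
                continue
            if stats.verifications >= max_verifications:
                return "bogus"
            if verify(key, sig, rrset, stats):
                return "secure"
    return "bogus"


def build_hostile_response(n_keys, n_sigs, key_tag=12345):
    """Constructed attacker response: n_keys DNSKEYs that all share one key
    tag and n_sigs RRSIGs naming that tag, none of which is a real signature."""
    rrset = b"www.example. IN A 192.0.2.1"  # constructed RRset, not a real zone
    keys = [DNSKEY(key_tag, b"attacker-key-%d" % i) for i in range(n_keys)]
    sigs = [RRSIG(key_tag, hashlib.sha256(b"junk-%d" % j).digest())
            for j in range(n_sigs)]
    return keys, sigs, rrset


def attack_cost(n_keys, n_sigs):
    """Return (result, verifications) for both validators on a hostile response."""
    keys, sigs, rrset = build_hostile_response(n_keys, n_sigs)
    s1, s2 = Stats(), Stats()
    r1 = validate_try_everything(keys, sigs, rrset, s1)
    r2 = validate_budgeted(keys, sigs, rrset, s2)
    return (r1, s1.verifications), (r2, s2.verifications)


def legit_cost():
    """A well-formed response: one key, one valid signature, one verification."""
    rrset = b"www.example. IN A 192.0.2.1"  # constructed
    key = DNSKEY(1, b"zone-signing-key")
    stats = Stats()
    result = validate_try_everything([key], [sign(key, rrset)], rrset, stats)
    return result, stats.verifications


if __name__ == "__main__":
    print("legit:", legit_cost())  # ('secure', 1)
    for n in (10, 50):
        print(f"{n} keys x {n} sigs:", attack_cost(n, n))
```

A legitimate response costs one verification; the hostile one costs keys times signatures under the quoted rule, which is the quadratic blow-up that turns a single response into minutes or hours of CPU time. The budget caps the damage per response, but the attacker can keep sending responses, and a budget that is too low also rejects unusual but legitimate zones, which is why a cap is a mitigation and not a fix for the rule itself.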

The fallout is not limited to users losing access to web content: services such as spam filtering, PKI, and routing security (RPKI) also depend on name resolution. According to the researchers, 31% of web clients on the Internet currently use DNSSEC validation, and a KeyTrap attack can become a serious problem for them (Runet users now know this firsthand).

All affected vendors of resolver software and the operators of popular public DNS services have been notified and are rolling out patches to mitigate the problem, but those patches can only keep the resolver responsive while its CPU is saturated. Fully eliminating the vulnerability, the researchers say, will require revising the DNSSEC standard.