KeyTrap: Serious Vulnerability in the Internet Infrastructure


ATHENE researchers have uncovered a critical flaw in the design of DNSSEC (DNS Security Extensions), the security extension to the Domain Name System (DNS). The flaw introduces a vulnerability in all DNS implementations, and the researchers are helping vendors and service providers to fix it. Without correction, the flaw could have serious implications for DNSSEC-validating implementations and public DNS providers such as Google and Cloudflare.

Led by Prof. Dr. Haya Schulmann of Goethe University Frankfurt, the ATHENE team has developed a new class of attack called “KeyTrap” that shows how hackers could exploit the design flaw: with just a single DNS packet, hackers could paralyze all common DNS implementations and public DNS providers. Exploiting this attack would have serious consequences for any application that uses the internet, including the unavailability of technologies such as web browsers, email and instant messaging. This devastating effect prompted major DNS vendors to call KeyTrap “The worst attack on DNS ever discovered”.

ATHENE researchers have been working with vendors and DNS providers to develop specific patches to close the vulnerability. All providers of DNS services are strongly advised to apply these patches immediately to mitigate this critical vulnerability.

The attack vectors exploited in the KeyTrap class of attacks are registered in the Common Vulnerabilities and Exposures (CVE) database under the umbrella entry CVE-2023-50387.

The discovery and fixing of this design flaw in DNSSEC is a good example of the importance of cybersecurity research in helping to proactively prevent cyberattacks and improve security. ATHENE’s work has already uncovered several serious security vulnerabilities on the internet, helping to improve security for the benefit of millions of users in Germany and around the world.

Go to our press release

Technical Report

The technical background is summarized in this report: Report (PDF, 1,2 MB)

The final version of this report will be presented at the ACM Conference on Computer and Communications Security (ACM CCS), Salt Lake City, October 14-18, 2024, under the title “The Harder You Try, The Harder You Fail: The KeyTrap Denial-of-Service Algorithmic Complexity Attacks on DNSSEC”.

What is the KeyTrap vulnerability?

Who is affected?

What is the impact of KeyTrap?

What do I need to do?

What does this mean for the future of DNSSEC?

Does KeyTrap allow circumvention of DNSSEC cryptographic protection?

How was KeyTrap mitigated?

Who discovered the vulnerability?

Source
