Availability is a major concern in the design of DNSSEC. To ensure availability, DNSSEC follows Postel’s Law [RFC1123]: “Be liberal in what you accept, and conservative in what you send.” Hence, nameservers should send not just one matching key for a record set, but all the relevant cryptographic material, e.g., all the keys for all the ciphers that they support and all the corresponding signatures. This ensures that validation succeeds, and hence availability, even if some of the DNSSEC keys are misconfigured, incorrect or correspond to unsupported ciphers.
We show that this design of DNSSEC is flawed. Exploiting vulnerable recommendations in the DNSSEC standards, we develop a new class of DNSSEC-based algorithmic complexity attacks on DNS, we dub KeyTrap attacks. All popular DNS implementations and services are vulnerable. With just a single DNS packet, the KeyTrap attacks lead to a 2.000.000x spike in CPU instruction count in vulnerable DNS resolvers, stalling some for as long as 16 hours. This devastating effect prompted major DNS vendors to refer to KeyTrap as the worst attack on DNS ever discovered. Exploiting KeyTrap, an attacker could effectively disable Internet access in any system utilizing a DNSSEC-validating resolver.
We disclosed KeyTrap to vendors and operators on November 2, 2023, confidentially reporting the vulnerabilities to a closed group of DNS experts, operators and developers from the industry. Since then we have been working with all major vendors to mitigate KeyTrap, repeatedly discovering and assisting in closing weaknesses in proposed patches. Following our disclosure, the industry-wide umbrella CVE-2023-50387 has been assigned, covering the DNSSEC protocol vulnerabilities we present in this work.

Je mehr man sich anstrengt, desto mehr scheitert man: Die Denial-of-Service-Angriffe auf DNSSEC durch die algorithmische Komplexität von KeyTrap
Teilen:
London, GB
8:44 am,
Feb. 11, 2025
L: 3° |
H: 4°
Fühlt sich an wie 1°C°
overcast clouds
Luftfeuchtigkeit:
93 %
Druck:
1018 mb
Wind:
5 mph
NW
Windböe:
0 mph
UV-Index:
0
Niederschlag:
0 mm
Wolken:
100%
Regen Chance:
0%
Sichtbarkeit:
6 km
Sonnenaufgang:
7:21 am
Sonnenuntergang:
5:07 pm
TäglichStündlich
Tägliche VorhersageStündliche Vorhersage
Today
9:00 pm
3° | 4°°C
0.2 mm
20%
4 mph
95 %
1018 mb
0 mm/h
Tomorrow
9:00 pm
2° | 7°°C
0 mm
0%
5 mph
96 %
1021 mb
0 mm/h
Do. Feb. 13
9:00 pm
3° | 7°°C
0 mm
0%
9 mph
77 %
1025 mb
0 mm/h
Fr. Feb. 14
9:00 pm
2° | 6°°C
0 mm
0%
8 mph
78 %
1026 mb
0 mm/h
Sa. Feb. 15
9:00 pm
1° | 5°°C
0 mm
0%
9 mph
75 %
1026 mb
0 mm/h
Today
9:00 am
3° | 3°°C
0.2 mm
20%
4 mph
93 %
1018 mb
0 mm/h
Today
12:00 pm
3° | 3°°C
0 mm
0%
4 mph
95 %
1018 mb
0 mm/h
Today
3:00 pm
4° | 4°°C
0 mm
0%
4 mph
88 %
1017 mb
0 mm/h
Today
6:00 pm
4° | 4°°C
0 mm
0%
3 mph
86 %
1018 mb
0 mm/h
Today
9:00 pm
4° | 4°°C
0 mm
0%
3 mph
84 %
1018 mb
0 mm/h
Tomorrow
12:00 am
4° | 4°°C
0 mm
0%
2 mph
88 %
1019 mb
0 mm/h
Tomorrow
3:00 am
3° | 3°°C
0 mm
0%
3 mph
92 %
1018 mb
0 mm/h
Tomorrow
6:00 am
2° | 2°°C
0 mm
0%
3 mph
96 %
1018 mb
0 mm/h
Wetter von OpenWeatherMap
Name | Preis | 24H (%) |
---|---|---|
Bitcoin(BTC) | €95,362.80 | 0.48% |
Ethereum(ETH) | €2,636.02 | 2.70% |
XRP(XRP) | €2.44 | 3.25% |
Fesseln(USDT) | €0.97 | -0.01% |
Solana(SOL) | €199.42 | 0.57% |
USDC(USDC) | €0.97 | 0.00% |
Dogecoin(DOGE) | €0.258930 | 5.69% |
Shiba Inu(SHIB) | €0.000016 | 2.52% |
![]() Pepe(PEPE) | €0.000010 | 9.25% |