Availability is a major concern in the design of DNSSEC. To ensure availability, DNSSEC follows Postel’s Law [RFC1123]: “Be liberal in what you accept, and conservative in what you send.” Hence, nameservers should send not just one matching key for a record set, but all the relevant cryptographic material, e.g., all the keys for all the ciphers that they support and all the corresponding signatures. This ensures that validation succeeds, and hence availability, even if some of the DNSSEC keys are misconfigured, incorrect or correspond to unsupported ciphers.
We show that this design of DNSSEC is flawed. Exploiting vulnerable recommendations in the DNSSEC standards, we develop a new class of DNSSEC-based algorithmic complexity attacks on DNS, we dub KeyTrap attacks. All popular DNS implementations and services are vulnerable. With just a single DNS packet, the KeyTrap attacks lead to a 2.000.000x spike in CPU instruction count in vulnerable DNS resolvers, stalling some for as long as 16 hours. This devastating effect prompted major DNS vendors to refer to KeyTrap as the worst attack on DNS ever discovered. Exploiting KeyTrap, an attacker could effectively disable Internet access in any system utilizing a DNSSEC-validating resolver.
We disclosed KeyTrap to vendors and operators on November 2, 2023, confidentially reporting the vulnerabilities to a closed group of DNS experts, operators and developers from the industry. Since then we have been working with all major vendors to mitigate KeyTrap, repeatedly discovering and assisting in closing weaknesses in proposed patches. Following our disclosure, the industry-wide umbrella CVE-2023-50387 has been assigned, covering the DNSSEC protocol vulnerabilities we present in this work.
The Harder You Try, The Harder You Fail: The KeyTrap Denial-of-Service Algorithmic Complexity Attacks on DNSSEC
Share:
London, GB
8:27 pm,
Jun 16, 2025
24°C
L: 22° |
H: 25°
Feels like 24°C°
broken clouds
Daily ForecastHourly Forecast
Today
10:00 pm
22° | 25°°C
0 mm
0%
5 mph
56 %
1026 mb
0 mm/h
Tomorrow
10:00 pm
14° | 27°°C
0 mm
0%
10 mph
68 %
1027 mb
0 mm/h
Wed Jun 18
10:00 pm
15° | 27°°C
0 mm
0%
9 mph
75 %
1026 mb
0 mm/h
Thu Jun 19
10:00 pm
17° | 28°°C
0 mm
0%
11 mph
69 %
1027 mb
0 mm/h
Fri Jun 20
10:00 pm
16° | 25°°C
0 mm
0%
10 mph
70 %
1027 mb
0 mm/h
Today
10:00 pm
20° | 23°°C
0 mm
0%
5 mph
56 %
1026 mb
0 mm/h
Tomorrow
1:00 am
17° | 19°°C
0 mm
0%
5 mph
63 %
1027 mb
0 mm/h
Tomorrow
4:00 am
14° | 14°°C
0 mm
0%
4 mph
68 %
1026 mb
0 mm/h
Tomorrow
7:00 am
16° | 16°°C
0 mm
0%
6 mph
63 %
1026 mb
0 mm/h
Tomorrow
10:00 am
21° | 21°°C
0 mm
0%
7 mph
50 %
1026 mb
0 mm/h
Tomorrow
1:00 pm
26° | 26°°C
0 mm
0%
7 mph
32 %
1025 mb
0 mm/h
Tomorrow
4:00 pm
27° | 27°°C
0 mm
0%
8 mph
31 %
1024 mb
0 mm/h
Tomorrow
7:00 pm
25° | 25°°C
0 mm
0%
10 mph
38 %
1024 mb
0 mm/h
| Name | Price | 24H (%) |
|---|---|---|
 Bitcoin(BTC) | €93,910.15 | 3.01% |
 Ethereum(ETH) | €2,293.12 | 4.16% |
 Tether(USDT) | €0.86 | 0.01% |
 XRP(XRP) | €2.00 | 7.12% |
 Solana(SOL) | €136.95 | 3.75% |
 USDC(USDC) | €0.86 | 0.00% |
 Dogecoin(DOGE) | €0.155965 | 3.18% |
 Shiba Inu(SHIB) | €0.000010 | 2.52% |
 Pepe(PEPE) | €0.000010 | 2.56% |
