The Harder You Try, The Harder You Fail: The KeyTrap Denial-of-Service Algorithmic Complexity Attacks on DNSSEC

Elias Heftrig, Haya Schulmann, Niklas Vogel, Michael Waidner

Availability is a major concern in the design of DNSSEC. To ensure availability, DNSSEC follows Postel’s Law [RFC1123]: “Be liberal in what you accept, and conservative in what you send.” Hence, nameservers should send not just one matching key for a record set, but all the relevant cryptographic material, e.g., all the keys for all the ciphers that they support and all the corresponding signatures. This ensures that validation succeeds, and hence preserves availability, even if some of the DNSSEC keys are misconfigured, incorrect, or correspond to unsupported ciphers.
We show that this design of DNSSEC is flawed. Exploiting vulnerable recommendations in the DNSSEC standards, we develop a new class of DNSSEC-based algorithmic complexity attacks on DNS, which we dub KeyTrap attacks. All popular DNS implementations and services are vulnerable. With just a single DNS packet, the KeyTrap attacks lead to a 2,000,000x spike in CPU instruction count in vulnerable DNS resolvers, stalling some for as long as 16 hours. This devastating effect prompted major DNS vendors to refer to KeyTrap as the worst attack on DNS ever discovered. Exploiting KeyTrap, an attacker could effectively disable Internet access in any system utilizing a DNSSEC-validating resolver.
We disclosed KeyTrap to vendors and operators on November 2, 2023, confidentially reporting the vulnerabilities to a closed group of DNS experts, operators and developers from the industry. Since then, we have been working with all major vendors to mitigate KeyTrap, repeatedly discovering and assisting in closing weaknesses in proposed patches. Following our disclosure, the industry-wide umbrella CVE-2023-50387 has been assigned, covering the DNSSEC protocol vulnerabilities we present in this work.
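The validation cost the abstract describes can be modelled in a few lines. The following is an added example, not code from the paper or from any DNS implementation: a toy resolver that, following the liberal acceptance described above, tries every DNSKEY against every RRSIG until one verifies, next to a variant that stops after a fixed budget of failed verifications. The `toy_sign`/`toy_verify` stand-in (a SHA-256 over key material plus the record data), the `max_failures` value of 16, and the record contents are all constructed for this example and are not any vendor's actual mitigation parameters.

```python
"""Toy model of DNSSEC validation work (constructed example, not the paper's code)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    name: str
    secret: bytes  # constructed stand-in for public-key material


@dataclass(frozen=True)
class RRSIG:
    name: str
    value: bytes


def toy_sign(key: DNSKEY, data: bytes) -> bytes:
    """Constructed 'signature': SHA-256 over key material and the signed data."""
    return hashlib.sha256(key.secret + data).digest()


def toy_verify(key: DNSKEY, data: bytes, sig: RRSIG) -> bool:
    """Stand-in for an expensive public-key verification (one unit of work)."""
    return toy_sign(key, data) == sig.value


def validate_liberal(keys, sigs, data):
    """Postel-style validator: try every signature against every key until one
    verifies. Returns (valid, verification_attempts). Work is O(keys x sigs)."""
    attempts = 0
    for sig in sigs:
        for key in keys:
            attempts += 1
            if toy_verify(key, data, sig):
                return True, attempts
    return False, attempts


def validate_bounded(keys, sigs, data, max_failures=16):
    """Same loop, but the resolver refuses to spend more than max_failures
    failed verifications on one record set and then treats it as bogus.
    max_failures=16 is an assumed budget, not a value from any implementation."""
    attempts = 0
    for sig in sigs:
        for key in keys:
            attempts += 1
            if toy_verify(key, data, sig):
                return True, attempts
            if attempts >= max_failures:
                return False, attempts
    return False, attempts


def make_rrset(n_keys, n_sigs, good_pair=None):
    """Constructed record set: n_keys keys and n_sigs signatures that do not
    match any key, except that good_pair=(key_index, sig_index) makes one
    signature genuinely verify under one key (a zone with much stale material)."""
    data = b"www.example. IN A 192.0.2.1"  # constructed; RFC 5737 documentation address
    keys = [DNSKEY(f"key{i}", f"secret{i}".encode()) for i in range(n_keys)]
    sigs = [RRSIG(f"sig{j}", hashlib.sha256(f"stale{j}".encode()).digest())
            for j in range(n_sigs)]
    if good_pair is not None:
        ki, si = good_pair
        sigs[si] = RRSIG(f"sig{si}", toy_sign(keys[ki], data))
    return keys, sigs, data


if __name__ == "__main__":
    keys, sigs, data = make_rrset(100, 100)
    print("liberal, nothing valid:", validate_liberal(keys, sigs, data))   # (False, 10000)
    print("bounded, nothing valid:", validate_bounded(keys, sigs, data))   # (False, 16)
    keys, sigs, data = make_rrset(10, 10, good_pair=(9, 9))
    print("liberal, last pair valid:", validate_liberal(keys, sigs, data))  # (True, 100)
    print("bounded, last pair valid:", validate_bounded(keys, sigs, data))  # (False, 16)
```

The attempt count in the liberal validator grows as keys times signatures, which is the shape of cost the abstract attributes to a single response. The bounded variant caps that work, but the last call shows the trade-off that comes with any such budget: a record set that is validly signed, just by a key the resolver happens to try late, is rejected as bogus. That is exactly the availability-versus-robustness tension the paper's design critique is about, and it is why the patched resolvers the abstract mentions had to be tuned carefully rather than simply given a small limit.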
