KeyTrap - The internet's new Ping of Death


A newly disclosed class of Denial-of-Service attack called KeyTrap has been found in DNSSEC, the security extension of the Domain Name System (DNS). The attack, tracked as CVE-2023-50387, stems from a flaw in the DNSSEC specification itself rather than in one vendor's code, so it affects DNS resolvers and services across the board.

In simple terms, DNS is the system that lets us reach websites by domain name instead of by hard-to-remember IP address. DNSSEC adds a layer of security: zone data is cryptographically signed, and a validating resolver checks those signatures to verify that a DNS response is authentic and has not been tampered with.


KeyTrap exploits a design flaw in DNSSEC that lets a remote attacker cause a long-lasting denial-of-service (DoS) condition with a single DNS packet: a resolver that validates one specially crafted response gets stuck doing signature verification. The attacker needs a domain under their control, signed with DNSSEC, and a way to make the target resolver look it up (one query is enough). The flaw has been present in the specification for over two decades, and the researchers showed that it can stall DNS resolvers so badly that they stop answering other clients for the duration.


The attack takes advantage of a rule in the DNSSEC specification: to be tolerant of misconfigured zones, a validating resolver must try every cryptographic key and signature combination it is given before giving up, rather than rejecting the response at the first failure. Key tags, the 16-bit identifiers that match a signature to a key, are easy for an attacker to make collide, so a response carrying many keys with the same tag and many signatures forces the resolver into a key-times-signature number of expensive verifications. This opens a new class of attacks that dramatically inflates the CPU work in a DNS resolver, causing delays ranging from 56 seconds to 16 hours depending on the implementation.
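To make the arithmetic concrete, here is an added Python example written for this post (it is not code from the KeyTrap researchers or from any resolver). It computes RFC 4034 key tags, forges DNSKEY records that all share one key tag, and counts how many signature checks a validator following the RFC 4035 "try every matching key for every RRSIG" rule performs, compared with a validator that has a work budget. The `never_verifies` stub, the `max_attempts` budget and all record contents are assumptions for illustration, not a real resolver's option names or real zone data.

```python
import random
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Everything below is constructed for illustration; no real zone data is used.
ALG_RSASHA256 = 8  # IANA DNSSEC algorithm number for RSA/SHA-256


def _raw_sum(rdata: bytes) -> int:
    # Unfolded sum: even-index bytes are the high byte of a 16-bit word.
    return sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags|proto|alg|key)."""
    ac = _raw_sum(rdata)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, alg: int, pubkey: bytes) -> bytes:
    return struct.pack("!HBB", flags, 3, alg) + pubkey  # protocol is always 3


@dataclass
class DNSKEY:
    rdata: bytes

    @property
    def alg(self) -> int:
        return self.rdata[3]

    @property
    def tag(self) -> int:
        return key_tag(self.rdata)


@dataclass
class RRSIG:
    alg: int
    key_tag: int
    signature: bytes  # garbage in the attack; never verifies


def forge_colliding_key(target_tag: int, rng: random.Random,
                        alg: int = ALG_RSASHA256, key_len: int = 256) -> DNSKEY:
    """Build a DNSKEY whose key tag equals target_tag.

    The tag is only a 16-bit sum of the RDATA, so the attacker fills the key
    with random bytes and solves for the last 16-bit word (assumed layout:
    4-byte header + key_len bytes, key_len even, so that word is aligned)."""
    assert key_len % 2 == 0
    while True:
        body = bytes(rng.getrandbits(8) for _ in range(key_len - 2))
        prefix = dnskey_rdata(256, alg, body)  # flags 256 = zone signing key
        ac0 = _raw_sum(prefix)
        for w in range(0x10000):
            ac = ac0 + w
            if ((ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF) == target_tag:
                return DNSKEY(prefix + struct.pack("!H", w))
        # one tag value can be unreachable for a given body: re-roll and retry


def validate_rrset(keys: List[DNSKEY], sigs: List[RRSIG],
                   verify: Callable[[DNSKEY, RRSIG], bool],
                   max_attempts: Optional[int] = None) -> Tuple[str, int]:
    """Return (status, crypto_attempts).

    Follows RFC 4035 section 5.3.1 / RFC 6840 section 5.11: every RRSIG is
    tried, and for each RRSIG every DNSKEY whose algorithm and key tag match,
    until one verifies. max_attempts is an assumed work budget of the kind the
    patched resolvers added; once it is spent the answer is treated as bogus."""
    attempts = 0
    for sig in sigs:
        for key in keys:
            if key.alg != sig.alg or key.tag != sig.key_tag:
                continue  # cheap mismatch, no crypto performed
            if max_attempts is not None and attempts >= max_attempts:
                return "SERVFAIL", attempts
            attempts += 1  # one expensive public-key operation
            if verify(key, sig):
                return "SECURE", attempts
    return "BOGUS", attempts


def never_verifies(key: DNSKEY, sig: RRSIG) -> bool:
    """Stands in for an RSA/ECDSA check; the attacker's signatures are junk."""
    return False


def keytrap_workload(n_keys: int = 10, n_sigs: int = 10, tag: int = 0x1234,
                     seed: int = 1) -> Tuple[List[DNSKEY], List[RRSIG]]:
    """Constructed attacker RRsets: n_keys colliding DNSKEYs, n_sigs RRSIGs."""
    rng = random.Random(seed)
    keys = [forge_colliding_key(tag, rng) for _ in range(n_keys)]
    sigs = [RRSIG(ALG_RSASHA256, tag, bytes(rng.getrandbits(8) for _ in range(32)))
            for _ in range(n_sigs)]
    return keys, sigs


if __name__ == "__main__":
    keys, sigs = keytrap_workload()
    print("forged key tags:", sorted({k.tag for k in keys}))
    print("unbounded validator:", validate_rrset(keys, sigs, never_verifies))
    print("budgeted validator: ", validate_rrset(keys, sigs, never_verifies, max_attempts=16))
```

With 10 keys and 10 signatures the unbounded validator performs 100 signature checks before declaring the answer bogus; scale both numbers up to what fits in one DNS response and the cost grows as their product, which is the whole trick. The budgeted validator does a fixed amount of work and then returns SERVFAIL, which is the shape of the mitigation: a zone that needs hundreds of verification attempts to validate is treated as broken rather than served at any cost.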


The researchers who discovered KeyTrap warn that it could potentially disable large parts of the global Internet, since a stalled resolver fails every name lookup behind it, not just the attacker's. While affected vendors such as Google and Cloudflare have already implemented fixes or are working on mitigations, these are work limits bolted onto the validator; addressing the issue at a fundamental level may require a reevaluation of the DNSSEC design philosophy of validating at any cost.


Fortunately, fixes are already in place for the popular public DNS services run by Google (8.8.8.8 and 8.8.4.4) and Cloudflare (1.1.1.1 and 1.0.0.1). The researchers have been working with these providers since November 2023 to develop solutions and keep the services up. Note that a fix on a public resolver does nothing for a validating resolver you run yourself: if you operate your own DNSSEC-validating recursive server, check your vendor's advisory for CVE-2023-50387 and apply the patched release.

