KeyTrap attack: Internet access disrupted with one DNS packet

February 19, 2024 at 08:38AM

A serious vulnerability named KeyTrap in the DNSSEC feature could be exploited to deny internet access to applications for an extended period. Tracked as CVE-2023-50387, KeyTrap is a design issue in DNSSEC impacting DNS implementations. Researchers from ATHENE and partners discovered and addressed the issue, working with DNS service providers. DNS implementations from Google and Cloudflare have already incorporated fixes.

KeyTrap, a vulnerability in the Domain Name System Security Extensions (DNSSEC) feature, could potentially deny internet access to applications for an extended period. Tracked as CVE-2023-50387, it is a design issue in DNSSEC that affects all popular Domain Name System (DNS) implementations and services.

KeyTrap allows a remote attacker to cause a long-lasting denial-of-service (DoS) condition in vulnerable resolvers by sending a single DNS packet. The impact of this vulnerability is significant: a single attack request can potentially delay DNS resolver responses for anywhere from 56 seconds to as much as 16 hours. This could have severe consequences for any application using the internet, including unavailability of technologies such as web browsing, e-mail, and instant messaging.

The researchers from the National Research Center for Applied Cybersecurity ATHENE, alongside experts from Goethe University Frankfurt, Fraunhofer SIT, and the Technical University of Darmstadt, have identified this vulnerability, which has been present in the DNSSEC standard for well over two decades. It seems that the complexity of the DNSSEC validation requirements contributed to this long-standing issue going unnoticed for nearly 25 years.

Akamai has developed and deployed mitigations for its DNS recursive resolvers, including CacheServe and AnswerX, as well as its cloud and managed solutions, between December 2023 and February 2024. Additionally, other DNS services from Google and Cloudflare already have fixes in place to address this vulnerability.

The impact of KeyTrap is substantial, potentially exposing one-third of DNS servers worldwide to a highly efficient denial-of-service (DoS) attack and potentially impacting more than one billion users. ATHENE and Akamai have emphasized the need for fundamental reevaluation of the DNSSEC design philosophy to address this issue.

Overall, it seems that the efforts to mitigate the KeyTrap risk are ongoing and that major DNS service providers are actively working to protect against this vulnerability and minimize its impact.