KeyTrap: A DNSSEC Vulnerability Affecting DNS Resolvers
Understanding the Issue
KeyTrap attacks exploit algorithmic complexity in DNSSEC validation, for example the work a resolver performs when it validates signatures against DNSSEC keys, to tie up the resolver's resources and stop it from handling valid requests.
The Impact
A single 100-byte DNS request can cause a resolver to cease responding for between two minutes and 16 hours, depending on the implementation. Because the vulnerability exploited features of the DNSSEC standard designed to support functions such as key rollover and algorithm rollover, all implementations were vulnerable.
Resolving the Issue
Researchers Elias Heftrig and Niklas Vogel, part of the four-person ATHENE team, explained during their Black Hat talk where the problem originates and how it was resolved through a month-long confidential disclosure process. They worked with vendors and operators, including ISC (BIND), Google, Cloudflare, and Akamai, to develop mitigations and patches, which were rolled out in February 2024.
Mitigations and Patches
The researchers and vendors collaborated to develop and implement various mitigations and patches to address the issue. These measures included:
- Implementing rate limiting to prevent resource exhaustion
- Improving cache efficiency to reduce the load on resolvers
- Enhancing error handling to prevent resource exhaustion
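As an added illustration of the two points above (the unbounded key-by-signature validation work described under The Impact, and the limiting mitigation listed here), and not code from the article or from any real resolver: a toy Python validator that counts simulated signature checks and enforces an assumed per-query budget. The record types, the budget value of 16 and the rollover scenario are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DNSKEY:
    key_tag: int      # 16-bit tag derived from the RDATA; not guaranteed unique
    algorithm: int
    key_id: str       # constructed label used only by the simulated check

@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    algorithm: int
    signed_by: str    # constructed: key_id whose simulated check succeeds, "" if none

class ValidationBudgetExceeded(Exception): pass

def verify(sig: RRSIG, key: DNSKEY) -> bool:
    # Stand-in for the expensive public-key operation a real validator performs.
    return sig.signed_by == key.key_id

def validate_rrset(sigs, keys, max_attempts=None):
    """Return (secure, attempts). RFC 4035 lets a validator try each RRSIG against
    every DNSKEY whose key tag and algorithm match, so the work is bounded only by
    len(sigs) * len(keys). max_attempts is the assumed per-query budget (SERVFAIL past it)."""
    attempts = 0
    for sig in sigs:
        for key in keys:
            if key.key_tag != sig.key_tag or key.algorithm != sig.algorithm:
                continue
            if max_attempts is not None and attempts >= max_attempts:
                raise ValidationBudgetExceeded(attempts)
            attempts += 1
            if verify(sig, key):
                return True, attempts
    return False, attempts

# Constructed scenario: a zone in rollover publishes several keys and signatures whose
# tag/algorithm fields all match (permitted by the spec) and none of which verifies.
KEYS = [DNSKEY(1234, 13, f"k{i}") for i in range(8)]
SIGS = [RRSIG(1234, 13, "") for _ in range(8)]

def unbounded_work():
    return validate_rrset(SIGS, KEYS)[1]       # 8 * 8 = 64 checks for one RRset

def bounded_work(limit=16):
    try:
        validate_rrset(SIGS, KEYS, max_attempts=limit)
    except ValidationBudgetExceeded as exc:
        return exc.args[0]                      # stops after 16 checks
    return -1
```

The budget turns work that grows with the product of keys and signatures into a fixed cost per query, which is the property the deployed patches restored.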
Conclusion
The KeyTrap vulnerability highlights the importance of continued vigilance and collaboration in maintaining the security of critical infrastructure. The successful mitigation and patching of this issue demonstrate the effectiveness of responsible disclosure and the importance of working together to address complex technical challenges.
FAQs
- What is KeyTrap? KeyTrap is a DNSSEC vulnerability that exploits algorithmic complexity to tie up resources and stop resolvers from handling valid requests.
- How does KeyTrap work? KeyTrap attacks exploit features of the DNSSEC standard designed to support functions such as key rollover and algorithm rollover, causing resolvers to cease responding for extended periods.
- How was the issue resolved? The issue was resolved through a month-long confidential disclosure process, involving researchers, vendors, and operators, which led to the development and implementation of mitigations and patches.
- What was the impact of the issue? A single 100-byte DNS request could cause a resolver to cease responding for between two minutes and 16 hours, depending on the implementation.