A protocol flaw has been found in DNSSEC that allows a malicious actor to mount a single-request denial of service against DNS servers configured as DNSSEC validators: one query for a name in a crafted zone is enough to tie up the validator's CPU.

This is a short analysis; updates may follow as new information becomes available.

Affected DNS servers

  • any DNS server or resolver that performs DNSSEC validation as mandated by the RFCs (the flaw is in the protocol, not in a single implementation)

Preconditions on authoritative DNS servers (the attacker needs somewhere to publish a crafted zone)

  • DNSSEC enabled on the hosted zones
  • anonymous or untrusted clients are allowed to create zones, and can therefore publish crafted DNSSEC records
  • mostly affected: hosting providers
  • mostly not affected: providers who have full control over their zones or who host zones for trusted clients only

Preconditions on local resolvers and forwarders (the victims)

  • DNSSEC validation enabled on the resolver; nothing else is required
  • an attacker may be able to trigger the required DNS lookup from the outside, for example by simply sending an email to the organisation (the receiving mail server resolves the sender's domain during delivery and spam filtering)

POCs and check tools

  • no public PoC as of 2024-02-14
  • to check whether a DNS server has DNSSEC validation enabled, refer to the server documentation; from the outside you can only tell if the resolver answers your queries at all, in which case a query for a signed name with the DO bit set returns the AD flag from a validating resolver
  • Internet.nl -> check whether your domain is DNSSEC-signed (this tests the authoritative side, not validation on your resolver)
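The outside check described above, as an added example that is not part of the original page or of any vendor's tooling: it hand-builds a DNS query with the EDNS0 DO bit, sends it to a resolver and reads the AD flag and RCODE from the reply. The resolver address, the signed test name and the deliberately mis-signed test zone are assumptions for illustration; replace them with your own resolver and a name you know to be in a signed zone.

```python
import os
import socket
import struct
from typing import Optional

# Constructed assumptions for the probe; replace with your own values.
RESOLVER = "192.0.2.53"              # documentation address, not a real resolver
SIGNED_NAME = "example.com."         # any name in a correctly signed zone
BOGUS_NAME = "dnssec-failed.org."    # assumed: public, deliberately broken test zone

FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a recursive (RD=1) query with an EDNS0 OPT record carrying the DO bit.

    Without DO a validator does not need to tell you it validated, so the DO bit
    is what makes the AD flag in the answer meaningful.
    """
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)  # qdcount=1, arcount=1 (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, "class" = UDP payload size, "TTL" = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)  # 0x8000 in flags = DO
    return header + question + opt


def parse_header(response: bytes) -> dict:
    """Return the header fields a validation probe cares about."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify(signed_hdr: dict, bogus_hdr: Optional[dict] = None) -> str:
    """Interpret the probe results.

    - AD set on the signed name   -> the resolver validated the answer itself.
    - SERVFAIL on the bogus name  -> something on the path withholds bogus data.
    - RA not set                  -> not a recursive resolver, probe is meaningless.
    - otherwise                   -> not validating.
    """
    if signed_hdr["rcode"] == RCODE_NOERROR and signed_hdr["ad"]:
        return "validating"
    if bogus_hdr is not None and bogus_hdr["rcode"] == RCODE_SERVFAIL:
        return "validating somewhere on the path (bogus answer withheld, no AD)"
    if not signed_hdr["ra"]:
        return "not recursive: cannot probe validation this way"
    return "not validating"


def probe(resolver: str, name: str, timeout: float = 3.0) -> dict:
    """Send one UDP query and parse the reply header; raises on timeout or ID mismatch."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        data, _ = s.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != struct.unpack("!H", query[:2])[0] or not hdr["qr"]:
        raise ValueError("response does not match query")
    return hdr


if __name__ == "__main__":
    signed = probe(RESOLVER, SIGNED_NAME)
    try:
        bogus = probe(RESOLVER, BOGUS_NAME)
    except (socket.timeout, ValueError):
        bogus = None
    print(RESOLVER, "->", classify(signed, bogus))
```

Run it against each resolver your hosts actually use (including forwarders in front of a validating upstream): an AD flag on the signed name means that resolver is the one doing the expensive validation and is therefore the one exposed to this flaw. The bogus-name SERVFAIL check is only a fallback for resolvers that strip AD.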

Vendor statements (Unbound, PowerDNS)

"The KeyTrap vulnerability works by using a combination of keys (also colliding keys), signatures and number of RRsets on a malicious zone. Answers from that zone can force a DNSSEC validator down a very CPU-intensive and time-costly validation path."
(Unbound, source)

"An attacker can publish a zone that contains crafted DNSSEC-related records. While validating results from queries to that zone using the RFC-mandated algorithms, the Recursor's resource usage can become so high that processing of other queries is impacted, resulting in a denial of service."
(PowerDNS, source)