DNS KeyTrap vulnerability


DNS KeyTrap vulnerability is a critical flaw in the design of DNSSEC (DNS Security Extensions). A single DNS packet can exhaust the CPU, causing a Denial of Service in a DNSSEC validating recursive resolver.

Security researchers at the German National Research Center for Applied Cybersecurity ATHENE uncovered the critical flaw, which has been assigned the identifiers CVE-2023-50387 and CVE-2023-50868.

What are the risks and impacts of DNS KeyTrap vulnerability?

For an enterprise or an ISP operating a validating DNSSEC recursive resolver, the impact of the vulnerability will be catastrophic.

Since the exploit would cause a spike in CPU usage and then exhaust it, the recursive resolver would become non-functional, resulting in operational and business downtime.

An attacker can craft and send a single packet (a DNS query) to a DNSSEC validating recursive resolver, taking every system that relies solely on that recursive resolver offline.

The impact of the DNS KeyTrap vulnerability on the Internet


The impact of the DNS KeyTrap vulnerability on the Internet could have been fatal. With approximately 60% of Internet users in India and 30% of Internet users in the world relying on DNSSEC validating recursive resolvers, the magnitude of the vulnerability would have been severe were it not for coordinated efforts and responsible disclosure.

Credit to the folks at the German National Research Center for Applied Cybersecurity ATHENE for the responsible disclosure and working with the stakeholders in the DNS ecosystem – resolver operators, resolver software vendors and others.

CVE-2023-50387

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records. 
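The "all combinations" cost is easiest to see in a small model. The following is an added example, not code from the original post, from ATHENE or from any resolver: the key tags, key ids and signatures are constructed, and `verify` is a stub standing in for the expensive public-key operation so that only the number of verifications matters. The `max_failures` bound models the kind of fix resolver vendors shipped (give up after a limited number of failed verifications); the specific limit is an assumption of this example.

```python
"""Model of the KeyTrap cost blow-up: colliding DNSKEY key tags turn one
RRset validation into an all-pairs search over DNSKEY x RRSIG.

Added example, not code from the original post or from any resolver. The key
tags, key ids and RRSIGs are constructed, and `verify` is a stub that stands
in for the expensive RSA/ECDSA check so that only the operation count matters.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DNSKEY:
    key_tag: int           # 16-bit tag, NOT unique: many keys can share one
    key_id: str            # constructed label so the example can tell keys apart


@dataclass(frozen=True)
class RRSIG:
    key_tag: int           # tag of the key the signature claims to be made with
    signer: Optional[str]  # key_id that really validates it; None = never valid


def verify(sig: RRSIG, key: DNSKEY) -> bool:
    """Stand-in for one public-key signature verification (the costly step)."""
    return sig.signer is not None and sig.signer == key.key_id


def validate_rrset(rrsigs, dnskeys, max_failures=None):
    """Validate one RRset the way RFC 4035 section 5.3 describes.

    A validator selects candidate DNSKEYs for each RRSIG by key tag (plus
    owner and algorithm) and tries them in turn. Because key tags collide,
    a zone with n keys and n signatures on the same tag costs n*n checks
    before the validator can conclude the RRset is bogus.

    `max_failures` models the mitigation resolver vendors shipped for
    CVE-2023-50387: give up (treat as bogus) after a bounded number of
    failed verifications instead of exhausting every pair. The limit value
    is an assumption of this example, not a value from the post.

    Returns (status, crypto_ops) where status is "secure" or "bogus".
    """
    failures = 0
    ops = 0
    for sig in rrsigs:
        for key in dnskeys:
            if key.key_tag != sig.key_tag:
                continue             # cheap comparison, no crypto
            ops += 1
            if verify(sig, key):
                return "secure", ops
            failures += 1
            if max_failures is not None and failures >= max_failures:
                return "bogus", ops  # budget spent: stop, do not keep searching
    return "bogus", ops


def colliding_rrset(n: int, tag: int = 12345):
    """Constructed worst case: n DNSKEYs and n RRSIGs, all on one key tag,
    none of which actually validates."""
    keys = [DNSKEY(key_tag=tag, key_id=f"key{i}") for i in range(n)]
    sigs = [RRSIG(key_tag=tag, signer=None) for _ in range(n)]
    return sigs, keys


if __name__ == "__main__":
    sigs, keys = colliding_rrset(20)
    print(validate_rrset(sigs, keys))                   # ('bogus', 400)
    print(validate_rrset(sigs, keys, max_failures=16))  # ('bogus', 16)
```

With 20 keys and 20 signatures on one tag the unbounded validator performs 400 verifications for a single RRset and still ends up at "bogus"; the bounded version reaches the same verdict after 16. That is why the fix is a validation budget rather than a change to the cryptography.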

CVE-2023-50868

The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
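The second issue is linear rather than combinatorial: each candidate closest encloser must be hashed, and each hash costs `iterations + 1` SHA-1 calls. The block below is an added example, not code from the original post or any resolver. It implements the RFC 5155 owner-name hash, counts the SHA-1 work of a closest encloser proof for a deep query name, and applies the RFC 9276 rule of refusing to hash at all when the zone's iteration count is above a threshold. The threshold `MAX_ITERATIONS` is an assumed value for illustration.

```python
"""NSEC3 owner-name hashing (RFC 5155 section 5) and the per-response cost
of a closest encloser proof, with the iteration cap RFC 9276 tells
validators to apply.

Added example, not code from the original post or from any resolver.
`MAX_ITERATIONS` is an assumed cap chosen for illustration; RFC 9276 leaves
the exact threshold to the implementation.
"""
import base64
import hashlib

# Assumption: above this, treat the proof as insecure and do no hashing at all.
MAX_ITERATIONS = 100

# base32 -> base32hex (RFC 4648) alphabet mapping used for NSEC3 owner names
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase, length-prefixed labels,
    terminated by the root label."""
    labels = [lab.encode("ascii")
              for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int):
    """Hash an owner name per RFC 5155:
        IH(salt, x, 0) = H(x || salt)
        IH(salt, x, k) = H(IH(salt, x, k-1) || salt)
    Returns (base32hex digest, number of SHA-1 invocations) so the caller
    can see that cost grows linearly with the iteration count."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    ops = 1
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
        ops += 1
    return base64.b32encode(digest).translate(_B32HEX).decode().lower(), ops


def closest_encloser_cost(qname: str, zone: str, salt: bytes, iterations: int,
                          max_iterations: int = MAX_ITERATIONS):
    """Count the SHA-1 work a validator spends on a closest encloser proof
    (RFC 5155 section 8.3): the qname and every ancestor down to the zone
    apex is a candidate and each must be hashed. A random, deep qname
    maximises this, which is the "random subdomain" part of the CVE text.

    Returns ("hashed", sha1_ops) or, if the zone's iteration count exceeds
    the cap, ("insecure", 0): the validator declines to do the work."""
    if iterations > max_iterations:
        return "insecure", 0
    labels = qname.lower().rstrip(".").split(".")
    depth = len(labels) - len(zone.lower().rstrip(".").split("."))
    if depth < 0:
        raise ValueError("qname is not inside zone")
    total = 0
    for i in range(depth + 1):           # qname itself, then each ancestor
        _, ops = nsec3_hash(".".join(labels[i:]) + ".", salt, iterations)
        total += ops
    return "hashed", total


if __name__ == "__main__":
    salt = bytes.fromhex("aabbccdd")     # salt from the RFC 5155 Appendix A zone
    print(nsec3_hash("example.", salt, 12))
    print(closest_encloser_cost("a.b.c.d.example.", "example.", salt, 12))    # ('hashed', 65)
    print(closest_encloser_cost("a.b.c.d.example.", "example.", salt, 2500))  # ('insecure', 0)
```

A four-label query under a zone with 12 iterations costs 65 SHA-1 calls; the same query against a zone advertising 2500 iterations would cost 5 × 2501 calls per response, which the capped validator never pays because it classifies the proof as insecure up front. RFC 9276 also asks signers to use 0 iterations, which removes the multiplier on the authoritative side.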

The Shreshta engineering team has swiftly patched all customer DNS Shield (DNS Firewall/Protective DNS) cloud and on-premise instances.

Safety Recommendations

If you operate a DNSSEC validating recursive resolver, our safety recommendations are:

  • The ideal option is to update the recursive resolver software
  • If that’s not an option, major recursive resolver software vendors have made a patch available
  • We strongly recommend against disabling DNSSEC to eliminate the risk of exposure to the vulnerability

The link to the full report is available here
