Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote malicious users to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
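An added illustration of the cost model described above (not taken from the CVE record or from any resolver's code): a validator that tries every matching (RRSIG, DNSKEY) pair performs a number of public-key operations that grows with the product of the two record counts, whereas a validator with a per-RRset budget stops early and treats the RRset as bogus. The records, the `never_valid` stand-in for a signature check, and the budget value are constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class DNSKEY:
    key_tag: int    # RFC 4034 key tag (derived from the public key bytes)
    algorithm: int  # DNSSEC algorithm number
    label: str      # constructed identifier, for this example only


@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    algorithm: int
    label: str


Verify = Callable[[RRSIG, DNSKEY], bool]  # a real validator does the public-key operation here


def candidate_keys(sig: RRSIG, keys: List[DNSKEY]) -> List[DNSKEY]:
    """RFC 4035 matching rule: a DNSKEY is a candidate for an RRSIG when algorithm and key tag agree."""
    return [k for k in keys if k.algorithm == sig.algorithm and k.key_tag == sig.key_tag]


def validate_naive(sigs: List[RRSIG], keys: List[DNSKEY], verify: Verify) -> Tuple[bool, int]:
    """Try every matching pair; returns (secure, number of signature checks performed)."""
    ops = 0
    for sig in sigs:
        for key in candidate_keys(sig, keys):
            ops += 1
            if verify(sig, key):
                return True, ops
    return False, ops


def validate_bounded(sigs: List[RRSIG], keys: List[DNSKEY], verify: Verify,
                     max_ops: int = 16) -> Tuple[bool, int]:
    """Same search, but with a budget of signature checks per RRset (budget value is illustrative).
    When the budget is spent the RRset is treated as bogus instead of burning more CPU."""
    ops = 0
    for sig in sigs:
        for key in candidate_keys(sig, keys):
            if ops >= max_ops:
                return False, ops
            ops += 1
            if verify(sig, key):
                return True, ops
    return False, ops


def colliding_zone(n: int) -> Tuple[List[DNSKEY], List[RRSIG]]:
    """Constructed input: n DNSKEYs and n RRSIGs that all carry algorithm 13 and key tag 1234,
    so every RRSIG matches every DNSKEY and the naive validator does n * n checks."""
    keys = [DNSKEY(1234, 13, f"key{i}") for i in range(n)]
    sigs = [RRSIG(1234, 13, f"sig{i}") for i in range(n)]
    return keys, sigs


def never_valid(sig: RRSIG, key: DNSKEY) -> bool:
    return False  # stands in for a signature check that always fails
```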
Vulnerable Product |
---|
redhat enterprise linux 7.0 |
redhat enterprise linux 6.0 |
redhat enterprise linux 8.0 |
redhat enterprise linux 9.0 |
microsoft windows server 2008 r2 |
microsoft windows server 2012 r2 |
microsoft windows server 2016 |
microsoft windows server 2012 |
microsoft windows server 2019 |
microsoft windows server 2022 |
microsoft windows server 2022 23h2 |
fedoraproject fedora 39 |
thekelleys dnsmasq |
nic knot resolver |
powerdns recursor |
isc bind |
nlnetlabs unbound |
Some of us would be happy being rated 7.5 out of 10, just sayin'
Two DNSSEC vulnerabilities were disclosed last month with similar descriptions and the same severity score, but they are not the same issue. One, named KeyTrap (CVE-2023-50387) by Germany’s National Research Centre for applied cybersecurity (ATHENE), was described by Akamai exec Sven Dummer as "one of the worst ever discovered," because it could be used to disable large portions of the internet. KeyTrap allowed a single DNS packet to deny service by exhausting the CPU resources of machines ru...
'You don't have to do more than that to disconnect an entire network' El Reg told as patches emerge
A 20-plus-year-old security vulnerability in the design of DNSSEC (Domain Name System Security Extensions) could allow a single DNS packet to exhaust the processing capacity of any server using the system for domain name resolution, effectively disabling the machine. Yes, a single DNS packet could take out a remote DNSSEC server. The researchers who found the flaw – from the German National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt – said DNS vendors briefed about the v...