The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote malicious users to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
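To make the cost behind that description concrete, here is an added example (not code from the CVE record or from any DNS implementation) that computes the NSEC3 hash exactly as RFC 5155 section 5 defines it, counts the SHA-1 invocations a closest encloser proof can cost a validator for one nonexistent name, and applies the kind of iteration cap RFC 9276 tells validators to enforce. The salt aabbccdd and the iteration count 12 are the RFC 5155 Appendix A parameters; the function names, the sample query names and the default cap of 100 iterations are assumptions made for this example.

```python
"""NSEC3 hashing (RFC 5155 section 5) and an iteration-count guard (RFC 9276).

Added example: this is not code from the CVE description or from any DNS
software. The salt/iteration values used below come from RFC 5155 Appendix A;
function names and the iteration cap default are assumptions made here.
"""
import base64
import hashlib

# Map the standard base32 alphabet (RFC 4648 s.6) to base32hex (RFC 4648 s.7),
# which NSEC3 uses for hashed owner names.
_TO_BASE32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def to_wire(name: str) -> bytes:
    """Canonical wire form of a name: lowercase labels, length-prefixed, root terminator."""
    labels = name.lower().rstrip(".").split(".") if name.strip(".") else []
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 s.5: IH(salt,x,0)=H(x||salt); IH(salt,x,k)=H(IH(salt,x,k-1)||salt).

    Total SHA-1 invocations are iterations + 1; the result is base32hex, lowercase.
    """
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_BASE32HEX).decode("ascii").lower()


def hash_calls_for_closest_encloser(qname: str, zone: str, iterations: int) -> int:
    """Upper bound on SHA-1 calls a validator spends finding the closest encloser
    (RFC 5155 s.8.3): it hashes QNAME, then each ancestor, down to the zone apex.
    Assumes a non-root zone.
    """
    q = qname.lower().rstrip(".").split(".")
    z = zone.lower().rstrip(".").split(".")
    if q[-len(z):] != z:
        raise ValueError("qname is not within zone")
    candidates = len(q) - len(z) + 1          # qname, its ancestors, and the apex
    return candidates * (iterations + 1)


def validator_treatment(iterations: int, max_iterations: int = 100) -> str:
    """Validator-side cap in the spirit of RFC 9276, which recommends iterations=0
    for signers and tells validators to treat excessive counts as insecure rather
    than burn CPU on them. The default cap of 100 is an assumption for this
    example; real resolvers ship their own limits.
    """
    if iterations > max_iterations:
        return "insecure"      # answer treated as unsigned, no further hashing
    return "validate"


if __name__ == "__main__":
    salt = bytes.fromhex("aabbccdd")      # RFC 5155 Appendix A parameters
    print(nsec3_hash("example.", salt, 12))
    for it in (0, 12, 150, 2500):
        print(it, hash_calls_for_closest_encloser("a.b.c.example.", "example.", it),
              validator_treatment(it))
```

The arithmetic is the whole point: for a query under a zone signed with N iterations, each of the candidate names in the closest encloser proof costs N+1 SHA-1 calls, so a random-subdomain query against a zone signed with thousands of iterations forces thousands of hashes per unique name. A validator that caps iterations and marks anything above the cap insecure, as the last function does, never enters that loop for such zones.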
Some of us would be happy being rated 7.5 out of 10, just sayin'
Two DNSSEC vulnerabilities were disclosed last month with similar descriptions and the same severity score, but they are not the same issue. One, named KeyTrap (CVE-2023-50387) by Germany’s National Research Centre for Applied Cybersecurity (ATHENE), was described as "one of the worst ever discovered" by Akamai exec Sven Dummer, because it could be used to disable large portions of the internet. KeyTrap allowed a single DNS packet to deny service by exhausting the CPU resources of machines ru...
'You don't have to do more than that to disconnect an entire network' El Reg told as patches emerge
A 20-plus-year-old security vulnerability in the design of DNSSEC (Domain Name System Security Extensions) could allow a single DNS packet to exhaust the processing capacity of any server using the system for domain name resolution, effectively disabling the machine. Yes, a single DNS packet could take out a remote DNSSEC server. The researchers who found the flaw – from the German National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt – said DNS vendors briefed about the v...