Allgemein

KeyTrap – Assessment (DNSSEC-DOS, CVE-2023-50387)

A Protocol-Flaw has been detected in DNSSEC that would allow a malicious actor to execute a Single-Request-DOS against DNS-Servers who have been configured as DNSSEC-Validators .

This is a short analysis, updates might follow as new information becomes available

Affected DNS-Servers

any DNS – Server or resolver using DNSSEC-Validation, following the RFCs (Protocol-Flaw)

Requirements to trigger the Vuln when running Authoritative DNS-Servers

DNSSEC enabledallowing anonymous clients to create malicious DNSSEC-zones mostly affected: Hosting-Providersmostly not affected: Providers who have full control on their zones or operate zones for trusted clients only

Requirements to trigger the Vuln when running local resolvers/forwarders

DNSSEC-validation on local resolvers enabled, thats itan attacker might be able to trigger dns-requests from the outside by simply sending an email to an organisation

POCs and Checktools

currently no public POCs (2024-02-14)if you need to check, whether your DNS-Servers have DNSSEc-Validation enabled, please refer to your server-documentation, there is no easy way to tell from the outsideInternet.nl -> check if your domain has DNSSEC enabled

Statements by Vendors Unbound/PowerDNS

The KeyTrap vulnerability works by using a combination of Keys (also colliding Keys), Signatures and number of RRSETs on a malicious zone. Answers from that zone can force a DNSSEC validator down a very CPU intensive and time costly validation path.
Unbound, Source

An attacker can publish a zone that contains crafted DNSSEC related records. While validating results from queries to that zone using the RFC mandated algorithms, the Recursor’s resource usage can become so high that processing of other queries is impacted, resulting in a denial of service
PowerDNS, Source