Researchers from ATHENE (National Research Center for Applied Cybersecurity) have recently discovered a critical flaw in the design of DNSSEC, the security extension for the Domain Name System (DNS). The flaw introduces a vulnerability that impacts all DNS implementations. To tackle this issue, the research team has been actively engaged in collaborating with vendors and DNS providers to develop dedicated patches to address this vulnerability. If left unaddressed, the flaw could have severe repercussions for DNSSEC-validating implementations and public DNS providers, including major players like Google.

A new class of attack called "KeyTrap" has been developed, showcasing how perpetrators can exploit this design flaw. Shockingly, with just a single DNS packet, attackers can render common DNS implementations and public DNS providers completely paralyzed. The exploitation of this attack can have far-reaching consequences for any Internet-dependent application, leading to the unavailability of technologies such as web browsers, email services, and instant messaging.

To categorize the attack vectors utilized in the KeyTrap class of attacks, they have been duly registered in the Common Vulnerabilities and Exposures (CVE) database under the umbrella identifier CVE-2023-50387. 

‍

Understanding KeyTrap Attacks

KeyTrap attacks leverage a vulnerability within the DNSSEC protocol, which is intended to bolster the security of the DNS. DNSSEC outlines various requirements that mandate resolvers to verify all available cryptographic material, including attempting to validate all DNSSEC keys against corresponding signatures. 

In a KeyTrap attack, the attacker cleverly crafts a DNS zone with an excessive number of DNSKEY and RRSIG records. These records, which are essential for DNSSEC validation, are deliberately designed to confuse and overwhelm a standards-compliant DNSSEC resolver. The objective is to force the resolver to exhaustively try all possible combinations of DNSKEY and RRSIG records in a futile attempt to find a matching and validating combination.

‍

By adhering to the standard, the resolver unwittingly becomes trapped in an exhaustive validation process that involves multiple DNSKEY and RRSIG records. This intricate journey leads the resolver through a labyrinth of deceptive paths and unproductive endpoints, placing a heavy burden on its CPU resources. As a consequence, this prolonged validation procedure creates an opportunity for attackers to exploit the vulnerability, initiating a Denial-of-Service (DoS) attack that overwhelms the resolver's CPU and incapacitates its normal operations.

‍

Mitigation and Defense

KeyTrap was successfully mitigated through the deployment of patches that introduced various measures to limit the impact of the attack. These patches effectively restricted the number of validations the resolver is willing to perform in response to a user's resolution request. By doing so, the amount of CPU resources that attackers can exhaust during the attack is significantly reduced.

In addition to these limitations, the patches incorporated additional mitigations, including the de-prioritization of busy validation threads and enabling the resolver to prioritize other critical tasks during the attack. The patches also introduced separate threads for answering cached entries, thereby optimizing the resolver's performance under heavy load.

Furthermore, the patches addressed the issue of colliding DNS keys by limiting their number, ensuring smoother operation and reducing the potential impact of the attack. Additionally, they impose a maximum threshold on the number of failed validations, preventing excessive resource consumption caused by repeated failed attempts.

‍

Implications and Recommended Steps

To address the vulnerability, different actions can be taken based on your role:

(1) End-Users

As an end-user, there is no immediate action needed on your part. If your provider is actively under attack and unable to resolve the vulnerability promptly, you have the option to switch to open resolvers that have already deployed patches. Consider using reputable open resolvers such as Quad9 and Google, which have implemented the necessary updates to mitigate the vulnerability.
‍

(2) DNS Service Providers

If you provide DNS services as an open resolver or an Internet service provider (ISP), it is crucial to update your DNS resolution software to the latest version immediately. Patches for all major vendors have already been released, and applying them helps reduce the attack surface.

Disabling DNSSEC validation should only be done under careful consideration and when actively under attack. Downgrading protection by disabling DNSSEC opens up the resolver to other potential DNS attacks, so it should be approached with caution.
‍

(3) Authoritative DNS Server Operators

If you run an authoritative DNS server and allow users to upload zones, it is essential to update the tools used for zone checking. This ensures that the tools themselves are not vulnerable to the KeyTrap attack. Keeping your tools up-to-date helps maintain the security of your authoritative DNS server.

‍

Nexusguard and Customers Unaffected by Vulnerability

Nexusguard's DNS Protection (DP) hosting service assumes a crucial function within the DNS infrastructure as an Authoritative Name Server. While resolvers handle the task of mapping domain names to IP addresses, an authoritative name server is responsible for delivering authoritative DNS information specific to designated domains.

In its capacity as an authoritative name server, Nexusguard's DP hosting service efficiently manages DNS queries pertaining to the domains under its authority. It maintains accurate and current DNS records, including A records, MX records, CNAME records, and more, for these domains. Whenever a DNS query is directed towards a domain hosted on Nexusguard's DP hosting service, it promptly responds with the authoritative DNS information associated with that domain.

Importantly, the vulnerability under discussion pertains to resolvers, which represent distinct components within the broader DNS ecosystem. Due to the focused architecture and design of Nexusguard's DP hosting service, prioritizing its role as an authoritative name server, it remains unaffected by the mentioned vulnerability. As a result, the service ensures dependable and secure DNS resolution for the domains it hosts, maintaining the integrity of the overall DNS infrastructure.

For customers with any additional questions, we encourage you to engage our team of specialists who are well-versed in providing tailored and expert assistance, as well as addressing any concerns specific to your unique circumstances. 

For more information, please read about Nexusguard’s DNS Protection or reach out to us via our contact form.

Mitigation measures have been implemented to reduce the impact of KeyTrap attacks. Nexusguard's DP hosting service, designed as an authoritative name server, remains unaffected by the KeyTrap vulnerability. This ensures reliable and secure DNS resolution for hosted domains, preserving the integrity of the DNS infrastructure.