[dns-operations] KeyTrap Algorithmic Complexity Attacks Exploit Fundamental Design Flaw in DNSSEC

Haya Shulman haya.shulman at gmail.com
Fri Feb 16 16:44:46 UTC 2024

In recent years we have been working on DNSSEC and mitigated a number
of vulnerabilities. Last year we identified flaws in the DNSSEC standard
that can be exploited to launch Denial of Service attacks against DNSSEC
validating software. For instance, some popular resolvers can be stalled
for 16 hours with just a single DNS packet.

We demonstrated the attacks to the vendors and worked with them to develop
effective patches. This task turned out to be challenging and required a
number of iterations.

The flaws in the DNSSEC standard have implications for ALL standard-
supporting DNS resolvers and are challenging to resolve, as is also evident
from the number of patch iterations we had with the developers. Further,
patched DNS resolvers break the standard requirements, or else are
vulnerable to CPU exhaustion attacks.

A brief explanation of the flaws in the DNSSEC standard and our KeyTrap
attacks that exploit them can be found here:


The technical report describing our research can be found here:


We would like to use this opportunity to thank the many vendors for their
support and collaboration during the last months.

Best regards,
Haya Schulmann

Prof. Dr. Haya Schulmann
Goethe-Universität Frankfurt