Athene
KeyTrap Denial-of-Service Attacks on DNSSEC
Pages
13
Time to read
61 mins
Publication
Language
English
This technical report presents the findings of a study on the vulnerabilities in the DNSSEC standard, specifically focusing on a new class of algorithmic complexity attacks known as KeyTrap attacks. The report outlines how these attacks exploit flaws in the DNSSEC design, leading to significant increases in CPU instruction counts in vulnerable DNS resolvers, with potential stalling periods of up to 16 hours. The authors detail the experimental evaluations and code analysis conducted to demonstrate the detrimental effects of these attacks on DNS availability. Furthermore, the report discusses the implications of these vulnerabilities, which have been acknowledged by major DNS vendors as severe threats to DNS infrastructure. The document also highlights the history of these vulnerabilities, tracing them back to the early drafts of the DNSSEC specification, and emphasizes the challenges in mitigating such fundamental design flaws. The findings underscore the urgent need for the DNS community to address these vulnerabilities to ensure the security and reliability of DNS services.