What is KeyTep DNS Vulnerability?
The vulnerability tries to exploit the standard-compliant DNSSEC validators which try all possible combinations of DNSSEK and RRSIG records to find one combination that matches and validates. In this attack, the attacker creates a zone with multiple DNSKEY and RRSIG records and expends relatively little effort to cause the resolver to expend a lot of effort.
The Remedial
The validator needs to implement an explicit limit on the amount of work it will do.
The Technical Paper: https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf
Press Release: https://www.prleap.com/pr/294914/serious-vulnerability-in-the-internet-infrastructure-fundamental-design-flaw-in-dnssec-discovered
Vulnerability Tracker
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50868
Researchers who uncovered the vulnerability: Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner from the German National Research Center for Applied Cybersecurity ATHENE