
By Anand Raje February 17, 2024 In Blog

KeyTrap DNS Vulnerability

What is the KeyTrap DNS Vulnerability?

The vulnerability exploits standards-compliant DNSSEC validators, which try all possible combinations of DNSKEY and RRSIG records to find one combination that matches and validates. In this attack, the attacker creates a zone with multiple DNSKEY and RRSIG records, spending relatively little effort while causing the resolver to expend a lot of effort.

The Remedy

The validator needs to implement an explicit limit on the amount of work it will do.
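
The following added example (not taken from the technical paper or from any resolver's code) models the try-every-combination behaviour described above and the work limit as a fix. Signature checks are simulated by comparing identifiers, and all names and the limit of 16 attempts are assumptions chosen for illustration.

```python
# Toy model of DNSSEC RRset validation; no real cryptography is performed.
from dataclasses import dataclass

@dataclass(frozen=True)
class DnsKey:
    key_id: str      # stand-in for the public key material

@dataclass(frozen=True)
class RRSig:
    signer_id: str   # stand-in for "the key that really produced this signature"

class WorkLimitExceeded(Exception):
    """Raised when validation would exceed the configured attempt budget."""

def validate_rrset(keys, sigs, max_attempts=None):
    """Try every (RRSIG, DNSKEY) combination until one verifies.

    Returns (validated, attempts). Each attempt stands for one expensive
    signature verification. With max_attempts set, the validator stops and
    raises instead of doing unbounded work.
    """
    attempts = 0
    for sig in sigs:
        for key in keys:
            if max_attempts is not None and attempts >= max_attempts:
                raise WorkLimitExceeded(attempts)
            attempts += 1
            if key.key_id == sig.signer_id:   # simulated "signature verifies"
                return True, attempts
    return False, attempts

def resolve(keys, sigs, max_attempts=16):
    """Fail closed: hitting the budget is treated like any validation failure."""
    try:
        ok, attempts = validate_rrset(keys, sigs, max_attempts)
    except WorkLimitExceeded as exc:
        return "bogus (work limit reached)", exc.args[0]
    return ("secure" if ok else "bogus"), attempts

if __name__ == "__main__":
    # Constructed inputs: an ordinary zone, then a record set where nothing verifies.
    normal = ([DnsKey("k0"), DnsKey("k1")], [RRSig("k1")])
    heavy = ([DnsKey(f"k{i}") for i in range(20)],
             [RRSig(f"x{j}") for j in range(20)])
    print("normal, limited:  ", resolve(*normal))
    print("heavy, unlimited: ", validate_rrset(*heavy))
    print("heavy, limited:   ", resolve(*heavy))
```

Without a limit, the work grows with the product of the key and signature counts; with the limit, cost is capped at a constant while an ordinary zone still validates.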

The Technical Paper: https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf

Press Release: https://www.prleap.com/pr/294914/serious-vulnerability-in-the-internet-infrastructure-fundamental-design-flaw-in-dnssec-discovered

Vulnerability Tracker

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50868

Researchers who uncovered the vulnerability: Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner from the German National Research Center for Applied Cybersecurity ATHENE

 
