KeyTrap attacks exploit algorithmic complexity, for instance in validating signatures against DNSSEC keys, to tie up resources and stop resolvers from handling legitimate requests.
A single 100-byte DNS request can cause a resolver to stop responding for between two minutes and 16 hours, depending on the implementation. Because the vulnerability exploited features of the DNSSEC standard designed to support functions such as key rollover and algorithm rollover (a validator is required to try every candidate key and signature before declaring a response bogus), all implementations were vulnerable.
Researchers Elias Heftrig and Niklas Vogel, part of the four-person ATHENE team, explained during their talk at Black Hat the root of the problem and how it was resolved through a months-long confidential disclosure process. They worked with vendors and operators including ISC (BIND), Google, Cloudflare, and Akamai to develop mitigations and patches, which were rolled out in February 2024.