Huston: KeyTrap!
It's by no means "[devastating]" for the DNS, and the fix is much the same as the previous fix. As well as limiting the number of queries that a resolver can generate to resolve a queried name, a careful resolver will limit both the elapsed time and perhaps the amount of the resolver's processing resources that are used to resolve any single query name. It's also not a novel discovery by the ATHENE folk. The vulnerability was described five years ago by a student at the University of Twente. I guess the issue was that the student failed to use a sufficient number of hysterical adjectives in describing this DNS vulnerability in the paper!
Posted Mar 12, 2024 12:37 UTC (Tue)
by johnjones (guest, #5462)
Posted Mar 12, 2024 14:45 UTC (Tue)
by paulj (subscriber, #341)
So basically, the answer to "A malicious DNS zone could tie up naive resolvers" is that zone operators should just... be respectful of the resources of resolvers, and /not/ generate zones with lots of keys, especially not with lots of keys with KeyTag collisions. And where a zone operator is just taking the piss, resolvers should put a sensible cap on how far they'll check.
Ok, this will break name resolution in zones made by evil operators, but... so what? :)
"Don't break your back to accommodate malicious data crafted by evil operators" should be a new networking principle I guess.
Posted Mar 12, 2024 16:11 UTC (Tue)
by auerswal (subscriber, #119876)
1. The KeyTrap[1] paper from ATHENE describes four related vulnerabilities. The University of Twente Bachelor Thesis[2] describes one of these vulnerabilities.
2. The KeyTrap paper describes combining vulnerabilities to create quadratic algorithmic complexity attacks, while the University of Twente Bachelor Thesis only describes a linear algorithmic complexity attack.
3. The University of Twente student did not manage to create a denial of service (DoS), although they tried. The ATHENE researchers could create DoS situations with all their attack methods.
I guess the issue was that the student failed in their attempts to demonstrate a DoS attack, while the ATHENE project demonstrated a 16h DoS of BIND9 with a single DNS request (and more DoS attacks against quite a few DNS resolvers). ;-)
[1]: https://www.athene-center.de/fileadmin/content/PDF/Keytra...
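As an added illustration of the two points made above (Huston's per-query resource cap and the key-tag collisions the thread discusses), not code from the article or from any commenter: the RFC 4034 key tag is only a 16-bit checksum, so several DNSKEYs can share one tag, and a validator that tries every RRSIG against every tag-matching key does n*m signature checks unless it bounds that work. The signature check itself is a constructed SHA-256 stand-in; the key bytes and RRset are constructed sample data.

```python
import hashlib
from dataclasses import dataclass

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags|proto|alg|key).
    It is a 16-bit checksum, so distinct keys can legitimately share a tag."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

@dataclass
class Rrsig:
    key_tag: int
    signature: bytes

def toy_verify(key: bytes, rrset: bytes, sig: bytes) -> bool:
    # Constructed stand-in for the real asymmetric check; only the number
    # of attempts matters for the demonstration.
    return sig == hashlib.sha256(key + rrset).digest()

class BudgetExceeded(Exception):
    """A single query would need more signature checks than the resolver allows."""

def validate(rrset: bytes, sigs: list, keys: list, budget: int):
    """Return (verified, attempts). Each RRSIG is tried against every DNSKEY
    whose tag matches, so n keys sharing a tag and m RRSIGs cost up to n*m
    checks; the budget caps that work for one query (the KeyTrap mitigation)."""
    attempts = 0
    for sig in sigs:
        for key in keys:
            if key_tag(key) != sig.key_tag:
                continue
            attempts += 1
            if attempts > budget:
                raise BudgetExceeded(attempts)
            if toy_verify(key, rrset, sig.signature):
                return True, attempts
    return False, attempts

# Constructed sample: flags 257 (KSK), protocol 3, algorithm 8, fake key bytes.
# Appending zero bytes leaves the checksum unchanged, so every tag collides.
BASE = bytes([1, 1, 3, 8]) + b"constructed key material"
KEYS = [BASE + b"\x00\x00" * i for i in range(8)]
RRSET = b"example. IN A 192.0.2.1"
BOGUS_SIGS = [Rrsig(key_tag(KEYS[0]), b"\x00" * 32) for _ in range(8)]
GOOD_SIG = Rrsig(key_tag(KEYS[3]), hashlib.sha256(KEYS[3] + RRSET).digest())
```

With eight bogus RRSIGs and eight tag-colliding keys the unbounded validator performs 64 checks before giving up; with a budget of 10 it aborts on the 11th attempt and the query fails instead of tying up the resolver.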
Posted Mar 16, 2024 2:02 UTC (Sat)
by gdt (subscriber, #6284)
Posted Mar 12, 2024 19:55 UTC (Tue)
by flussence (guest, #85566)
And that there is why we despise brand-and-logo CVEs. They've just reinvented warning fatigue and pushed responsible, non-clickbait disclosure even further out of sight. Even the phrase "responsible disclosure" has been twisted into SEO dreck nowadays...
Posted Mar 14, 2024 0:31 UTC (Thu)
by motk (subscriber, #51120)
Bleeker, D.A. (2019) DoS attack on recursive resolvers with DNSSEC key-tag collisions. http://essay.utwente.nl/78777/
[2]: https://essay.utwente.nl/78777/1/Research_paper.pdf
