Hi Shumon,

On 14/02/2024 15:49, Shumon Huque wrote:
> Does the KeyTrap vulnerability exploit colliding keytags? The paper isn't public yet and the CVE does not mention this.

We didn't want to be very specific in our (NLnet Labs) wording because the paper will follow with all the details. The researchers could exploit various validation paths and have several attacks. KeyTrap is the worst one and involves exploiting colliding keytags. That is why we limited the number of collisions Unbound will accept (actively while validating) to 4. Recent data shared in dns-oarc showed mainly 2 collisions observed in the wild and we thought 4 was a safe number.

Best regards,
-- Yorgos
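To make the collision cap discussed above concrete, here is an added Python example (not Unbound's code and not from this thread) that computes RFC 4034 key tags for a DNSKEY RRset and refuses the set when more than a fixed number of keys share one tag; reading the reply as "at most 4 keys per tag" is an assumption, and the DNSKEYs are constructed test data.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed reading of the reply: at most 4 DNSKEYs may share one key tag;
# a 5th colliding key makes the validator refuse the RRset.
MAX_KEYTAG_COLLISIONS = 4


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 256 = ZSK, 257 = KSK (SEP bit set)
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B: a 16-bit checksum over the DNSKEY RDATA.
    Being a checksum rather than a hash, distinct keys can share a tag."""
    rdata = key.rdata()
    if key.algorithm == 1:  # RSA/MD5 (Appendix B.1): bytes -3..-2 of the modulus
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def keytag_collisions(keys) -> Counter:
    """Number of DNSKEYs carrying each key tag."""
    return Counter(key_tag(k) for k in keys)


def accept_dnskey_rrset(keys, limit=MAX_KEYTAG_COLLISIONS) -> bool:
    """Validator-side guard: reject the RRset if any tag is shared by more than `limit` keys."""
    return all(n <= limit for n in keytag_collisions(keys).values())


def signature_checks(keys, rrsig_tags) -> int:
    """Work a naive validator does: each RRSIG is tried against every DNSKEY carrying its tag."""
    by_tag = keytag_collisions(keys)
    return sum(by_tag[t] for t in rrsig_tags)


def sample_rrset(n_colliding: int):
    """Constructed DNSKEYs whose zero-padded key bytes all checksum to the same tag (test data)."""
    return [DNSKEY(257, 3, 8, b"\x00\x00" * i + b"\x00\x02") for i in range(n_colliding)]
```

`signature_checks` shows why the cap matters: with the cap in place, the number of expensive signature verifications per RRSIG is bounded by the limit rather than by the size of the DNSKEY RRset.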

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
