On Wed, Feb 14, 2024 at 10:14 AM Yorgos Thessalonikefs <yor...@nlnetlabs.nl> wrote:
> Hi Shumon,
>
> On 14/02/2024 15:49, Shumon Huque wrote:
> > Does the KeyTrap vulnerability exploit colliding keytags? The paper
> > isn't public yet and the CVE does not mention this.
>
> We didn't want to be very specific in our (NLnet Labs) wording because
> the paper will follow with all the details.
> The researchers could exploit various validation paths and have several
> attacks. KeyTrap is the worst one and involves exploiting colliding
> keytags.
> That is why we limited the amount of collisions Unbound will accept
> (actively while validating) to 4. Recent data shared in dns-oarc showed
> mainly 2 collisions observed in the wild and we thought 4 is a safe number.
>
> Best regards,
> -- Yorgos

Thanks for the info Yorgos! There should definitely be some bound. 4 colliding keytags for a single zone sounds reasonable to me at first glance. I hope we can do a larger ecosystem-wide survey of deployed infrastructure to confirm that.

Shumon.
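The collision bound discussed above is easy to audit from the outside. The following is an added example (not code from the thread, from Unbound or from NLnet Labs): it computes DNSKEY key tags per RFC 4034 Appendix B, parses records in the presentation format that dig prints, and reports any key tag shared by more than a configurable number of keys, with 4 as the default to mirror the Unbound limit mentioned by Yorgos. The DNSKEY RRset, the zone name example.test and the 4-byte "public keys" are constructed sample data (not valid algorithm 13 keys) chosen so that five records share one tag and exercise the check; the thread does not state exactly how Unbound counts collisions, so treating "limit" as the maximum number of keys allowed per tag is this example's assumption.

```python
"""Key tag computation (RFC 4034, Appendix B) and a DNSKEY-RRset collision check.

Added example for auditing a zone's DNSKEY RRset; not Unbound's code.
"""
import base64
from collections import Counter
from typing import Dict, Iterable, List


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format RDATA of a DNSKEY RR: 2-byte flags, protocol, algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag as specified in RFC 4034 Appendix B.

    Sums the RDATA as 16-bit big-endian words, folds the carry back in once and
    keeps the low 16 bits. Algorithm 1 (RSAMD5, deprecated) has a different rule
    that is not handled here.
    """
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str) -> bytes:
    """Parse one DNSKEY record in presentation format into wire RDATA.

    Accepts the layout printed by dig: owner, TTL, class, DNSKEY, flags,
    protocol, algorithm, then the base64 key (possibly split over spaces).
    """
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1 : idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4 :]))
    return dnskey_rdata(flags, protocol, algorithm, pubkey)


def tag_counts(dnskey_lines: Iterable[str]) -> Dict[int, int]:
    """Map each key tag to the number of DNSKEY records carrying it."""
    return Counter(key_tag(parse_dnskey(line)) for line in dnskey_lines)


def tags_over_limit(dnskey_lines: Iterable[str], limit: int = 4) -> List[int]:
    """Key tags shared by more than `limit` keys (assumed reading of the Unbound bound)."""
    return sorted(tag for tag, n in tag_counts(dnskey_lines).items() if n > limit)


# Constructed sample RRset: the 4-byte keys are not real algorithm 13 keys; they
# are chosen so that the five KSK-flagged records all compute to key tag 1038,
# while the ZSK-flagged record computes to 1037.
SAMPLE_DNSKEY_RRSET = [
    "example.test. 3600 IN DNSKEY 257 3 13 AAAAAA==",
    "example.test. 3600 IN DNSKEY 257 3 13 AAD//w==",
    "example.test. 3600 IN DNSKEY 257 3 13 /wAA/w==",
    "example.test. 3600 IN DNSKEY 257 3 13 gAB//w==",
    "example.test. 3600 IN DNSKEY 257 3 13 QAC//w==",
    "example.test. 3600 IN DNSKEY 256 3 13 AAAAAA==",
]


if __name__ == "__main__":
    for tag, n in sorted(tag_counts(SAMPLE_DNSKEY_RRSET).items()):
        print(f"key tag {tag}: {n} key(s)")
    flagged = tags_over_limit(SAMPLE_DNSKEY_RRSET)
    print("tags exceeding the collision limit:", flagged or "none")
```

To run this against a real zone, replace SAMPLE_DNSKEY_RRSET with the lines from `dig +norecurse DNSKEY <zone>`; a tag listed by tags_over_limit is one that a resolver applying the bound above would refuse to try all keys for, which is worth knowing before a key rollover adds yet another key with the same tag.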
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop