Dear members of the DNSop wg,

In recent years we have been working on DNSSEC and mitigated a number of vulnerabilities. Last year we identified flaws in the DNSSEC standard that can be exploited to launch Denial of Service attacks against DNSSEC validating software. For instance, some popular resolvers can be stalled for 16 hours with just a single DNS packet.

We demonstrated the attacks to the vendors and worked with them to develop effective patches. This task turned out to be challenging and required a number of iterations. The flaws in the DNSSEC standard have implications for ALL standard-supporting DNS resolvers and are challenging to resolve, as is also evident from the number of patch iterations we had with the developers. Further, patched DNS resolvers break the standard requirements, or else are vulnerable to CPU exhaustion attacks.

A brief explanation of the flaws in the DNSSEC standard and our KeyTrap attacks that exploit them can be found here:
https://labs.ripe.net/author/haya-shulman/keytrap-algorithmic-complexity-attacks-exploit-fundamental-design-flaw-in-dnssec/

The technical report describing our research can be found here:
https://www.athene-center.de/fileadmin/content/PDF/Keytrap_2401.pdf

We would like to use this opportunity to thank the many vendors for their support and collaboration during the last months.

Best regards,
Haya Schulmann

--
Prof. Dr. Haya Schulmann
Goethe-Universität Frankfurt
ATHENE
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
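Added illustration (editor's example, not part of the message above and not the authors' or any vendor's code): a small simulation of the validation work a KeyTrap-style packet forces on a resolver, and of why capping that work conflicts with the standard. The mechanism assumed here comes from RFC 4035 section 5.3.1 and the linked report, not from the e-mail text: a validator must, for each RRSIG over an RRset, try every DNSKEY whose owner name, algorithm and 16-bit key tag match, until one verifies; because the key tag is only a checksum (RFC 4034, Appendix B), an attacker can mint many keys that share one tag and attach many RRSIGs naming it that verify under none, so a compliant validator performs keys × signatures expensive public-key operations before concluding "bogus". The record types, the toy hash-based "signature", the sample sizes and the `budget` parameter are constructed for this example; the e-mail's 16-hour figure refers to real resolvers and real cryptography, which this stand-in does not reproduce.

```python
"""KeyTrap-style validation cost, simulated (added example; constructed data).

Cost model: one verify() call per (RRSIG, DNSKEY) pair that matches on
owner/signer name, algorithm and key tag.  Verification is a toy
SHA-256 check standing in for a public-key operation; it is not DNSSEC
signing and must not be used as such.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    algorithm: int
    key_tag: int          # 16-bit checksum in real DNSSEC; collisions are cheap
    public_key: bytes


@dataclass(frozen=True)
class RRSIG:
    signer: str
    algorithm: int
    key_tag: int
    signature: bytes


RRSET_DATA = b"example. 3600 IN A 192.0.2.1"   # constructed RRset payload


def sign(key: DNSKEY, rrset_data: bytes) -> bytes:
    """Toy signature: SHA-256(public_key || data).  Stand-in only."""
    return hashlib.sha256(key.public_key + rrset_data).digest()


def verify(key: DNSKEY, sig: RRSIG, rrset_data: bytes) -> bool:
    """Stand-in for a public-key verification.  Attacker-minted junk
    signatures never match, so every attempt on them is wasted work."""
    return sig.signature == sign(key, rrset_data)


def validate(rrset_data, rrsigs, dnskeys, budget=None):
    """Return (status, verifications_performed).

    budget=None follows RFC 4035 5.3.1: every matching (RRSIG, DNSKEY)
    pair is tried before the RRset is declared bogus.  A numeric budget
    aborts after that many failed verifications; this is the shape of
    the post-KeyTrap mitigations and it departs from the standard's
    'try all matching keys' requirement, the tension the e-mail notes.
    """
    attempts = 0
    for sig in rrsigs:
        for key in dnskeys:
            if (key.owner, key.algorithm, key.key_tag) != \
               (sig.signer, sig.algorithm, sig.key_tag):
                continue                       # tag/alg/name mismatch: skipped for free
            if budget is not None and attempts >= budget:
                return "bogus", attempts       # mitigation: give up early
            attempts += 1
            if verify(key, sig, rrset_data):
                return "secure", attempts
    return "bogus", attempts


def benign_case():
    """One legitimate key and one matching signature: a single verification."""
    key = DNSKEY("example.", 13, 12345, b"legit-public-key")
    sig = RRSIG("example.", 13, 12345, sign(key, RRSET_DATA))
    return validate(RRSET_DATA, (sig,), (key,))


def keytrap_rrsets(n_keys, n_sigs, owner="example.", algorithm=13, tag=12345):
    """Attacker's DNSKEY and RRSIG sets (constructed): n_keys distinct keys
    sharing one key tag, n_sigs signatures naming that tag, none valid."""
    keys = tuple(DNSKEY(owner, algorithm, tag, b"pub%05d" % i) for i in range(n_keys))
    sigs = tuple(RRSIG(owner, algorithm, tag, b"junk%05d" % j) for j in range(n_sigs))
    return keys, sigs


def run_demo(n_keys=200, n_sigs=200, budget=16):
    """Compare the compliant validator with a work-capped one on the same packet."""
    keys, sigs = keytrap_rrsets(n_keys, n_sigs)
    compliant = validate(RRSET_DATA, sigs, keys)            # keys * sigs verifications
    capped = validate(RRSET_DATA, sigs, keys, budget=budget)
    return benign_case(), compliant, capped


if __name__ == "__main__":
    benign, compliant, capped = run_demo()
    print("benign RRset:        ", benign)
    print("RFC 4035 validator:  ", compliant)
    print("budget-capped (16):  ", capped)
```

The interesting number is the second result: 200 colliding keys and 200 junk signatures (both fit comfortably in one DNS message) cost the compliant validator 40,000 verifications, growing as the product of the two counts; the capped validator spends 16 and answers "bogus", but a zone that legitimately needs more than `budget` attempts (for example, several real keys sharing a tag during a rollover) would now be rejected, which is the standards conflict the authors describe.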