Just one bad packet can bring down a vulnerable DNS server thanks to DNSSEC

2024-02-13 23:27

A 20-plus-year-old security vulnerability in the design of DNSSEC could allow a single DNS packet to exhaust the processing capacity of any server offering the system for domain-name resolution, effectively disabling the machine.

Yes, a single DNS packet can take out a remote DNSSEC server.

The researchers who found the flaw - from the German National Research Center for Applied Cybersecurity in Darmstadt - said DNS vendors briefed about the vulnerability described it as "The worst attack on DNS ever discovered."

A technical paper on the vulnerability provided to The Register, titled, "The KeyTrap Denial-of-Service Algorithmic Complexity Attacks on DNS," describes how an assault would be carried out.

"Our complexity attacks are triggered by feeding the DNS resolvers with specially crafted DNSSEC records, which are constructed in a way that exploits validation vulnerabilities in cryptographic validation logic," the paper explains.

If your DNS queries LoOk liKE tHIs, it's not a ransom note, it's a security improvement Internet's safe-keepers forced to postpone crucial DNSSEC root key signing ceremony - no, not a hacker attack, but because they can't open a safe Is DNSSEC causing more problems than it solves? ICANN proposes creating.

News URL

https://go.theregister.com/feed/www.theregister.com/2024/02/13/dnssec_vulnerability_internet/

#DNS #server