KeyTrap attacks exploit algorithmic complexity in DNSSEC validation. A resolver that has to check every signature on a record set against every candidate key can be forced into a large number of expensive public-key operations, tying up its CPU so that it stops answering legitimate queries.
A single DNS request of roughly 100 bytes can cause a resolver to stop responding for between two minutes and 16 hours, depending on the implementation. Because the attack abuses features of the DNSSEC standard that exist to support key rollover and algorithm rollover, where several keys and signatures must be tolerated at once, all validating resolver implementations were affected.
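The loop at the heart of the problem, as an added toy model (not the ATHENE team's code and not any resolver's implementation). DNSSEC validators locate candidate DNSKEYs for an RRSIG by a 16-bit key tag computed as in RFC 4034, Appendix B; the tag is a checksum, not a unique identifier, so an attacker can publish many keys that share one tag together with many signatures that reference it. `validate_naive` tries every (signature, key) pair, so work grows as keys multiplied by signatures; `validate_bounded` shows the general mitigation pattern of budgeting failed verifications per record set. The verification routine is a hash-based stand-in for real signature checking, the budget value and the DNSKEY header values are illustrative assumptions, and all inputs are constructed in the block.

```python
"""Toy model of KeyTrap's validation blow-up. Added example; not ATHENE's or any
resolver's code. Signature verification is a stand-in, and MAX_VALIDATION_FAILURES
is an illustrative assumption, not a value taken from any resolver."""
import hashlib

MAX_VALIDATION_FAILURES = 8  # assumed budget of failed verifications per RRset

# Assumed DNSKEY header: flags 257 (KSK), protocol 3, algorithm 13 (ECDSAP256SHA256)
DNSKEY_HEADER = (257).to_bytes(2, "big") + bytes([3, 13])


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags, protocol, algorithm, key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_with_tag(target: int, seed: bytes, key_len: int = 32) -> bytes:
    """Build DNSKEY RDATA whose key tag equals `target` by choosing the last two key
    bytes. Since the tag is a byte-weighted sum, the last two bytes sweep 65536
    consecutive sums; the fold-in of the carry can skip at most one tag value, so a
    fresh key body is tried if the sweep misses."""
    for variant in range(256):
        body = hashlib.sha256(seed + bytes([variant])).digest()[: key_len - 2]
        prefix = DNSKEY_HEADER + body  # even length, so the last two bytes weigh (<<8, <<0)
        base = sum(b if i & 1 else b << 8 for i, b in enumerate(prefix))
        for d in range(1 << 16):
            ac = base + d
            if ((ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF) == target:
                return prefix + d.to_bytes(2, "big")
    raise ValueError("no colliding key found")


def verify_stand_in(sig: bytes, key: bytes, message: bytes) -> bool:
    """Stand-in for an expensive public-key verification. Attacker signatures are
    garbage, so every attempt fails, but a real resolver pays full ECDSA/RSA cost each time."""
    return hashlib.sha256(key + message).digest() == sig


def validate_naive(message: bytes, rrsigs, dnskeys):
    """Pre-KeyTrap-style loop: try every RRSIG against every DNSKEY whose tag matches.
    Returns (validated?, number of verification attempts)."""
    attempts = 0
    for tag, sig in rrsigs:
        for key in dnskeys:
            if key_tag(key) != tag:
                continue  # resolvers index candidate keys by tag
            attempts += 1
            if verify_stand_in(sig, key, message):
                return True, attempts
    return False, attempts


def validate_bounded(message: bytes, rrsigs, dnskeys, max_failures: int = MAX_VALIDATION_FAILURES):
    """Mitigation pattern: cap failed verifications per RRset and treat exhaustion as
    bogus (SERVFAIL) instead of grinding through every combination."""
    attempts = 0
    for tag, sig in rrsigs:
        for key in dnskeys:
            if key_tag(key) != tag:
                continue
            if attempts >= max_failures:
                return False, attempts
            attempts += 1
            if verify_stand_in(sig, key, message):
                return True, attempts
    return False, attempts


def build_attack(n_keys: int = 8, n_sigs: int = 8, tag: int = 0x1234):
    """Constructed attacker zone: n_keys distinct DNSKEYs sharing one tag and n_sigs
    bogus RRSIGs that all reference that tag."""
    keys = [dnskey_with_tag(tag, seed=b"keytrap-" + i.to_bytes(2, "big")) for i in range(n_keys)]
    sigs = [(tag, hashlib.sha256(b"bogus-" + bytes([i])).digest()) for i in range(n_sigs)]
    return keys, sigs


def build_legit(message: bytes):
    """Constructed honest zone: one key and one valid (stand-in) signature over it."""
    key = DNSKEY_HEADER + hashlib.sha256(b"legit").digest()
    return [key], [(key_tag(key), hashlib.sha256(key + message).digest())]


if __name__ == "__main__":
    msg = b"www.example. A 192.0.2.1"  # constructed record data
    keys, sigs = build_attack()
    print("attacker keys share tag", hex(key_tag(keys[0])), "distinct:", len(set(keys)))
    print("naive  :", validate_naive(msg, sigs, keys))    # (False, 64): keys * sigs attempts
    print("bounded:", validate_bounded(msg, sigs, keys))  # (False, 8): gives up at the budget
    lk, ls = build_legit(msg)
    print("legit  :", validate_bounded(msg, ls, lk))      # (True, 1): honest data still validates
```

With 8 keys and 8 signatures the naive validator performs 64 verifications before declaring the data bogus; real deployments used hundreds of colliding keys and signatures, which is where the multi-hour outages come from. The bounded version stops at the budget, and the honest case shows the cap does not interfere with ordinary validation where the first candidate succeeds.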
Researchers Elias Heftrig and Niklas Vogel, two members of the four-person ATHENE team behind the work, explained during their Black Hat talk the roots of the problem and how it was resolved through a months-long confidential disclosure process. They worked with vendors and operators including ISC (BIND), Google, Cloudflare, and Akamai to develop mitigations and patches, which were rolled out in February 2024.