CVE-2023-50387 Information

Description

Certain DNSSEC aspects of the DNS protocol (in RFC 4035 and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses when there is a zone with many DNSKEY and RRSIG records, a.k.a. the "KeyTrap" issue. The protocol specification implies that a validating resolver must evaluate all combinations of DNSKEY and RRSIG records (every RRSIG against every DNSKEY whose owner name, algorithm and key tag match it) before it can declare the RRset bogus, so a single crafted response can force a number of signature verifications proportional to the product of the two record counts.
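The cost model behind the description, as an added example (not code from any of the resolvers linked below): the key tag is computed with the real RFC 4034 Appendix B.1 algorithm, and because that tag is only a 16-bit word sum, an attacker can mint an arbitrary number of distinct DNSKEY records that all carry the same tag; a matching set of RRSIGs then cannot be filtered by tag, and an RFC 4035 section 5.3.1 style validator tries every (RRSIG, DNSKEY) pair. Signature verification is simulated here by a counter that always reports failure, standing in for the RSA/ECDSA operation a real resolver would spend on each pair. The DNSKEY RDATA, the zone name `example.` and the `max_attempts` cap are constructed for the example; the cap illustrates the general shape of the fix shipped by the patched resolvers, which bound the validation work a single response can trigger.

```python
"""Model of the KeyTrap (CVE-2023-50387) validation blow-up.

Added example, not resolver code.  Only key_tag() follows a real
specification (RFC 4034 Appendix B.1); the key material, zone name and
the crypto_verify() stub are constructed for illustration.
"""
import struct
from dataclasses import dataclass


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B.1 (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def craft_colliding_dnskeys(n: int) -> list[bytes]:
    """Build n distinct DNSKEY RDATA blobs that share one key tag.

    Layout: flags=257 (KSK), protocol=3, algorithm=8, then a constructed
    public-key field.  The 16-bit word at offset 4 carries a counter i and
    the final word is 0xFFFF - i, so the word sum (and thus the tag) never
    changes while every blob stays distinct.  Constructed, not a real key.
    """
    assert 0 < n <= 0x10000
    header = struct.pack(">HBB", 257, 3, 8)  # 4 bytes, keeps words aligned
    filler = b"\x5a" * 60                     # constructed key material
    keys = [header + struct.pack(">H", i) + filler + struct.pack(">H", 0xFFFF - i)
            for i in range(n)]
    assert len({key_tag(k) for k in keys}) == 1
    return keys


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    rdata: bytes

    @property
    def algorithm(self) -> int:
        return self.rdata[3]

    @property
    def tag(self) -> int:
        return key_tag(self.rdata)


@dataclass(frozen=True)
class RRSIG:
    signer: str
    algorithm: int
    key_tag: int
    signature: bytes


def crypto_verify(sig: RRSIG, key: DNSKEY) -> bool:
    """Simulated verification: crafted signatures never validate.
    A real resolver performs a public-key operation here."""
    return False


def validate_rrset(rrsigs, dnskeys, max_attempts=None):
    """RFC 4035 5.3.1-style matching.  Returns (valid, verifications).

    Each RRSIG is tried against every DNSKEY whose owner, algorithm and key
    tag match.  With max_attempts=None the validator does what the unpatched
    specification implies and exhausts every combination; with a cap it
    stops and treats the RRset as bogus once the budget is spent.
    """
    attempts = 0
    for sig in rrsigs:
        candidates = [k for k in dnskeys
                      if k.owner == sig.signer
                      and k.algorithm == sig.algorithm
                      and k.tag == sig.key_tag]
        for key in candidates:
            if max_attempts is not None and attempts >= max_attempts:
                return False, attempts
            attempts += 1
            if crypto_verify(sig, key):
                return True, attempts
    return False, attempts


def keytrap_cost(n_keys: int, n_sigs: int, max_attempts=None):
    """Verifications forced by one response with n_keys colliding DNSKEYs
    and n_sigs RRSIGs that all reference the shared key tag."""
    keys = [DNSKEY("example.", r) for r in craft_colliding_dnskeys(n_keys)]
    shared_tag = keys[0].tag
    sigs = [RRSIG("example.", 8, shared_tag, bytes([j & 0xFF]))
            for j in range(n_sigs)]
    return validate_rrset(sigs, keys, max_attempts)


if __name__ == "__main__":
    print("uncapped, 100 keys x 100 sigs:", keytrap_cost(100, 100))
    print("capped at 16 verifications:  ", keytrap_cost(100, 100, 16))
```

The uncapped call reports 10,000 simulated verifications for a response that fits in a couple of DNS packets; the capped call reports 16. The point of the cap is not the exact number but that the work a resolver does per query must be bounded by the resolver, because the response format lets the sender choose how many pairs exist.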

Reference

https://datatracker.ietf.org/doc/html/rfc4035
https://www.athene-center.de/aktuelles/key-trap
https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
https://kb.isc.org/docs/cve-2023-50387
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html
https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/
https://news.ycombinator.com/item?id=39367411
https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/
https://www.isc.org/blogs/2024-bind-security-release/
https://news.ycombinator.com/item?id=39372384
https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html