KeyTrap - ATHENE

source link: https://www.athene-center.de/en/keytrap

ATHENE-Research

KeyTrap: Serious Vulnerability in the Internet Infrastructure

© Fraunhofer SIT

ATHENE researchers have uncovered a critical flaw in the design of DNSSEC (DNS Security Extensions), the security extension to the Domain Name System (DNS). The flaw introduces a vulnerability in all DNS implementations, and the researchers are helping vendors and service providers to fix it. Without correction, the flaw could have serious implications for DNSSEC-validating implementations and public DNS providers such as Google and Cloudflare. Led by Prof. Dr. Haya Schulmann of Goethe University Frankfurt, the ATHENE team has developed a new class of attack called "KeyTrap" that shows how hackers could exploit the design flaw: with just a single DNS packet, hackers could paralyze all common DNS implementations and public DNS providers. Exploiting this attack would have serious consequences for any application that uses the internet, including the unavailability of technologies such as web browsers, email and instant messaging. This devastating effect prompted major DNS vendors to call KeyTrap “The worst attack on DNS ever discovered”. ATHENE researchers have been working with vendors and DNS providers to develop specific patches to close the vulnerability. All providers of DNS services are strongly advised to apply these patches immediately to mitigate this critical vulnerability.

The attack vectors exploited in the KeyTrap class of attacks are registered in the Common Vulnerabilities and Exposures (CVE) database under the umbrella identifier CVE-2023-50387.

The discovery and fixing of this design flaw in DNSSEC is a good example of the importance of cybersecurity research in helping to proactively prevent cyberattacks and improve security. ATHENE's work has already uncovered several serious security vulnerabilities on the internet, helping to improve security for the benefit of millions of users in Germany and around the world.

Technical Report

The technical background is summarized in this report: Report (PDF, 1,2 MB)

Contact

Prof. Haya Schulmann

Tel.: +49 69 798-23777

Prof. Michael Waidner
CEO

Tel.: +49 6151 869-250