"Since the initial disclosure of the vulnerabilities on November 2, 2023, we have been working with all major vendors on mitigating the problems in their implementations."
"We recommend that everyone installs the patches and updates their DNS software. We recommend to continue using DNSSEC, encourage the domains to get signed, and all the resolvers to enforce DNSSEC validation. DNSSEC is the only practical measure to block DNS cache poisoning attacks."
https://labs.ripe.net/author/haya-shulman/keytrap-algorithmic-complexity-attacks-exploit-fundamental-design-flaw-in-dnssec/
#DNSSEC #DNS #KEYTRAP
=> More informations about this toot | More toots from antonio@social.prado.it
@antonio @woody interesting that this attack was first published in 2019 but it didn’t gain the same traction in the DNS world - https://essay.utwente.nl/78777/
=> More informations about this toot | More toots from letoams@defcon.social
@letoams @antonio
Indeed. I guess it didn't make it to the attention of people who were in a position to deal with it?
=> More informations about this toot | More toots from woody@pch.net
@letoams @antonio @woody the conclusion in that paper is that the attack is not very effective. Keytrap also introduces many RRSIGs, which makes all the difference
=> More informations about this toot | More toots from otto@bsd.network