How the Internet Dodged a Bullet: The KeyTrap Denial-of-Service Attacks against DNSSEC (Nov. 20th)
Thursday, November 20th, 2025: 2:00 PM to 3:00 PM
The Internet relies on the Domain Name System (DNS) for many of its uses, including web browsing, TLS certificates, and email. Because DNS is critical for today's Internet, DNSSEC was standardized as one of the first security extensions to any Internet protocol. To date, DNSSEC has been deployed on about one third of systems.
In this talk we present a new class of devastating attacks on DNSSEC, named KeyTrap, that allow for a comprehensive and continuous DoS of any DNSSEC-validating DNS resolver.
The vulnerabilities stem directly from requirements in the DNSSEC standard and we find all DNSSEC-validating resolvers vulnerable. The KeyTrap attacks exploit algorithmic complexity, e.g., in validating signatures against DNSSEC keys, to stall any resolver and DoS its services for all its clients.
A single DNS request of roughly 100 bytes can cause a resolver to cease responding for between two minutes and 16 hours, depending on the implementation. With KeyTrap, an attacker could have disrupted service for a large part of global Internet users, which is why leading developers of DNS software referred to KeyTrap as "the worst attack on DNS ever discovered".
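To make the algorithmic-complexity point concrete, the following Python model (added here for illustration; it is not code from the talk or from any resolver) reproduces the validation loop that RFC 4035 section 5.3.1 prescribes: for every RRSIG, a validator tries every DNSKEY whose algorithm and key tag match, and a KeyTrap-style zone supplies many keys and many signatures that all share one key tag, so the resolver performs keys times signatures expensive public-key verifications before it can declare the data bogus. The `crypto_verify` stand-in, the constructed RRsets, and the failure budget of 16 in `validate_bounded` are assumptions made for the example; only the number of verification attempts is the point.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample data: a stand-in for the canonical wire form of the
# RRset being validated (its content is irrelevant to the attempt count).
RRSET_DATA = b"example. 300 IN A 192.0.2.1"


@dataclass(frozen=True)
class DNSKEY:
    algorithm: int
    key_tag: int
    public_key: bytes


@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    key_tag: int
    signature: bytes


def crypto_verify(sig: RRSIG, key: DNSKEY, data: bytes) -> bool:
    """Stand-in for the RSA/ECDSA verification a real resolver runs per attempt.
    Toy rule (assumption): a signature is valid iff it equals SHA-256(key || data).
    In a real resolver each call is an expensive public-key operation."""
    return sig.signature == hashlib.sha256(key.public_key + data).digest()


def validate_naive(data, sigs, keys, counter):
    """The RFC 4035 section 5.3.1 loop: try each RRSIG against every DNSKEY with
    matching algorithm and key tag, accepting on the first success. With colliding
    key tags and no valid signature this costs len(sigs) * len(keys) attempts."""
    for sig in sigs:
        for key in keys:
            if (key.algorithm, key.key_tag) != (sig.algorithm, sig.key_tag):
                continue
            counter["verifications"] += 1
            if crypto_verify(sig, key, data):
                return True
    return False


def validate_bounded(data, sigs, keys, counter, max_failures=16):
    """Same loop with a budget of failed verifications (the 16 is an assumption
    for this example). Once exhausted, the RRset is treated as bogus, so the
    work an attacker can force no longer scales with the RRset sizes."""
    failures = 0
    for sig in sigs:
        for key in keys:
            if (key.algorithm, key.key_tag) != (sig.algorithm, sig.key_tag):
                continue
            counter["verifications"] += 1
            if crypto_verify(sig, key, data):
                return True
            failures += 1
            if failures >= max_failures:
                return False
    return False


def keytrap_rrset(n_keys, n_sigs, algorithm=13, key_tag=1234):
    """Constructed attacker-controlled zone: n_keys DNSKEYs and n_sigs RRSIGs that
    all share one algorithm and key tag, none of which actually verifies."""
    keys = [DNSKEY(algorithm, key_tag, b"bogus-key-%d" % i) for i in range(n_keys)]
    sigs = [RRSIG(algorithm, key_tag, hashlib.sha256(b"garbage-%d" % i).digest())
            for i in range(n_sigs)]
    return sigs, keys


def legitimate_rrset(algorithm=13, key_tag=4711):
    """Constructed honest zone: one key and one signature that verifies."""
    key = DNSKEY(algorithm, key_tag, b"real-zone-key")
    sig = RRSIG(algorithm, key_tag,
                hashlib.sha256(key.public_key + RRSET_DATA).digest())
    return [sig], [key]


def count_verifications(validator, data, sigs, keys, **kwargs):
    """Run a validator and return (validated?, number of verification attempts)."""
    counter = {"verifications": 0}
    result = validator(data, sigs, keys, counter, **kwargs)
    return result, counter["verifications"]


if __name__ == "__main__":
    sigs, keys = keytrap_rrset(20, 20)
    print("naive   :", count_verifications(validate_naive, RRSET_DATA, sigs, keys))
    print("bounded :", count_verifications(validate_bounded, RRSET_DATA, sigs, keys))
    print("legit   :", count_verifications(validate_naive, RRSET_DATA, *legitimate_rrset()))
```

Running it shows the naive loop performing 400 verification attempts for a 20-key, 20-signature RRset that could never validate, while the bounded loop stops after 16 and still accepts the honest one-key, one-signature RRset on its first attempt. Real KeyTrap payloads push the key and signature counts far higher, and each attempt is a real public-key operation, which is where the minutes-to-hours stalls come from.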
Hosted by Blackhat