Content deleted Content added
Undid revision 1302534724 by 41.198.159.95 (talk)Reverted very strange addition. |
|||
Line 211:
In January 2024, a "KeyTrap" denial-of-service attack was announced for all specification-respecting DNSSEC resolvers. The DNSSEC specification (RFC4033-4035) specifies that a resolver, when receiving a signed packet from the upstream, should try ''all'' keys with the correct "tag" on ''all'' signatures until one of the combinations successfully verifies. By putting many keys with the same "tag" and many signatures corresponding to that "tag" in a packet, the researchers can slow down a resolver by a factor of 2 million. In response, resolvers began to place limits on the amount of verification errors, key tag collisions, and hash calculations.<ref>{{cite web |title=The KeyTrap Denial-of-Service Algorithmic Complexity Attacks on DNS Version: January 2024 |author1=Elias Heftrig|author2= Haya Schulmann |author3= Niklas Vogel |author4= Michael Waidne |url=https://www.athene-center.de/fileadmin/content/PDF/Keytrap_2401.pdf |website=ATHENE}} ([https://www.athene-center.de/en/keytrap press release])</ref>
==Authenticating
Cryptographically proving the absence of a ___domain requires signing the response to every query for a non-existent ___domain. This is not a problem for online signing servers, which keep their keys available online. However, DNSSEC was designed around using offline computers to sign records so that zone-signing-keys could be kept in cold storage. This represents a problem when trying to authenticate responses to queries for non-existent domains since it is impossible to pre-generate a response to every possible hostname query.
| |||