The security extensions for the Domain Name System were meant to make Internet name resolution trustworthy, but the technology has exchanged one set of problems for another.
A pair of attacks revealed by researchers this year underscored the fragility of the Domain Name System (DNS) and the security extensions (DNSSEC) that were adopted to help secure the world’s internet infrastructure.
For the past year, Internet infrastructure firms and DNS software makers have worked to patch validating resolvers for a critical weakness in DNSSEC. Discovered more than a year ago by four researchers at Goethe-Universität Frankfurt and Technische Universität Darmstadt, the so-called KeyTrap denial-of-service (DoS) attack can force a validating resolver to spend hours of CPU time attempting to verify the signatures in a single specially crafted DNSSEC response, according to their presentation at the Black Hat Europe 2024 conference earlier this month. The attack works because the DNSSEC specification obliges a resolver to try every candidate key against every signature before it may declare the data bogus, so an attacker who supplies many keys and many signatures multiplies the verification work a single response triggers.
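How that multiplication arises, as an added example that is not code from the article, from the KeyTrap researchers, or from any resolver: the script below computes RFC 4034 key tags, forges DNSKEY records that all share one tag (the tag is a 16-bit checksum of the record, so the last two bytes of a filler public key can be chosen to hit any target), builds RRSIG records that all reference that tag, and then runs the RFC 4035 candidate-selection loop over them. Signature verification is replaced by a stub that records each attempt and fails, so the output is an attempt count rather than CPU seconds; in a real resolver each attempt is a public-key operation. The `max_failures` budget that cuts the loop short is an illustrative mitigation, not any vendor's actual patch or limit, and the key and signature bytes are constructed filler, not real RSA material.

```python
"""KeyTrap-style worst case in a DNSSEC validator, as a constructed simulation.

Added example: not the page's, the researchers' or any resolver's code.
Verification is a stub that counts attempts, so results are attempt counts.
"""
import struct

RSASHA256 = 8            # DNSSEC algorithm number (IANA registry)
KSK_FLAGS = 257          # Zone Key + Secure Entry Point
COLLIDING_TAG = 0xBEEF   # arbitrary key tag every forged key will share


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag computed over the whole DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(pubkey: bytes, flags: int = KSK_FLAGS, alg: int = RSASHA256) -> bytes:
    """DNSKEY RDATA wire format: flags(2) protocol(1)=3 algorithm(1) public key."""
    return struct.pack("!HBB", flags, 3, alg) + pubkey


def forge_dnskey_with_tag(seed: int, target: int, length: int = 64) -> bytes:
    """Return DNSKEY RDATA whose key tag equals `target`.

    The tag is a 16-bit sum of the RDATA words, so the attacker picks the
    last two bytes of the (filler, not real RSA) public key to land on it.
    """
    body = bytes((seed * 31 + i) & 0xFF for i in range(length - 2))
    head = dnskey_rdata(body)                      # even length: 4 + 62 bytes
    partial = sum(struct.unpack("!%dH" % (len(head) // 2), head))
    for carry in (partial >> 16, (partial >> 16) + 1):
        last = (target - carry - (partial & 0xFFFF)) & 0xFFFF
        rdata = head + struct.pack("!H", last)
        if key_tag(rdata) == target:               # confirm with the real function
            return rdata
    raise ValueError("tag unreachable for this prefix")  # only for tiny tags


def rrsig_rdata(tag: int, alg: int = RSASHA256, sig_len: int = 64, seed: int = 0) -> bytes:
    """RRSIG RDATA: type covered(2) alg(1) labels(1) orig TTL(4) expiration(4)
    inception(4) key tag(2) signer name (wire form) signature (filler here)."""
    signer = b"\x07example\x00"                    # "example." in wire form
    header = struct.pack("!HBBIIIH", 1, alg, 1, 3600, 0x7FFFFFFF, 0, tag)
    return header + signer + bytes((seed + i) & 0xFF for i in range(sig_len))


def validate(dnskeys, rrsigs, verify, max_failures=None):
    """RFC 4035 candidate selection: each RRSIG is tried against every DNSKEY
    whose algorithm and key tag match, and the RRset is secure as soon as one
    (key, signature) pair verifies. With max_failures=None the loop never gives
    up early, which is the behaviour KeyTrap exploits; the cap is an
    illustrative mitigation. Returns (secure, attempts)."""
    attempts = failures = 0
    for sig in rrsigs:
        alg, tag = sig[2], struct.unpack("!H", sig[16:18])[0]
        for key in dnskeys:
            if key[3] != alg or key_tag(key) != tag:
                continue
            attempts += 1
            if verify(key, sig):
                return True, attempts
            failures += 1
            if max_failures is not None and failures >= max_failures:
                return False, attempts             # treat as bogus, stop burning CPU
    return False, attempts


def never_verifies(key: bytes, sig: bytes) -> bool:
    """Stand-in for the expensive public-key check: attacker-supplied
    signatures are garbage, so every attempt fails."""
    return False


def simulate_keytrap(n_keys: int, n_sigs: int, max_failures=None):
    """Build one response with n_keys colliding DNSKEYs and n_sigs RRSIGs that
    all reference the shared tag, then run the validator over it."""
    keys = [forge_dnskey_with_tag(i, COLLIDING_TAG) for i in range(n_keys)]
    sigs = [rrsig_rdata(COLLIDING_TAG, seed=i) for i in range(n_sigs)]
    assert all(key_tag(k) == COLLIDING_TAG for k in keys)
    return validate(keys, sigs, never_verifies, max_failures)


if __name__ == "__main__":
    print("unpatched:", simulate_keytrap(20, 20))      # (False, 400)
    print("capped   :", simulate_keytrap(20, 20, 16))  # (False, 16)
```

With 20 keys and 20 signatures the unpatched loop performs 400 verification attempts for one response; the count grows as keys times signatures, and both can be pushed up until the response hits the DNS message size limit. A resolver that stops after a fixed number of failed verifications bounds the work per query, which is the shape of the emergency patches, but it does not change the specification's requirement to keep trying, which is why the researchers describe the underlying issue as unresolved.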
The researchers notified major Internet providers of the issues late last year and worked with them to produce patches earlier this year, but the flaws in DNSSEC are systematic, says Haya Schulmann, a professor of computer science at Goethe-Universität Frankfurt and one of the researchers involved in the work.
“I would not say that the core of the problem has been resolved,” she says. “There are patches which mitigate the most severe problems, but the core issue is yet to be addressed.”
The KeyTrap weaknesses were not the only DNS attacks to surface in 2024. In May, a team of Chinese researchers disclosed three logic vulnerabilities in DNS software that enabled cache poisoning, denial of service, and resource-consumption attacks. Dubbed TuDoor, the attack affected some 24 different DNS software codebases, the researchers stated in a summary of their work.
Source: https://www.darkreading.com/cloud-security/dnssec-denial-of-service-attacks-show-fragility