'KeyTrap' DNS Bug Threatens Widespread Internet Outages

Although it's been sitting there since 2000, researchers were just recently able to suss out a fundamental design flaw in a Domain Name System (DNS) security extension, which under certain circumstances could be exploited to take down wide expanses of the Internet.

DNS servers translate website URLs into IP addresses and, mostly invisibly, carry all Internet traffic.

The team behind the discovery is from the ATHENE National Research Center for Applied Cybersecurity in Germany. They named the vulnerability "KeyTrap," tracked as CVE-2023-50387. According to their new report on the KeyTrap DNS bug, the researchers found that a single packet sent to a DNS server implementation that uses the DNSSEC extension to validate traffic could force the server into a resolution loop that consumes all of its own computing power and stalls it. If multiple DNS servers were hit with KeyTrap simultaneously, they could all be downed at once, resulting in widespread Internet outages, according to the team of academics.

In testing, the length of time the DNS servers remained offline after an attack varied, but the report noted that BIND 9, the most widely deployed DNS implementation, could remain stalled for up to 16 hours.

According to the Internet Systems Consortium (ISC), which oversees DNS servers worldwide, 34% of