
The "KeyTrap" DNS vulnerability

by corbet, from LWN.net (#6JRWA)
DNS resolvers (those that handle DNSSEC, at least) are almost uniformly vulnerable to an exploit that has been named "KeyTrap". In short, the right type of packet can send a DNS system into something close to an infinite loop, taking it out of service indefinitely.

With just a single DNS packet, hackers could paralyze all common DNS implementations and public DNS providers. Exploiting this attack would have serious consequences for any application that uses the internet, including the unavailability of technologies such as web browsers, email and instant messaging. This devastating effect prompted major DNS vendors to call KeyTrap "The worst attack on DNS ever discovered".

Some more information and pointers to updates can be found on the CVE-2023-50387 page; some distributors have been faster to get updates out than others.

(Thanks to Dave Taht).
