Huston: KeyTrap!
Geoff Huston digs into the details of the KeyTrap DNS vulnerability, which was disclosed in February.
It's by no means "[devastating]" for the DNS, and the fix is much the same as the previous fix. As well as limiting the number of queries that a resolver can generate to resolve a queried name, a careful resolver will limit both the elapsed time and perhaps the amount of the resolver's processing resources that are used to resolve any single query name.

It's also not a novel discovery by the ATHENE folk. The vulnerability was described five years ago by a student at the University of Twente. I guess the issue was that the student failed to use a sufficient number of hysterical adjectives in describing this DNS vulnerability in the paper!