DNSJava affected by KeyTrap - NSEC3 closest encloser proof can exhaust CPU resources
Moderate severity • GitHub Reviewed
Published Jul 21, 2024 in dnsjava/dnsjava • Updated Sep 12, 2024
Impact
Users of the ValidatingResolver for DNSSEC validation can run into CPU exhaustion with specially crafted DNSSEC-signed zones.
Patches
Users should upgrade to dnsjava v3.6.0.
Workarounds
Although not recommended, using only a non-validating resolver will remove the vulnerability.
References
https://www.athene-center.de/en/keytrap