From akamai.com
Introduction
In February 2024, the newly disclosed “KeyTrap” vulnerability received a lot of attention because of its potential impact on worldwide DNS resolution infrastructure. Thanks to the responsible security researchers at the German National Research Center for Applied Cybersecurity ATHENE, part of the Fraunhofer Institute, and a responsive DNS community, patches were developed and awareness was spread of the urgent need to deploy those patches on all DNS resolvers doing DNS Security Extensions (DNSSEC) validation.
Akamai teams patched affected services we operate and provided our ISP and mobile network operator (MNO) customers with proactive guidance to protect validating DNS infrastructure (DNSi) CacheServe resolvers they operate, which serve approximately one billion subscribers.
KeyTrap is a useful reminder of the long history of threats to DNS infrastructure. In this blog post, we’ll discuss two major ways DNS resolvers are exposed — and their potential impact on provider networks. We’ll also offer perspectives on resolver software architecture and design practices that can enable enduring resilience, which can yield benefits in the form of network stability and operational simplicity.