Security Advisory Description
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the “KeyTrap” issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records. (CVE-2023-50387)
Impact
Unbound
A remote attacker may be able to trigger high CPU consumption using Domain Name System Security Extensions (DNSSEC) responses, causing a denial-of-service (DoS) in validating resolvers. The following BIG-IP configurations are impacted:
BIND
There is no impact; F5 products are not affected by this vulnerability in default, standard, or recommended configurations. However, if the BIND configuration (named.conf) was modified to enable DNS recursion with the recursion yes; line added to the options section of your BIND configuration file, a remote attacker may be able to trigger high CPU consumption using DNSSEC responses, causing a DoS in validating resolvers.
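Added example, not part of the F5 advisory and not F5's own tooling: a Python check that reads a named.conf and reports whether the recursion yes; statement described above is present in the top-level options block, ignoring commented-out lines. It assumes the advisory's scope (options block only; recursion statements inside view blocks are not inspected) and uses constructed sample configurations.

```python
import re

def strip_comments(text: str) -> str:
    """Remove the comment styles named.conf accepts: /* ... */, // ..., # ..."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def options_block(text: str) -> str:
    """Return the body of the top-level options { ... } block, or '' if absent.
    Brace depth is tracked so nested statements such as allow-query { any; }
    do not end the block early."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return text[start:]  # unterminated block: inspect what is there

def recursion_enabled(named_conf: str) -> bool:
    """True when the options block contains an active 'recursion yes;' line,
    the modification the advisory identifies as making BIND on BIG-IP affected."""
    body = options_block(strip_comments(named_conf))
    return re.search(r"\brecursion\s+yes\s*;", body) is not None

# Constructed sample configurations (not taken from any real BIG-IP system).
SAMPLE_NOT_RECURSIVE = """
options {
    directory "/var/named";
    // recursion yes;   <- commented out, must not count
    allow-query { any; };
};
"""
SAMPLE_RECURSIVE = """
options {
    directory "/var/named";
    allow-query { any; };
    recursion yes;
};
"""

if __name__ == "__main__":
    for name, conf in (("not recursive", SAMPLE_NOT_RECURSIVE), ("recursive", SAMPLE_RECURSIVE)):
        print(f"{name}: recursion enabled = {recursion_enabled(conf)}")
```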