Vercara’s UltraDNS Strategic Response to the KeyTrap Vulnerability

In today’s constantly evolving cybersecurity landscape, it’s essential to remain vigilant and take fast action when vulnerabilities are discovered. The cyber-security community has been discussing the KeyTrap vulnerability, which has been called the most critical vulnerability ever identified in the Domain Name System (DNS).

This issue, tracked under the CVE identifiers CVE-2023-50387 and CVE-2023-50868, stems from a design flaw in the DNS Security Extensions (DNSSEC) protocol. It can be turned into a denial-of-service (DoS) attack that disables DNS resolution by driving a validating resolver's CPU usage to the point where it can no longer answer queries.

Our proactive response.

At Vercara, we pride ourselves on our proactive approach to security and our commitment to safeguarding our infrastructure and, by extension, our customers’ trust. The KeyTrap vulnerability represents a significant threat, particularly to DNS resolvers implementing DNSSEC validation, including well-known services like Google Public DNS, Quad9, and Cloudflare’s 1.1.1.1.

In response to the discovery of KeyTrap, we took immediate and decisive steps to ensure the security of our services and the integrity of our infrastructure. Vercara operates various types of DNS servers, including UltraDNS Authoritative Servers and recursive DNS resolvers. The recursive DNS resolvers are operated under three products: UltraDDR, UltraDNS Firewall, and UltraDNS Public.

It is important to note that even when UltraDNS Authoritative and Recursive servers are co-located on the same nodes, they serve distinct functions. The UltraDNS Authoritative servers provide authoritative answers, while the UltraDNS Recursive servers provide recursive resolution.

UltraDNS Authoritative services are not subject to denial of service through this vulnerability, because it targets recursive (validating) resolvers rather than authoritative servers. This distinction spared our authoritative servers from the direct impact of KeyTrap and allowed us to focus our efforts on fortifying the other areas of our service against this threat.
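The authoritative-versus-recursive distinction above is something an operator can check for their own estate. The following is an added example, not Vercara's code or tooling: it builds a DNSSEC-aware query (EDNS0 OPT record with the DO bit) using only the Python standard library and classifies a server from the flag bits in its response header. A server that recurses and returns the AD (Authenticated Data) bit for a name in a signed zone is a validating resolver, and therefore in the population KeyTrap targets; a server answering with AA set and no RA is authoritative. The sample responses at the bottom are constructed header-only messages, and the `probe` helper, the host names and the flag constants are assumptions for illustration.

```python
import socket
import struct


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname in DNS wire format (no label compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            if len(label) > 63:
                raise ValueError("DNS label longer than 63 octets")
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, ident: int = 0x1234, dnssec: bool = True) -> bytes:
    """Standard query with RD set; with dnssec=True an EDNS0 OPT record carries the DO bit."""
    flags = 0x0100  # RD (recursion desired)
    arcount = 1 if dnssec else 0
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    opt = b""
    if dnssec:
        # OPT RR (RFC 6891): root name, TYPE 41, UDP payload size 4096,
        # extended RCODE 0, EDNS version 0, flags with DO (bit 15) set, empty RDATA.
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into its flag bits and section counts."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),  # response
        "aa": bool(flags & 0x0400),  # authoritative answer
        "tc": bool(flags & 0x0200),  # truncated
        "rd": bool(flags & 0x0100),  # recursion desired
        "ra": bool(flags & 0x0080),  # recursion available
        "ad": bool(flags & 0x0020),  # authenticated data (DNSSEC validated)
        "cd": bool(flags & 0x0010),  # checking disabled
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_server(msg: bytes) -> str:
    """Classify the responder from header flags alone (query must name a signed zone)."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not-a-response"
    if h["aa"] and not h["ra"]:
        return "authoritative"
    if h["ra"] and h["ad"]:
        return "validating-resolver"
    if h["ra"]:
        return "non-validating-resolver"
    return "unknown"


def probe(server: str, name: str, timeout: float = 3.0) -> str:
    """Send the query over UDP to a live server and classify it (needs network; not run here)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    if parse_header(resp)["id"] != parse_header(q)["id"]:
        raise ValueError("response ID does not match the query")
    return classify_server(resp)


# Constructed sample responses (header only), made up for this example.
VALIDATING_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)     # QR RD RA AD
NONVALIDATING_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)  # QR RD RA
AUTHORITATIVE_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8500, 1, 1, 0, 1)  # QR AA RD

if __name__ == "__main__":
    for label, resp in [("validating", VALIDATING_RESPONSE),
                        ("non-validating", NONVALIDATING_RESPONSE),
                        ("authoritative", AUTHORITATIVE_RESPONSE)]:
        print(f"{label:15s} -> {classify_server(resp)}")
    # Live check, e.g. probe("192.0.2.53", "example.com"), is left to the reader.
```

Two caveats when using this against real servers: the AD bit only appears for names in zones that are actually signed, so probe a name you know to be DNSSEC-signed, and its absence proves nothing by itself (a validating resolver answering for an unsigned zone also omits it). The point of the exercise is inventory: the servers that come back as validating resolvers are the ones whose patch status matters for KeyTrap, while authoritative-only servers are out of scope, exactly as the text describes.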

UltraDNS Detection and Response.

UltraDDR’s offering is unaffected by the KeyTrap vulnerability due to the comprehensive security measures and system hardening we put in place to protect every aspect of our infrastructure from possible exploits.

UltraDNS Firewall.

Our DNS resolvers used for the UltraDNS Firewall service were susceptible to the exploit and were promptly updated to address the vulnerability following the release of patches. This rapid response was critical in maintaining the resilience of our recursive services against potential exploitation.

UltraDNS public resolvers.

Our public resolver network, which operates on the same infrastructure as the UltraDNS Firewall, was likewise updated and hardened against the KeyTrap exploit as soon as the patches became available.

Looking ahead: Ongoing mitigation and transparency.

The recent KeyTrap vulnerability has highlighted the importance of being vigilant, taking prompt action, and continuously implementing measures to mitigate such risks. We are currently adding further validations and checks to our UltraDNS-managed zones to prevent them from being exploited through similar vulnerabilities. We have also engaged in continuous dialogue with our service vendors to ensure that our systems are updated with the latest patches. Our commitment to security goes beyond our infrastructure; we promise to maintain the highest standards of service, integrity, and reliability.

We understand the concerns that vulnerabilities like KeyTrap raise among our customers and the wider internet community. We are committed to proactively addressing these issues, ensuring our services remain secure, resilient, and trustworthy.

Ashwin Theadath, Vice President of Software Engineering for UltraDNS at Vercara, emphasizes this commitment: “In the face of emerging threats like the KeyTrap vulnerability, our team at Vercara has not only acted with speed but with foresight. We understand that the security of the DNS infrastructure is a cornerstone of the trust our customers and inevitably their customers place in us. It’s our responsibility to uphold that trust, ensuring that our part of the internet remains not just operational but impenetrable. Our actions are a clear reflection of our commitment to security, and we continue to stand vigilant, ready to protect and serve our digital community.”

Your security is our priority.

We want to assure all our valued customers and partners that none of the susceptible UltraDNS services were attacked before the patch was applied, and that our proactive measures to assess and patch quickly have ensured the continued security of our services. We are constantly monitoring and are ready to apply additional patches and updates as they become available.

Security is a collective effort, and we encourage our customers and partners to stay informed, alert, and engaged with us as we work together to navigate these challenges. If you have any questions or require further clarification, please do not hesitate to reach out to us for support.

Last Updated: March 19, 2024