Remediating new DNSSEC resource exhaustion vulnerabilities

Cloudflare has been part of an industry-wide effort to mitigate two critical DNSSEC vulnerabilities that exposed significant risks to critical infrastructures providing DNS resolution services. The company's public resolver 1.1.1.1 service was protected from both vulnerabilities before they were disclosed and is safe today. These vulnerabilities do not affect Cloudflare's Authoritative DNS or DNS firewall products. All major DNS software vendors have released new versions of their software, and all other major DNS resolver providers have also applied appropriate mitigations. Users are advised to update their DNS resolver software immediately if they haven't done so already. The Keytrap vulnerability (CVE-2023-50387) involves a malicious actor crafting a DNS response with multiple keys having the same key tag, causing additional work for DNS resolvers by trying every combination when validating responses. Mitigation includes limiting the maximum number of keys accepted at a zone cut and adding signature validations limits per RRSET and total signature validations limit per resolution task. The NSEC3 iteration and closest encloser proof vulnerability (CVE-2023-50868) involves a malicious DNS response from an authoritative DNS server setting high NSEC3 iteration counts and long DNS names with multiple labels to exhaust the computing resources of a validating resolver. Mitigation includes adding a limit for total hash calculations per resolution task to answer a single DNS question.