
Elias Heftrig

Researcher from Fraunhofer SIT
#33392 of 53,634
7.8 Total CVSS
Vulnerabilities · 1
PT-2024-1672
7.8
2022-10-03
ISC · BIND · CVE-2023-50387
**Name of the Vulnerable Software and Affected Versions**

BIND versions prior to the release that contains the fix. This page does not state the exact version numbers; take them from the ISC advisory for CVE-2023-50387.

**Description**

The issue lies in the DNSSEC validation logic of the resolver and is known as "KeyTrap". It can be exploited by a remote attacker to cause a denial of service (CPU exhaustion) with one or a few DNSSEC responses. RFC 4035 directs a validator, for every RRSIG covering an RRset, to try every DNSKEY whose algorithm and key tag match that signature. A key tag is only a 16-bit checksum of the key's RDATA (RFC 4034, Appendix B), not a unique identifier, so an attacker who controls a zone can publish many DNSKEY records that share one key tag together with many RRSIGs that reference it. A single response then forces the validator to attempt every DNSKEY/RRSIG combination, and every verification fails, so the CPU is consumed before the resolver can conclude that the data is bogus. The number of potentially affected devices worldwide is not stated here, but because a single malicious response can tie up a validating resolver for an extended period, the issue can potentially cause extended Internet outages.

**Recommendations**

Upgrade to a BIND release that contains the fix for this vulnerability. As a temporary workaround, running the resolver without DNSSEC validation removes the exposure, but it also removes the protection DNSSEC provides against spoofed answers, so this is not recommended. Reduce exposure of the vulnerable validation code by restricting recursion to trusted clients (for example with BIND's `allow-recursion` ACL), since the attacker needs the resolver to query an attacker-controlled zone on their behalf. The original advice to avoid `ValidatingResolver` does not apply to BIND: `ValidatingResolver` is the DNSSEC validator class of the dnsjava library, which is also covered by CVE-2023-50387, so that advice is relevant only to Java applications embedding dnsjava's validator.
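The following is an added example, written for this page and not code from dbugs, ISC or BIND. It models the two pieces of the DNSSEC specification that KeyTrap combines: the RFC 4034 Appendix B key-tag checksum (real algorithm) and the RFC 4035 candidate-key selection loop, in which every DNSKEY whose algorithm and key tag match an RRSIG is tried in turn. The cryptographic signature check is replaced by a placeholder comparison, since the point is how many checks a validator performs, not the arithmetic of each one; the per-resolution failure budget and its threshold of 16 are an assumed illustration of the general shape of a fix, not ISC's exact patch. All keys and signatures are constructed inline.

```python
"""Model of the KeyTrap (CVE-2023-50387) validation blow-up.

Constructed example: the DNSKEY/RRSIG records and the verify() placeholder
are synthetic; key_tag() follows RFC 4034 Appendix B and validate_rrset()
follows the RFC 4035 candidate-selection rule.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ALG_RSASHA256 = 8  # real algorithm number; the keys here are not real RSA keys


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        # DNSKEY RDATA wire layout: flags(2) | protocol(1) | algorithm(1) | key
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)


@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    key_tag: int
    signature: bytes


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit checksum of the DNSKEY RDATA (non-alg-1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def verify(key: DNSKEY, sig: RRSIG) -> bool:
    # Placeholder for RSA/ECDSA verification (assumption): a signature is
    # "valid" only if it was produced by exactly this key.
    return sig.signature == b"sig-by:" + key.public_key


def validate_rrset(keys: List[DNSKEY], sigs: List[RRSIG],
                   check: Callable[[DNSKEY, RRSIG], bool] = verify,
                   max_failures: Optional[int] = None) -> Tuple[str, int]:
    """Return (status, number_of_signature_checks).

    RFC 4035 5.3.1: for each RRSIG, every DNSKEY whose algorithm and key tag
    match is a candidate and is tried until one verifies. With
    max_failures=None this is the unbounded, vulnerable behaviour; with a
    budget the resolver gives up (bogus) after that many failed checks.
    """
    checks = failures = 0
    for sig in sigs:
        for key in keys:
            if key.algorithm != sig.algorithm or key_tag(key.rdata()) != sig.key_tag:
                continue
            checks += 1
            if check(key, sig):
                return "secure", checks
            failures += 1
            if max_failures is not None and failures >= max_failures:
                return "bogus", checks  # budget exhausted: stop burning CPU
    return "bogus", checks


def colliding_keys(n: int) -> List[DNSKEY]:
    """n distinct DNSKEYs sharing one key tag (n <= 256).

    Even-indexed RDATA bytes contribute byte<<8 to the checksum, so placing
    k and n-1-k at two even offsets keeps the sum constant for every k.
    """
    return [DNSKEY(257, 3, ALG_RSASHA256, bytes([k, 0, n - 1 - k, 0]))
            for k in range(n)]


def keytrap_cost(n_keys: int, n_sigs: int,
                 max_failures: Optional[int] = None) -> Tuple[str, int]:
    """Attacker zone: n_keys colliding DNSKEYs, n_sigs RRSIGs naming that tag."""
    keys = colliding_keys(n_keys)
    tag = key_tag(keys[0].rdata())
    sigs = [RRSIG(ALG_RSASHA256, tag, b"bogus-%d" % i) for i in range(n_sigs)]
    return validate_rrset(keys, sigs, max_failures=max_failures)


def honest_case() -> Tuple[str, int]:
    """A normal zone: two keys with different tags, one genuine signature."""
    ksk = DNSKEY(257, 3, ALG_RSASHA256, b"\x03\x00\x00\x00")
    zsk = DNSKEY(256, 3, ALG_RSASHA256, b"\x00\x00\x07\x00")
    sig = RRSIG(ALG_RSASHA256, key_tag(zsk.rdata()), b"sig-by:" + zsk.public_key)
    return validate_rrset([ksk, zsk], [sig])


if __name__ == "__main__":
    print("honest zone:", honest_case())
    print("128 keys x 128 sigs, unbounded:", keytrap_cost(128, 128))
    print("same, with failure budget 16:", keytrap_cost(128, 128, max_failures=16))
```

The unbounded run performs 128 × 128 signature checks for one RRset before returning bogus; scaling the counts up is what turns a single response into minutes of CPU time on a real resolver. The budgeted run reaches the same bogus verdict after 16 checks, which is why the fix is a cap on validation work rather than any change to the cryptography.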