What is CVE-2023-50387 Vulnerability?
CVE-2023-50387, known as KeyTrap, is a Denial-of-Service (DoS) vulnerability affecting DNSSEC-validating DNS resolvers, including BIND, Unbound, and other recursive resolver implementations. It allows attackers to exhaust system resources by exploiting a flaw in how DNSSEC signatures are validated during DNSKEY and RRSIG record processing. By crafting maliciously complex DNS responses, attackers can force affected resolvers to perform excessive cryptographic operations, causing CPU exhaustion and rendering the resolver unresponsive.
This vulnerability is tracked under the Common Vulnerabilities and Exposures program and presents significant risks to any organization relying on DNS resolvers that perform DNSSEC validation.
When was it discovered?
The CVE-2023-50387 vulnerability was discovered and responsibly disclosed by researchers from the ATHENE National Research Center for Applied Cybersecurity (Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner).
Discovery date: November 2, 2023 (initial vendor disclosure)
Public disclosure date: February 13, 2024
The ATHENE team coordinated with major DNS software vendors for patch development and public release before full disclosure.
Affected products & versions
| Product | Versions Affected | Fixed Versions / Patch Links |
|---|---|---|
| BIND 9 | 9.0.0 → 9.16.46, 9.18.0 → 9.18.22, 9.19.0 → 9.19.20 | |
| Unbound | Up to 1.19.1 | NLnet Labs Advisory |
| Knot Resolver | 5.x prior to February 2024 patches | |
| Akamai DNSi (CacheServe, AnswerX, Cloud & Managed) | Pre-February 2024 builds | |
| dnsmasq and other DNSSEC-validating resolvers | Versions supporting DNSSEC prior to early 2024 updates | Refer to individual vendor advisories |
CVE-2023-50387 technical description
This vulnerability stems from an algorithmic complexity flaw within the DNSSEC validation process. When a resolver receives a DNS response containing a large number of cryptographic keys and signatures, it attempts to verify every possible key-signature combination. The absence of computational limits or safeguards in the validation routine allows an attacker to send a malicious DNS response that triggers excessive cryptographic computations.
Example behavior:
dig @
A malicious domain can return thousands of DNSKEY and RRSIG records, driving the resolver's CPU to full utilization during validation. The resolver becomes unresponsive, disrupting DNS resolution for entire networks and services. While the flaw does not enable arbitrary code execution, it critically impacts availability at scale.
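The following Python, added here as an illustration and not taken from the page, the KeyTrap paper or any resolver's source, models the matching loop described above. A validator tries an RRSIG only against DNSKEYs whose key tag and algorithm match; because key tags are 16-bit checksums rather than unique identifiers, a zone whose keys all share one tag turns validation into a keys × signatures search. The HMAC stand-in for the signature check, the record counts and the attempt budget are constructed assumptions.

```python
import hmac, hashlib
from typing import NamedTuple
class DNSKEY(NamedTuple):
    key_tag: int
    algorithm: int
    secret: bytes  # constructed key material for the HMAC stand-in below
class RRSIG(NamedTuple):
    key_tag: int
    algorithm: int
    signature: bytes

def sign(key, data):
    # Stand-in for the public-key signature real DNSSEC uses (RSA/ECDSA/EdDSA);
    # an HMAC keeps the example stdlib-only while each verify still costs CPU.
    return hmac.new(key.secret, data, hashlib.sha256).digest()

def verify(sig, key, data):
    return hmac.compare_digest(sig.signature, sign(key, data))

def candidate_pairs(sigs, keys):
    # RFC 4035 matching: a signature is tried only against keys with the same key
    # tag and algorithm. Key tags are 16-bit checksums, not unique IDs, so a zone
    # whose keys all share one tag makes every key a candidate for every RRSIG.
    return [(s, k) for s in sigs for k in keys
            if k.key_tag == s.key_tag and k.algorithm == s.algorithm]

def validate_naive(sigs, keys, data):
    """Pre-patch logic: try pairs until one verifies. Returns (secure, attempts)."""
    attempts = 0
    for s, k in candidate_pairs(sigs, keys):
        attempts += 1
        if verify(s, k, data):
            return True, attempts
    return False, attempts  # with nothing valid: len(sigs) * len(keys) attempts

def validate_bounded(sigs, keys, data, max_attempts=8):
    """Patched logic: fixed budget of failed verifications per RRset, then bogus."""
    attempts = 0
    for s, k in candidate_pairs(sigs, keys):
        if attempts >= max_attempts:
            return False, attempts  # fail closed (SERVFAIL) instead of burning CPU
        attempts += 1
        if verify(s, k, data):
            return True, attempts
    return False, attempts

def keytrap_rrset(n_keys=64, n_sigs=64, tag=12345, algorithm=13):
    """Constructed hostile RRset: one shared key tag, no valid signature."""
    keys = [DNSKEY(tag, algorithm, i.to_bytes(2, "big")) for i in range(n_keys)]
    sigs = [RRSIG(tag, algorithm, bytes(32)) for _ in range(n_sigs)]
    return sigs, keys
```

On the constructed 64 × 64 RRset, `validate_naive` performs 4096 verifications before giving up, while `validate_bounded` stops after 8 and reports the RRset bogus; a legitimately signed RRset still validates on the first matching pair.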
Tactics, techniques & procedures (TTPs)
Adversaries can exploit CVE-2023-50387 by:
Operating a malicious DNS zone that sends crafted DNSSEC responses.
Leveraging compromised or misconfigured DNS servers to redirect resolver queries to malicious domains.
Conducting amplified DoS attacks targeting recursive resolvers that perform DNSSEC validation.
These attacks can disrupt internet-facing applications, VPNs, and web services reliant on the affected resolvers.
Indicators of Compromise
Organizations should monitor for:
Sustained or unexplained high CPU usage on DNS resolvers.
DNS query timeouts or resolution failures across client networks.
Logs showing repeated queries to suspicious or unknown DNSSEC-enabled domains.
Indicators may include:
DNS queries to domains hosting oversized DNSKEY and RRSIG sets.
Outbound connections from resolvers to unexpected authoritative servers.
Increased latency or resource exhaustion alerts in monitoring tools.
Known Proof-of-Concepts & Exploits
As of publication, no public proof-of-concept exploit has been released, but research details from ATHENE’s KeyTrap paper demonstrate reproducible conditions. Major vendors and national CERTs have warned that exploitation is practical and easily weaponizable, with potential for large-scale service disruption if left unpatched.
How to detect CVE-2023-50387 vulnerability
Detection strategies include:
Network monitoring: Identify DNS responses with unusually large DNSSEC payloads.
Host-based tools: Use resolver debug or query logs to spot repetitive validation loops.
SIEM correlation: Query for anomalous resolver CPU spikes linked to DNSSEC validation routines.
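As an added example (not from the page or any vendor tool), the following Python implements the network-monitoring strategy above: it parses a DNS message in wire format, counts DNSKEY and RRSIG records across all sections, and flags responses whose counts exceed a threshold. The sample messages, the RDATA contents and the thresholds are constructed.

```python
import struct
DNSKEY, RRSIG = 48, 46   # RR type codes (RFC 4034)

def encode_name(name):
    # Uncompressed wire-format owner name: "example." -> b"\x07example\x00"
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def build_response(name, rrsets):
    """Constructed DNSSEC response; rrsets is a list of (type, rdata) for the
    answer section. Sample input only, not a capture from a real resolver."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, len(rrsets), 0, 0)
    question = encode_name(name) + struct.pack("!HH", DNSKEY, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 3600, len(rd)) + rd
                       for t, rd in rrsets)   # \xc0\x0c points at the question name
    return header + question + answers

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at msg[off:]."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def count_dnssec_records(msg):
    """Return (DNSKEY count, RRSIG count) over answer/authority/additional."""
    _, _, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4    # skip qtype + qclass
    counts = {DNSKEY: 0, RRSIG: 0}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype in counts:
            counts[rtype] += 1
    return counts[DNSKEY], counts[RRSIG]

def is_suspicious(msg, max_keys=16, max_sigs=16):
    """Flag responses with more keys/signatures than a sane zone needs (thresholds are assumptions)."""
    keys, sigs = count_dnssec_records(msg)
    return keys > max_keys or sigs > max_sigs
# Constructed samples: a normal zone (2 keys, 2 RRSIGs) and an oversized one.
KEY_RDATA = struct.pack("!HBB", 257, 3, 13) + bytes(64)       # flags, proto, alg, key
SIG_RDATA = struct.pack("!HBBIIIH", DNSKEY, 13, 1, 3600, 0, 0, 12345) + b"\x00" + bytes(64)
NORMAL = build_response("example.", [(DNSKEY, KEY_RDATA)] * 2 + [(RRSIG, SIG_RDATA)] * 2)
OVERSIZED = build_response("example.", [(DNSKEY, KEY_RDATA)] * 200 + [(RRSIG, SIG_RDATA)] * 200)
```

In practice the same counting runs over captured resolver traffic (for example from a packet capture feed), and the thresholds should be set from the zones your resolvers normally validate.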
Impact & risk of CVE-2023-50387 vulnerability
Exploitation can cause:
Denial-of-Service on DNS resolvers, halting domain resolution.
Network-wide service outages for applications, websites, and email systems relying on DNS.
Potential exploitation in chained attacks, where downtime facilitates secondary intrusions or misdirection.
Given that a large portion of the internet relies on DNSSEC-validating resolvers, this flaw poses systemic risk to global availability.
Mitigation & remediation strategies
To address CVE-2023-50387, organizations should:
Apply patches immediately from BIND, Unbound, or other resolver vendors.
Rate-limit DNSSEC validation tasks where supported.
Isolate or segment resolvers to reduce blast radius of DoS events.
Monitor for excessive resource utilization tied to DNSSEC activity.
Temporarily disable DNSSEC validation only if absolutely necessary and operational continuity is at risk.
CVE-2023-50387 Vulnerability FAQs