Inquiry on Mitigation Measures for DNS Server Vulnerabilities (KeyTrap+ NSEC3)

Denial of Service Vulnerability in DNS servers (KeyTrap+ NSEC3)
Indian - Computer Emergency Response Team (
Severity Rating: High
Two vulnerabilities have been reported in DNS protocol which could allow a remote attacker to cause Denial of Service (DoS) condition on the target DNS server.
Domain Name System (DNS) is a protocol that allows us to use human readable names to communicate over networks, rather than having to manage and memorize IP addresses.
The Domain Name System Security Extensions (DNSSEC) is a feature of the Domain Name System (DNS) that authenticates responses to domain name lookups.
These vulnerabilities exist due to improper input validation while processing DNSSEC related records. A remote attacker could exploit these vulnerabilities to cause denial of service (through CPU consumptions) via DNSSEC responses due to NSEC3 issue or Key Trap issue.
Successful exploitation of these vulnerabilities could allow a remote attacker to perform Denial of Service (DoS) condition on the targeted DNS server.
Apply appropriate security updates to the latest product versions immediately or once they are released by the respective vendors and other mitigation techniques as applicable.
CVE Name: CVE-2023-50387,CVE-2023-50868


I recently got the about the CVE-2023-50387 and CVE-2023-50868 vulnerabilities found, I am using the Route53 service as DNS provider so I am little confused do CVEs mentioned above affect route53 as well or not? If yes then has AWS taken the right steps to mitigate it? I checked the AWS Security Bulletins but could not find anything about CVEs.

Thanks in advance, Mahesh

已提問 3 個月前檢視次數 165 次
1 個回答

As per Vulnerability Reporting - Address potential vulnerabilities in any aspect of our cloud services

If you would like to report a vulnerability or have a security concern regarding AWS cloud services or open source projects, please submit the information by contacting If you wish to protect the contents of your submission, you may use our PGP key.

已回答 3 個月前

您尚未登入。 登入 去張貼答案。