KeyTrap

As an end user, you need to take no immediate action. If you want to make sure your Internet provider has resolved the problem, you can inform them of the vulnerability. If your provider is under active attack and cannot resolve the problem, you may switch to one of the open resolvers that have already deployed patches, including Quad9, Cloudflare, and Google.

As a provider of DNS services, such as an open resolver or an ISP, update your DNS resolution software to the newest version as soon as possible to mitigate the attack surface. Patches for all major vendors have already been published. If deploying the patches is not currently possible, you can consider forwarding your queries to an open resolver that has already been patched. We do not advise disabling DNSSEC validation unless this has been carefully considered and you are under active attack, since downgrading protection opens the resolver up to other DNS attacks.
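The forwarding fallback described above, written out for Unbound as an added example (this is not configuration from the KeyTrap authors or from any vendor advisory; the trust-anchor path is a typical default and the upstream addresses are the public Quad9, Cloudflare and Google resolvers named on this page). The point of the example is that forwarding is layered on top of validation rather than replacing it:

```text
# /etc/unbound/unbound.conf (added example, paths assumed)
server:
    # Keep DNSSEC validation switched on. Dropping "validator" from
    # this line would turn validation off, which this page advises against.
    module-config: "validator iterator"
    # Trust anchor for the root zone; adjust the path to your installation.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Leave permissive mode off so bogus answers are rejected, not passed through.
    val-permissive-mode: no

# Send all queries to patched open resolvers instead of recursing yourself.
forward-zone:
    name: "."
    forward-addr: 9.9.9.9        # Quad9
    forward-addr: 149.112.112.112
    forward-addr: 1.1.1.1        # Cloudflare
    forward-addr: 1.0.0.1
    forward-addr: 8.8.8.8        # Google
    forward-addr: 8.8.4.4
    # Do not fall back to own recursion if the forwarders fail.
    forward-first: no
```

After reloading, `unbound-checkconf` validates the syntax, and a query for a DNSSEC-signed name should still return the AD flag, confirming validation is active behind the forwarders.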

Finally, if you run an authoritative DNS server, you might also want to update the tools you use if you allow users to upload zones and check them with tooling. Your zone-checking tools might also be vulnerable to the attack.