Hi all,
To add a bit to the documentation on the DNS KeyTrap vulnerability: a few months ago APNIC published a couple of blog posts that I found very interesting:
The following analysis caught my attention, where it says that this vulnerability is rooted in the design philosophy.
KeyTrap vulnerabilities are fundamental
Unfortunately, in contrast to software bugs, like Heartbleed, the vulnerabilities found during our research are fundamental and are not simple to resolve, since they are rooted in the design philosophy of DNSSEC. The DNSSEC specification from its early drafts explicitly includes the flawed requirements that lead to these vulnerabilities, and indeed, all DNS resolvers that follow the RFCs, as well as libraries and other tools that use the DNS or provide DNS functionality, like zone-checkers and debugging tools, were found to be vulnerable.