Read more https://packetstormsecurity.com/files/177250/Technical_Report_KeyTrap.pdf
The KeyTrap Denial-of-Service Algorithmic Complexity Attacks On DNS
In this paper, the authors show that the design of DNSSEC is
flawed. Exploiting vulnerable recommendations in the DNSSEC
standards, they developed a new class of DNSSEC-based algorithmic
complexity attacks on DNS, which they dubbed KeyTrap attacks. All popular
DNS implementations and services are vulnerable. With just a single
DNS packet, the KeyTrap attacks lead to a 2.000.000x spike in CPU
instruction count in vulnerable DNS resolvers, stalling some for as
long as 16 hours. This devastating effect prompted major DNS
vendors to refer to KeyTrap as "the worst attack on DNS ever
discovered". Exploiting KeyTrap, an attacker could effectively
disable Internet access in any system utilizing a DNSSEC-validating
resolver.