Overview
Explore a groundbreaking cybersecurity research presentation from USENIX Security '25 that reveals a critical vulnerability in DNSSEC (Domain Name System Security Extensions) implementation. Learn how researchers from Tsinghua University and Zhongguancun Laboratory discovered the RUC (Reuse of Unvalidated Caches) attack, which exploits DNSSEC troubleshooting mechanisms to transform the security protocol from a protective shield into an attack vector. Understand how adversaries can inject forged data into DNS resolver caches through troubleshooting interfaces, causing persistent DNSSEC validation failures that can disrupt domain resolution for over 24 hours with a single injection. Discover the widespread impact of this vulnerability across mainstream DNS software, public DNS services, and DNSSEC-compliant open resolvers through comprehensive Internet-wide measurements. Examine the technical details of how resolvers improperly mix cached data from troubleshooting operations with routine DNS operations, creating an exploitable attack surface. Review the responsible disclosure process, the patches implemented by major DNS providers including BIND, Cloudflare, and OpenDNS following the researchers' findings, and the recommendations for formal guidelines on handling troubleshooting data in DNSSEC environments.
Syllabus
USENIX Security '25 - Your Shield is My Sword: A Persistent Denial-of-Service Attack via the...
Taught by
USENIX