Discovered by Florian Maury, at the French Network and Information Security Agency (ANSSI), it is called “infinite recursion“.
It only affects DNS resolvers (and in certain circumstances, BIND software, even when it is on an authoritative server). It is present in several software systems, at least BIND (CVE-2014-8500), PowerDNS (CVE-2014-8601) and Unbound (CVE-2014-8602).
It does not seem to be present in the Microsoft Windows DNS resolver.
The vulnerability enables easy denial of service attack, which stops the operation of the resolver without committing extensive resources. It is therefore necessary for all DNS resolver managers to quickly update their software.
For Unbound, upgrade to 1.5.1 “Fix CVE-2014-8602: denial of service by making resolver chase endless series of delegations”.
For PowerDNS, upgrade to 3.6.2, which was released several weeks ago.
Afnic is the acronym for Association Française pour le Nommage Internet en Coopération, the French Network Information Centre. The registry has been appointed by the French government to manage domain names under the .fr Top Level Domain. Afnic also manages the .re (Reunion Island), .pm (Saint-Pierre and Miquelon), .tf (French Southern and Antarctic Territories), .wf (Wallis and Futuna) and .yt (Mayotte) French Overseas TLDs.
In addition to managing French TLDs, Afnic’s role is part of a wider public interest mission, which is to contribute on a daily basis, thanks to the efforts of its teams and its members, to a secure and stable internet, open to innovation and in which the French internet community plays a leading role. As part of that mission, Afnic, a non-profit organization, donates 90% of its profits to its Foundation for Digital Solidarity. Afnic is also the back-end registry for the companies as well as local and regional authorities that have chosen to have their own TLD, such as .paris, .bzh, .alsace, .corsica, .mma, .ovh, .leclerc and .sncf.
Established in 1997 and based in Saint-Quentin-en-Yvelines, Afnic currently has 80 employees.