AFNIC – Multiple Vulnerabilities in Several DNS Products

AFNIC, the company behind the .FR extension, announced that a serious DNS security vulnerability was published on Monday, December 8, 2014 by ANSSI.

You can read the announcement after the jump:

“Discovered by Florian Maury, at the French National Agency for the Security of Information Systems (ANSSI), it is called “infinite recursion”.

It only affects DNS resolvers (and in certain circumstances, BIND software), even when it is on an authoritative server. It is present in several software systems, at least BIND (CVE-2014-8500), PowerDNS (CVE-2014-8601) and Unbound (CVE-2014-8602).

It does not seem to be present in the Microsoft Windows DNS resolver.

The vulnerability enables easy denial of service, which stops the operation of the resolver without committing extensive resources. It is therefore necessary for all DNS resolver managers to quickly update their software.

For BIND, upgrade to versions 9.9.6-P1 and 9.10.1-P1

<https://kb.isc.org/article/AA-01224/81/BIND-9.9.6-P1-Release-Notes.html>

<https://kb.isc.org/article/AA-01223/81/BIND-9.10.1-P1-Release-Notes.html>

For Unbound, upgrade to 1.5.1 “Fix CVE-2014-8602: denial of service by making resolver chase endless series of delegations”.

<https://unbound.nlnetlabs.nl/pipermail/unbound-users/2014-December/003663.html>

For PowerDNS, upgrade to 3.6.2, which was released several weeks ago.

<http://mailman.powerdns.com/pipermail/pdns-users/2014-December/011009.html>”
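To triage a resolver inventory against the fixed releases listed in the announcement, the following added example (not part of the AFNIC or ANSSI text) compares reported version strings with those releases. It assumes upstream-style version strings such as `9.9.6-P1`; the `FIXED` table, function names and sample inventory are constructed for illustration, and distribution packages with backported fixes will not be recognised by version number alone.

```python
import re

# Fixed releases named in the announcement, keyed by product and release branch.
# A branch of None means the page names a single fixed release for the product.
FIXED = {
    "bind": {(9, 9): "9.9.6-P1", (9, 10): "9.10.1-P1"},
    "unbound": {None: "1.5.1"},
    "powerdns": {None: "3.6.2"},
}

# major.minor.patch with BIND's optional "-P<n>" security patch level.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?$")


def parse(version):
    """Return (major, minor, patch, P-level), or None if not a plain release string."""
    m = _VERSION.match(version.strip())
    if not m:
        return None  # betas, release candidates, vendor suffixes: check by hand
    return tuple(int(g) if g else 0 for g in m.groups())


def status(product, version):
    """Classify a resolver version as 'fixed', 'upgrade' or 'unknown'."""
    branches = FIXED.get(product.lower())
    parsed = parse(version)
    if branches is None or parsed is None:
        return "unknown"
    fixed = branches.get(None) or branches.get(parsed[:2])
    if fixed is None:
        return "unknown"  # branch not covered by the announcement
    return "fixed" if parsed >= parse(fixed) else "upgrade"


if __name__ == "__main__":
    # Constructed inventory, not taken from the page.
    inventory = [("bind", "9.9.6"), ("bind", "9.10.1-P1"), ("bind", "9.8.4"),
                 ("unbound", "1.5.0"), ("powerdns", "3.6.2"), ("bind", "9.10.2rc1")]
    for product, version in inventory:
        print(f"{product:9} {version:12} {status(product, version)}")
```

An `unknown` result means the version string or branch is outside what the announcement covers and needs a manual check against the vendor's release notes.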