Skip to content

PATTERN Cited by 1 source

EDE 33 NTA disclosure

Pattern

When a DNS resolver installs a Negative Trust Anchor (RFC 7646) to restore resolution during a TLD-level DNSSEC failure, attach Extended DNS Error code 33 (Negative Trust Anchor) to every response served under the NTA — providing per-response, in-band transparency that DNSSEC validation was bypassed.

Mechanism

The resolver returns both the answer (NOERROR + resource records) and two EDE codes:

  1. EDE 9 (DNSKEY Missing) — surfaces the underlying DNSSEC failure (chain of trust broken, no matching key)
  2. EDE 33 (Negative Trust Anchor) — signals that the resolver applied an NTA and served the response anyway

Together they give clients full visibility: the answer is real, but it was not DNSSEC-validated.

Design decision: zone-wide, not per-query

EDE 33 is returned on every response generated while an NTA is active for a zone, regardless of whether that specific query would have failed validation. A query for a domain that doesn't use DNSSEC at all still carries EDE 33 if it falls under an active NTA. This is intentional — the NTA covers the entire zone, and transparency applies equally.

Wire example

$ kdig @1.1.1.1 google.al
;; EDE: 9 (DNSKEY Missing): 'no SEP matching the DS found for al.'
;; EDE: 33 (Negative Trust Anchor): 'a Negative Trust Anchor has been applied for this query (see RFC 7646)'

;; ANSWER SECTION:
google.al.              300    IN    A    142.251.142.196

Standards status

  • Internet-Draft: draft-farrokhi-dnsop-ede-nta
  • Co-authors: Cloudflare + Babak Farrokhi (Quad9)
  • IANA code 33 assigned
  • Submitted to IETF DNSOP Working Group (discussion at Vienna IETF, July 18-24, 2026)
  • Knot DNS kdig recognizes EDE 33 by name; Unbound PR under review

Seen in

Relationship to prior incidents

The .DE incident (May 2026) exposed both the NTA transparency gap and an EDE-propagation bug (EDE 22 returned instead of EDE 6/9). The .AL incident (July 2026) deployed EDE 33 as the structural fix for both: the transparency gap is closed by EDE 33 existing, and the propagation bug is fixed by EDE 9 now correctly accompanying EDE 33.

Last updated · 585 distilled / 1,765 read