PATTERN Cited by 1 source
EDE 33 NTA disclosure¶
Pattern¶
When a DNS resolver installs a Negative Trust Anchor (RFC 7646) to restore resolution during a TLD-level DNSSEC failure, attach Extended DNS Error code 33 (Negative Trust Anchor) to every response served under the NTA — providing per-response, in-band transparency that DNSSEC validation was bypassed.
Mechanism¶
The resolver returns both the answer (NOERROR + resource records) and two EDE codes:
- EDE 9 (DNSKEY Missing) — surfaces the underlying DNSSEC failure (chain of trust broken, no matching key)
- EDE 33 (Negative Trust Anchor) — signals that the resolver applied an NTA and served the response anyway
Together they give clients full visibility: the answer is real, but it was not DNSSEC-validated.
Design decision: zone-wide, not per-query¶
EDE 33 is returned on every response generated while an NTA is active for a zone, regardless of whether that specific query would have failed validation. A query for a domain that doesn't use DNSSEC at all still carries EDE 33 if it falls under an active NTA. This is intentional — the NTA covers the entire zone, and transparency applies equally.
Wire example¶
$ kdig @1.1.1.1 google.al
;; EDE: 9 (DNSKEY Missing): 'no SEP matching the DS found for al.'
;; EDE: 33 (Negative Trust Anchor): 'a Negative Trust Anchor has been applied for this query (see RFC 7646)'
;; ANSWER SECTION:
google.al. 300 IN A 142.251.142.196
Standards status¶
- Internet-Draft: draft-farrokhi-dnsop-ede-nta
- Co-authors: Cloudflare + Babak Farrokhi (Quad9)
- IANA code 33 assigned
- Submitted to IETF DNSOP Working Group (discussion at Vienna IETF, July 18-24, 2026)
- Knot DNS
kdigrecognizes EDE 33 by name; Unbound PR under review
Seen in¶
- sources/2026-07-14-cloudflare-dnssec-nta-ede-33 — first production deployment during the
.ALTLD DNSSEC failure (July 3, 2026)
Relationship to prior incidents¶
The .DE incident (May 2026) exposed both the NTA transparency gap and an EDE-propagation bug (EDE 22 returned instead of EDE 6/9). The .AL incident (July 2026) deployed EDE 33 as the structural fix for both: the transparency gap is closed by EDE 33 existing, and the propagation bug is fixed by EDE 9 now correctly accompanying EDE 33.