Skip to content

CLOUDFLARE 2026-07-14

Read original ↗

A broken DNSSEC rollover took down .AL. Now 1.1.1.1 tells you when validation is bypassed

Summary

On July 3, 2026, Albania's .AL TLD operator (AKEP) attempted a DNSSEC key rollover that went wrong: the old DNSKEY was removed before the root-zone DS record was updated, breaking the chain of trust for every domain under .AL. Cloudflare's 1.1.1.1 resolver installed a Negative Trust Anchor (RFC 7646) within ~3 hours to restore resolution. For the first time, 1.1.1.1 returned a new Extended DNS Error code — EDE 33 (Negative Trust Anchor) — alongside every response served under the NTA, closing a transparency gap that RFC 7646 acknowledged but left unresolved.

This is the second TLD-level DNSSEC failure Cloudflare mitigated via NTA within two months (.DE in May 2026, .AL in July 2026), and the first to ship inline in-band transparency via the new EDE code.

Key takeaways

  1. Second TLD-level DNSSEC failure in two months: .DE (May 5, 2026) and .AL (July 3, 2026) demonstrate that TLD key rollover failures are not one-offs but a recurring operational hazard in the DNS hierarchy (Source: intro).

  2. Incident timeline: The .AL operator published a new DNSKEY and stopped serving the old one at ~14:15 UTC while the root DS still pointed to old key id=26319. At ~17:00 UTC they removed the new DNSKEY too (zone had no DNSKEYs at all). At ~19:15 UTC they removed the DS from root, making .AL fully unsigned. As of publication, .AL remains unsigned (Source: "What happened to .AL" section).

  3. NTA deployed by 17:15 UTC: Cloudflare applied the NTA and rolled it out globally ~3 hours after the chain broke — same operational posture as the .DE incident (Source: "Why Negative Trust Anchors are used").

  4. NTA transparency gap closed with EDE 33: Until this incident, responses served under an NTA were indistinguishable from fully validated ones. RFC 7646 acknowledged this gap and recommended out-of-band disclosure only. The new EDE code 33 (Negative Trust Anchor) provides in-band, per-response transparency (Source: "Bringing transparency to Negative Trust Anchors").

  5. EDE 33 is universal within the NTA scope: 1.1.1.1 returns EDE 33 on every response generated while an NTA is active for that zone, regardless of whether the specific query would have failed DNSSEC validation — intentional design: "the NTA covers the entire zone, and transparency applies equally to every response served under it" (Source: "Bringing transparency" section).

  6. EDE 9 + EDE 33 together surface root cause + mitigation: The response carries both EDE: 9 (DNSKEY Missing) (underlying DNSSEC failure) and EDE: 33 (Negative Trust Anchor) (NTA applied) — clients and operators get full visibility into what happened and why (Source: kdig example).

  7. Fixes the .DE incident's EDE-propagation bug: During the .DE incident, 1.1.1.1 incorrectly returned EDE 22 (No Reachable Authority) instead of surfacing the DNSSEC error. During .AL, 1.1.1.1 correctly returned EDE 9 alongside EDE 33 (Source: "Bringing transparency" section).

  8. Internet-Draft + IANA assignment: The new EDE code is co-authored by Cloudflare and Babak Farrokhi (Quad9), filed as draft-farrokhi-dnsop-ede-nta, with IANA code 33 already assigned. Submitted to IETF DNSOP WG for discussion at the Vienna IETF meeting (July 18-24, 2026) (Source: "Bringing transparency" section).

  9. Ecosystem adoption underway: Knot DNS's kdig tool already recognizes EDE 33 by name; an Unbound PR is under review (Source: closing paragraphs).

  10. Contact channels for .AL operator were unreachable: Cloudflare attempted direct contact and posted on DNS-OARC Mattermost but received no response — in part because the operator's contact addresses were themselves under .AL (Source: "Why Negative Trust Anchors are used").

Operational numbers

  • .AL TLD rank: #191 on Cloudflare Radar's TLD ranking
  • DNSSEC break onset: ~14:15 UTC July 3, 2026
  • NTA global deployment: 17:15 UTC (≈3 hours post-break)
  • NTA removed: following day (once .AL removed DS from root, ~19:15 UTC July 3)
  • .AL remains unsigned as of publication (July 14, 2026)

Systems / concepts / patterns extracted

Caveats

  • The post frames EDE 33 as closing a gap, but the Internet-Draft is still individual submission / early-stage IETF process — adoption by other resolvers is not guaranteed.
  • The operational decision to install an NTA trades DNSSEC validation for availability — the post is transparent about this trade-off.
  • .AL remains unsigned; the incident has ongoing implications for Albanian internet services.

Source

Last updated · 585 distilled / 1,765 read