A broken DNSSEC rollover took down .AL. Now 1.1.1.1 tells you when validation is bypassed¶
Summary¶
On July 3, 2026, Albania's .AL TLD operator (AKEP) attempted a DNSSEC key rollover that went wrong: the old DNSKEY was removed before the root-zone DS record was updated, breaking the chain of trust for every domain under .AL. Cloudflare's 1.1.1.1 resolver installed a Negative Trust Anchor (RFC 7646) within ~3 hours to restore resolution. For the first time, 1.1.1.1 returned a new Extended DNS Error code — EDE 33 (Negative Trust Anchor) — alongside every response served under the NTA, closing a transparency gap that RFC 7646 acknowledged but left unresolved.
This is the second TLD-level DNSSEC failure Cloudflare mitigated via NTA within two months (.DE in May 2026, .AL in July 2026), and the first to ship inline in-band transparency via the new EDE code.
Key takeaways¶
-
Second TLD-level DNSSEC failure in two months:
.DE(May 5, 2026) and.AL(July 3, 2026) demonstrate that TLD key rollover failures are not one-offs but a recurring operational hazard in the DNS hierarchy (Source: intro). -
Incident timeline: The
.ALoperator published a new DNSKEY and stopped serving the old one at ~14:15 UTC while the root DS still pointed to old key id=26319. At ~17:00 UTC they removed the new DNSKEY too (zone had no DNSKEYs at all). At ~19:15 UTC they removed the DS from root, making.ALfully unsigned. As of publication,.ALremains unsigned (Source: "What happened to .AL" section). -
NTA deployed by 17:15 UTC: Cloudflare applied the NTA and rolled it out globally ~3 hours after the chain broke — same operational posture as the
.DEincident (Source: "Why Negative Trust Anchors are used"). -
NTA transparency gap closed with EDE 33: Until this incident, responses served under an NTA were indistinguishable from fully validated ones. RFC 7646 acknowledged this gap and recommended out-of-band disclosure only. The new EDE code 33 (Negative Trust Anchor) provides in-band, per-response transparency (Source: "Bringing transparency to Negative Trust Anchors").
-
EDE 33 is universal within the NTA scope: 1.1.1.1 returns EDE 33 on every response generated while an NTA is active for that zone, regardless of whether the specific query would have failed DNSSEC validation — intentional design: "the NTA covers the entire zone, and transparency applies equally to every response served under it" (Source: "Bringing transparency" section).
-
EDE 9 + EDE 33 together surface root cause + mitigation: The response carries both
EDE: 9 (DNSKEY Missing)(underlying DNSSEC failure) andEDE: 33 (Negative Trust Anchor)(NTA applied) — clients and operators get full visibility into what happened and why (Source: kdig example). -
Fixes the
.DEincident's EDE-propagation bug: During the.DEincident, 1.1.1.1 incorrectly returned EDE 22 (No Reachable Authority) instead of surfacing the DNSSEC error. During.AL, 1.1.1.1 correctly returned EDE 9 alongside EDE 33 (Source: "Bringing transparency" section). -
Internet-Draft + IANA assignment: The new EDE code is co-authored by Cloudflare and Babak Farrokhi (Quad9), filed as draft-farrokhi-dnsop-ede-nta, with IANA code 33 already assigned. Submitted to IETF DNSOP WG for discussion at the Vienna IETF meeting (July 18-24, 2026) (Source: "Bringing transparency" section).
-
Ecosystem adoption underway: Knot DNS's
kdigtool already recognizes EDE 33 by name; an Unbound PR is under review (Source: closing paragraphs). -
Contact channels for .AL operator were unreachable: Cloudflare attempted direct contact and posted on DNS-OARC Mattermost but received no response — in part because the operator's contact addresses were themselves under
.AL(Source: "Why Negative Trust Anchors are used").
Operational numbers¶
.ALTLD rank: #191 on Cloudflare Radar's TLD ranking- DNSSEC break onset: ~14:15 UTC July 3, 2026
- NTA global deployment: 17:15 UTC (≈3 hours post-break)
- NTA removed: following day (once
.ALremoved DS from root, ~19:15 UTC July 3) .ALremains unsigned as of publication (July 14, 2026)
Systems / concepts / patterns extracted¶
- Systems: Big Pineapple (resolver software), systems/cloudflare-1-1-1-1-resolver|1.1.1.1
- Concepts: Negative Trust Anchor, Extended DNS Errors, TLD-level failure blast radius, DNSSEC, DNSSEC chain of trust, NTA transparency
- Patterns: NTA for TLD outage, EDE 33 NTA disclosure
Caveats¶
- The post frames EDE 33 as closing a gap, but the Internet-Draft is still individual submission / early-stage IETF process — adoption by other resolvers is not guaranteed.
- The operational decision to install an NTA trades DNSSEC validation for availability — the post is transparent about this trade-off.
.ALremains unsigned; the incident has ongoing implications for Albanian internet services.
Source¶
- Original: https://blog.cloudflare.com/dnssec-nta-ede-33/
- Raw markdown:
raw/cloudflare/2026-07-14-a-broken-dnssec-rollover-took-down-al-now-1111-tells-you-whe-a9e7f215.md
Related¶
- sources/2026-05-06-cloudflare-when-dnssec-goes-wrong-de-tld-outage — the
.DEincident (May 2026); same NTA mitigation pattern, EDE-propagation bug disclosed and now fixed in the.ALresponse