
Big Pineapple

Big Pineapple is Cloudflare's in-house recursive DNS resolver. It is the software that powers 1.1.1.1, 1.1.1.1 for Families, Gateway DNS, and DNS Firewall, i.e. every public resolver surface Cloudflare operates. It was disclosed by name in the 2026-05-06 DNSSEC .de outage post and introduced publicly in the earlier Big Pineapple intro post (not yet ingested on this wiki).

From the 2026-05-06 post:

"For 1.1.1.1 we have our own resolver referred to as Big Pineapple, which also powers 1.1.1.1 for Families, Gateway DNS, DNS Firewall, and more."

Role in Cloudflare's DNS stack

Big Pineapple sits at the recursive-resolver layer — the piece that takes a client's DNS query, walks the DNS hierarchy from root → TLD → authoritative nameserver, validates DNSSEC signatures, and caches answers. It is distinct from Cloudflare's authoritative DNS (which serves records for customer zones) and distinct from the internal origin resolver Cloudflare's CDN uses for customer origin-name resolution — though during the 2026-05-05 .de incident, both the Big-Pineapple-backed 1.1.1.1 and the internal origin resolver received similar NTA-equivalent mitigations.

Implementation details disclosed

From the 2026-05-06 DNSSEC incident:

  • No native NTA mechanism at the time of the incident. Cloudflare had to use "an existing override rule mechanism to mark .de as an insecure zone, which causes all .de queries to be resolved as if they don't have DNSSEC enabled. This is functionality equivalent to an NTA, though it is not formally defined in any RFC." Implied future work: implement a proper RFC 7646 NTA mechanism.
  • Serve-stale is implemented per RFC 8767. During the .de outage this significantly cushioned user impact — NOERROR rates stayed stable for hours despite upstream SERVFAILs, because expired-TTL records were still being served from cache.
  • Extended DNS Error (EDE) code propagation had a latent bug. The trust-chain verifier correctly detected DNSSEC-Bogus signatures and created an EDE 6 code, but the outer resolver layer discarded it and emitted EDE 22 ("No Reachable Authority") instead. The bug was disclosed in the 2026-05-06 post with a commitment to fix: "We're aware that this isn't helpful for 1.1.1.1 users and will be fixing our responses to surface the DNSSEC errors."
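
A regression check for the EDE masking described in the last bullet, as an added example (not Cloudflare's code): it parses EDNS option 15 (RFC 8914) out of OPT RDATA and reports DNSSEC info codes the validator raised that the response did not carry. The function names and the sample byte strings are constructed for illustration.

```python
import struct

EDE_OPTION_CODE = 15  # EDNS option code for Extended DNS Errors (RFC 8914)
# RFC 8914 INFO-CODEs that report a DNSSEC validation problem.
DNSSEC_CODES = {1, 2, 5, 6, 7, 8, 9, 10, 11, 12}

def encode_ede(info_code, text=""):
    """Build one EDE option: OPTION-CODE, OPTION-LENGTH, INFO-CODE, EXTRA-TEXT."""
    body = struct.pack("!H", info_code) + text.encode("utf-8")
    return struct.pack("!HH", EDE_OPTION_CODE, len(body)) + body

def parse_ede(opt_rdata):
    """Return [(info_code, extra_text)] for every EDE option in OPT RDATA."""
    found, pos = [], 0
    while pos + 4 <= len(opt_rdata):
        code, length = struct.unpack_from("!HH", opt_rdata, pos)
        pos += 4
        if pos + length > len(opt_rdata):
            raise ValueError("truncated EDNS option")
        body = opt_rdata[pos:pos + length]
        pos += length
        if code != EDE_OPTION_CODE:
            continue  # some other EDNS option (cookie, padding, ...)
        if length < 2:
            raise ValueError("EDE option shorter than its INFO-CODE")
        info = struct.unpack_from("!H", body)[0]
        found.append((info, body[2:].decode("utf-8", "replace")))
    if pos != len(opt_rdata):
        raise ValueError("trailing bytes after last EDNS option")
    return found

def masked_dnssec_codes(validator_codes, opt_rdata):
    """DNSSEC codes the validator raised that the response does not carry."""
    surfaced = {code for code, _ in parse_ede(opt_rdata)}
    return sorted((set(validator_codes) & DNSSEC_CODES) - surfaced)

# Constructed OPT RDATA, not captured traffic.
MASKED = encode_ede(22)  # only "No Reachable Authority"
COOKIE = struct.pack("!HH", 10, 8) + bytes(8)  # unrelated option, skipped
SURFACED = COOKIE + encode_ede(6, "bogus RRSIG") + encode_ede(22)

if __name__ == "__main__":
    print(masked_dnssec_codes([6], MASKED))    # validator said 6, client sees 22
    print(masked_dnssec_codes([6], SURFACED))  # 6 reaches the client
```

RFC 8914 allows several EDE options in one response, so carrying both 6 and 22 is valid; the check only fails when the validator's code is dropped.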

Known incidents affecting Big Pineapple (via 1.1.1.1)

Big Pineapple is the software whose bugs and configuration changes show up in the 1.1.1.1 incident record. See systems/cloudflare-1-1-1-1-resolver for the full list. The two most recent failure modes:
