« All posts

Broken .AL DNSSEC Rollover Caused Outage; 1.1.1.1 Adds Bypass Alerts

Cloudflare fixed a broken .AL DNSSEC rollover with a Negative Trust Anchor and introduced a new EDE code that flags bypassed DNS validation.

On July 3, 2026, Albania's ccTLD operator AKEP broke .AL's DNSSEC chain during a key rollover: it published a new DNSKEY without updating the DS record in the root zone, then removed that new key too, leaving .AL with no valid DNSKEY while the root still expected one. Validating resolvers, including Cloudflare's 1.1.1.1, had to return SERVFAIL for any .AL query, making government, banking and media sites under the TLD unreachable.

To restore access, Cloudflare applied a Negative Trust Anchor (NTA) as defined in RFC 7646, telling 1.1.1.1 to treat .AL as unsigned and skip validation — the same fix it used for a similar .DE outage two months earlier. NTAs restore availability but sacrifice transparency: previously, a client had no way to tell from the response alone that validation had been bypassed.

For this incident, 1.1.1.1 rolled out a new Extended DNS Error (EDE) code, developed with Quad9 as an IETF draft, that explicitly flags when an NTA is active. Queries for .AL during the outage returned EDE 9 (DNSKEY Missing) alongside EDE 33 (Negative Trust Anchor), giving clients and monitoring tools visibility into the fact that an answer, though valid, was not cryptographically verified.

AKEP eventually removed the DS record from the root entirely, restoring resolution but leaving .AL unsigned as of publication — a reminder that registry-level DNSSEC misconfigurations can take down an entire TLD, and that resolver-side mitigations need to be visible to be trustworthy.