A broken DNSSEC rollover took down .AL. Now 1.1.1.1 tells you when validation is bypassed
Curated from Cloudflare Blog
When critical infrastructure fails, the immediate priority is often restoring service, but the long-term lesson lies in observability. The recent outage of the .AL top-level domain due to a DNSSEC rollover error highlights a common operational blind spot: administrators frequently assume validation is working correctly until it silently breaks. While deploying Negative Trust Anchors can mitigate immediate resolution failures, they do not provide clear feedback to clients about why trust was bypassed. This lack of transparency makes debugging difficult and leaves users in the dark regarding the security posture of their DNS queries. The introduction of EDE 33 by 1.1.1.1 addresses this gap by explicitly signaling validation bypasses within the DNS response itself. This shift from opaque failures to explicit error codes allows for faster identification of configuration drift or policy errors. For practitioners managing large-scale DNS deployments, integrating tools that provide granular validation status is essential for maintaining both availability and security integrity.
When a failed DNSSEC key rollover took down the . AL TLD, we deployed a Negative Trust Anchor to restore resolution. This time, though, clients didn't have to take our word for it: 1.
— Cloudflare Blog