Home / Companies / Cloudflare / Blog / Post Details
Content Deep Dive

A broken DNSSEC rollover took down .AL. Now 1.1.1.1 tells you when validation is bypassed

Blog post from Cloudflare

Post Details
Company
Date Published
Author
Sebastiaan Neuteboom
Word Count
1,614
Company Posts That Month
12
Language
English
Hacker News Points
-
Post removed?
No
Summary

On July 3, 2026, a failed DNSSEC key rollover by the Albanian communications authority (AKEP) led to DNSSEC validation failures across the .AL top-level domain, affecting access to Albanian government services, banks, and media for users relying on validating DNS resolvers like Cloudflare's 1.1.1.1. This incident mirrored a similar issue with Germany's .DE domain and prompted Cloudflare to apply a Negative Trust Anchor (NTA) to temporarily suspend DNSSEC validation, allowing .AL domains to remain accessible despite losing cryptographic verification against DNS spoofing. During this process, Cloudflare introduced a new Extended DNS Error (EDE) code to signal when responses were served under an NTA, thereby enhancing transparency and addressing a gap in client awareness that had persisted in previous incidents. The response provided insight into both the DNSSEC failure and the application of the NTA, a practice that has been formalized in an Internet-Draft and is being discussed within the IETF DNSOP Working Group to encourage broader adoption by other resolver implementations.

Trends Found in this Post

No tracked trend matches for this post yet.

Use This Data

Use this post, company, and trend context to find content marketing opportunities, perform competitive analysis, or address product feature gaps via the Plushcap MCP server or the Plushcap API.