A broken DNSSEC rollover took down .AL. Now 1.1.1.1 tells you when validation is bypassed
Blog post from Cloudflare
On July 3, 2026, a failed DNSSEC key rollover by the Albanian communications authority (AKEP) led to DNSSEC validation failures across the .AL top-level domain, affecting access to Albanian government services, banks, and media for users relying on validating DNS resolvers like Cloudflare's 1.1.1.1. This incident mirrored a similar issue with Germany's .DE domain and prompted Cloudflare to apply a Negative Trust Anchor (NTA) to temporarily suspend DNSSEC validation, allowing .AL domains to remain accessible despite losing cryptographic verification against DNS spoofing. During this process, Cloudflare introduced a new Extended DNS Error (EDE) code to signal when responses were served under an NTA, thereby enhancing transparency and addressing a gap in client awareness that had persisted in previous incidents. The response provided insight into both the DNSSEC failure and the application of the NTA, a practice that has been formalized in an Internet-Draft and is being discussed within the IETF DNSOP Working Group to encourage broader adoption by other resolver implementations.
No tracked trend matches for this post yet.
Use this post, company, and trend context to find content marketing opportunities, perform competitive analysis, or address product feature gaps via the Plushcap MCP server or the Plushcap API.