[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"branding":3,"analytics":7,"article-cloudflare-now-flags-when-dnssec-validation-is-quietly-bypassed":10,"sections":34},{"siteName":4,"siteTagline":5,"publisherName":4,"contactEmail":6},"The Revision","Tech news, decoded.","editor@therevision.news",{"gaMeasurementId":8,"adsenseClientId":9},"G-ZW2MV82GYR","ca-pub-8533917693782264",{"article":11},{"id":12,"slug":13,"title":14,"dek":15,"body_md":16,"tags_json":17,"published_at":18,"created_at":19,"updated_at":20,"status":21,"review_note":22,"review_notes":23,"image_url":22,"persona_id":22,"persona_name":22,"section":24,"tags":25,"sources":29,"feedback":33,"feedback_at":22,"cost_usd":33,"total_tokens":33},4696,"cloudflare-now-flags-when-dnssec-validation-is-quietly-bypassed","Cloudflare Now Flags When DNSSEC Validation Is Quietly Bypassed","After Albania's top-level domain broke DNSSEC and went dark for hours, Cloudflare added a new error code so clients can tell when security checks were skipped.","Albania's entire .AL domain went unsigned last week, and Cloudflare used the mess to ship a transparency feature DNS has needed for years.\n\nOn July 3, the Albanian communications authority botched a DNSSEC key rollover. The operator swapped in a new signing key without updating the corresponding DS record in the root zone — the fingerprint that resolvers use to verify the key is legitimate. Any resolver that tried to validate .AL responses found no matching key and returned errors. Government sites, banks, and media outlets all went unreachable for users on validating resolvers, including Cloudflare's 1.1.1.1. The same failure mode hit Germany's .DE just two months earlier. To restore access, Cloudflare installed a Negative Trust Anchor (NTA) — an RFC 7646 mechanism that tells a resolver to stop checking DNSSEC for a zone and serve answers anyway. The NTA had .AL domains responding again by 17:15 UTC, about three hours after the chain broke. As of publication, .AL is still unsigned; the operator removed the DS record from the root zone to end the outage but has not restored it.\n\nThe catch with NTAs has always been silence: a response served under one looks identical to a fully validated answer, so clients, monitoring tools, and applications had no way to know DNSSEC was bypassed. That gap matters because suspending validation re-exposes domains to DNS spoofing for the duration. For the .AL incident, Cloudflare implemented a new Extended DNS Error code — EDE 33, drafted in an Internet-Draft co-authored with Quad9's Babak Farrokhi — that attaches a machine-readable signal to every affected response. Clients that understand EDE 33 now know the answer arrived without cryptographic verification, even when the query returns NOERROR.\n\nTwo major TLD failures in sixty days is worth noting. DNSSEC key rollovers are a known operational hazard, and country-code TLDs run the gamut from well-staffed registries to single-person operations — Albania's contact addresses were themselves under .AL, making them unreachable during the very outage Cloudflare was trying to report. EDE 33 is a reasonable patch, but it relies on clients actually reading the error codes, which most software today does not.","[\"dns\",\"security\",\"cloudflare\",\"dnssec\"]","2026-07-14T13:00:00.000Z","2026-07-14T16:45:51.725Z","2026-07-14T16:45:54.695Z","published",null,[],"security",[26,24,27,28],"dns","cloudflare","dnssec",[30],{"name":31,"url":32},"Cloudflare Blog","https:\u002F\u002Fblog.cloudflare.com\u002Fdnssec-nta-ede-33\u002F",0,{"sections":35},[36,41,44,49,54,59,64,69,74,79,84,89,94,99],{"name":37,"slug":38,"count":39,"latest_published_at":40},"AI","ai",2599,"2026-07-17T04:00:00.000Z",{"name":42,"slug":24,"count":43,"latest_published_at":40},"Security",305,{"name":45,"slug":46,"count":47,"latest_published_at":48},"Deals","deals",179,"2026-06-29T20:02:07.000Z",{"name":50,"slug":51,"count":52,"latest_published_at":53},"Policy","policy",165,"2026-07-16T22:02:31.000Z",{"name":55,"slug":56,"count":57,"latest_published_at":58},"Hardware","hardware",126,"2026-07-16T20:09:48.000Z",{"name":60,"slug":61,"count":62,"latest_published_at":63},"Consumer Tech","consumer-tech",94,"2026-07-16T16:29:46.000Z",{"name":65,"slug":66,"count":67,"latest_published_at":68},"Software","software",71,"2026-07-16T15:33:28.000Z",{"name":70,"slug":71,"count":72,"latest_published_at":73},"Science","science",66,"2026-07-10T10:29:37.000Z",{"name":75,"slug":76,"count":77,"latest_published_at":78},"Dev Tools","dev-tools",60,"2026-07-16T16:59:13.000Z",{"name":80,"slug":81,"count":82,"latest_published_at":83},"Startups","startups",42,"2026-07-16T16:30:35.000Z",{"name":85,"slug":86,"count":87,"latest_published_at":88},"Gaming","gaming",41,"2026-07-09T04:00:00.000Z",{"name":90,"slug":91,"count":92,"latest_published_at":93},"General","general",29,"2026-07-10T22:28:58.000Z",{"name":95,"slug":96,"count":97,"latest_published_at":98},"Reviews","reviews",20,"2026-06-24T12:00:01.000Z",{"name":100,"slug":101,"count":102,"latest_published_at":103},"How-To","how-to",6,"2026-06-16T09:00:00.000Z"]