When a broken DNSSEC key rollover crippled the .AL top-level domain, Cloudflare was forced to deploy a Negative Trust Anchor (NTA) to restore resolution. This time, however, clients get transparency: 1.1.1.1 now returns EDE 33, a new DNS error code that explicitly indicates DNSSEC validation was bypassed, as documented in RFC 8914.
- The failed rollover of the .AL KSK caused widespread resolution failures for .AL domains under DNSSEC validation.
- To restore connectivity, Cloudflare deployed an NTA, which disables DNSSEC validation for the TLD on its resolvers.
- Previously, clients had no standard way to detect such a bypass. Now, when an NTA is active, 1.1.1.1 includes an EDE 33 value in the
EXTRA-TEXTfield of the DNS response. - Clients can inspect EDE 33 (code
33— “DNSSEC validation was bypassed via Negative Trust Anchor”) to programmatically know that DNSSEC was disabled for a specific domain. - The change applies to all queries to 1.1.1.1 and 1.0.0.1 that would otherwise fail validation; the resolver still attempts validation first and falls back to NTA only if needed.
For developers, this is a critical transparency improvement. DNSSEC is meant to provide cryptographic guarantees; an NTA breaks that guarantee silently—unless the client can detect it. By leveraging EDE 33, applications can learn when a domain’s DNSSEC is bypassed and adjust trust accordingly. This is especially important for security monitoring tools, DNS clients, and any service relying on authenticated denial of existence. While NTAs solve outages like the .AL incident, they should be rare; EDE 33 lets you log, alert, or inform users about the degraded security posture in real time.