DNSSEC Glitch Takes Down Albania's .AL TLD, Cloudflare Introduces Transparency
A failed DNSSEC rollover for Albania's .AL TLD caused widespread outages, prompting Cloudflare's 1.1.1.1 resolver to implement a new Extended DNS Error code to signal bypassed validation.

On July 3, 2026, Albania's country-code top-level domain (.AL) experienced a significant outage affecting government services, banks, and media. The disruption stemmed from a failed DNSSEC key rollover attempt by the Albanian communications authority (AKEP), the TLD's operator. This failure resulted in DNSSEC validation errors for any resolver attempting to verify .AL domain responses, rendering them inaccessible.
The incident mirrored a similar event that impacted Germany's .DE TLD just two months prior. In both cases, Cloudflare's public DNS resolver, 1.1.1.1, was forced to temporarily suspend DNSSEC validation for the affected TLDs by installing a Negative Trust Anchor (NTA). This measure, while restoring connectivity, meant that domains were no longer protected against DNS spoofing for the duration of the NTA's deployment.
DNSSEC, or Domain Name System Security Extensions, establishes a chain of trust from the root zone down to individual domain names. It uses cryptographic signatures to ensure the authenticity and integrity of DNS responses. A failure in this chain, such as a mismatch between a TLD's DNSKEY and the Delegation Signer (DS) record in the root zone, causes validating resolvers to reject all subsequent DNS queries for that TLD.
In the case of .AL, the root zone's DS record continued to point to an outdated DNSKEY after the TLD operator attempted to roll over to a new one. This mismatch led to validation failures. The situation was further complicated when the operator subsequently removed the new DNSKEY without restoring the old one, leaving the zone without any DNSKEY records while the DS record in the root still pointed to a non-existent key.
Cloudflare's response to the .AL outage marked a significant step towards transparency. While NTAs restore resolution, they do so silently, leaving clients unable to distinguish between a legitimately validated response and one served under an NTA. For the first time, 1.1.1.1 accompanied responses served under the .AL NTA with a new Extended DNS Error (EDE) code. This EDE code explicitly signaled to clients that DNSSEC validation had been bypassed due to the NTA, providing crucial visibility into the security posture of the received data.
The .AL operator eventually resolved the issue by removing the DS record from the root zone, effectively making the entire TLD unsigned. As of the report, .AL remains unsigned, lacking DNSSEC protections. Cloudflare's NTA was removed the following day once the root DS record was gone, as the NTA was no longer necessary.
This incident highlights the fragility of DNSSEC implementations and the critical need for robust operational procedures during key rollovers. The introduction of EDE codes by Cloudflare represents a proactive effort to address the inherent lack of transparency in Negative Trust Anchors, offering a more informed experience for users and applications relying on DNS resolution.