blog.cloudflare.com 7/14/2026, 4:40:22 PM · external

Albanian .AL DNSSEC failure prompts Cloudflare to skip validation

Albanian .AL DNSSEC failure prompts Cloudflare to skip validation
CyberSIXT Evidence Panel Source marked as original reporting

ON July 3, 2026, the Albanian communications authority (AKEP) experienced a DNSSEC key rollover failure in the .AL TLD, leading to widespread DNS resolution issues. Anyone attempting to access .AL domains via validating DNS resolvers encountered errors. In response, Cloudflare's DNS resolver, 1.1.1.1, implemented a Negative Trust Anchor (NTA) to temporarily bypass DNSSEC validation and restore access. The incident mirrored a previous issue with the .DE TLD two months earlier.

The failure stemmed from a broken DNSKEY chain where the DS record in the root zone pointed to an outdated key that no longer existed. By 17:15 UTC, Cloudflare had deployed the NTA, allowing resolution without DNSSEC validation. However, this also left the domains vulnerable to spoofing. For the first time, alongside responses, 1.1.1.1 included Extended DNS Error (EDE) codes to indicate when DNSSEC validation had been bypassed, enhancing transparency. As of publication, .AL remains unsigned, limiting its DNSSEC protections.

View full article

Article by CyberSIXT