A broken DNSSEC rollover took down .AL. Now 1.1.1.1 tells you when validation is bypassed
Here is a 3-sentence summary of the blog post:
A broken DNSSEC rollover by the Albanian .AL TLD operator caused widespread DNS validation failures, leading Cloudflare's 1.1.1.1 resolver to apply a Negative Trust Anchor (NTA) to bypass validation and keep domains reachable. However, NTAs silently disable DNSSEC validation, making it difficult for clients to determine if the response is legitimate or spoofed, and Cloudflare introduced a new Extended DNS Error (EDE) code to address this issue. The new EDE code, which signals the presence of an NTA, is now included in responses from 1.1.1.1, providing clients and operators with transparency into the validation process and the reasons behind a response.
NetworkingSecurity