Cloudflare surfaces DNSSEC bypass EDE 33
After the .AL TLD’s failed DNSSEC rollover, 1.1.1.1 now returns RFC EDE 33 signaling validation was bypassed, giving operators explicit transparency into trust-anchor workarounds.
A broken DNSSEC rollover took down .AL. Now 1.1.1.1 tells you when validation is bypassed — When a failed DNSSEC key rollover took down the .AL TLD, we deployed a Negative Trust Anchor to restore resolution. This time, though, clients didn't have to take our word for it: 1.1.1.1 returned EDE 33, a new DNS error code that signals directly in the response that DNSSEC validation was bypassed.




