Better Fetch

· Paul Crossland

DNSSEC Validation Belongs in Fetch Incidents

A fresh .AL DNSSEC outage shows why crawlers should log resolver, DNSSEC, EDE, cache, and fallback evidence before blaming parsers.

A production fetch incident often starts with a misleading symptom: a crawler reports more timeouts, a browser worker never reaches the origin, API discovery stops for a country-code domain, or extraction yield falls to zero for pages that still look healthy from another network. The visible failure may arrive as ENOTFOUND, SERVFAIL, a browser navigation timeout, or a queue full of retries. None of those names tell you whether the page changed, the resolver changed, DNSSEC validation failed, a cache served stale data, or a fallback path quietly masked the outage.

That distinction became operationally concrete this week. On July 14, Cloudflare published an incident writeup, A broken DNSSEC rollover took down .AL. Now 1.1.1.1 tells you when validation is bypassed, describing how a DNSSEC rollover problem affected the .al top-level domain and how Cloudflare's public resolver now exposes when a negative trust anchor is being used through Extended DNS Error code 33. A few days earlier, Cloudflare's developer changelog announced a new DNS Firewall UX with more dashboard settings, moving previously API-only cluster settings into a more visible operational interface.

The thesis for web-data operators is not "use a different resolver when DNS breaks." That is too shallow and can become unsafe if it encourages blind bypass of validation. The useful thesis is this: DNS validation state is fetch state. If a crawler, browser automation pool, or API discovery worker cannot explain which resolver path, DNSSEC outcome, cache behavior, and error metadata produced a failed fetch, it will misdiagnose resolver incidents as site blocks, parser regressions, proxy problems, or regional bans.

The repeated angle to avoid

Recent Better Fetch posts have already covered session evidence, browser-family variance, TLS groups, AI traffic policy, runtime-specific fetch behavior, redirect timing, consent, language, and browser version drift. The repeated angle to avoid is "another infrastructure component changed, so log the version." Version logging is necessary, but this incident is about something more specific: name resolution and validation can fail before HTTP, before TLS, before rendering, and before any anti-bot or extraction logic has a chance to act.

That matters because DNS failures are easy to flatten. A fetch record might store network_error: true and move on. A browser trace might show only that navigation did not commit. A retry controller might mark the target as temporarily unavailable. An operator might switch regions or increase concurrency because the symptom looks like capacity. Those reactions are expensive when the real question is whether the name was resolvable, whether DNSSEC validation failed, whether an emergency exception was in effect, and whether different resolvers observed different truth.

Source map

Fresh primary evidence from the last seven days:

  • Cloudflare's July 14 .AL DNSSEC writeup contributes the incident mechanism: a DNSSEC rollover failure made a whole TLD unreliable for validating resolvers, and Cloudflare added a way to signal negative trust anchor use with Extended DNS Error 33.
  • Cloudflare's July 9 DNS Firewall changelog contributes the operational context: recursive and forwarding resolver infrastructure is a managed control plane with cluster settings, dashboard visibility, and configuration drift, not an invisible utility.

Older background context:

  • DNSSEC exists to let resolvers validate signed DNS answers rather than trusting every response on the path.
  • Extended DNS Errors are designed to add machine-readable context to DNS failures, which is exactly the kind of metadata fetch systems should preserve rather than collapse.

The synthesis is that resolver correctness should be part of the crawl evidence model. A web-data platform does not need to become a DNS monitoring company, but it does need enough DNS evidence to prevent the wrong remediation.

Why DNSSEC incidents look like fetch incidents

DNS sits upstream of every ordinary web fetch. When it fails, the downstream layers produce familiar but ambiguous symptoms:

  • Direct HTTP clients fail before they can open a socket.
  • Browser workers show navigation timeouts or provisional load failures.
  • Regional workers disagree because resolver caches and trust anchors differ.
  • API discovery jobs miss endpoints because the HTML never loads.
  • Extraction dashboards show empty output and may implicate parsers.
  • Retry systems can amplify load against resolvers and queues without improving success.

DNSSEC adds another important distinction. A domain may have authoritative data, and a non-validating resolver may return it, while a validating resolver rejects it because signatures, keys, or delegation state do not line up. From the viewpoint of a crawler that only stores failed_to_resolve, that difference disappears. From the viewpoint of incident response, it is the difference between an origin outage, a resolver policy decision, a registry or delegation problem, and an emergency negative trust anchor.

The Cloudflare writeup is useful because EDE 33 gives operators a better label for one of those emergency states. If a resolver is temporarily bypassing DNSSEC validation for a zone through a negative trust anchor, that should not be indistinguishable from a normal successful answer. It is a degraded trust condition. A production fetch system may still choose to continue for low-risk public data, but it should record that the artifact was collected under degraded validation, and it should avoid mixing those results with ordinary validated fetches without annotation.

What to log for every resolved fetch

Most crawlers do not need packet-level DNS traces for every request. They do need enough fields to answer incident questions later. A practical logging contract looks like this:

FieldWhy it matters
resolver_provider and resolver_endpointSeparates local stub, public resolver, DNS Firewall, DoH, DoT, and provider-managed paths.
dns_query_name and record_typeMakes CNAME chains, apex lookups, IPv4/IPv6 differences, and API hostnames inspectable.
dns_rcodeDistinguishes NOERROR, NXDOMAIN, SERVFAIL, timeout, and client-side cancellation.
dnssec_validatedRecords whether the answer was validated, insecure, bogus, or not checked.
extended_dns_error_code and textPreserves resolver-provided failure context, including negative trust anchor signals when available.
answer_ttl and cache_statusExplains stale answers, cache masking, and sudden recovery without an application deploy.
resolved_addresses_hashAllows comparison without storing every address in high-volume logs.
resolution_duration_msSeparates DNS latency from connect, TLS, first byte, and rendering latency.
resolver_regionCaptures regional variance in recursive infrastructure and cache state.

Keep these fields attached to the fetch attempt, not only to a separate DNS monitoring stream. The fetch artifact needs to carry the evidence that produced it. A screenshot captured after degraded DNS validation, a JSON response discovered through one resolver, and an extraction failure from another resolver are not identical observations.

Diagnostics before remediation

When a domain family suddenly fails, run a resolver comparison before changing crawl behavior:

  1. Compare the same hostname through the production resolver, a second validating resolver, and a controlled non-validating diagnostic resolver if policy allows it.
  2. Capture rcode, DNSSEC status, EDE code, answer TTL, CNAME chain, and resolved address set for each path.
  3. Test from at least two worker regions because resolver cache state and upstream paths may differ.
  4. Join DNS evidence to HTTP evidence: connect error, TLS handshake result, status code, redirect chain, and final URL.
  5. Pause aggressive retries when failures are dominated by resolver errors. Retrying at browser level will not fix a bad delegation.
  6. Mark any artifact collected during negative trust anchor use or degraded validation so downstream consumers understand the trust condition.

This is conservative reliability work, not evasion. The goal is to respect validation and origin policy while keeping operators from misclassifying infrastructure failures. If a validating resolver says a zone is bogus, the safe default is not to silently route around it. The safe default is to record the condition, reduce blast radius, and decide explicitly whether the use case can tolerate degraded trust.

Failure modes this prevents

The biggest failure mode is blaming the target site. A .al API, marketplace, publisher, or government page could appear to block a crawler when the real issue is DNSSEC validation. Changing headers, browsers, or proxies would add noise and might create compliance risk without improving correctness.

The second failure mode is contaminating datasets. If half the fleet collected data through a resolver using an emergency exception and the other half failed validation, the resulting dataset has an invisible split. That can show up later as regional disagreement, missing records, duplicate retries, or inconsistent freshness.

The third failure mode is losing the incident timeline. DNS TTLs and caches mean failures do not start and stop everywhere at the same time. Without resolver and cache fields, a post-incident review cannot explain why one queue recovered before another.

A decision rule for fetch platforms

Treat DNS as a first-class stage in the fetch pipeline whenever the output is used for production data. If resolution fails or validation is degraded, classify the attempt before escalating to browser rendering or changing network routes. If resolution succeeds under ordinary validation, downstream HTTP, TLS, WAF, session, and extraction evidence can be interpreted normally. If it succeeds only under degraded validation, store and surface that fact.

Reliable fetching is not just about reaching the page. It is about knowing which trust, policy, and state conditions produced the page. DNSSEC validation belongs in that evidence trail.