ISC’s DLV Registry


DLV (DNSSEC Look-aside Validation) is an extension to the DNSSECbis protocol. It is designed to assist in early DNSSEC adoption by allowing DNSSEC signing and validation of a domain whose parent is not DNSSEC signed.

DLV provides an additional entry point (besides the root zone) from which to obtain DNSSEC validation information.

When it is possible to establish the DNSSEC chain of trust through the parent domain and on up to the DNS root, that is clearly preferable.  We encourage anyone using the DLV to use it as a temporary solution, while simultaneously requesting that their parent zone be signed.

DLV as implemented in BIND 9.4.3-P2 and later is described at Preventing Child Neglect in DNSSECbis Using Lookaside Validation (DLV) published in the IEICE Transactions on Communications and ISC technote ISC-TN-2006-1.

This work was carried out thanks to support by Keio University.

How to use the DLV

For more information on DNSSECbis and DLV, refer to the RFCs defining the protocol extensions or some of the available reference material, such as Pro DNS and BIND by Ronald Aitchison, which also covers DLV.

To access the dlv, go to and follow the directions there.

Subscribe to the dlv-announce list to be kept up to date with DLV security announcements.

Visit ISC Knowledge Base for additional information on DLV Registry Policy and Practices.

Last modified: November 6, 2014 at 7:00 am