ISC’s DLV Registry

Last modified: June 21, 2013


DLV (DNSSEC Look-aside Validation) is an extension to the DNSSECbis protocol. It is designed to assist in early DNSSEC adoption by simplifying the configuration of recursive servers.

DLV provides an additional entry point (besides the root zone) from which to obtain DNSSEC validation information. Without DLV, in the absence of a fully signed path from the root to a zone, users wishing to enable DNSSEC-aware resolvers would have to configure and maintain multiple trusted keys into their configuration.

Maintaining multiple trusted keys by hand is an unmanageable task. ISC DLV removes this need by serving as a trusted repository of entry points through which those keys can be securely retrieved by the resolver when it needs them.

In fact, DLV Resource Records have the same semantics and syntax as the DS Resource Records which are part of standard DNSSECbis.

DLV as implemented in BIND 9.4.3-P2 and later is described at Preventing Child Neglect in DNSSECbis Using Lookaside Validation (DLV) published in the IEICE Transactions on Communications and ISC technote ISC-TN-2006-1.

This work was carried out thanks to support by Keio University.

For more information on DNSSECbis and DLV, refer to the RFCs defining the protocol extensions or some of the available reference material, such as Pro DNS and BIND by Ronald Aitchison, which also covers DLV.

Note: Only BIND versions 9.4.3-P2, 9.5.1-P2, and all later releases have fully functional DLV implementations.

Registering your zone key in the DLV tree

Once you have configured your DNS zone according to the instructions above, log into the DLV web site to upload your KSK records to ISC’s DLV Registry.

Before it is accepted into the zone, ISC will perform checks to ensure the keys are being used in the requested zone, that the persons making the request are who they claim to be and that they are authorised by the domain holder to request the inclusion of the keys in the zone.

Individuals and organisations with already established relationships with ISC may make use of that relationship as a means of authentication.

The current DLV KSK public key

Below you will find the current KSK public key, signed with ISC’s software signing PGP key.

This is the key you will need to configure in the trusted-keys clause of your named.conf file.

DLV KSK Public key PGP signature Published: 2008/09/21
DLV KSK for named.conf PGP signature Published: 2008/09/21

Subscribe to the dlv-announce list to be kept up to date with DLV security announcements.

Visit ISC Knowledge Base for additional information on DLV Registry Policy and Practices.