Decommissioning the DLV

Completed as of September 30, 2017

Update, September 30, 2017: The DLV contents have been replaced with a signed empty zone. There is no longer any need or benefit to querying the DLV.


The ISC DLV Registry has been available since 2006, and ISC has been happy to provide the service. However, due to the great progress that native DNSSEC has made, we have decided that it is time to wind down the project. It has served its purpose well.

If you have a zone that can be properly validated to the Root, please do that. It helps everyone. If you’re not sure if your zone can be validated, we recommend you try the DNSViz tool. If you have a zone already in DLV that could validate properly to the Root, we’d like you to remove it from DLV. For now, these are just requests.

In 2016, we plan to stop accepting zones that could validate to the Root, and will remove from the DLV any zones that already do. We will remove all records from DLV in 2017, but leave the (empty) service running.

We thank everyone who has participated in this project, and encourage everyone to sign their zones and publish their zones with native DNSSEC!



We discussed our plans at ICANN in February in Singapore, at DNS-OARC and RIPE in May in Amsterdam, and at NANOG in San Francisco in June.  The feedback from those groups was very positive in favor of moving ahead with this timeline.  There are a few more details in the presentations linked below.

ICANN 52, Sunset for the DLV– Vicky Risk, Director of Marketing February 9, 2015
RIPE 70 – Sunset for the DLV– Jim Martin, Director of Operations May 13, 2015

We have directly notified those operating system distributors of BIND that we are aware of, as well as the Unbound team at NLNET Labs. If you know of other organizations we should notify, let us know at


  1. Just Me May 29, 2015

    Since almost no domain registrar supports publishing the KSK, DNSSEC will be history without the ISC DLV Registry. Anyway, thanks for providing this service!

  2. Madbunny June 29, 2015

    I share same opinion as Just Me. Right now there are (too) many big names who still do not (natively) support DNSSEC and not sure how good would be to stop offering the service. Just as example, CloudFlare postponed several times DNSSEC and some people like me are waiting for months to see any news. Then Namecheap one of the top domain registrars does support DNSSEC but only if you ask them over tickets and even then you are not sure how would be the initial response which depends on how much is educated their support staff currently dealing with you. The situation is even worst when it comes to payment processors like PayPal who was only one using DNSSEC. I could go on and on with similar examples but for whatever reason we are still far away from anything ideal.

Leave a reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Last modified: October 2, 2017 at 10:34 am