ISC's DNSSEC Look-aside Validation Registry

Decommissioned as of September 30, 2017


DLV (DNSSEC Look-aside Validation) is an extension to the DNSSECbis protocol. It was designed as a transition mechanism to assist in early DNSSEC adoption by allowing DNSSEC signing and validation of a domain whose parent is not DNSSEC signed.

DLV provides an additional entry point (besides the root zone) from which to obtain DNSSEC validation information.

When it is possible to establish the DNSSEC chain of trust through the parent domain and on up to the DNS root, that is clearly preferable.  We encourage anyone using the DLV to use it as a temporary solution, while simultaneously requesting that their parent zone be signed.

DLV as implemented in BIND 9.4.3-P2 and later is described at Preventing Child Neglect in DNSSECbis Using Lookaside Validation (DLV) published in the IEICE Transactions on Communications and ISC technote ISC-TN-2006-1.

This work was carried out thanks to support by Keio University.

How to use the DLV

For more information on DNSSECbis and DLV, refer to the RFCs defining the protocol extensions or some of the available reference material, such as Pro DNS and BIND by Ronald Aitchison, which also covers DLV.

To access the dlv, go to and follow the directions there.

Subscribe to the dlv-announce list to be kept up to date with DLV security announcements.

DLV Decommissioning

In early 2015, ISC announced a proposed timeline for decommissioning the DLV.  This was publicized on the ISC web site, at at numerous industry conferences (ICANN, RIPE, DNS-OARC, NANOG, for example).

The ISC DLV Registry has been available since 2006, and ISC has been happy to provide the service. However, due to the great progress that native DNSSEC has made, we have decided that it is time to wind down the project. It has served its purpose well.

If you have a zone that can be properly validated to the Root, please do that. It helps everyone. If you’re not sure if your zone can be validated, we recommend you try the DNSViz tool. If you have a zone already in DLV that could validate properly to the Root, we’d like you to remove it from DLV. For now, these are just requests.

In 2016, we stopped accepting any new zones that could validate to the Root, and removed from the DLV any zones that already do. We will remove all records from DLV in 2017, but leave the (empty) service running.

We thank everyone who has participated in this project, and encourage everyone to sign their zones and publish their zones with native DNSSEC!

Last modified: October 2, 2017 at 10:30 am