ISC's DNSSEC Look-Aside Validation Registry
  • Updated on 20 Mar 2019


Decommissioned as of September 30, 2017

Introduction

DLV (DNSSEC Look-aside Validation) was an extension to the DNSSECbis protocol. It was designed as a transition mechanism to assist in early DNSSEC adoption by allowing DNSSEC signing and validation of a domain whose parent was not DNSSEC-signed.

DLV provided an additional entry point (besides the root zone) from which to obtain DNSSEC validation information.

When it was possible to establish the DNSSEC chain of trust through the parent domain and on up to the DNS root, that was clearly preferable. We encouraged anyone using the DLV to use it as a temporary solution, while simultaneously requesting that their parent zone be signed.

DLV as implemented in BIND 9.4.3-P2 and later is described in "Preventing Child Neglect in DNSSECbis Using Lookaside Validation (DLV)", published in the IEICE Transactions on Communications and ISC technote ISC-TN-2006-1.

This work was carried out thanks to support by Keio University.

How the DLV Worked

For more information on DNSSECbis and DLV, refer to the RFCs defining the protocol extensions or some of the available reference material, such as Pro DNS and BIND by Ronald Aitchison, which also covers DLV.

DLV Decommissioning

In early 2015, ISC announced a proposed timeline for decommissioning the DLV. This was publicized on the ISC website and at numerous industry conferences (ICANN, RIPE, DNS-OARC, and NANOG, for example).

The ISC DLV Registry was available starting in 2006, and ISC was happy to provide the service. However, due to the great progress that native DNSSEC made, we decided that it was time to wind down the project. It served its purpose well.

In 2016, we stopped accepting any new zones that could validate to the Root, and removed from the DLV any zones that already did. We removed all records from the DLV in September 2017, but have left the (empty) service running so that resolvers that query the zone won’t continue retrying.

We thank everyone who participated in this project!
