ISC DHCP: Helping millions get IP addresses daily. Read more dismiss

To configure and use DLV, you must run BIND versions 9.4.3-P2, 9.5.1-P2, 9.6.1, or later versions. You must include OpenSSL support when compiling. Most system-supplied BIND 9 releases support OpenSSL automatically.

DLV makes several assumptions that are commonly true. Most of these assumptions are ones which publishers of zones must take note of. Consumers of DLV (see using DLV for more) will not generally be affected by these.

Requirements to Publish in DLV

Please make certain you have read the DNSSEC and DLV background.

In order to use DLV to secure your zone, you must use the KSK and ZSK key-types as intended. It is not common knowledge, but you can sign a zone with a KSK, or use a ZSK to chain trust. However, these are against the recommendations and common practices of DNSSEC key management.

You must add a special TXT record in your zone for each DNSKEY record you wish to submit to our database. These TXT records are used initially to prove that you have control over the domain, and once your zone has "good" status you may remove them if you wish. If you leave them, they will cause no harm.

A verification script will periodically test your DNSKEY records (and for newly added DNSKEYs, the TXT records) and verify the signatures on them. If these checks fail, that DNSKEY will be removed from publication. If there are no working DNSKEYs, your zone is disabled until a working key is added, or the checks succeed.

The DLV Registry currently supports key types of RSASHA1, DSA, NSEC3-RSASHA1-SHA1, NSEC3-DSA-SHA1, RSASHA256, and RSASHA512.