DNSSEC Lookaside Validation (DLV) Reference Page
What is DLV?
DLV is an easy way to configure trust anchors in DNSSEC-aware
resolvers. It allows site administrators to set up a single
repository for DNSSEC
trust anchors instead of having to configure a large set on each
DNSSEC-aware resolver. It also allows resolvers to outsource
DNSSEC trust anchor management to other organizations.
Why use it?
To benefit from DNSSEC, resolver operators must configure each
resolver with "trust anchors" (public keys) for each zone they want to
validate, unless they have already configured a trust anchor for one of
the zone's ancestors and there is a secure delegation chain from that
ancestor all the way down to the zone in question. Each of those
preconfigured trust anchors must also be actively maintained. At the
moment, with the root and most TLDs unsigned, that's an unwieldy chore.
DLV helps reduce the configuration burden for each resolver.
How can I try it?
Take a look at the existing DLV registries:
IKS GmbH
Where's the specification?
RFC 5074
RFC 4431, describing the DLV typecode.
What else has been written about DLV?
Deploying DNSSEC Without a Signed Root,
a Carnegie Mellon tech report discussing the design of DLV in more
detail
Copyright 2006 Samuel Weiler