On 8/6/2014 3:39 PM, John C Klensin wrote:
> the discussion suggests noting, again, the very limited
> nature of what DNSSEC actually protects. It is ultimately an
> integrity test within the DNS hierarchy.

This is such a fundamental point and of such broad community relevance, it's important we have clarity about it.

I have always understood DNSSec to provide /authentication for DNS data/, specifically that the data were put there under the authority of the domain name owner. The signing hierarchy (up to the root, when full DNSSec signing is used) certifies the authenticity of the domain owner's signature.

Data integrity is an important side-effect of crypto signing methodology. However I'm not used to seeing it classed as the primary purpose of DNSSec, with no mention of authentication.

It would be helpful for DNSSec experts to provide clear, simple, definitive statements on this.

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net