Re: [saag] What does DNSSec protect? (Re: Last Call: <draft-dukhovni-opportunistic-security-01.txt> (Opportunistic Security: some protection most of the time) to Informational RFC)


 



The authenticity and integrity go hand in hand.  The party looking up a domain name wants to know if the answer is correct.  “Correct” in this context means that it was provided by the party that is authorized to provide it, i.e. the domain owner, and that the information hasn’t been modified along the path to the user.  That’s integrity and authenticity combined.

Steve

On Aug 9, 2014, at 12:25 PM, Dave Crocker <dhc@xxxxxxxxxxxx> wrote:

> On 8/6/2014 3:39 PM, John C Klensin wrote:
>> the discussion suggests noting, again, the very limited
>> nature of what DNSSEC actually protects.  It is ultimately an
>> integrity test within the DNS hierarchy. 
> 
> 
> This is such a fundamental point and of such broad community relevance,
> it's important we have clarity about it.
> 
>     I have always understood DNSSec to provide /authentication
>     for DNS data/, specifically that the data were put there
>     under the authority of the domain name owner.
> 
> The signing hierarchy (up to the root, when full DNSSec signing is used)
> certifies the authenticity of the domain owner's signature.
> 
> Data integrity is an important side-effect of crypto signing
> methodology.  However I'm not used to seeing it classed as the primary
> purpose of DNSSec, with no mention of authentication.
> 
> It would be helpful for DNSSec experts to provide clear, simple,
> definitive statements on this.
> 
> d/
> -- 
> Dave Crocker
> Brandenburg InternetWorking
> bbiw.net





