On Sat, 9 Aug 2014, Dave Crocker wrote:
Data integrity is an important side-effect of crypto signing methodology. However I'm not used to seeing it classed as the primary purpose of DNSSec, with no mention of authentication.
In the mid nineties when dnssec was worked on, there were two camps. The DNS people who wanted to only secure DNS and explicitly did NOT want the DNS to become a PKI. And those that mainly wanted secure DNS to make a new PKI (e.g. Gilmore and the FreeS/WAN people). This fight continued throughout, and is the reason KEY/SIG/NXT changed to DNSKEY/RRSIG/NSEC. The change dictated those records were for DNS only and not for use by applications as PKI. So the PKI people had to silently go along with the DNS people to write and deploy DNSSEC, so that they could add their RRTYPEs for a PKI later even if the DNS people hated the idea. That is why you don't see it listed anywhere in any document as a purpose of DNSSEC.

Paul