Just to point out that DNSSEC authenticates data even in the case of null data; that is, it provides authenticated denial of the existence of data.

Thanks,
Donald
=============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@xxxxxxxxx

On Sat, Aug 9, 2014 at 1:03 PM, Paul Wouters <paul@xxxxxxxxx> wrote:
> On Sat, 9 Aug 2014, Dave Crocker wrote:
>
>> Data integrity is an important side-effect of crypto signing
>> methodology. However I'm not used to seeing it classed as the primary
>> purpose of DNSSec, with no mention of authentication.
>
> In the mid nineties when DNSSEC was worked on, there were two camps. The
> DNS people who wanted to only secure DNS and explicitly did NOT
> want the DNS to become a PKI. And those that mainly wanted secure
> DNS to make a new PKI (e.g. Gilmore and the FreeS/WAN people). This
> fight continued throughout, and is the reason KEY/SIG/NXT changed to
> DNSKEY/RRSIG/NSEC. The change dictated those records were for DNS only
> and not for use by applications as PKI.
>
> So the PKI people had to silently go along with the DNS people to
> write and deploy DNSSEC, so that they could add their RRTYPEs for a
> PKI later even if the DNS people hated the idea. That is why you don't
> see it listed anywhere in any document as a purpose of DNSSEC.
>
> Paul
>
> _______________________________________________
> saag mailing list
> saag@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/saag
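Donald's remark is about the NSEC mechanism (RFC 4034 section 4): a signed NSEC record asserts that no owner name exists between its owner and its "next" name in canonical order, and that the owner has only the RR types in its bitmap, so a validator can authenticate an NXDOMAIN or NODATA answer instead of trusting a bare negative reply. The following is an added example written for this page, not code from the thread or from any DNSSEC implementation; the example.com. zone and its NSEC chain are constructed, and RRSIG verification of each NSEC is assumed to have already succeeded.

```python
"""Authenticated denial of existence with NSEC (RFC 4034 section 4, RFC 4035 section 5.4).

Added example, not code from the saag thread or from any DNSSEC implementation.
The zone below is constructed for illustration, and RRSIG verification of each
NSEC is assumed to have succeeded before these checks run.
"""
from __future__ import annotations

from dataclasses import dataclass


def _labels(name: str) -> list[str]:
    name = name.rstrip(".").lower()          # canonical form: lowercase, no trailing dot
    return name.split(".") if name else []


def canonical_key(name: str) -> list[bytes]:
    """Sort key for RFC 4034 section 6.1 canonical ordering: labels compared
    right to left as byte strings; a name sorts before its own subdomains."""
    return [label.encode("ascii") for label in reversed(_labels(name))]


def is_subdomain(name: str, apex: str) -> bool:
    a, n = canonical_key(apex), canonical_key(name)
    return n[: len(a)] == a


@dataclass(frozen=True)
class NSEC:
    owner: str
    next_name: str
    types: frozenset[str]   # type bitmap, as mnemonics


def covers(nsec: NSEC, qname: str) -> bool:
    """True if qname sorts strictly between owner and next, i.e. the zone has no
    such name. The last NSEC points back to the apex, so it wraps around."""
    o, n, q = (canonical_key(x) for x in (nsec.owner, nsec.next_name, qname))
    if o < n:
        return o < q < n
    return q > o or q < n


def closest_encloser(qname: str, nsec: NSEC) -> str:
    """Longest ancestor of qname shared with the covering NSEC's owner or next
    name; this is the deepest name that provably exists above qname."""
    q, best = canonical_key(qname), []
    for other in (nsec.owner, nsec.next_name):
        o, i = canonical_key(other), 0
        while i < min(len(q), len(o)) and q[i] == o[i]:
            i += 1
        if i > len(best):
            best = q[:i]
    return ".".join(label.decode() for label in reversed(best)) + "."


def prove_nxdomain(qname: str, apex: str, nsecs: list[NSEC]) -> bool:
    """NXDOMAIN needs one NSEC covering qname and one covering *.<closest
    encloser>; without the second, a wildcard could have synthesized an answer."""
    if not is_subdomain(qname, apex):   # NSECs only speak for their own zone
        return False
    for nsec in nsecs:
        if covers(nsec, qname):
            wildcard = "*." + closest_encloser(qname, nsec)
            return any(covers(w, wildcard) for w in nsecs)
    return False


def prove_nodata(qname: str, qtype: str, nsecs: list[NSEC]) -> bool:
    """NODATA: the name exists (an NSEC owns it) but its type bitmap lacks qtype."""
    for nsec in nsecs:
        if canonical_key(nsec.owner) == canonical_key(qname):
            return qtype.upper() not in nsec.types
    return False


# Constructed NSEC chain for a small example.com. zone (not a real zone).
APEX = "example.com."
ZONE = [
    NSEC("example.com.",     "a.example.com.",   frozenset({"A", "NS", "SOA", "MX", "RRSIG", "NSEC", "DNSKEY"})),
    NSEC("a.example.com.",   "ns1.example.com.", frozenset({"A", "RRSIG", "NSEC"})),
    NSEC("ns1.example.com.", "www.example.com.", frozenset({"A", "AAAA", "RRSIG", "NSEC"})),
    NSEC("www.example.com.", "example.com.",     frozenset({"A", "RRSIG", "NSEC"})),
]

if __name__ == "__main__":
    print(prove_nxdomain("b.example.com.", APEX, ZONE))      # True
    print(prove_nxdomain("a.example.com.", APEX, ZONE))      # False: the name exists
    print(prove_nxdomain("foo.example.org.", APEX, ZONE))    # False: out of zone
    print(prove_nodata("ns1.example.com.", "MX", ZONE))      # True
    print(prove_nodata("ns1.example.com.", "AAAA", ZONE))    # False: AAAA is present
```

Two practical caveats the code encodes: an NSEC only proves anything for the zone it belongs to (hence the apex check), and an NXDOMAIN proof is incomplete without the second NSEC covering the wildcard at the closest encloser, because a signed wildcard could otherwise have produced a legitimate answer for the name. A real validator additionally checks delegation edge cases (an NSEC owner with NS but no SOA is a zone cut, not proof about names below it), which this example omits.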