The authenticity and integrity go hand in hand. The party looking up a domain
name wants to know if the answer is correct. “Correct” in this context means
that it was provided by the party that is authorized to provide it, i.e. the
domain owner, and that the information hasn’t been modified along the path to
the user. That’s integrity and authenticity combined.
Steve
On Aug 9, 2014, at 12:25 PM, Dave Crocker <dhc(_at_)dcrocker(_dot_)net> wrote:

> On 8/6/2014 3:39 PM, John C Klensin wrote:
>> the discussion suggests noting, again, the very limited
>> nature of what DNSSEC actually protects. It is ultimately an
>> integrity test within the DNS hierarchy.
>
> This is such a fundamental point and of such broad community relevance,
> it's important we have clarity about it.
>
> I have always understood DNSSec to provide /authentication
> for DNS data/, specifically that the data were put there
> under the authority of the domain name owner.
>
> The signing hierarchy (up to the root, when full DNSSec signing is used)
> certifies the authenticity of the domain owner's signature.
>
> Data integrity is an important side-effect of crypto signing
> methodology. However I'm not used to seeing it classed as the primary
> purpose of DNSSec, with no mention of authentication.
>
> It would be helpful for DNSSec experts to provide clear, simple,
> definitive statements on this.
>
> d/
> --
> Dave Crocker
> Brandenburg InternetWorking
> bbiw.net