
Re: What does DNSSec protect? (Re: [saag] Last Call: <draft-dukhovni-opportunistic-security-01.txt> (Opportunistic Security: some protection most of the time) to Informational RFC)

2014-08-09 12:04:32
On Sat, 9 Aug 2014, Dave Crocker wrote:

> Data integrity is an important side-effect of crypto signing
> methodology.  However I'm not used to seeing it classed as the primary
> purpose of DNSSec, with no mention of authentication.

In the mid nineties when dnssec was worked on, there were two camps. The
DNS people who wanted to only secure DNS and explicitly did NOT
want the DNS to become a PKI. And those that mainly wanted secure
DNS to make a new PKI (eg Gilmore and the FreeS/WAN people). This
fight continued throughout, and is the reason KEY/SIG/NXT changed to
DNSKEY/RRSIG/NSEC. The change dictated those records were for DNS only
and not for use by applications as PKI.

So the PKI people had to silently go along with the DNS people to
write and deploy DNSSEC, so that they could add their RRTYPEs for a
PKI later even if the DNS people hated the idea. That is why you don't
see it listed anywhere in any document as a purpose of DNSSEC.

Paul
