Just to point out that DNSSEC authenticates data even in the case of
null data; that is, it provides authenticated denial of the existence
of data.
Thanks,
Donald
=============================
Donald E. Eastlake 3rd +1-508-333-2270 (cell)
155 Beaver Street, Milford, MA 01757 USA
d3e3e3(_at_)gmail(_dot_)com
On Sat, Aug 9, 2014 at 1:03 PM, Paul Wouters <paul(_at_)nohats(_dot_)ca> wrote:
> On Sat, 9 Aug 2014, Dave Crocker wrote:
>> Data integrity is an important side-effect of crypto signing
>> methodology. However I'm not used to seeing it classed as the primary
>> purpose of DNSSec, with no mention of authentication.
>
> In the mid-nineties when dnssec was worked on, there were two camps. The
> DNS people who wanted to only secure DNS and explicitly did NOT
> want the DNS to become a PKI. And those that mainly wanted secure
> DNS to make a new PKI (e.g. Gilmore and the FreeS/WAN people). This
> fight continued throughout, and is the reason KEY/SIG/NXT changed to
> DNSKEY/RRSIG/NSEC. The change dictated those records were for DNS only
> and not for use by applications as PKI.
>
> So the PKI people had to silently go along with the DNS people to
> write and deploy DNSSEC, so that they could add their RRTYPEs for a
> PKI later even if the DNS people hated the idea. That is why you don't
> see it listed anywhere in any document as a purpose of DNSSEC.
>
> Paul
_______________________________________________
saag mailing list
saag(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/saag
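The "authenticated denial of existence" Donald refers to is what a validator gets from NSEC records: each NSEC names the next owner name in the zone's canonical order, so a signed NSEC proves that nothing exists in the gap between them (RFC 4034 sections 4 and 6.1, RFC 4035 section 5.4). The following is an added example, not code from the thread or from any participant; it assumes the NSEC RRsets have already passed RRSIG validation (that signature is what makes the denial authenticated, and it is not re-checked here), and the zone "example." with its NSEC chains is constructed for illustration.

```python
"""Added example: checking DNSSEC authenticated denial of existence with NSEC.

Assumes the NSEC RRsets were already validated against their RRSIGs. The zone
"example." and the NSEC chains below are constructed sample data, not real DNS.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NSEC:
    owner: str           # owner name of the NSEC record
    next: str            # "next domain name" field
    types: frozenset     # type bit map, as type mnemonics


# A name key is a tuple of case-folded label bytes, rightmost label first,
# so that plain tuple comparison gives the RFC 4034 s.6.1 canonical order.
Key = tuple


def canonical_key(name: str) -> Key:
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return tuple(l.encode("ascii") for l in reversed(labels))


def covers(nsec: NSEC, key: Key, apex_key: Key) -> bool:
    """True if `key` lies strictly inside the gap (owner, next) this NSEC proves empty."""
    o, n = canonical_key(nsec.owner), canonical_key(nsec.next)
    if n == apex_key:            # last record in the chain wraps around to the apex
        return o < key
    return o < key < n


def is_ancestor(short: Key, long: Key) -> bool:
    return len(short) < len(long) and long[:len(short)] == short


def closest_encloser(qkey: Key, nsec: NSEC) -> Key:
    """Longest ancestor of qname shared with the covering NSEC's owner or next name."""
    best: Key = ()
    for other in (nsec.owner, nsec.next):
        n = 0
        for a, b in zip(qkey, canonical_key(other)):
            if a != b:
                break
            n += 1
        if n > len(best):
            best = qkey[:n]
    return best


def denial_status(qname: str, qtype: str, apex: str, nsecs) -> str:
    """Return 'NODATA', 'NXDOMAIN' or 'UNPROVEN' for (qname, qtype) given validated NSECs."""
    qkey, apex_key = canonical_key(qname), canonical_key(apex)
    if not (qkey == apex_key or is_ancestor(apex_key, qkey)):
        return "UNPROVEN"        # name is outside the zone these NSECs describe

    # NODATA: the name exists (it owns an NSEC) but qtype is absent from the bit map.
    for nsec in nsecs:
        if canonical_key(nsec.owner) == qkey:
            return "UNPROVEN" if qtype in nsec.types else "NODATA"

    # NXDOMAIN needs two proofs: an NSEC covering qname, and an NSEC covering the
    # wildcard at the closest encloser, so no wildcard could have synthesised an answer.
    for nsec in nsecs:
        if not covers(nsec, qkey, apex_key):
            continue
        if is_ancestor(qkey, canonical_key(nsec.next)):
            return "UNPROVEN"    # qname exists as an empty non-terminal; chain is inconsistent
        wildcard = closest_encloser(qkey, nsec) + (b"*",)
        if any(covers(other, wildcard, apex_key) for other in nsecs):
            return "NXDOMAIN"
    return "UNPROVEN"


# Constructed sample zone "example." (hypothetical): apex, alpha, gamma.
APEX = "example."
NSEC_CHAIN = (
    NSEC("example.", "alpha.example.", frozenset({"SOA", "NS", "DNSKEY", "NSEC", "RRSIG"})),
    NSEC("alpha.example.", "gamma.example.", frozenset({"A", "NSEC", "RRSIG"})),
    NSEC("gamma.example.", "example.", frozenset({"A", "AAAA", "NSEC", "RRSIG"})),
)
# Same zone with a wildcard: a missing name may still get a synthesised answer.
WILDCARD_CHAIN = (
    NSEC("example.", "*.example.", frozenset({"SOA", "NS", "DNSKEY", "NSEC", "RRSIG"})),
    NSEC("*.example.", "alpha.example.", frozenset({"A", "NSEC", "RRSIG"})),
    NSEC("alpha.example.", "example.", frozenset({"A", "NSEC", "RRSIG"})),
)
# Malformed chain: ent.example. is an empty non-terminal with no NSEC of its own.
BROKEN_CHAIN = (
    NSEC("example.", "alpha.example.", frozenset({"SOA", "NS", "DNSKEY", "NSEC", "RRSIG"})),
    NSEC("alpha.example.", "x.ent.example.", frozenset({"A", "NSEC", "RRSIG"})),
    NSEC("x.ent.example.", "example.", frozenset({"A", "NSEC", "RRSIG"})),
)

if __name__ == "__main__":
    for q, t, chain in (("beta.example.", "A", NSEC_CHAIN),
                        ("alpha.example.", "AAAA", NSEC_CHAIN),
                        ("beta.example.", "A", WILDCARD_CHAIN),
                        ("ent.example.", "A", BROKEN_CHAIN)):
        print(q, t, "->", denial_status(q, t, APEX, chain))
```

Two caveats a validator has to carry beyond this sketch: NSEC3 (RFC 5155) proves the same thing over hashed owner names, so the ordering and closest-encloser logic operate on hashes rather than labels; and a wildcard that exists but lacks the queried type needs the wildcard-NODATA proof, which the code above reports as UNPROVEN rather than attempting.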