I think that Christian and Steve Bellovin have both provided reasonable examples of why application-specific security facilities can be more useful for the DNS/directory application (as compared to lower layer, more generic security facilities). Steve