The directory service supports message authentication using public-key and shared-key cryptographic signatures. This allows clients to determine that the answer they get from the directory service is authentic, and allows relay agents to identify a particular principal associated with a client.
Unlike DNS security [5], a single name-to-address mapping cannot be signed by the authoritative server for a name, because the address also depends on the intervening relay agents. Instead, relay agents must establish trust relationships.