
RE: Host-based may be the way to go, but network controls are necessary

> An enhanced network-aware DNS approach is definitely a clean way to do
> valid source address selection.  In order for it to work, this service
> would need to know the current site-exit for every external prefix in
> the site's network routing table (::/0 included), and the source
> prefixes that that site-exit will honor.  This is certainly not
> impossible.  I run gated on several unix systems and could easily hack
> out a non-DNS prototype that could do this simply by (1) having a
> table of all the site-exits and the prefixes honored at those
> site-exits, (2) looking into the routing table and seeing who's the
> current site-exit for a requested destination, and (3) responding with the
> prefixes associated with that site-exit.

Would this run on the host, or run on a DNS resolver box?

In the latter case you need to think about DNSSEC implications
of your approach. The DNSSEC signatures are on the RRset (e.g. all AAAA RRs
for a name).

  Erik
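A sketch of the non-DNS prototype described in the quoted message (steps (1)-(3)), as an added example that is not code from either poster or from gated. The site-exit names, honored prefixes and routing table are constructed sample data, and the routing lookup is a plain longest-prefix match over an in-memory table rather than a query to a real routing daemon.

```python
import ipaddress

# (1) Table of site-exits and the source prefixes each exit will honor.
# Constructed sample data, not taken from any real site.
SITE_EXITS = {
    "exit-A": [ipaddress.ip_network("2001:db8:a::/48")],
    "exit-B": [ipaddress.ip_network("2001:db8:b::/48")],
    "exit-AB": [ipaddress.ip_network("2001:db8:a::/48"),
                ipaddress.ip_network("2001:db8:b::/48")],
}

# Site routing table: external prefix -> current site-exit (::/0 included).
# Constructed sample data; in the prototype this would come from gated.
ROUTES = {
    ipaddress.ip_network("::/0"): "exit-A",
    ipaddress.ip_network("2001:db8:1000::/36"): "exit-B",
    ipaddress.ip_network("2001:db8:1234::/48"): "exit-AB",
}


def current_site_exit(dest):
    """(2) Longest-prefix match: who is the current site-exit for dest?"""
    addr = ipaddress.ip_address(dest)
    # ::/0 always matches, so the candidate set is never empty.
    best = max((n for n in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


def honored_source_prefixes(dest):
    """(3) Respond with the source prefixes that site-exit will honor."""
    return SITE_EXITS[current_site_exit(dest)]


def select_source(dest, host_addrs):
    """Host-side use: pick one of the host's addresses that the current
    site-exit for dest will honor, or None if no address qualifies."""
    prefixes = honored_source_prefixes(dest)
    for a in host_addrs:
        if any(ipaddress.ip_address(a) in p for p in prefixes):
            return a
    return None
```

Because the answer is derived from the routing table rather than from DNS data, a host can apply it to a full, unmodified AAAA RRset, which sidesteps the RRset-signature concern raised above; a resolver that instead pruned AAAA records would alter the signed set.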