transparent addrsel policy adjustment for outbound TE
- To: shim6@psg.com
- Subject: transparent addrsel policy adjustment for outbound TE
- From: Pekka Savola <pekkas@netcore.fi>
- Date: Fri, 31 Mar 2006 12:28:09 +0300 (EEST)
Hi,
Reading the extended shim design draft, in particular the discussion
on app modifications to do SRV lookups, triggered the following thought.
I'm pretty sure someone must have run this thought experiment before,
so pointers would be useful if so.
When applications perform DNS lookups and get multiple responses, the
_resolver libraries_ could, based on transparent (to the app) SRV
lookups or a policy database, "weigh" the getaddrinfo responses given to
the applications. That is, because the apps by default try the
addresses in the order they get them from getaddrinfo, instead of
returning the records in round-robin fashion, the resolver could very
well return certain addresses first, e.g., 90% of the time, and some
others 10%. (The other obvious destination address selection criteria
should be applied first.)
This would not have any negative impact on the application as all the
addresses would still be there but the ordering would just be modified
based on preferences, though running transparent SRV lookups could
incur delays etc. if it's not done in parallel.
This could be a very effective means for outbound TE decisions without a
need to touch applications at all.
This doesn't really help with inbound TE though. (One could add a
similar function to the site's authoritative DNS server, and unmodified
resolvers might comply with that policy, but caching DNS servers would
mess this up.)
One could imagine that a part of inbound TE (for sessions which
originate at the site) could be handled with slightly similar source
address selection policies, but this doesn't help with inbound TE for
traffic originated from the Internet (but you could add the SRV
records or whatever if you care about this).
--
Pekka Savola
Netcore Oy
Systems. Networks. Security.
"You each name yourselves king, yet the kingdom bleeds."
-- George R.R. Martin: A Clash of Kings
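The weighted getaddrinfo() reordering sketched in the post, as an added example (not code from the author or from the shim6 work): a constructed prefix-to-weight table stands in for the transparent SRV lookups or policy database, and `POLICY`, `weight_for`, `order_addrinfo` and the `rank` callback are assumed names. It goes slightly beyond the post by also showing that the weighting is applied only after the ordinary destination selection rules.

```python
import ipaddress
import random
from collections import Counter

# Constructed outbound-TE policy: the longest matching prefix decides the weight.
POLICY = {
    ipaddress.ip_network("2001:db8:1::/48"): 90,  # preferred upstream
    ipaddress.ip_network("2001:db8:2::/48"): 10,  # backup upstream
}

def weight_for(addr):
    """Weight of the longest matching POLICY prefix (1 if none matches)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, w in POLICY.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, w)
    return best[1] if best else 1

def weighted_order(addrs, rng=random):
    """Permute addrs, RFC 2782 style: each pick is proportional to its weight.
    Nothing is dropped, so a 90/10 policy merely puts the preferred address
    first about 90% of the time; the application still sees every address."""
    pool = [(a, weight_for(a)) for a in addrs]
    ordered = []
    while pool:
        r = rng.randrange(sum(w for _, w in pool))  # 0 <= r < total weight
        acc = 0
        for i, (a, w) in enumerate(pool):
            acc += w
            if r < acc:
                ordered.append(pool.pop(i)[0])
                break
    return ordered

def order_addrinfo(addrs, rank, rng=random):
    """Apply rank(addr) first (the normal destination selection rules:
    precedence, scope, reachability), then weight-shuffle only within
    equal-rank groups, so TE weights never override those rules."""
    groups = {}
    for a in addrs:
        groups.setdefault(rank(a), []).append(a)
    return [a for r in sorted(groups) for a in weighted_order(groups[r], rng)]

def first_address_frequency(addrs, trials=10000, seed=1):
    """Fraction of trials in which each address comes back first (seeded)."""
    rng = random.Random(seed)
    hits = Counter(weighted_order(addrs, rng)[0] for _ in range(trials))
    return {a: hits[a] / trials for a in addrs}
```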