How about requiring that each host have a DNSSEC key record? This would provide a minimum interoperable basis for authentication.