[Openswan Users] DNSSEC opportunistic encryption: just a beautiful dream?

Niccolò Belli darkbasic at linuxsystems.it
Sat Mar 10 20:48:52 EST 2012


That's the very same implementation I thought of while trying to find an 
alternative; unfortunately, installing openswan and a validating resolver 
in every client isn't realistic: only a bunch of nerds will end up using it.
With the reverse approach, instead, a sysadmin can simply put openswan 
in his network's gateway to encrypt all the connections from the 
clients. Anyway, maybe we can achieve the same goal by putting the 
validating resolver in the gateway itself...

Also, there is a thing in the old approach I never fully understood: 
when an iOE wants to connect to a full-OE, it transmits the FQDN as an 
ID during the IKE negotiation, then the other peer retrieves the TXT 
record with the keying information. What's the point? Why not send 
the information directly?

P.S.
Concerning the reverse zones: your SMTP doesn't have a valid PTR record 
(I keep receiving your e-mails in the spam folder).

Cheers,
Niccolò