[Openswan Users] DNSSEC opportunistic encryption: just a beautiful dream?

Paul Wouters paul at nohats.ca
Sat Mar 10 22:21:42 EST 2012

On Sun, 11 Mar 2012, Niccolò Belli wrote:

> That's the very same implementation I thought of while trying to find an 
> alternative; unfortunately, installing openswan and a validating resolver in 
> every client isn't realistic: only a bunch of nerds will end up using it.

Not really. It will get deployed everywhere. Fedora 17 almost had it by
default and Fedora 18 will have it active by default.

> With the reverse approach, instead, a sysadmin can simply put openswan in his 
> network's gateway to encrypt all the connections from the clients. Anyway

That does not change. For servers, you just put the IPSECKEY in the
forward of the hostname instead of in the reverse of its IP address.

> Also, there is a thing in the old approach I never fully understood: when an 
> iOE wants to connect to a full-OE, it transmits the FQDN as an ID during the 
> IKE negotiation, then the other peer retrieves the TXT record with the keying 
> information. What's the point? Why not send the information directly?

Because there was no way of sending the key inline in the IPsec
protocol. They later had the X509 stuff where you could do it, but no one
wanted ASN.1 in openswan for this.

> Concerning the reverse zones: your SMTP doesn't have a valid PTR record (I 
> keep receiving your e-mails in the spam folder).

I've been trying to tell my ISP that for months. I will soon move this
service into colocated space.
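The forward-vs-reverse placement Paul describes above, as an added example that is not from this thread or from Openswan: it builds the owner name for either placement and serialises/parses IPSECKEY RDATA in the RFC 4025 wire layout (precedence, gateway type, algorithm, gateway, raw public key). The hostname vpn.example.com, the address 192.0.2.38 and the key bytes are constructed placeholders.

```python
import base64
import ipaddress
import struct
GW_NONE, GW_IPV4, GW_IPV6, GW_NAME = 0, 1, 2, 3  # gateway types, RFC 4025 s2.3

def owner_name(hostname, ip, forward):
    """Forward hostname (Paul's advice for servers) or the reverse name of ip."""
    if forward:
        return hostname.rstrip(".") + "."
    return ipaddress.ip_address(ip).reverse_pointer + "."

def wire_name(name):
    """Uncompressed wire-format domain name (RFC 1035 s3.1)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ipseckey_rdata(precedence, gw_type, algorithm, gateway, pubkey):
    """Serialise IPSECKEY RDATA to wire form: three octets, gateway, raw key."""
    gw = {GW_NONE: lambda: b"",
          GW_IPV4: lambda: ipaddress.IPv4Address(gateway).packed,
          GW_IPV6: lambda: ipaddress.IPv6Address(gateway).packed,
          GW_NAME: lambda: wire_name(gateway)}[gw_type]()
    return struct.pack("!BBB", precedence, gw_type, algorithm) + gw + pubkey

def ipseckey_parse(rdata):
    """Decode wire RDATA; a gateway of '.' means 'no gateway' (type 0)."""
    precedence, gw_type, algorithm = struct.unpack("!BBB", rdata[:3])
    body = rdata[3:]
    if gw_type == GW_NONE:
        gateway = "."
    elif gw_type == GW_IPV4:
        gateway, body = str(ipaddress.IPv4Address(body[:4])), body[4:]
    elif gw_type == GW_IPV6:
        gateway, body = str(ipaddress.IPv6Address(body[:16])), body[16:]
    elif gw_type == GW_NAME:
        labels, pos = [], 0
        while body[pos]:                      # walk the length-prefixed labels
            n = body[pos]
            labels.append(body[pos + 1:pos + 1 + n].decode("ascii"))
            pos += 1 + n
        gateway, body = ".".join(labels) + ".", body[pos + 1:]
    else:
        raise ValueError("unknown gateway type %d" % gw_type)
    return {"precedence": precedence, "gateway_type": gw_type, "algorithm": algorithm,
            "gateway": gateway, "pubkey": base64.b64encode(body).decode("ascii")}

def zone_line(owner, rdata, ttl=7200):  # RFC 4025 presentation: prec gwtype alg gw key
    f = ipseckey_parse(rdata)
    return "%s %d IN IPSECKEY %d %d %d %s %s" % (owner, ttl, f["precedence"],
           f["gateway_type"], f["algorithm"], f["gateway"], f["pubkey"])
```

The same RDATA can be published under either owner; a validating resolver on the client is what lets it trust the key it fetches.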
