I have written a small forwarding DNS resolver in Perl that I use in the opportunistic IPsec project. It was the first thing I wrote when I started this project back in December, 2011. Today I changed it to use the patched racoonctl I wrote about yesterday.
This means that if you use my racoon patches and my resolver together you can now have opportunistic encryption with fairly strong DNS authentication.
Typically you will trigger the authentication and encryption automagically just by querying DNS and then sending traffic to the other node. This means a simple, say,
% ping6 ipsec1.hack.org
will automatically authenticate that you're talking to the right node and then encrypt all your precious traffic.
I have updated the HOWTO. Please try to follow the instructions and test. Report back to me.
Please note that all this is still very experimental.