Today I got the administrative tool racoonctl to talk to racoon and load an RSA key. Typical debug output from racoon:

Received loadkey command from admin socket, len = 610
Key for addresses:
IP address: 2001:16d8:ffff:1::4
IP address: 2001:16d8:ffff:1::3
Key length 514.
RSA key exp: 3
RSA key mod: ...

This means that the small capturing DNS resolver I wrote can load keys into racoon when it intercepts a user process in the middle of an A/AAAA query.

One step closer to authenticated but opportunistic IPsec encryption.