Today I got the administrative tool racoonctl to talk to racoon and load an RSA key. Typical debug output from racoon:
    Received loadkey command from admin socket, len = 610
    Key for addresses:
      IP address: 2001:16d8:ffff:1::4
      IP address: 2001:16d8:ffff:1::3
    Key length 514.
    RSA key exp: 3
    RSA key mod: ...
This means that the small capturing DNS resolver I wrote can load keys into racoon when it captures a user process in the process of querying for A/AAAA.
One step closer to authenticated but opportunistic IPsec encryption.