Using DNS for IPsec authentication

Warning! Proof-of-concept. Not yet production code. Please feel free to experiment and report back to me.

This was last touched 2012.


I have written a proof of concept implementation of a system for IPsec authentication with bare public keys (that is, not X.509 or OpenPGP certificates) stored in DNS.

Three scenarios are suggested:

For background, goals and a discussion, see the forthcoming article.

This project was sponsored in part by the .SE Foundation during 2011/2012.

You might also be interested in my BTNS project.

Key Server

I have patched the racoon IKE server from ipsec-tools and its management program, racoonctl. I have made three changes:

Automatic key loading and security policy

If you already know your peer's name you can start and it will automatically query for the peer's addresses and public key, load the key into racoon and configure a security policy. This can be used to establish transport mode communication or a tunnel between nodes that are both using dynamic IP addresses such as most home networks.

DNS resolver with automatic key loading is a small forwarding resolver using Perl's Net::DNS module. The resolver sits on the local node and captures attempts to query for A and AAAA records. When it captures these DNS queries it forwards them to a real resolver and additionally queries for a public key record (IPSECKEY) for the same name.

If an IPSECKEY record is found the resolver loads the key into a running IKE daemon, racoon (see below). The resolver then creates a security policy to trigger the IKE dialogue.

The resolver can be used together with a full validating DNSSEC resolver for added security.

Note that in a production system this functionality would most likely be merged with the real resolver.
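As an added illustration of what the resolver above has to do with an IPSECKEY answer before it can hand anything to racoon (this is example code written for this page, not the project's Perl resolver), the following parses IPSECKEY RDATA in the RFC 4025 wire format, renders it in zone-file form, and picks the record to load: lowest precedence first, skipping records that carry no key, and refusing an answer that did not come back DNSSEC-validated. The sample RDATA blobs and the RSA key bytes are constructed.

```python
"""Parse IPSECKEY RDATA (RFC 4025) and pick the key a resolver may hand
to the IKE daemon. Added example, not code from the racoon/resolver project."""
import base64
import ipaddress
import struct

GW_NONE, GW_IPV4, GW_IPV6, GW_NAME = 0, 1, 2, 3   # gateway types, RFC 4025 section 2.3

def _read_name(data, pos):
    """Decode an uncompressed wire-format domain name (RFC 1035 labels)."""
    labels = []
    while data[pos] != 0:
        n = data[pos]
        if n > 63:            # compression pointers are not allowed in this RDATA
            raise ValueError("bad label length")
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + ".", pos + 1

def parse_ipseckey(rdata):
    """Split one IPSECKEY RDATA blob into its fields (gateway as text)."""
    precedence, gw_type, algorithm = struct.unpack("!BBB", rdata[:3])
    pos = 3
    if gw_type == GW_NONE:
        gateway = "."
    elif gw_type == GW_IPV4:
        gateway, pos = str(ipaddress.IPv4Address(rdata[pos:pos + 4])), pos + 4
    elif gw_type == GW_IPV6:
        gateway, pos = str(ipaddress.IPv6Address(rdata[pos:pos + 16])), pos + 16
    elif gw_type == GW_NAME:
        gateway, pos = _read_name(rdata, pos)
    else:
        raise ValueError("unknown gateway type %d" % gw_type)
    return {"precedence": precedence, "gateway_type": gw_type, "algorithm": algorithm,
            "gateway": gateway, "public_key": rdata[pos:]}

def presentation(rec):
    """Zone-file form: precedence gateway-type algorithm gateway base64(key)."""
    return "%d %d %d %s %s" % (rec["precedence"], rec["gateway_type"], rec["algorithm"],
                               rec["gateway"], base64.b64encode(rec["public_key"]).decode())

def choose_key(records, dnssec_validated):
    """Lowest precedence wins; skip algorithm 0 (no key); refuse unvalidated answers,
    since an unsigned IPSECKEY reply would let a spoofed answer install a peer key."""
    if not dnssec_validated:
        return None
    usable = [r for r in records if r["algorithm"] != 0 and r["public_key"]]
    return min(usable, key=lambda r: r["precedence"]) if usable else None

# Constructed sample RDATA; the RSA key bytes are fake, laid out as in RFC 3110 (exp-len, exp, modulus)
FAKE_RSA = b"\x03\x01\x00\x01" + b"\xab" * 32
SAMPLE_IPV4 = bytes([10, GW_IPV4, 2]) + ipaddress.IPv4Address("192.0.2.38").packed + FAKE_RSA
SAMPLE_NAME = bytes([20, GW_NAME, 2]) + b"\x09mygateway\x07example\x03com\x00" + FAKE_RSA
SAMPLE_NOKEY = bytes([5, GW_NONE, 0])  # gateway ".", no key: must never be chosen
```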

Source Code

Automatic setup & DNS resolver

You can use git clone directly on:

IKE server

You can use git clone directly on:

There are two branches, master and loadkey.

If you want the whole shebang, go for master.

If you only want the changes that implement the loadkey command, use the loadkey branch.

For your convenience I have also released the diffs from ipsec-tools 0.8.0 here:

The master:


Only loadkey changes:


These patches should build on FreeBSD, and if you follow the instructions in the howto they might also build on Linux.

Please note that I've changed the flex files token.l and cftoken.l. This will regenerate the corresponding token.c and cftoken.c that were included in the original tarball, but the changes to the *.c files are not included in the patches proper.

Warning: This set of patches is not always in sync with the git repository. For the latest code changes please clone from git.


Using racoon with IPSECKEY records on FreeBSD.

Last updated: <2015-08-17 09:45:32 CEST>