Subject: Re: per-process socket security settings
To: None <itojun@iijlab.net>
From: Darren Reed <darrenr@reed.wattle.id.au>
List: tech-net
Date: 03/07/2001 23:36:50
In some email I received from itojun@iijlab.net, sie wrote:
> >Um, some application programs will do multiple host transactions, 
> >possibly (probably) with different security constraints for each 
> >host. To use your example:
> >	% secure telnet peer
> >What about the DNS transaction to get the IP address of "peer"?
> >I recognize that you're trying to make IPsecurity useful without 
> >requiring a wholesale change to every IP-speaking application, but 
> >I'm not sure that's really possible...
> >	just thinking out loud,
> 
> 	you're right.  i will need some trick to allow DNS lookups to go out
> 	without ipsec...

maybe libresolv could explicitly check and reset it if it's not enabled
via resolv.conf?