Subject: Re: per-process socket security settings
To: None <itojun@iijlab.net>
From: Jason R Thorpe <thorpej@zembu.com>
List: tech-net
Date: 03/07/2001 18:19:42
On Thu, Mar 08, 2001 at 10:42:39AM +0900, itojun@iijlab.net wrote:

 > 	yup, but if there's someone who would like to use IPsec'ed DNS
 > 	lookup...  an option to /etc/resolv.conf may be necessary.

Right, so if there is an option for resolv.conf, I guess it would
work like this:

	- defaults to off.

	- if off, explicitly set policy to "don't use ipsec" when
	  making the DNS request.

	- if on, explicitly set policy to "use" or "require", based
	  on whatever the option is set to (and I guess allow the
	  option to set ah or esp or both).

That's the only sane way I can think of.

-- 
        -- Jason R. Thorpe <thorpej@zembu.com>
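
The option handling proposed in this message, as an added example (not code from the thread or from NetBSD): a hypothetical resolv.conf value is turned into a per-socket policy string in the format accepted by KAME's ipsec_set_policy(3). The option syntax ("off", "use[:PROTO]", "require[:PROTO]"), the ESP default and the name dns_ipsec_policy are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical option value: "off" | "use[:PROTO]" | "require[:PROTO]",
 * PROTO = "ah" | "esp" | "ah+esp" (ESP when omitted; an assumption).
 * Writes the policy string for one direction ("in" or "out") into buf.
 * Returns 0 on success, -1 on an unknown value or a short buffer, so a
 * typo in the config is rejected instead of silently weakening policy.
 */
int dns_ipsec_policy(const char *opt, const char *dir, char *buf, size_t len)
{
    const char *level, *proto;
    int n;

    if (strcmp(dir, "in") != 0 && strcmp(dir, "out") != 0)
        return -1;

    /* Unset or "off": ask for bypass explicitly rather than inheriting
     * whatever the system-wide policy would apply to the DNS socket. */
    if (opt == NULL || strcmp(opt, "off") == 0) {
        n = snprintf(buf, len, "%s bypass", dir);
        return (n < 0 || (size_t)n >= len) ? -1 : 0;
    }

    if (strncmp(opt, "use", 3) == 0 && (opt[3] == '\0' || opt[3] == ':')) {
        level = "use";
        proto = opt + 3;
    } else if (strncmp(opt, "require", 7) == 0 &&
               (opt[7] == '\0' || opt[7] == ':')) {
        level = "require";
        proto = opt + 7;
    } else {
        return -1;
    }
    proto = (*proto == '\0') ? "esp" : proto + 1;   /* skip ':' if present */

    if (strcmp(proto, "esp") == 0)
        n = snprintf(buf, len, "%s ipsec esp/transport//%s", dir, level);
    else if (strcmp(proto, "ah") == 0)
        n = snprintf(buf, len, "%s ipsec ah/transport//%s", dir, level);
    else if (strcmp(proto, "ah+esp") == 0)
        n = snprintf(buf, len, "%s ipsec esp/transport//%s ah/transport//%s",
                     dir, level, level);
    else
        return -1;
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}
```

On a KAME-derived stack the resulting string would be passed to ipsec_set_policy(3) and the returned buffer applied to the resolver's socket with setsockopt(IPPROTO_IP, IP_IPSEC_POLICY), once for "in" and once for "out".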