Subject: Re: per-process socket security settings
To: None <>
From: Jason R Thorpe <>
List: tech-net
Date: 03/07/2001 18:19:42
On Thu, Mar 08, 2001 at 10:42:39AM +0900, wrote:

 > 	yup, but if there's someone who would like to use IPsec'ed DNS
 > 	lookup...  an option to /etc/resolv.conf may be necessary.

Right, so if there is an option for resolv.conf, I guess it would
work like this:

	- defaults to off.

	- if off, explicitly set policy to "don't use ipsec" when
	  making the DNS request.

	- if on, explitly set policy to "use" or "require", based
	  on whatever the option is set to (and I guess allow the
	  option to set ah or esp or both).

That's the only sane way I can think of.

        -- Jason R. Thorpe <>