In some email I received from itojun@iijlab.net, sie wrote:
> 
> >> 	you right.  i will need some trick to allow DNS lookups to go out
> >> 	without ipsec...
> >maybe libresolv could explicity check and reset it if it's not enabled
> >via resolv.conf ?
> 
> 	yup, but if there's someone who would like to use IPsec'ed DNS
> 	lookup...  an option to /etc/resolv.conf may be necessary.

libresolv already has extensive support for disabling and enabling
options via environment variables, so I can't see why this would be
too hard to manage.