Opportunistic Encryption is a means of initiating IPsec tunnels to remote hosts by publishing and retrieving public keys from the DNS. We publish our own public key, and the remote server publishes its key, and then both servers can obtain the other's public key and set up an IPsec tunnel. No other pre-arrangement is necessary. This is a symmetrical process, and any host can initiate OE to another host. They are equal peers. However, for simplicity, we will sometimes talk about the server and the client. The intended meaning is that the client initiates, and the server responds.
Using DNS to store public keys protects us against all passive attacks. If DNSSEC is used as well, we are also protected against active attacks. Openswan does not verify DNSSEC records itself; the verification is done by the resolver library, which Openswan calls through a helper application, lwdnsq. Currently, BIND-9 is the only resolver that supports DNSSEC.
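As an added example (not Openswan's own code), the following Python sketch shows the client-side decision the text describes: parse the OE TXT record a host publishes (the FreeS/WAN-style `X-IPsec-Server(precedence)=gateway key` form, with the RSA key in RFC 3110 layout) and only use the key when the resolver reported the answer as DNSSEC-validated. The record strings and key bytes are constructed for illustration, not real keys.

```python
import base64
import re

# Record layout used by Openswan OE (inherited from FreeS/WAN), as a TXT record:
#   "X-IPsec-Server(<precedence>)=<gateway> <base64 RSA public key>"
# <gateway> is the gateway address (sometimes written with a leading "@"); the key
# uses the RFC 3110 layout: exponent length byte (0 => 2-byte length), exponent, modulus.
OE_TXT = re.compile(r"^X-IPsec-Server\((\d+)\)=(\S+)\s+(\S+)$")

def parse_oe_txt(txt):
    """Return (precedence, gateway, raw_key) or None for a non-OE TXT record."""
    m = OE_TXT.match(txt.strip().strip('"'))
    if not m:
        return None
    gateway = m.group(2).lstrip("@")
    key = base64.b64decode(m.group(3), validate=True)
    return int(m.group(1)), gateway, key

def rsa_modulus_bits(raw_key):
    """Size of the RSA modulus carried in an RFC 3110 encoded key."""
    elen, pos = raw_key[0], 1
    if elen == 0:                      # long form: 2-byte exponent length follows
        elen, pos = int.from_bytes(raw_key[1:3], "big"), 3
    modulus = raw_key[pos + elen:]
    return int.from_bytes(modulus, "big").bit_length()

def choose_gateway(txt_records, authenticated, require_dnssec=True):
    """Pick the lowest-precedence OE record, refusing unvalidated answers under policy.

    `authenticated` mirrors the resolver's AD (authenticated data) verdict after
    DNSSEC validation. Without it the lookup only defends against passive
    observers, because an active attacker could answer the query instead.
    """
    if require_dnssec and not authenticated:
        return None
    parsed = [p for p in map(parse_oe_txt, txt_records) if p is not None]
    if not parsed:
        return None
    precedence, gateway, key = min(parsed, key=lambda p: p[0])
    return gateway, key

# Constructed sample data (not real keys): e=3, 2048-bit modulus with top bit set.
SAMPLE_KEY = base64.b64encode(bytes([1, 3]) + b"\x80" + b"\x11" * 255).decode()
SAMPLE_RECORDS = [
    f'"X-IPsec-Server(20)=@198.51.100.7 {SAMPLE_KEY}"',
    f'"X-IPsec-Server(10)=@192.0.2.1 {SAMPLE_KEY}"',
    '"v=spf1 -all"',                   # unrelated TXT record, must be ignored
]
```

With `authenticated=False` and the default policy, `choose_gateway(SAMPLE_RECORDS, False)` returns `None`; with a validated answer it selects the precedence-10 gateway 192.0.2.1.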