Re:KEY record debate... (Score 1)

Nope, check RFC 3445. The record sub-type is gone, the bits are reserved and FreeS/WAN is trying to use a record type that doesn't exist anymore. Once DNS servers start following the host of MUSTs in that doc their implementation of opportunistic encryption is going to break left and right (luckily it'll fail hard instead of silently becoming insecure). There are better ways to do it, but the FreeS/WAN guys don't seem to care. No amount of bitching on their part is likely to change this - 3445 has now advanced to "PROPOSED STANDARD" status...