Background: I am a developer in the hipl.hiit.fi project, which develops a Linux-based IPsec key and mobility management daemon for the Host Identity Protocol (HIP). The daemon stores its keys in DNS according to RFC5206 and uses a local DNS proxy to return hashes of public keys from the DNS to applications. The daemon also calls getaddrinfo() to resolve identifiers from the DNS when using the registration extensions defined in RFC5204.

The problem: it appears that calling getaddrinfo() also calls connect() with the given IP address, UDP protocol and port 0. This is a problem in the IPsec key management daemon because it also calls getaddrinfo, and this triggers a Diffie-Hellman based key exchange (which is a costly operation). Is it really necessary to call connect() in getaddrinfo(), or is there some other way around this? Currently it is not possible to filter requests that trigger key exchange with UDP port zero in IPsec key managers because Linux XFRM does not support it.
Yes, the connect calls are necessary because there is no other way to determine the source address. If you don't like this, implement something in the kernel to get the source address in another way.
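The source-address discovery that the reply refers to can be reproduced in isolation. The following program is an added example and is not code from the bug report, glibc or the HIPL project: it performs the same sequence the reporter observed from getaddrinfo(), namely connect() on a UDP socket with the candidate destination and port 0, followed by getsockname() to read back the local address the kernel's route lookup selected. No packet leaves the host; a datagram connect() only records the default destination and resolves the route, which is also why an IPsec policy hook sees it as a fresh flow to UDP port 0. The function name `source_addr_for` and the default destination `127.0.0.1` are this example's own choices.

```c
// Added example: reproduce the "UDP connect + getsockname" trick used to
// learn which local address the kernel would pick for a destination.
// Not from the bug report; source_addr_for() is a name chosen here.
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Write into out the local IPv4 address the kernel would use to reach dst
 * (a dotted-quad string) on UDP port `port`. getaddrinfo() called without a
 * service name uses port 0, which is what the report observed.
 * Returns 0 on success, -1 on any error (bad address, no route, ...). */
int source_addr_for(const char *dst, unsigned short port, char *out, size_t outlen)
{
    struct sockaddr_in to, from;
    socklen_t fromlen = sizeof from;
    int fd, rc = -1;

    memset(&to, 0, sizeof to);
    to.sin_family = AF_INET;
    to.sin_port = htons(port);
    if (inet_pton(AF_INET, dst, &to.sin_addr) != 1)
        return -1;

    fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;

    /* connect() on a datagram socket sends nothing: the kernel only does a
     * route lookup and pins the destination. This is the call that an IPsec
     * policy lookup (and therefore a HIP key exchange) would be triggered by. */
    if (connect(fd, (struct sockaddr *)&to, sizeof to) == 0 &&
        getsockname(fd, (struct sockaddr *)&from, &fromlen) == 0 &&
        inet_ntop(AF_INET, &from.sin_addr, out, outlen) != NULL)
        rc = 0;

    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    const char *dst = argc > 1 ? argv[1] : "127.0.0.1"; /* constructed default */
    char src[INET_ADDRSTRLEN];

    if (source_addr_for(dst, 0, src, sizeof src) != 0) {
        perror("source_addr_for");
        return 1;
    }
    printf("kernel would reach %s from %s\n", dst, src);
    return 0;
}
```

Running this under `strace -e trace=socket,connect,getsockname` shows the same three calls the reporter saw from getaddrinfo(); running it against an address covered by an IPsec or HIP policy shows why a route lookup alone is enough to wake the key manager even though no datagram is ever sent.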