VeriSign, Inc. VeriSign, Inc. VeriSign, Inc. VeriSign, Inc. VeriSign, Inc. This document defines a new Domain Name System (DNS) resource record type called the IPSECA RR that is used to associate an X.509 certificate or a public key to an Internet Protocol Security (IPsec) gateway in a similar manner TLSA RR is used in the DNS-based Authentication of Named Entities (DANE) protocol does that for Transport Layer Security (TLS) in order to make the credential discovery easier through DNS and to allow credential discovery to be performed in a secure manner leveraging DNS Security Extensions (DNSSEC). Among the issues addressed in this draft is the danger of IP address spoofing that can be a liability to IPsec endpoints. It is important to note that the "right destination" in this document is strictly defined by the response of the DNS and does not attest to the identity of the organization or the ownership of the IP address space. The identity of the organization shall be attested in an X.509 certificate issued by a certification authority if desired and the ownership of the IP address space shall be attested by other mechanisms such as Towards A Secure Routing System (TASRS) architecture or Resource Public Key Infrastructure (RPKI).