Running DNSCrypt and DNSSEC (using Debian testing repositories)

FAQs Community How-to's
3

I don't want to question the instructions above, these are the first DNSCRYPT /DNSSEC comments on this forum that contribute to problem solving. I will however list some thoughts and findings that I've discovered, trying to get things to work. I also don't pretend to be a linux guru, everything I found comes from google, thus, I may even try to make some invalid points, correct me If I'm wrong.

  • I don't like running all testing (stretch) packages. I already researched a solution to upgrade dnsmasq only, read this topic. This will allow you to run current packages, apart from dnsmasq.
  • I explained here, why I moved away from dnscrypt-loader, and use dnscrypt-proxy.
  • I edited the entry a few times, and updated the rar file, containing a configuration example.
  • I also added a remark to eliminate a warning dnscrypt-proxy gave (random numbers)
  • I tried to get responses from other users in this, this, this and this topic (maybe even some more), unfortunately the responses only inspired me to continue looking
  • I researched the chicken or the egg problem explained in the dnsmasq man pages (search for --dnssec-no-timecheck). and listed a solution (for those users that are interested) here

Despite my efforts, I still cannot get valid results, using dnscrypt-proxy and DNSSEC. I get a lot of INSECURE validations, some ABANDONED, some BOGUS and a few SECURE.
So I decided to contact the developer of dnsmasq (mail only) and the developer of dnscrypt (issue on github). These guys have been very helpful, unfortunately I'm still no closer to a result, even though the dnsmasq developer stated, in one of his replies:

I can see how the dnsmasq validation routines would react badly to an upstream server which sometimes just closed the connection in TCP mode: that's probably the cause of the ABANDONED message.

The investigation continues...

Some questions:
I noticed you added a lot of parameters to the service file(s), and have no socket file(s). Compared to my configuration (I just followed the instructions from the wiki), I have one service file and multiple socket files. I also noticed my configuration instructs dnscrypt-proxy to NOT run as root, I cannot find this in your configuration.Could you please explain these questions.

Again, I'm NOT a linux guru, just trying to get a stable workin dnscrypt-proxy/DNSSEC enabled running pihole.