<edit>I noticed a lot of people are reading this article. Although this topic still contains some valid points, you're better off reading this topic. It explains the steps I've taken to get a working combination of dnscrypt-proxy and DNSSEC, using a new version of dnsmasq. I've explained here why I stopped using dnscrypt-loader (this was in fact the reason I couldn't update dnscrypt-proxy beyond version 1.9.1). This topic however still explains how to upgrade dnscrypt-proxy.
I've already installed DNScrypt, highest possible version 1.9.1.
I noticed the pull request from dschaper, and noticed DNSSEC will be supported in v.2.12. As this is easy to configure (just two lines in /etc/dnsmasq.d/01-pihole.conf and one line in /etc/pihole/setupVars.conf), I've tested the configuration.
You need to select DNSSEC-enabled dnscrypt servers (using dnscrypt-loader); there are only 2 DNSSEC-enabled, non-logging servers available (ref this list).
To verify the configuration is working, go to this page. If the page doesn't load, DNSSEC is working (you'll notice a message - validation result is BOGUS - in the pihole log). If the page does load, the setup is NOT working.
- What is the general advice regarding the use of both DNScrypt and DNSSEC?
- Is using DNSSEC useful, since there are almost no sites that have it implemented (use this site to check the DNSSEC status of a domain)?
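
The log check described in the post can be scripted. The following is an added example, not part of the original post or of Pi-hole: it tallies `validation result is ...` lines and reports whether a test domain was marked BOGUS without ever being answered. The log lines are constructed, `broken-signature.example` is a placeholder for the test page's domain, and the script assumes a blocked lookup leaves no `reply` line in the log.

```python
import re
from collections import Counter

# Constructed sample, modelled on dnsmasq's log-queries lines in the Pi-hole
# log. Domains and addresses are placeholders, not values from the post.
SAMPLE_LOG = """\
Mar 10 12:00:01 dnsmasq[1234]: query[A] signed.example from 192.168.1.10
Mar 10 12:00:01 dnsmasq[1234]: forwarded signed.example to 127.0.0.1
Mar 10 12:00:01 dnsmasq[1234]: validation result is SECURE
Mar 10 12:00:01 dnsmasq[1234]: reply signed.example is 192.0.2.10
Mar 10 12:00:09 dnsmasq[1234]: query[A] broken-signature.example from 192.168.1.10
Mar 10 12:00:09 dnsmasq[1234]: forwarded broken-signature.example to 127.0.0.1
Mar 10 12:00:09 dnsmasq[1234]: validation result is BOGUS
"""

MESSAGE = re.compile(r"dnsmasq\[\d+\]: (.*)$")
QUERY = re.compile(r"query\[\w+\] (\S+) from \S+")
REPLY = re.compile(r"reply (\S+) is \S+")
RESULT = re.compile(r"validation result is (SECURE|INSECURE|BOGUS)")


def summarize(log_text):
    """Return (Counter of validation results, BOGUS names, answered names)."""
    counts, bogus, answered = Counter(), set(), set()
    last_query = None
    for line in log_text.splitlines():
        found = MESSAGE.search(line)
        if not found:
            continue  # not a dnsmasq line
        msg = found.group(1)
        if m := QUERY.match(msg):
            last_query = m.group(1)
        elif m := REPLY.match(msg):
            answered.add(m.group(1))
        elif m := RESULT.match(msg):
            counts[m.group(1)] += 1
            # Heuristic (assumption): this line does not name the domain, so
            # attribute the result to the most recent query seen.
            if m.group(1) == "BOGUS" and last_query:
                bogus.add(last_query)
    return counts, bogus, answered


def dnssec_is_enforced(log_text, test_domain):
    """True if the test domain was marked BOGUS and never answered."""
    _, bogus, answered = summarize(log_text)
    return test_domain in bogus and test_domain not in answered
```

On a busy resolver, interleaved queries can make the last-query attribution wrong, so run the test lookup while the network is otherwise quiet.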