DNSCrypt project is closed.

[MrSorcus]

Issue description

https://twitter.com/jedisct1/status/928942292202860544

dnscrypt-proxy is also looking for a new maintainer (along with the website), as I dont use it any more. I will archive it next week.

nixpkgs/pkgs/tools/networking/dnscrypt-proxy/default.nix

Line 10 in 0653b73

url = "https://download.dnscrypt.org/dnscrypt-proxy/${name}.tar.bz2";

Will not working anymore.

[adisbladis]

cc @joachifm @jgeerds

[joachifm]

Sigh, okay I'll be removing the service & related stuff shortly.

[joachifm]

It's feasible that we can recover some functionality via unbound (it supports dnscrypt, though I've never actually tried it) or dns-over-tls. I'll be looking into that after removal.

[vcunat]

DNS-over-TLS: @Mic92 has experience with this via Unbound; Knot-resolver will also be an option, after a release expected within a week or two, and I will be able to help with such setups.

[joachifm]

@vcunat sounds good :)

[makefu]

just as a heads-up, as of right now, unbound does not validate the dns-tls sources ( https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658 ).

[rnhmjoj]

That's sad. dnscrypt-wrapper is not affected but without the proxy is pretty much useless.

[joachifm]

I've opened a PR to remove the module, I've left the wrapper & related packages alone for now.

[rnhmjoj]

Dyne.org has taken over the project!

[vcunat]

Yesterday? Is that a co-incidence?

[Profpatsch]

Ugh, it’s a bit harsh to just remove the package before the project is even completely dead, @joachifm.

[joachifm]

The project was gone, until dyne.org took it over yesterday, as in the github project page was 404.

[rnhmjoj]

He removed the repository and pointed the website to a competitor with no mention of what happened to dnscrypt: something doesn't look right. Anyway without the tarballs on website the package can't still be built.

[Profpatsch]

There’s a Git repo.

[rnhmjoj]

@Profpatsch I added autoreconfHook and the head commit builds but the test (nixos/dnscrypt-proxy.nix) is failing with

error while loading shared libraries: libltdl.so.7:

Do you know the commit of the latest release?

[joachifm]

@rnhmjoj that's most likely due to apparmor.

[rnhmjoj]

Yes, your right. I added a rule for libtool and it passes. Is it really needed though?

[joachifm]

Not at all, I'm guessing it simply tries to use it because it is available in the build environment. A better solution is to convince it to not pick it up to begin with. (the daemon used to rely on it for plugins).

[rnhmjoj]

It must be some different configure flag that was set in the official release.

[joachifm]

So, the repo is back up https://github.com/jedisct1/dnscrypt-proxy; it's going to be rewritten from scratch from the looks of it ...

[rnhmjoj]

I found the original release tarballs on launchpad.net. We could use these in the meanwhile.

[joachifm]

The NixOS module has now been restored thanks to @rnhmjoj. Still not sure what to think about all this but I do think the immediate issue has been fixed.

[vcunat]

My expectation would be a slow decline of DNSCrypt, as DNS-over-(D)TLS got properly standardized in IETF and will be improving its implementation and deployment...

I think this ticket can be marked as "solved", for now.

[vcunat]

To finish my advertisement, on nixpkgs master you can do e.g.:

  services.kresd = {
    enable = true;
    extraConfig = ''
      policy.add(policy.all(policy.TLS_FORWARD({
        { '2620:fe::fe', hostname = 'dns.quad9.net', ca_file = '/etc/ssl/certs/ca-bundle.crt' },
      })))
    '';
  };

More possibilities in docs (e.g. certificate pinning). Feel free to reach out to me/us: gitter, ML, GitLab, ...

[concatime]

Also, DNSCrypt moved to version 2, and on NixOS, we are still on 1.9.5.

[Mic92]

@concatime feel free to update it.