DNS security

You are currently reading a thread in /g/ - Technology

Thread replies: 16
Thread images: 1
Who DNSSEC[1][2] here? Why do you use it? What do you use it for? Have you considered TLSA (DANE[3]), SSHFP[4], OPENPGPKEY[5] RRs yet? Discuss.

Perhaps you also use DNSCrypt[6] for encryption of your queries? Or maybe you like to encrypt everything and you're running DNSCurve[7]?

Newbies section:
>If you're thinking about registering your own domain, check if they offer DNSSEC. Some registrars automatically sign your zone, which means you most likely can already add your TLSA RRs and such. Other registrars offer to upload your DS RR, or your KSK/ZSK's public key instead. That's also nice if you wish to host your authoritative name server yourself.

There's also an interesting new IETF draft, SMTP STS[8]. Would be interesting to secure your MTA more.

Previous thread here >>53750700

[1] https://tools.ietf.org/html/rfc4033
[2] http://www.dnssec.net/
[3] https://tools.ietf.org/html/rfc6698
[4] https://tools.ietf.org/html/rfc4255
[5] https://tools.ietf.org/html/draft-ietf-dane-openpgpkey-08
[6] https://www.dnscrypt.org/
[7] https://dnscurve.org/
[8] https://tools.ietf.org/html/draft-margolis-smtp-sts-00
>>
DNSCrypt proxy here, at least I was until it started fucking about on Xubuntu
Tried the autoinstall script but that is a plain fail
Shit needs some proper package maintainers
>>
>>53759154
>If Mallory has access to the parent's key, it easily could. You need some level of access to the parent's key to be able to register domains at all. A system can't work if you cannot use it.
But Mallory wouldn't, unless you don't trust the parent TLD.

>This is just X.509 in disguise. As soon as you give the power to register new certificates to a CA, anybody who infiltrates or controls the CA can use it to forge new certificates.
This is always the case in a hierarchical trust model, not X.509 specifically (just characteristically).

>There's no fundamental way around this limitation. The moment you trust a third party to verify your authenticity, you've given power over your authenticity to said third party.
I understand your concern, but this is the trust model itself you have a problem with. Though, a fully distributed peer-to-peer system such as NameCoin has other issues, like a fast-growing blockchain, or a majority in computational power.
>>
My domains have it but I have no idea what it is.
>>
>>53841949
There are already packages for Ubuntu, though: http://packages.ubuntu.com/search?suite=all&searchon=names&keywords=dnscrypt
>>
>>53841985
DNSSEC adds cryptographic security to thwart tampering, forgery, or impersonation attacks. Authoritative name servers do so by using asymmetrical cryptography to sign their complete RRsets for which they are authoritative.

In short, when you want to resolve example.net, your resolving name server checks the added signatures (RRSIGs) to see if the response of the authoritative name server has not been tampered with.
>>
>>53841985
Then start using it. :-)
>>
Already got TLSA RRs for my web server, and I just added HPKP. This is a little out of scope and not really related to DNS, but which certificates should I pin? I'm currently pinning my root CA cert, the intermediate CA cert, and my own cert.
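For the TLSA and pinning question above, an added example (not from the thread) in Python that renders and checks a DANE-EE TLSA record for an HTTPS server and derives the HPKP pin-sha256 from the same SubjectPublicKeyInfo; the certificate and SPKI bytes are constructed placeholders, not a real DER certificate.

```python
import base64
import hashlib

# TLSA field values from RFC 6698; usage 3 (DANE-EE) is the usual web-server case
USAGE_DANE_EE = 3
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2
# Constructed placeholder bytes standing in for the DER certificate and its
# SubjectPublicKeyInfo; a real deployment extracts both from the X.509 cert.
CERT_DER = b"constructed placeholder: full DER certificate"
SPKI_DER = b"constructed placeholder: SubjectPublicKeyInfo"

def tlsa_owner_name(host, port=443, proto="tcp"):
    """Name the client queries, e.g. _443._tcp.example.net."""
    return f"_{port}._{proto}.{host}"

def tlsa_assoc_data(cert_der, spki_der, selector, matching):
    """Certificate association data as the hex string a zone file carries."""
    data = cert_der if selector == SELECTOR_FULL_CERT else spki_der
    digest = {MATCH_FULL: lambda d: d,
              MATCH_SHA256: lambda d: hashlib.sha256(d).digest(),
              MATCH_SHA512: lambda d: hashlib.sha512(d).digest()}[matching]
    return digest(data).hex()

def tlsa_record(host, cert_der, spki_der, usage=USAGE_DANE_EE,
                selector=SELECTOR_SPKI, matching=MATCH_SHA256):
    """Presentation-format TLSA RR for the HTTPS service on port 443."""
    assoc = tlsa_assoc_data(cert_der, spki_der, selector, matching)
    return f"{tlsa_owner_name(host)}. IN TLSA {usage} {selector} {matching} {assoc}"

def parse_tlsa(rr):
    """Split a presentation-format TLSA RR into (usage, selector, matching, hex)."""
    fields = rr.split()
    return int(fields[-4]), int(fields[-3]), int(fields[-2]), fields[-1].lower()

def tlsa_matches(rr, cert_der, spki_der):
    """Check a presented leaf cert against a DANE-EE record. Only usage 3 is handled
    (it pins the end-entity cert/key directly); usages 0-2 also need PKIX validation."""
    usage, selector, matching, assoc = parse_tlsa(rr)
    if usage != USAGE_DANE_EE:
        return False
    presented = tlsa_assoc_data(cert_der, spki_der, selector, matching)
    return presented == assoc

def hpkp_pin(spki_der):
    """HPKP pin-sha256 value: base64 of SHA-256 over the SPKI (the TLSA 3 1 1 digest)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def pins_agree(spki_der):
    """True when the HPKP pin decodes to exactly the TLSA 3 1 1 association data."""
    return base64.b64decode(hpkp_pin(spki_der)).hex() == tlsa_assoc_data(b"", spki_der, SELECTOR_SPKI, MATCH_SHA256)
```

The point for the pinning question is that a `3 1 1` TLSA record and an HPKP pin are the same SHA-256 over the same SubjectPublicKeyInfo, only encoded as hex versus base64; `tlsa_record` with selector `0` and matching type `0` instead publishes the whole certificate.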
>>
I used dnscrypt for maybe a month. Then I realized it slowed my lookup times to a crawl, and completely fucked over my ping while playing games. (Normally around 35 ping, was at 300+)

This is considering I used the closest server they had. oh well
>>
>>53843472
Then your problem is not DNSCrypt itself. A lookup is done once and gets cached for future lookups. A latency of 300 is not explained by using DNSCrypt, because all traffic is sent directly to the server whose name you just resolved.
>>
>>53843390
I'm less experienced with HPKP, but I think that depends on you. You should only pin certificates in your chain that you fully trust, which you most likely do already because otherwise you wouldn't have a CA sign your certificate in the first place. X.509 is a hierarchical trust model anyway, so this makes sense.
>>
>>53842010
Which are broken and don't install properly and don't even uninstall properly
>>
>>53844666
That sucks, you sure? I wouldn't know since I don't use Ubuntu myself. I'd suggest submitting a bug report.
>>
I use hardened Unbound + 2 instances of DNSCrypt for redundancy

don't want any semi-competent MITM to see that I visit 4chang
>>
>>53844727
I did but no one took any fucking notice. Just hope Jedi sct1 or whatever that faggot's name is will fix up a good version, I don't even mind compiling my own as long as it doesn't dick around
>>
>>53846886
If the package doesn't work as expected, the package maintainer from Ubuntu (or Debian) may have made a mistake. If it doesn't work after successfully compiling the source code directly, then the developer might have messed up.

So have you compiled the source code and tested that one as well? If it works, update your bug report. If it doesn't, open a new bug report but this time on the developer's GitHub.