Nixpkgs: DNSCrypt project is closed.

Created on 6 Jan 2018 · 26 Comments · Source: NixOS/nixpkgs

Issue description

https://twitter.com/jedisct1/status/928942292202860544

dnscrypt-proxy is also looking for a new maintainer (along with the website), as I don't use it any more. I will archive it next week.

https://github.com/NixOS/nixpkgs/blob/0653b73bf61f3a23d28c38ab7e9c69a318d433de/pkgs/tools/networking/dnscrypt-proxy/default.nix#L10

Will not work anymore.


All 26 comments

cc @joachifm @jgeerds

Sigh, okay I'll be removing the service & related stuff shortly.

It's feasible that we can recover some functionality via unbound (it supports dnscrypt, though I've never actually tried it) or dns-over-tls. I'll be looking into that after removal.

DNS-over-TLS: @Mic92 has experience with this via Unbound; Knot-resolver will also be an option, after a release expected within a week or two, and I will be able to help with such setups.

@vcunat sounds good :)

Just as a heads-up, as of right now, unbound does not validate the dns-tls sources ( https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658 ).

That's sad. dnscrypt-wrapper is not affected, but without the proxy it is pretty much useless.

I've opened a PR to remove the module, I've left the wrapper & related packages alone for now.

Dyne.org has taken over the project!

Yesterday? Is that a co-incidence?

Ugh, it's a bit harsh to just remove the package before the project is even completely dead, @joachifm.

The project was gone, until dyne.org took it over yesterday, as in the GitHub project page was 404.

He removed the repository and pointed the website to a competitor with no mention of what happened to dnscrypt: something doesn't look right. Anyway, without the tarballs on the website the package still can't be built.

There's a Git repo.

@Profpatsch I added autoreconfHook and the head commit builds but the test (nixos/dnscrypt-proxy.nix) is failing with

error while loading shared libraries: libltdl.so.7:

Do you know the commit of the latest release?

@rnhmjoj that's most likely due to apparmor.

Yes, you're right. I added a rule for libtool and it passes. Is it really needed though?

Not at all, I'm guessing it simply tries to use it because it is available in the build environment. A better solution is to convince it to not pick it up to begin with. (the daemon used to rely on it for plugins).

It must be some different configure flag that was set in the official release.

So, the repo is back up https://github.com/jedisct1/dnscrypt-proxy; it's going to be rewritten from scratch from the looks of it ...

I found the original release tarballs on launchpad.net. We could use these in the meanwhile.

The NixOS module has now been restored thanks to @rnhmjoj. Still not sure what to think about all this but I do think the immediate issue has been fixed.

My expectation would be a slow decline of DNSCrypt, as DNS-over-(D)TLS got properly standardized in IETF and will be improving its implementation and deployment...

I think this ticket can be marked as "solved", for now.

To finish my advertisement, on nixpkgs master you can do e.g.:

  services.kresd = {
    enable = true;
    extraConfig = ''
      policy.add(policy.all(policy.TLS_FORWARD({
        { '2620:fe::fe', hostname = 'dns.quad9.net', ca_file = '/etc/ssl/certs/ca-bundle.crt' },
      })))
    '';
  };

More possibilities in docs (e.g. certificate pinning). Feel free to reach out to me/us: gitter, ML, GitLab, ...

Also, DNSCrypt moved to version 2, and on NixOS, we are still on 1.9.5.

@concatime feel free to update it.
