Frank Denis

Results 470 comments of Frank Denis

You should use [encrypted-dns-server](https://github.com/dnscrypt/encrypted-dns-server) instead.

I can't read images, sorry. DNSSEC support is reported by `dnscrypt-proxy -resolve`:

```text
$ dnscrypt-proxy -resolve example.com
./dnscrypt-proxy -resolve example.com
Resolving [example.com] using 127.0.0.1 port 53
Resolver : 74.125.47.9
......
```

It doesn't. Maybe we can use `-list -json` to get the DNSSEC information from the stamp, and indeed compare that to the output of `-resolve`.

Added this to my regular check scripts. And sure enough, it quickly detected quite a few resolvers that advertise DNSSEC but don't support it. I'm going to add it to...

> Probably I'm doing it wrong but both with https://dnscheck.tools/ ("Great! Your DNS responses are authenticated with DNSSEC") and using `dnscrypt-proxy -resolve example.com` ("DNSSEC signed : yes") I get positive...

"DNSSEC signed" is printed in the section about the domain name you are querying, not the server properties.

Hi! And thanks for reporting this! Indeed, it is not expected to block local IP addresses when the "no filter" flag is set. And this is causing more issues that...

Hi! If the cert in the stamp is found, no matter at which position, validation will pass. You should pick a cert that is not going to change too frequently....

Unrelated: `meganerd-ipv6` (dnscrypt) seems to be having a certificate issue right now.