Frank Denis
I must confess that I don't follow... > Hey, currently, I have to directly talk to a resolver to get a DNS validation What do you mean by DNS validation?...
If I understand correctly, you would like DNS caches to add, to every response, an extra record with a timestamp, as well as an extra record that is a signature...
That is independent from the DNSCrypt protocol, especially since a key feature of DNSCrypt is that queries and responses are not inspected nor modified. It would rather be a feature...
Beyond the DNSCrypt protocol, that doesn't seem trivial, both from a technical and from a deployment perspective. A new record type for these signatures needs to be defined. Given the...
I'm not sure. https://developer.apple.com/support/third-party-SDK-requirements/ includes a list of affected SDKs, and sodium is not there. Looks like SDKs from that list have in common that they can perform network access....
OpenSSL can set up network connections, and can be used to exfiltrate information.
As a side note, you should really use `libsodium-stable` rather than the old point release. No security issues to worry about, but portability has been improved, as well as performance....
Mmmm it should already be the case: https://github.com/jedisct1/libsodium.js/blob/e14d775b6669613906395c82293bd3955d08028c/wrapper/symbols/crypto_kdf_derive_from_key.json#L16 https://github.com/jedisct1/libsodium.js/blob/e14d775b6669613906395c82293bd3955d08028c/wrapper/macros/input_string.js#L7-L9 Maybe not in the version published on `npm`, but in the current code, it is.
Are you using the `sumo` version? Are other functions accessible? If this is too complicated, you can simply use the WebCrypto API: https://bradyjoslin.com/blog/encryption-webcrypto/
Yes, that should totally be doable. The state is just the address of a 52-byte array that can be safely moved to different hosts.