dnscrypt.ca ... Free Canadian based encrypted DNS service with DNSSEC validation for your pleasure.


With the help of Mikaela, IPv6 has been added to server #1 and some issues with the keys on server #2 were cleared up. Since I had to revamp the front page of the web site to accommodate the new info about the servers, I figured it would be a good time to trim some outdated crap off the rest of the site. It should look a little leaner now and most of the links to the old dnscrypt-proxy stuff are gone. I'm not thrilled about it, but I guess people should be using the new client.

Thanks Mikaela!


A helpful user recently alerted me to an "Incorrect signature" error message they were seeing in their dnscrypt-proxy logs. I fiddled with a virtual machine, but at first had trouble pinning down exactly how to reproduce the problem. Today I was able to determine that the keys for dnscrypt.ca-2-ipv6 were not always working properly. I created a fresh set of keys, and they seem to be working so far. If my testing continues to work as expected I'll probably:

  1. Add IPv6 support to the dnscrypt.ca-1 server
  2. Have both stamps updated in the public resolver list
  3. Update the web site to reflect the new configuration

As a result of the new keys, dnscrypt.ca-2 and dnscrypt.ca-2-ipv6 both had a couple of minor outages this afternoon. My apologies for the interruption.


There was a problem with the script that checks whether or not the servers are up. As a result, the web site showed both servers as being down between 9am and 11am Eastern this morning. The script has been fixed and the servers experienced no actual outage.


Had yet another power outage, this time due to a small tornado that blew through here. The web site was down for a few days, but as far as I know the DNS servers continued to run. If anyone knows of any downtime lemmie know and I'll change the announcement.


There was another power outage at my "datacenter" last night, and as a result the web site was down until this morning when I could get it back up again. Same as last time, the resolvers were unaffected.


There was a power outage at my "datacenter" shortly after noon Eastern today that lasted for a couple hours. The web site was down during this time but the DNS servers were unaffected. Everything should be back to normal now.


Got an alert at 3pm Eastern today that Server #1 was down. Quickly logged in and saw that ps was not showing the wrapper running at all. I just started it up using the existing key/cert, and it seems to be fine now. No changes should be required for users, and downtime was an estimated dozen minutes or so. I'll continue to monitor of course.


I updated the root hints for Unbound with this yesterday. It has been a day and I haven't noticed any trouble with either server. Carry on.


I just noticed that dnscrypt.ca is currently not DNSSEC signed. I did not ask to have the DS records removed from the .ca registry, but they do not seem to be there. I have opened a support ticket with my registrar to confirm the DS records for me. In the meantime, this domain is currently unsigned. :-(


I have chosen March 31st as the last day for dnscrypt.ca-3. The redirection will be disabled on that day so if you are currently using it you should switch to another server before then.


Tonight at about 8:45pm Eastern time dnscrypt.ca-2 apparently rebooted. I immediately got a notification and started working to fix it, then at around 8:55pm, dnscrypt.ca-1 also rebooted. Both are currently up and running. I tested my own ability to resolve using both and was successful without having to even recreate the connection. Everything should be back to normal and I will resume trying to figure out what happened.


The dnscrypt-proxy GitHub project has now been deleted. There has been some discussion about it in my GitHub issue, and Fusl has taken my recently updated fork of the project and copied it to dnscrypt/dnscrypt-proxy. I also found this Reddit post on the topic of what happened to DNSCrypt, but it seems to be plenty full of people basically calling DNSCrypt a dead end and suggesting the use of DNS-over-TLS. I have a really hard time not seeing this as the DNS-over-TLS folks simply buying out DNSCrypt from its maintainer and out from under the users who wanted it. I am pretty disappointed by the events and am concerned that DNSCrypt will simply fall into less and less usage until DNS-over-TLS simply becomes the de facto standard. Some might consider this a good thing, but I wonder what might motivate the DNS-over-TLS fanbois to be so douchey about it.

There has also been a significant increase in my bandwidth use, and according to the control panel for my VPS I'll be far enough past my monthly limit that I will hear about it from the provider. I guess we'll see how that plays out soon enough.

