`doh.crypto.sx` doesn't support DNSSEC

[lessneek]

doh.crypto.sx doesn't support DNSSEC.

[jedisct1]

It definitely does.

[2020-02-02 01:09:35] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
[2020-02-02 01:09:35] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
[2020-02-02 01:09:35] [NOTICE] Server with the lowest initial latency: doh-crypto-sx (rtt: 10ms)
[2020-02-02 01:09:35] [NOTICE] dnscrypt-proxy is ready - live servers: 1

$ drill -D dnscrypt.info @127.0.0.1

;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 22419
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

Notice the ad flag.

[lessneek]

I have no the ad flag with dnscrypt-proxy2 2.0.34-1 on OpenWrt 19.07.0 r10860-a3ffeb413b:

$ drill -D dnscrypt.info
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 8616
;; flags: qr rd ra ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0 

actually the same issue with other servers too...

what causes the problem?

[mibere]

I have the ad flag too with dnscrypt-proxy 2.0.39

[2020-02-02 12:49:34] [NOTICE] Now listening to 127.11.11.3:7753 [UDP] [2020-02-02 12:49:34] [NOTICE] Now listening to 127.11.11.3:7753 [TCP] [2020-02-02 12:49:34] [NOTICE] [doh-crypto-sx] OK (DoH) - rtt: 36ms [2020-02-02 12:49:34] [NOTICE] Server with the lowest initial latency: doh-crypto-sx (rtt: 36ms) [2020-02-02 12:49:34] [NOTICE] dnscrypt-proxy is ready - live servers: 1

dig @127.11.11.3 -p 7753 dnscrypt.one

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> @127.11.11.3 -p 7753 dnscrypt.one ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20450 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

[lessneek]

I have opened an issue related to dnscrypt-proxy itself https://github.com/DNSCrypt/dnscrypt-proxy/issues/1175