simonclausen / dnscrypt-autoinstall

Automatic installation and configuration of DNSCrypt (on Debian + Redhat like systems). This script will install DNSCrypt and configure it to start on boot and use an optional dnscrypt service.

Enable ephemeral keys for improved privacy #48

Closed lucaspetter closed 9 years ago

lucaspetter commented 9 years ago

dnscrypt-proxy 1.5.0 has a new ephemeral key feature, thus enabling forward secrecy for every DNS query — a big privacy improvement. This can be enabled with a simple -E or --ephemeral-keys flag when calling dnscrypt-proxy. dnscrypt-autoinstall will need to be updated to use dnscrypt-proxy 1.5.0 or later first.

For example, the init-scripts can call:

    $DAEMON --daemonize --user=dnscrypt -R OpenDNS --ephemeral-keys

instead of:

    $DAEMON --daemonize --user=dnscrypt -R OpenDNS

Possible topic for discussion: Should dnscrypt-autoinstall offer the user an option about whether to enable ephemeral keys during initial setup, or should this feature be turned on by default with no option? I don't see why anyone would want it off, so my vote is for on by default with no option.

Of note: the Mac client, dnscrypt-osxclient, recently implemented ephemeral keys in version 1.0.6.

From the dnscrypt-proxy technotes:

Ephemeral key pair mode:

  • The proxy always generates a new, in-memory session key at startup.
  • This session key and the client nonce are used to derive an ephemeral key pair for each query.

From the dnscrypt-proxy manpage:

-E, --ephemeral-keys: By default, queries are always sent with the same public key, allowing providers to link this public key to the different IP addresses you are using. This option requires extra CPU cycles, but mitigates this by computing an ephemeral key pair for every query.
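An added example, not part of the issue and not dnscrypt-proxy code, modelling the linkability described in the manpage text quoted above: a resolver that groups observed client public keys by source IP. Assumptions: HMAC-SHA256 stands in for the proxy's real key derivation, `ModelProxy`, `derive_secret` and `linked_ips` are hypothetical names, and the IP addresses and 12-byte nonce are constructed.

```python
import hashlib, hmac, os

P = 2**255 - 19  # Curve25519 field prime

def x25519_base(secret: bytes) -> bytes:
    """Public key for a 32-byte secret (RFC 7748 ladder; not constant-time)."""
    k = bytearray(secret)
    k[0] &= 248; k[31] &= 127; k[31] |= 64  # clamp as RFC 7748 requires
    k = int.from_bytes(k, "little")
    x1, x2, z2, x3, z3, swap = 9, 1, 0, 9, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def derive_secret(session_key: bytes, client_nonce: bytes) -> bytes:
    """ASSUMPTION: HMAC-SHA256 stands in for the proxy's real derivation."""
    return hmac.new(session_key, client_nonce, hashlib.sha256).digest()

class ModelProxy:  # hypothetical model, not dnscrypt-proxy code
    def __init__(self, ephemeral: bool):
        self.ephemeral = ephemeral
        self.session_key = os.urandom(32)  # new in-memory key at startup

    def query_pubkey(self) -> bytes:
        # Client public key the resolver sees on one query.
        if not self.ephemeral:
            return x25519_base(self.session_key)  # same key on every query
        nonce = os.urandom(12)  # fresh client nonce per query (constructed size)
        return x25519_base(derive_secret(self.session_key, nonce))

def linked_ips(observations):
    """Resolver-side view: public keys seen from more than one source IP."""
    seen = {}
    for ip, pubkey in observations:
        seen.setdefault(pubkey, set()).add(ip)
    return {pk: ips for pk, ips in seen.items() if len(ips) > 1}

IPS = ["192.0.2.10", "198.51.100.7", "203.0.113.5"]  # constructed addresses
def observe(proxy):
    return [(ip, proxy.query_pubkey()) for ip in IPS]
```

`linked_ips(observe(ModelProxy(False)))` returns one key tied to all three addresses, while the same call with `ModelProxy(True)` returns an empty mapping.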