Description of problem:
Unbound isn't configured with the '--enable-dnscrypt' compilation option. Unbound has the ability to act as a DNSCrypt server, but the feature needs to be enabled via the '--enable-dnscrypt' compilation option.

Version-Release number of selected component (if applicable):
unbound-1.17.0-1.fc37

How reproducible:
100%

Steps to Reproduce:
1. Configure Unbound source without '--enable-dnscrypt'.
2. Build Unbound.
3. Install Unbound.
4. unbound -V | grep -i dnscrypt

Actual results:
./configure \
    --build=x86_64-redhat-linux-gnu \
    --host=x86_64-redhat-linux-gnu \
    --program-prefix= \
    --disable-dependency-tracking \
    --prefix=/usr \
    --exec-prefix=/usr \
    --bindir=/usr/bin \
    --sbindir=/usr/sbin \
    --sysconfdir=/etc \
    --datadir=/usr/share \
    --includedir=/usr/include \
    --libdir=/usr/lib64 \
    --libexecdir=/usr/libexec \
    --localstatedir=/var \
    --sharedstatedir=/var/lib \
    --mandir=/usr/share/man \
    --infodir=/usr/share/info \
    --with-pythonmodule \
    --with-pyunbound PYTHON=/usr/bin/python3 \
    --enable-dnstap \
    --with-libnghttp2 \
    --with-libevent \
    --with-pthreads \
    --with-ssl \
    --disable-rpath \
    --disable-static \
    --enable-relro-now \
    --enable-pie \
    --enable-subnet \
    --enable-ipsecmod \
    --with-conf-file=/etc/unbound/unbound.conf \
    --with-pidfile=/run/unbound/unbound.pid \
    --enable-sha2 \
    --disable-gost \
    --enable-ecdsa \
    --with-rootkey-file=/var/lib/unbound/root.key \
    --enable-linux-ip-local-port-range \
    && make && make install

$ unbound -V | grep -i dnscrypt
$

Expected results:
./configure --enable-dnscrypt \
    --build=x86_64-redhat-linux-gnu \
    --host=x86_64-redhat-linux-gnu \
    --program-prefix= \
    --disable-dependency-tracking \
    --prefix=/usr \
    --exec-prefix=/usr \
    --bindir=/usr/bin \
    --sbindir=/usr/sbin \
    --sysconfdir=/etc \
    --datadir=/usr/share \
    --includedir=/usr/include \
    --libdir=/usr/lib64 \
    --libexecdir=/usr/libexec \
    --localstatedir=/var \
    --sharedstatedir=/var/lib \
    --mandir=/usr/share/man \
    --infodir=/usr/share/info \
    --with-pythonmodule \
    --with-pyunbound PYTHON=/usr/bin/python3 \
    --enable-dnstap \
    --with-libnghttp2 \
    --with-libevent \
    --with-pthreads \
    --with-ssl \
    --disable-rpath \
    --disable-static \
    --enable-relro-now \
    --enable-pie \
    --enable-subnet \
    --enable-ipsecmod \
    --with-conf-file=/etc/unbound/unbound.conf \
    --with-pidfile=/run/unbound/unbound.pid \
    --enable-sha2 \
    --disable-gost \
    --enable-ecdsa \
    --with-rootkey-file=/var/lib/unbound/root.key \
    --enable-linux-ip-local-port-range \
    && make && make install

$ unbound -V | grep -i dnscrypt
Configure line: ... --enable-dnscrypt ...
DNSCrypt feature available
$

Additional info:
With DNSCrypt enabled in Unbound, there wouldn't be a need to set up a separate DNSCrypt service. Unbound could do everything itself after the feature is enabled! Even when compiled into the program, Unbound's DNSCrypt feature isn't enabled by default, and Unbound's behavior wouldn't change unless DNSCrypt is enabled in the config file.

This would introduce a dependency on 'libsodium', so I would understand if this isn't desirable.

Yes, the requirement for libsodium is a deal breaker. Honestly, with DoT, DoH, DoQ et al., the dnscrypt protocol is really legacy.