by tptacek 3365 days ago
That's a bit of an oversimplification. DNSSEC is indeed limited to authenticity. But the idea of DNSCrypt is that with very widespread deployment, you get most of the benefit of resource integrity, in the same way that we do with TLS even though no system in TLS explicitly "signs" HTML pages.

Sure. But who's running every node in the DNSCrypt graph? I've never been clear about what that looks like.

I still see DNSSEC as providing value before the entire graph of DNSCrypt or DNS over TLS exists.

There isn't one DNSCrypt graph. It's a forest of graphs that, in the event DNSCrypt became mainstream, would effectively converge. But, unlike DNSSEC, DNSCrypt doesn't require universal adoption to provide value.

DNSSEC provides no value at all until graph coverage is reached, and even then provides absolutely no privacy.