Ensure BoringSSL (bssl) is compiled and accessible in your environment.
Create a directory and generate the Encrypted Client Hello (ECH) keys using bssl.
mkdir -p /etc/sdproxy/ech
cd /etc/sdproxy/ech
bssl generate-ech \
-out-ech-config-list ech_config_list.bin \
-out-ech-config ech_config.bin \
-out-private-key ech.key \
-public-name "dns.home.arpa" \
-config-id 1ech_config_list.bin: The public configuration payload advertised to clients via DDR (SVCB/HTTPS records).ech.key: The raw 32-byte X25519 private seed used by sdproxy to decrypt incoming TLS client hellos.ech_config.bin: The single ECH config (often unused directly, as the list format is required for DNS records).
Edit your config.yaml to include the absolute paths to the generated ECH files under the server: block.
server:
# ... existing server configuration ...
# Encrypted Client Hello (ECH)
ech_config_list: "/etc/sdproxy/ech/ech_config_list.bin"
ech_key: "/etc/sdproxy/ech/ech.key"Restart sdproxy to load the credentials. The server will automatically bind the ECH keys to the TLS listeners (DoH/DoT/DoQ) and broadcast the public ech_config_list natively to clients requesting _dns.resolver.arpa.