Index: dns/dnscrypt-proxy2/Makefile
===================================================================
--- dns/dnscrypt-proxy2/Makefile (revision 466876)
+++ dns/dnscrypt-proxy2/Makefile (working copy)
@@ -1,57 +1,61 @@
# $FreeBSD$
PORTNAME= dnscrypt-proxy
PORTVERSION= 2.0.8
-CATEGORIES= dns security
+PORTREVISION= 1
+CATEGORIES= dns security ipv6
PKGNAMESUFFIX= 2
MAINTAINER= egypcio@googlemail.com
COMMENT= Flexible DNS proxy with support for encrypted protocols
LICENSE= ISCL
LICENSE_FILE= ${WRKSRC}/LICENSE
BUILD_DEPENDS= go:lang/go
RUN_DEPENDS= ca_root_nss>=3.35:security/ca_root_nss
+PLIST_SUB= USER="${USERS}" GROUP="${GROUPS}"
+SUB_LIST= USER="${USERS}" GROUP="${GROUPS}"
USE_RC_SUBR= ${PORTNAME}
USE_GITHUB= yes
GH_ACCOUNT= jedisct1
USERS= _dnscrypt-proxy
GROUPS= _dnscrypt-proxy
PORTDOCS= README.*
PORTEXAMPLES= example*
CONFLICTS_INSTALL= dnscrypt-proxy
OPTIONS_DEFINE= DOCS EXAMPLES
do-build:
${RLN} ${WRKSRC}/vendor ${WRKSRC}/src
cd ${WRKSRC}/${PORTNAME} && \
${SETENV} ${MAKE_ENV} ${BUILD_ENV} GOPATH=${WRKSRC} \
go build -ldflags "-s -w" -o ${WRKDIR}/sbin/${PORTNAME}
do-install:
- ${INSTALL_PROGRAM} ${WRKDIR}/sbin/${PORTNAME} ${STAGEDIR}${LOCALBASE}/sbin
+ ${INSTALL_PROGRAM} ${WRKDIR}/sbin/${PORTNAME} ${STAGEDIR}${PREFIX}/sbin
do-install-DOCS-on:
${MKDIR} ${STAGEDIR}${DOCSDIR}
cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR}
do-install-EXAMPLES-on:
${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
cd ${WRKSRC}/${PORTNAME} && ${INSTALL_DATA} ${PORTEXAMPLES} ${STAGEDIR}${EXAMPLESDIR}
post-install:
- # After install examples because of the priv drop issue with Go
+ ${MKDIR} ${STAGEDIR}/var/run/${PORTNAME} ${STAGEDIR}${PREFIX}/etc/${PORTNAME}
+ # After 'install' because of the priv drop issue with Go; keeping original example files.
@${REINPLACE_CMD} -e \
"s#\['127.0.0.1:53', '\[::1\]:53'\]#\['127.0.0.1:5353'\]#" \
${WRKSRC}/${PORTNAME}/example-${PORTNAME}.toml
${INSTALL_DATA} ${WRKSRC}/${PORTNAME}/example-${PORTNAME}.toml \
- ${STAGEDIR}${LOCALBASE}/etc/${PORTNAME}.toml.sample
+ ${STAGEDIR}${PREFIX}/etc/${PORTNAME}/${PORTNAME}.toml.sample
.include
Index: dns/dnscrypt-proxy2/files/dnscrypt-proxy.in
===================================================================
--- dns/dnscrypt-proxy2/files/dnscrypt-proxy.in (revision 466876)
+++ dns/dnscrypt-proxy2/files/dnscrypt-proxy.in (working copy)
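Review bot: CATEGORIES now adds ipv6, yet the REINPLACE_CMD in post-install still collapses the sample's listen list from `['127.0.0.1:53', '[::1]:53']` to `['127.0.0.1:5353']`, so the shipped config drops the IPv6 loopback listener that upstream enables. If the category is meant to say the proxy listens on IPv6, the replacement should read `\['127.0.0.1:5353', '\[::1\]:5353'\]` and the pkg-message redirect examples would need matching ::1 rules; if it only refers to IPv6 upstream resolvers, a one-line comment next to CATEGORIES saying so would stop the mismatch being read as a bug. Minor: `SUB_LIST` repeats `PLIST_SUB` verbatim; `SUB_LIST= ${PLIST_SUB}` keeps the two from drifting apart.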
@@ -1,36 +1,36 @@
#!/bin/sh
#
# $FreeBSD$
#
# PROVIDE: dnscrypt_proxy
# REQUIRE: cleanvar SERVERS
-# BEFORE: dnsmasq local_unbound unbound named
+# BEFORE: local_unbound unbound dnsmasq pdns named
#
-# Options to configure dnscrypt-proxy via /etc/rc.conf:
+# Options to configure dnscrypt-proxy via /etc/rc.conf:
#
-# dnscrypt_proxy_enable (bool) Enable service on boot
-# Default: NO
+# dnscrypt_proxy_enable (bool) Start on Boot. # Default: NO
+# dnscrypt_proxy_conf (str) Config File. # Default: %%PREFIX%%/etc/dnscrypt-proxy/dnscrypt-proxy.toml
+# dnscrypt_proxy_setuid (bool) Set root priv. # Default: NO
+# dnscrypt_proxy_uid (str) User to run as. # Default: %%USER%%
#
-# dnscrypt_proxy_conf (str) Config file to use
-# Default: %%PREFIX%%/etc/dnscrypt-proxy.toml
-#
-# dnscrypt_proxy_uid (str) User to run dnscrypt_proxy as
-# Default: _dnscrypt-proxy
. /etc/rc.subr
name="dnscrypt_proxy"
-rcvar="dnscrypt_proxy_enable"
-pidfile="/var/run/dnscrypt-proxy.pid"
+rcvar="${name}_enable"
+pidfile="/var/run/dnscrypt-proxy/${name}.pid"
procname="%%PREFIX%%/sbin/dnscrypt-proxy"
load_rc_config $name
-: ${dnscrypt_proxy_enable:=NO}
-: ${dnscrypt_proxy_conf:=%%PREFIX%%/etc/dnscrypt-proxy.toml}
-: ${dnscrypt_proxy_uid:=_dnscrypt-proxy}
+: ${dnscrypt_proxy_enable:="NO"}
+: ${dnscrypt_proxy_conf:="%%PREFIX%%/etc/dnscrypt-proxy/dnscrypt-proxy.toml"}
+: ${dnscrypt_proxy_setuid:="NO"}
+: ${dnscrypt_proxy_uid:="%%USER%%"}
+checkyesno dnscrypt_proxy_setuid && dnscrypt_proxy_uid="root"
+
command="/usr/sbin/daemon"
-command_args="-p ${pidfile} -u ${dnscrypt_proxy_uid} -f ${procname} -config ${dnscrypt_proxy_conf}"
+command_args="-p ${pidfile} -t ${name} -u ${dnscrypt_proxy_uid} -f ${procname} -config ${dnscrypt_proxy_conf}"
-run_rc_command "$1"
+run_rc_command $1
Index: dns/dnscrypt-proxy2/pkg-message
===================================================================
--- dns/dnscrypt-proxy2/pkg-message (revision 466876)
+++ dns/dnscrypt-proxy2/pkg-message (working copy)
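Review bot: `checkyesno dnscrypt_proxy_setuid && dnscrypt_proxy_uid="root"` silently discards any dnscrypt_proxy_uid the administrator set, and because the Go daemon cannot drop privileges (as pkg-message itself states) the proxy then runs as root for its whole lifetime; the header should say that rather than "Set root priv.", e.g. `# dnscrypt_proxy_setuid (bool) Run as root to bind port 53; overrides dnscrypt_proxy_uid and privileges are never dropped. # Default: NO`. The new pidfile directory /var/run/dnscrypt-proxy is handed to the service user in pkg-plist; daemon(8) opens the pidfile as root before `-u` switches uid, so a root-owned directory works just as well and keeps a compromised proxy from swapping the pidfile, leaving rc.subr's procname check as a second rather than the only safeguard for `stop`. Where /var/run is not persistent the directory will be absent at boot and start will fail; a `start_precmd` that runs `install -d -o root -g wheel -m 755 /var/run/dnscrypt-proxy` would make the script self-sufficient. `run_rc_command $1` also drops the quoting the previous line had; restore `run_rc_command "$1"`.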
@@ -1,40 +1,55 @@
-=====================================================================
-Version 2 of dnscrypt-proxy is written in Go and therefore isn't capable
-of dropping privileges after binding to a low port on FreeBSD.
+======================================================================
+Version 2 of dnscrypt-proxy is written in Go, and therefore isn't capable
+ of dropping privileges after binding to a low port on FreeBSD.
-By default, the dnscrypt-proxy2 port will listen on (tcp/udp) port 5353
-as the _dnscrypt-proxy user.
+By default, this port's daemon will listen on port 5353 (TCP/UDP) as the
+ %%USER%% user. It's still possible to bind it and listen on port 53 (TCP/UDP),
+ but it's not recommended.
-It's possible to change back to port 53, but not recommended.
+Below are a few examples on how to redirect traffic from port 5353 to 53.
-Below are a few examples on how to redirect local connections from port
-5353 to 53.
- [ipfw]
- ipfw nat 1 config if lo0 reset same_ports \
- redirect_port tcp 127.0.0.1:5353 53 \
- redirect_port udp 127.0.0.1:5353 53
- ipfw add nat 1 ip from any to 127.0.0.1 via lo0
+ /etc/rc.firewall.local:
+ ipfw nat 1 config if lo0 reset same_ports \
+ redirect_port tcp 127.0.0.1:5353 53 \
+ redirect_port udp 127.0.0.1:5353 53
+ ipfw add nat 1 ip from any to 127.0.0.1 via lo0
/etc/rc.conf:
+ firewall_enable="YES"
firewall_nat_enable="YES"
/etc/sysctl.conf:
net.inet.ip.fw.one_pass=0
[pf]
- rdr pass on lo0 proto { tcp udp } from any to port 53 -> 127.0.0.1 port 5353
+ /etc/pf.conf:
+ set skip on lo0
+ rdr pass on lo0 proto { tcp udp } from any to port 53 -> 127.0.0.1 port 5353
+ /etc/rc.conf:
+ pf_enable="YES"
+ [unbound]
- server:
- interface: 127.0.0.1
- do-not-query-localhost: no
+ /etc/rc.conf:
+ local_unbound_enable="YES"
- forward-zone:
- name: "."
- forward-addr: 127.0.0.1@5353
+ /var/unbound/unbound.conf:
+ server:
+ interface: 127.0.0.1
+ do-not-query-localhost: no
-=====================================================================
+ /var/unbound/forward.conf:
+ forward-zone:
+ name: "."
+ forward-addr: 127.0.0.1@5353
+
+----------------------------------------------------------------------
+
+If you are using local_unbound, DNSSEC is enabled by default. You should
+ comment the "auto-trust-anchor-file" line or change dnscrypt-proxy to use
+ servers with DNSSEC support only.
+======================================================================
Index: dns/dnscrypt-proxy2/pkg-plist
===================================================================
--- dns/dnscrypt-proxy2/pkg-plist (revision 466876)
+++ dns/dnscrypt-proxy2/pkg-plist (working copy)
@@ -1,2 +1,4 @@
-@sample etc/dnscrypt-proxy.toml.sample
+@dir(%%USER%%,%%GROUP%%,750) etc/dnscrypt-proxy
+@dir(%%USER%%,%%GROUP%%,750) /var/run/dnscrypt-proxy
+@sample etc/dnscrypt-proxy/dnscrypt-proxy.toml.sample
sbin/dnscrypt-proxy
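Review bot: The closing advice to comment out the "auto-trust-anchor-file" line switches off DNSSEC validation in local_unbound altogether, which is the more harmful of the two options the paragraph offers; the other one, restricting dnscrypt-proxy to DNSSEC-capable servers, is a single `require_dnssec = true` in dnscrypt-proxy.toml and should be given first, with the trust-anchor change described as a last resort. In the [pf] example, `set skip on lo0` tells pf not to process lo0 traffic at all (pf.conf(5)), which as far as I can tell means the `rdr pass on lo0` line right after it never matches; please verify on a test host and drop the skip line if so. All three redirect examples cover 127.0.0.1 only, so resolvers reached via ::1 still hit port 53 unredirected; a sentence saying the rules need IPv6 counterparts would help, especially now that the port is categorised ipv6.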
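Review bot: `@dir(%%USER%%,%%GROUP%%,750) etc/dnscrypt-proxy` makes the directory holding dnscrypt-proxy.toml writable by the account the proxy runs as, so a compromised proxy can replace its own configuration (listen addresses, server list, log paths) and have it take effect on the next restart. Unless the daemon has to write there — upstream's sample config keeps the resolver-list cache relative to the config file, which is presumably why the directory was given to the service user; please confirm — the safer entry is `@dir(root,%%GROUP%%,750) etc/dnscrypt-proxy`, with cache_file pointed at a separate user-owned directory. The same holds for `/var/run/dnscrypt-proxy`: daemon(8) creates the pidfile before switching uid, so a root-owned `@dir /var/run/dnscrypt-proxy` is sufficient and prevents the service user from replacing the pidfile.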