There is a race condition where logrotate's copytruncate directive causes dnscrypt-proxy to end up with a logfile it is writing to that is not truncated, since it could be in the middle of a write (dnscrypt-proxy's file descriptor is still to the middle of the logfile, I believe). The logfile ends up having a bunch of null data at the beginning as it continues to write to it. This has happened multiples times on different machines for me. It's much safer to do a hard restart after a normal rotation. There was an expressed concern that a hard restart invalidates the cache; I suggest that DNS TTLs are fairly short relative to the frequency of logfile rotations. Half of TTLs are one minute or less. https://blog.apnic.net/2019/11/12/stop-using-ridiculously-low-dns-ttls/ Pull request that updates the logrotate configuration: https://github.com/gentoo/gentoo/pull/18383