The DuckCorp CA is self-signed, which is a deliberate and well considered decision. We do not trust the top CAs and their broken security model.
To improve the situation we have implemented the DANE/TLSA protocol. Unfortunately browser integration is not yet done, nevertheless this feature is available as plugins.
Because it's quite inconvenient to setup for non-technical users and because it makes our life difficult to communicate and exchange with external persons through our infrastructure, we decided to trust Let's Encrypt to generate certificates for certain services. The root of the problem is not solved but at least the validation process is sound and open. It is also automated, using Free Softwares, so we can handle certificate management by ourselves.
Non-web and critical services use our CA. You can download the CA's certificate and check it against our administrators' signatures (if you trust them):