On 11/9/18 12:43 AM, teor wrote:
- If you reject enough IP addresses in your exit policy:
If your exit blocks enough /8 networks, then its exit policy summary becomes reject all.
If the exit policy summary is too long, then it is truncated to a list of accept ports. (That doesn't seem to have happened here.)
Separately, if your exit doesn't exit to at least one /8 on ports 80 and 443, it loses the Exit flag: https://gitweb.torproject.org/torspec.git/tree/dir-spec.txt#n2531
I ran the relays as non-exits overnight, kicked off a bunch of rather rarely used ports together with a few */8 networks this morning and restarted both - the issue is now gone here AFAICT.
Thx for the hints (I'm still watching the DNSSEC traffic here).
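
An added example, not part of the original thread and not Tor's own code: a small checker for the Exit-flag condition quoted above, read here as "for each of ports 80 and 443, at least one whole /8 is accepted". Assumptions: IPv4 only, first matching rule wins, unmatched traffic counts as rejected, private ranges are not special-cased, and the policy strings are constructed samples.

```python
import ipaddress

def parse_policy(text):
    """Parse 'accept|reject ADDR[/MASK]:PORT' lines into (accept, net, lo, hi)."""
    rules = []
    for line in text.strip().splitlines():
        action, target = line.split()
        addr, _, ports = target.rpartition(":")
        net = ipaddress.ip_network("0.0.0.0/0" if addr == "*" else addr, strict=False)
        if ports == "*":
            lo, hi = 1, 65535
        else:
            lo, _, hi = ports.partition("-")
            lo, hi = int(lo), int(hi or lo)
        rules.append((action == "accept", net, lo, hi))
    return rules

def slash8_allowed(rules, first_octet, port):
    """True if all of first_octet.0.0.0/8 is accepted on this port."""
    block = ipaddress.ip_network(f"{first_octet}.0.0.0/8")
    for accept, net, lo, hi in rules:
        if not (lo <= port <= hi) or not net.overlaps(block):
            continue
        if block.subnet_of(net):   # rule covers the whole /8, so it decides
            return accept
        if not accept:             # narrower reject carves a hole in this /8
            return False
    return False                   # assumption: no matching rule means reject

def exit_flag_eligible(rules):
    """For each of ports 80 and 443, some /8 must be fully accepted."""
    return all(any(slash8_allowed(rules, octet, port) for octet in range(256))
               for port in (80, 443))

# Constructed sample policies (not taken from any real relay).
GENERAL = "reject 10.0.0.0/8:*\naccept *:80\naccept *:443\nreject *:*"
WEB_80_ONLY = "accept *:80\nreject *:*"
NARROW = "accept 192.0.2.0/24:80\naccept 192.0.2.0/24:443\nreject *:*"
HOLE = "reject 8.8.0.0/16:*\naccept *:*"

if __name__ == "__main__":
    for name in ("GENERAL", "WEB_80_ONLY", "NARROW", "HOLE"):
        print(name, exit_flag_eligible(parse_policy(globals()[name])))
```

Running a draft policy through a check like this before restarting shows whether trimming ports or /8 networks would drop the relay below the condition.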