-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hello. I contacted an exit operator who had BadExit flags on the same host that I run an exit on and we discussed possible reasons for this. Eventually, we jointly set up a new relay on that host and I configured it exactly as I had configured my own relay, and it still obtained the BadExit flag. So far, these are the exact steps I took to configure it: - Unbound is configured to use a second, clean IPv4 - sysctls are tweaked to ensure conntrack does not drop connections - torrc is configured with safe, sensible exit defaults And it still obtained a BadExit flag. We had discussed whether there was a possibility that his family was "tainted" and somehow the BadExit flag was being applied to new exits on his relay family, but starting up a new relay unrelated to his did not help. We tried disabling Unbound and instead using a popular upstream DNS resolver, but that did not prevent a BadExit from being issued either. What other troubleshooting steps are suggested? The provider does not censor or block anything, and I have been successfully running an exit on their infrastructure for more than a month, but when he sets one up, even if he configures it identically to the way I configure mine, it receives a BadExit flag within a matter of days. The criteria for issuing the BadExit flag do not seem very clear. Since it is not a flag intended to be issued to malicious exits, I would like to understand the exact criteria for being issued a BadExit, beyond the vague explanations that I can find on the Gitlab. Note that I am only asking about the automated flag, not about the (potentially sensitive) policies behind determining whether or not a relay is malicious and should be manually excluded from the consensus. Regards, forest -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEvLrj6cuOL+I/KdxYBh18rEKN1gsFAmkmGG8ACgkQBh18rEKN 1guZhxAAxUFcZm1SuoCO5OOST915LtPPmZ6mizq+NUfS3tPoJj6zKRd/grZJYIRj TZzw7JqK62ajtMJLQcLLKuMNMHYZmzr0DP8jVo/JAoh/rcGIqXL+jWIupDDxIQG7 Mf25OF6OrhNb23HTwrudJIiM/PFH6Yyoj0hlDBxpSu3IcopP9xxPwPKYXQjgaZEx mJPpbTb86vrs1TmBQ7C7W6pBoq6zOtne2NfqC6SJ1UNpk/dYxQnknuFYLDeaSPdz qNkh/h2Ua0a0ASGswxTRatd2epkDKrJHoVJ5t/WBPnzPOUJdo6D26oLr1bKzSTM1 +nKkd5ws5b2d8Fi+FQk7LbgiLBSdGAIFL3bBL3FD5ERE+1LkOTaOs9wR0dlIFNRV 4draROjsgfYIw0LavO+O8EEbS5R5xyf5RNIueNMpqbV/IGhoYLYUUfdqITB1swHr jFaEUoNIFAvBS1qp+9ApjmQJ/J2CiPZJ7Su73v6vA9Qq6Amv3ruMK+w5sqO1BpFB V9L/pr/ZB3619SyqMVN2e+M58xDumwwMTHK1AVIGHZLlff5VYR4rBtqXR1T0qPKl AdliLh39C+oBFD0q+12tbucjjJjg8LiiZfo7KReZDpN78zJWxtR+Z57/XfXYDqJd 9FDJdYAm4qLa9wEzAUslEdrfGnokYJQQcI07eNqPFgnl4B80V4I= =N2Ia -----END PGP SIGNATURE-----