On Sat, 12 May 2018 04:50:29 +0000 Matthew Finkel matthew.finkel@gmail.com wrote:
But isn't that what the subject line says? And the original email contains:
The goal is to be bellow the following thresholds within one year: not have any single remoteAS entity control more than 10% exit capacity reduce the overall remoteAS share to bellow 20% exit capacity
The subject line I think does effectively say to not use them as fallbacks, but indirectly. It requires some inferring by the relay operator and so it's easy for an operator to arrive at a different conclusion. The text you quoted immediately above (and the medium.com post) I think is not clear about this at all; it talks about an entity "controlling" dns traffic. If google's dns is set as a fallback, does google "control" my exit's dns traffic? The answer to that seems subjective to me; or if objective, then at least not obvious for the casual operator.
The email and the guide page says to "not use" those dns services, but it tends to frame the issue as an either-or decision. That is, you guys are telling relay operators e.g. "if you have your resolv.conf set to google's dns, you should instead point to localhost and set up unbound". What if I just have google's dns as a fallback; does that count as "using" it? IMO, the text doesn't (explicitly) say. You can argue that the relay operator should infer that this does count, but if it was explicitly spelled out, there is less room for error. (The list of relays of course is one way of very explicitly spelling this out, by identifying problematic relays. That's the only way I found out that I was considered using google's dns.) It also would make it clear that trying to make dns resolution more "robust" (by providing fallbacks) is not considered by you to be worth the privacy implications of using those resolvers.
An operator may think they're not "using" google's dns because they're pointed at localhost first, and their local resolver is working, so they shouldn't normally be using the fallback so it doesn't matter. Obviously that's not true, otherwise such relays wouldn't be identified in that list :) I imagine it's not _as_ bad as depending on google's dns first, but maybe that is an insignificant difference.
I don't mean to make a big deal about this; I'm just trying to explain some of what was going through my head when reading this stuff. "Fixing" it can be very simple, like just adding a small phrase like "don't use these, even as a fallback" or "don't mention anywhere in resolv.conf", like you said.