Andrew Lytvynov

I'll mark this as done, based on a few confirmations above.

@derpda the default change only applies to new installs. When you update from 1.66.3 (or older) to 1.66.4, the `--stateful-filtering` value has already been set and does not revert to...

@Boerny41 if you start a brand new tailscale instance inside of the container, stateful filtering is false by default. If you have an existing instance, you can run `tailscale set...

@reuben stateful filtering only applies on the machine where requests originate from - in this case that's the host running the docker container and not the k8s service or operator....

The error is coming from this action trying to download the tailscale package from `pkgs.tailscale.com`: https://github.com/tailscale/github-action/blob/main/action.yml#L83. So, something is blocking the traffic to `pkgs.tailscale.com` after the initial node was set...

> I am a bit surprised though: when the DNS server is not accessible I would've expected the fallback DNS servers (Google's DNS servers in my case) to be used...

@seanmcne could you try setting up a new node outside of github actions with `tag:ci` and `--accept-routes`, and see if `curl -v https://pkgs.tailscale.com` works there? It may be a similar...

@Vlaaaaaaad I think it's a separate issue: when you have multiple global nameservers (not split DNS), the query should time out faster and fall back to other configured nameservers.

Turns out we can only seal up to 128 bytes with a TPM. I'm going to change this up to allow storing data larger than that limitation, probably using some...

Ok, switched to doing symmetric encryption instead. PTAL!