This is an automated email from the ASF dual-hosted git repository.

zrhoffman pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git


The following commit(s) were added to refs/heads/master by this push:
     new 15709f365e Remove dnssec optimization flags from Traffic Router (#7109)
15709f365e is described below

commit 15709f365eff2ea5d13769eb4b158820014a9d45
Author: Srijeet Chatterjee <[email protected]>
AuthorDate: Fri Oct 7 16:57:13 2022 -0600

    Remove dnssec optimization flags from Traffic Router (#7109)
    
    * Remove dnssec optimization flags
    
    * adding changelog
    
    * code review
---
 CHANGELOG.md                                       |  1 +
 docs/source/admin/traffic_router.rst               |  9 ---------
 .../traffic_router/core/dns/SignatureManager.java  | 17 +----------------
 .../traffic_router/core/dns/ZoneManager.java       | 22 ++--------------------
 .../traffic_router/core/router/TrafficRouter.java  |  9 ++++-----
 .../traffic_router/core/CatalinaTrafficRouter.java |  8 --------
 6 files changed, 8 insertions(+), 58 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b6983741ca..0b24e6bba9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@ The format is based on [Keep a 
Changelog](http://keepachangelog.com/en/1.0.0/).
 
 ## [unreleased]
 ### Added
+- [#7109](https://github.com/apache/trafficcontrol/pull/7109) *Traffic Router* 
Removed `dnssec.zone.diffing.enabled` and `dnssec.rrsig.cache.enabled` 
parameters.
 - [#7075](https://github.com/apache/trafficcontrol/pull/7075) *Traffic Portal* 
Added the `lastUpdated` field to all delivery service forms.
 - [#7055](https://github.com/apache/trafficcontrol/issues/7055) *Traffic 
Portal* Made `Clear Table Filters` option visible to the user.
 - [#7024](https://github.com/apache/trafficcontrol/pull/7024) *Traffic 
Monitor* Added logging for `ipv4Availability` and `ipv6Availability` in TM.
diff --git a/docs/source/admin/traffic_router.rst 
b/docs/source/admin/traffic_router.rst
index 21347d0ae1..e5f967753f 100644
--- a/docs/source/admin/traffic_router.rst
+++ b/docs/source/admin/traffic_router.rst
@@ -253,15 +253,6 @@ Much of a Traffic Router's configuration can be obtained 
through the :term:`Para
        
+-----------------------------------------+------------------------------+---------------------------------------------------------------------------------------------------------------------------------------+
        | dnssec.enabled                          | CRConfig.json               
 | Whether DNSSEC is enabled; this parameter is updated via the DNSSEC 
administration user interface in Traffic Portal.                  |
        
+-----------------------------------------+------------------------------+---------------------------------------------------------------------------------------------------------------------------------------+
-       | dnssec.zone.diffing.enabled             | CRConfig.json               
 | If DNSSEC is enabled, enabling this parameter allows Traffic Router to diff 
existing zones with newly generated zones. If the newly   |
-       |                                         |                             
 | generated zone is the same as the existing zone, Traffic Router will simply 
reuse the existing signed zone instead of signing the     |
-       |                                         |                             
 | same new zone. This reduces the CPU time taken to process new snapshots and 
new DNSSEC keys. Defaults to "false".                     |
-       |                                         |                             
 | NOTE: this may be removed in favor of the ``dnssec.rrsig.cache.enabled`` 
setting in a future release.                                 |
-       
+-----------------------------------------+------------------------------+---------------------------------------------------------------------------------------------------------------------------------------+
-       | dnssec.rrsig.cache.enabled              | CRConfig.json               
 | If DNSSEC is enabled, enabling this parameter allows Traffic Router to cache 
RRSIG records for reuse during DNSSEC signing.           |
-       |                                         |                             
 | This greatly reduces the CPU time taken to sign DNS zones. Defaults to 
"false".                                                       |
-       |                                         |                             
 | NOTE: this may supersede the ``dnssec.zone.diffing.enabled`` setting in a 
future release.                                             |
-       
+-----------------------------------------+------------------------------+---------------------------------------------------------------------------------------------------------------------------------------+
        | dnssec.allow.expired.keys               | CRConfig.json               
 | Allow Traffic Router to use expired DNSSEC keys to sign zones; default is 
"true". This helps prevent DNSSEC related outages due to    |
        |                                         |                             
 | failed Traffic Control components or connectivity issues.                    
                                                         |
        
+-----------------------------------------+------------------------------+---------------------------------------------------------------------------------------------------------------------------------------+
diff --git 
a/traffic_router/core/src/main/java/org/apache/traffic_control/traffic_router/core/dns/SignatureManager.java
 
b/traffic_router/core/src/main/java/org/apache/traffic_control/traffic_router/core/dns/SignatureManager.java
index 803f38226b..696708bd56 100644
--- 
a/traffic_router/core/src/main/java/org/apache/traffic_control/traffic_router/core/dns/SignatureManager.java
+++ 
b/traffic_router/core/src/main/java/org/apache/traffic_control/traffic_router/core/dns/SignatureManager.java
@@ -58,7 +58,6 @@ public final class SignatureManager {
        private CacheRegister cacheRegister;
        private static ConcurrentMap<RRSIGCacheKey, ConcurrentMap<RRsetKey, 
RRSIGRecord>> RRSIGCache = new ConcurrentHashMap<>();
        private static final Object RRSIGCacheLock = new Object(); // to ensure 
that the RRSIGCache is totally empty if disabled
-       private boolean RRSIGCacheEnabled = false;
        private static ScheduledExecutorService keyMaintenanceExecutor;
        private TrafficOpsUtils trafficOpsUtils;
        private boolean dnssecEnabled = false;
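Review bot: The comment on the `RRSIGCacheLock` context line still says the lock exists "to ensure that the RRSIGCache is totally empty if disabled", but this commit removes the only way to disable the cache. The one `synchronized (RRSIGCacheLock)` block visible in this diff is deleted together with `setRRSIGCacheEnabled`, so the lock may now be unused. If other uses remain outside these hunks, reword the comment to say what the lock guards; otherwise drop the field. With the reassignment gone, `RRSIGCache` can probably become `private static final` as well, provided nothing else in the class reassigns it.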
@@ -73,7 +72,6 @@ public final class SignatureManager {
                this.setCacheRegister(cacheRegister);
                this.setTrafficOpsUtils(trafficOpsUtils);
                this.setZoneManager(zoneManager);
-               setRRSIGCacheEnabled(cacheRegister.getConfig());
                initKeyMap();
        }
 
@@ -83,19 +81,6 @@ public final class SignatureManager {
                }
        }
 
-       private void setRRSIGCacheEnabled(final JsonNode config) {
-               RRSIGCacheEnabled = JsonUtils.optBoolean(config, 
TrafficRouter.DNSSEC_RRSIG_CACHE_ENABLED, false);
-               if (!RRSIGCacheEnabled) {
-                       synchronized (RRSIGCacheLock) {
-                               RRSIGCache = new ConcurrentHashMap<>();
-                       }
-               }
-       }
-
-       private boolean isRRSIGCacheEnabled() {
-               return this.RRSIGCacheEnabled;
-       }
-
        private void initKeyMap() {
                synchronized(SignatureManager.class) {
                        final JsonNode config = cacheRegister.getConfig();
@@ -508,7 +493,7 @@ public final class SignatureManager {
                                final ZoneSigner zoneSigner = new 
ZoneSignerImpl();
 
                                signedRecords = zoneSigner.signZone(records, 
kskPairs, zskPairs, start.getTime(),
-                                               signatureExpiration.getTime(), 
isRRSIGCacheEnabled() ? RRSIGCache : null);
+                                               signatureExpiration.getTime(), 
RRSIGCache);
 
                                
zoneKey.setMinimumSignatureExpiration(signedRecords, signatureExpiration);
                                zoneKey.setKSKExpiration(kskExpiration);
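Review bot: Passing `RRSIGCache` unconditionally here removes the only way visible in this diff for an operator to flush cached signatures; previously, setting `dnssec.rrsig.cache.enabled` to false replaced the map with an empty one. `RRSIGCache` is a static map and no eviction is visible in this diff, so confirm that entries for retired or replaced keys are pruned elsewhere. Also confirm that `RRSIGCacheKey` is derived from the signing key, so a key rollover cannot be answered with signatures made by the old key. A comment at the call such as `// RRSIG cache is always on; stale entries are pruned in <method-name placeholder>` would record where that happens. The enclosing method starts and ends outside the hunk.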
diff --git 
a/traffic_router/core/src/main/java/org/apache/traffic_control/traffic_router/core/dns/ZoneManager.java
 
b/traffic_router/core/src/main/java/org/apache/traffic_control/traffic_router/core/dns/ZoneManager.java
index d1a2c9a44e..d1a27ef025 100644
--- 
a/traffic_router/core/src/main/java/org/apache/traffic_control/traffic_router/core/dns/ZoneManager.java
+++ 
b/traffic_router/core/src/main/java/org/apache/traffic_control/traffic_router/core/dns/ZoneManager.java
@@ -103,7 +103,6 @@ public class ZoneManager extends Resolver {
        private final TrafficRouter trafficRouter;
        private static LoadingCache<ZoneKey, Zone> dynamicZoneCache = null;
        private static LoadingCache<ZoneKey, Zone> zoneCache = null;
-       private static ConcurrentMap<String, ZoneKey> domainsToZoneKeys = new 
ConcurrentHashMap<>();
        private static ScheduledExecutorService zoneMaintenanceExecutor = null;
        private static ExecutorService zoneExecutor = null;
        private static final int DEFAULT_PRIMER_LIMIT = 500;
@@ -177,7 +176,7 @@ public class ZoneManager extends Resolver {
 
                        final ConcurrentMap<String, ZoneKey> 
newDomainsToZoneKeys = new ConcurrentHashMap<>();
 
-                       if (tr.isDnssecZoneDiffingEnabled()) {
+                       if (tr.isDnssecEnabled()) {
                                if (ZoneManager.dynamicZoneCache == null || 
ZoneManager.zoneCache == null) {
                                        initZoneDirectory();
                                } else {
@@ -219,8 +218,6 @@ public class ZoneManager extends Resolver {
                                LOGGER.info("old static zone cache size: " + 
oldZCSize + ", new static zone cache size: " + zc.size() +
                                                ", old dynamic zone cache size: 
" + oldDCZSize + ", new dynamic zone cache size: " + dzc.size());
 
-                               ZoneManager.domainsToZoneKeys = 
newDomainsToZoneKeys;
-
                                if (tze != null) {
                                        tze.shutdownNow();
                                }
@@ -511,23 +508,8 @@ public class ZoneManager extends Resolver {
                generationTasks.add(() -> {
                        try {
                                final ZoneKey newZoneKey = 
signatureManager.generateZoneKey(name, list);
-                               if (tr.isDnssecZoneDiffingEnabled() && 
domainsToZoneKeys.containsKey(domain)) {
-                                       final ZoneKey oldZoneKey = 
domainsToZoneKeys.get(domain);
-                                       if 
(zonesAreEqual(newZoneKey.getRecords(), oldZoneKey.getRecords())) {
-                                               final Zone oldZone = 
ZoneManager.zoneCache.getIfPresent(oldZoneKey);
-                                               if (oldZone != null) {
-                                                       LOGGER.info("found 
matching ZoneKey for " + domain + " - copying from current Zone cache into new 
Zone cache - no re-signing necessary");
-                                                       zc.put(oldZoneKey, 
oldZone);
-                                                       
newDomainsToZoneKeys.put(domain, oldZoneKey);
-                                                       return;
-                                               }
-                                               LOGGER.warn("found matching 
ZoneKey for " + domain + " but the Zone was not found in the Zone cache");
-                                       } else {
-                                               LOGGER.info("new zone for " + 
domain + " is not equal to the old zone - re-signing necessary");
-                                       }
-                               }
                                final Zone zone = zc.get(newZoneKey); // cause 
the zone to be loaded into the new cache
-                               if (tr.isDnssecZoneDiffingEnabled()) {
+                               if (tr.isDnssecEnabled()) {
                                        newDomainsToZoneKeys.put(domain, 
newZoneKey);
                                }
                                final CacheRegister data = 
tr.getCacheRegister();
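Review bot: `newDomainsToZoneKeys.put(domain, newZoneKey)` is now a dead write as far as this diff shows, because the map was only consumed by the removed diffing branch and by the removed `ZoneManager.domainsToZoneKeys = newDomainsToZoneKeys` assignment. If nothing outside these hunks reads it, delete the `if (tr.isDnssecEnabled()) { ... }` block here together with the `newDomainsToZoneKeys` local declared in the earlier hunk, rather than populating and discarding a per-domain map on every snapshot. `zonesAreEqual` also loses its only visible caller and may be removable. The lambda continues past the end of the hunk.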
diff --git 
a/traffic_router/core/src/main/java/org/apache/traffic_control/traffic_router/core/router/TrafficRouter.java
 
b/traffic_router/core/src/main/java/org/apache/traffic_control/traffic_router/core/router/TrafficRouter.java
index b9a9da33d6..c847bb66fb 100644
--- 
a/traffic_router/core/src/main/java/org/apache/traffic_control/traffic_router/core/router/TrafficRouter.java
+++ 
b/traffic_router/core/src/main/java/org/apache/traffic_control/traffic_router/core/router/TrafficRouter.java
@@ -105,7 +105,6 @@ public class TrafficRouter {
         * Diversity").
         */
        public static final String DNSSEC_ENABLED = "dnssec.enabled";
-       public static final String DNSSEC_ZONE_DIFFING = 
"dnssec.zone.diffing.enabled";
        public static final String DNSSEC_RRSIG_CACHE_ENABLED = 
"dnssec.rrsig.cache.enabled";
        public static final String STRIP_SPECIAL_QUERY_PARAMS = 
"strip.special.query.params";
        private static final long DEFAULT_EDGE_NS_TTL = 3600;
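Review bot: `DNSSEC_RRSIG_CACHE_ENABLED` is left in place on the context line, although its only visible reader, `SignatureManager.setRRSIGCacheEnabled`, is removed by this commit and the CHANGELOG entry lists the parameter as removed. Delete it alongside `DNSSEC_ZONE_DIFFING`. If external code may still reference the public constant, mark it `@Deprecated` instead, with a Javadoc line saying the parameter is now ignored.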
@@ -118,7 +117,7 @@ public class TrafficRouter {
        private final AnonymousIpDatabaseService anonymousIpService;
        private final FederationRegistry federationRegistry;
        private final boolean consistentDNSRouting;
-       private final boolean dnssecZoneDiffingEnabled;
+       private final boolean dnssecEnabled;
        private final boolean stripSpecialQueryParamsEnabled;
        private final boolean edgeDNSRouting;
        private final boolean edgeHTTPRouting;
@@ -155,7 +154,7 @@ public class TrafficRouter {
                this.anonymousIpService = anonymousIpService;
                this.federationRegistry = federationRegistry;
                this.stripSpecialQueryParamsEnabled = 
JsonUtils.optBoolean(cr.getConfig(), STRIP_SPECIAL_QUERY_PARAMS);
-               this.dnssecZoneDiffingEnabled = 
JsonUtils.optBoolean(cr.getConfig(), DNSSEC_ENABLED) && 
JsonUtils.optBoolean(cr.getConfig(), DNSSEC_ZONE_DIFFING);
+               this.dnssecEnabled = JsonUtils.optBoolean(cr.getConfig(), 
DNSSEC_ENABLED);
                this.consistentDNSRouting = 
JsonUtils.optBoolean(cr.getConfig(), "consistent.dns.routing"); // 
previous/default behavior
                this.edgeDNSRouting =  JsonUtils.optBoolean(cr.getConfig(), 
"edge.dns.routing") && cr.hasEdgeTrafficRouters();
                this.edgeHTTPRouting = JsonUtils.optBoolean(cr.getConfig(), 
"edge.http.routing") && cr.hasEdgeTrafficRouters();
@@ -1924,8 +1923,8 @@ public class TrafficRouter {
                return consistentDNSRouting;
        }
 
-       public boolean isDnssecZoneDiffingEnabled() {
-               return dnssecZoneDiffingEnabled;
+       public boolean isDnssecEnabled() {
+               return dnssecEnabled;
        }
 
        private List<Cache> enforceGeoRedirect(final Track track, final 
DeliveryService ds, final String clientIp, final Geolocation 
queriedClientLocation, final IPVersions requestVersion) {
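Review bot: `isDnssecEnabled()` is a public accessor without Javadoc, and its value is fixed at construction because `dnssecEnabled` is a final field assigned from `cr.getConfig()` in the constructor hunk. I would add `/** Returns whether {@code dnssec.enabled} was set in the config this instance was constructed with. */` so callers do not expect it to follow later config changes. `SignatureManager` keeps its own `dnssecEnabled` field; whether the two can disagree is not visible here and is worth a check. The `enforceGeoRedirect` body after the getter lies outside the hunk.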
diff --git 
a/traffic_router/core/src/test/java/org/apache/traffic_control/traffic_router/core/CatalinaTrafficRouter.java
 
b/traffic_router/core/src/test/java/org/apache/traffic_control/traffic_router/core/CatalinaTrafficRouter.java
index 4e9ffc68a4..0f75db95e8 100644
--- 
a/traffic_router/core/src/test/java/org/apache/traffic_control/traffic_router/core/CatalinaTrafficRouter.java
+++ 
b/traffic_router/core/src/test/java/org/apache/traffic_control/traffic_router/core/CatalinaTrafficRouter.java
@@ -49,20 +49,12 @@ public class CatalinaTrafficRouter {
 
                // Override the port and app base property of server.xml
                StandardService trafficRouterService = (StandardService) 
catalina.getServer().findService("traffic_router_core");
-
-               List<Connector> secureConnectorList = 
Arrays.stream(trafficRouterService.findConnectors()).filter(k -> 
k.getAttribute("portAttribute").equals("SecureApiPort")).collect(Collectors.toList());
-               boolean hasHttpsPort = secureConnectorList.size() > 0;
-               int securePort = hasHttpsPort ? 
secureConnectorList.get(0).getPort() : 0;
-               int apiPort = 
Arrays.stream(trafficRouterService.findConnectors()).filter(k -> 
k.getAttribute("portAttribute").equals("ApiPort")).collect(Collectors.toList()).get(0).getPort();
-
                Connector[] connectors = trafficRouterService.findConnectors();
                for (Connector connector : connectors) {
                        if (connector.getPort() == 80) {
                                
connector.setPort(Integer.parseInt(System.getProperty("routerHttpPort", 
"8888")));
                        }
 
-                       SocketUtils.findAvailableTcpPort();
-
                        if (connector.getPort() == 443) {
                                
connector.setPort(Integer.parseInt(System.getProperty("routerSecurePort", 
"8443")));
                        }
