rawlinp opened a new pull request #4409: Optimize TR DNSSEC zone re-signing
URL: https://github.com/apache/trafficcontrol/pull/4409

## What does this PR (Pull Request) do?

If `dnssec.zone.diffing.enabled`, compare the previously generated zone to the newly generated zone. If the only thing different is the SOA record's serial number, just reuse the existing zone instead of signing a new zone. This drastically reduces the amount of CPU time it takes to process new snapshots or new DNSSEC keys, because only the zones that have actually changed will be re-signed and re-primed.

- [x] This PR is not related to any Issue

## Which Traffic Control components are affected by this PR?

- Documentation
- Traffic Router

## What is the best way to verify this PR?

1. Run the TR unit tests: `mvn clean test -Djava.library.path=/usr/local/opt/tomcat-native/lib`
2. _Without_ the new TR profile parameter enabled, snapshot the CDN a few times, verify that TR re-signs all the zones in the CDN every time. You will see INFO log lines like this: `"Signing records, name for first record is <insert name here>"`
3. Enable the new TR profile parameter and snapshot the CDN, verify that TR re-signs all the zones.
4. With the new TR profile parameter now enabled:
   - 4.1. snapshot the CDN with no actual changes from the previous snapshot, verify that TR performs no zone signing.
   - 4.2. remove/add a delivery service from/to an edge, snapshot, and verify that TR performs zone signing for that single zone.

NOTE: with the new TR profile parameter enabled, when TR is _not_ going to re-sign a zone, an INFO log line like the following is printed:

```
"found matching ZoneKey for " + domain + " - copying from current Zone cache into new Zone cache - no re-signing necessary"
```

when TR _is_ going to re-sign a zone, an INFO log line like the following is printed:

```
"new zone for " + domain + " is not equal to the old zone - re-signing necessary"
```

## The following criteria are ALL met by this PR

- [x] This PR includes tests
- [x] This PR includes documentation
- [x] This PR includes an update to CHANGELOG.md
- [x] This PR includes any and all required license headers
- [x] This PR does not include a database migration
- [x] This PR **DOES NOT FIX A SERIOUS SECURITY VULNERABILITY** (see [the Apache Software Foundation's security guidelines](https://www.apache.org/security/) for details)

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

With regards,
Apache Git Services
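
The comparison described in the pull request above, sketched as an added example; it is not part of the PR or of Traffic Router's code. The record layout, the helper names and the `fake_sign` stand-in are assumptions made for illustration, and the zones are constructed sample data.

```python
# Added illustration, not Traffic Router code. Record layout and names are assumptions.
from typing import Callable, Dict, FrozenSet, List, Tuple
Record = Tuple[str, int, str, str]  # (owner, ttl, type, rdata), constructed layout
Cache = Dict[str, Tuple[FrozenSet[Record], str]]  # domain -> (diff key, signed zone)

def zone_key(records: List[Record]) -> FrozenSet[Record]:
    """Order-independent view of an unsigned zone with the SOA serial masked."""
    key = set()
    for owner, ttl, rtype, rdata in records:
        if rtype == "SOA":
            # SOA rdata: mname rname serial refresh retry expire minimum
            fields = rdata.split()
            if len(fields) != 7:
                raise ValueError(f"malformed SOA rdata for {owner}: {rdata!r}")
            fields[2] = "<serial>"
            rdata = " ".join(fields)
        key.add((owner.lower(), ttl, rtype, rdata))
    return frozenset(key)

def build_cache(zones: Dict[str, List[Record]], old: Cache,
                sign: Callable[[str, List[Record]], str]) -> Tuple[Cache, List[str]]:
    """Sign only zones that differ from the cached copy beyond the SOA serial."""
    new, resigned = {}, []
    for domain, records in zones.items():
        key = zone_key(records)
        cached = old.get(domain)
        if cached is not None and cached[0] == key:
            new[domain] = cached  # reuse the signed zone, old serial included
        else:
            new[domain] = (key, sign(domain, records))
            resigned.append(domain)
    return new, resigned

def soa(domain: str, serial: int) -> Record:
    return (domain, 3600, "SOA", f"ns1.{domain} admin.{domain} {serial} 3600 600 604800 30")

def fake_sign(domain: str, records: List[Record]) -> str:
    # Stand-in for DNSSEC signing: tags the zone with its serial so reuse is visible.
    return f"signed:{domain}:{next(r[3].split()[2] for r in records if r[2] == 'SOA')}"

def demo() -> Tuple[List[str], List[str], Cache]:
    a, b = "ds1.example.test.", "ds2.example.test."  # constructed sample zones
    snap1 = {a: [soa(a, 100), (f"edge1.{a}", 60, "A", "192.0.2.10")],
             b: [soa(b, 100), (f"edge1.{b}", 60, "A", "192.0.2.20")]}
    # Next snapshot: every serial bumps, records reorder, only ds2 gains an edge.
    snap2 = {a: [(f"edge1.{a}", 60, "A", "192.0.2.10"), soa(a, 101)],
             b: snap1[b][1:] + [soa(b, 101), (f"edge2.{b}", 60, "A", "192.0.2.21")]}
    cache1, first = build_cache(snap1, {}, fake_sign)
    cache2, second = build_cache(snap2, cache1, fake_sign)
    return first, second, cache2
```

In this sketch a reused zone keeps the serial it was signed with, which is the visible effect of copying the old signed zone instead of signing the new one.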
