1. Describe in detail the process of one encrypted communication, ideally with a diagram.
- One-way encryption: can only encrypt, never decrypt; it extracts a fingerprint (feature code) of the data to guarantee its integrity, as in step 2 of the figure above. One-way algorithms include MD5 and SHA.
- Asymmetric encryption: the public and private keys come as a pair, and the private key must stay on its own machine; data encrypted with the public key can only be decrypted with the matching private key, and vice versa. A digital signature is the fingerprint encrypted with the private key, as in step 3 of the figure above; asymmetric encryption is also used to exchange the symmetric key, as in step 5.
- Symmetric encryption: encryption and decryption use the same key; it is what encrypts the data. The symmetric key is generated as in step 4 of the figure above.
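The exchange described above, carried out end to end with the openssl command line, as an added example that is not part of the original post. Party names (alice = sender, bob = receiver), file names and the message are constructed for the demonstration; both sides run in one temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post: the steps described above carried out with the
# openssl command line in a temporary directory. Party names (alice = sender, bob = receiver)
# and the message are constructed for the demonstration.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Each party owns an RSA key pair; the private key never leaves its owner.
for who in alice bob; do
  (umask 077; openssl genrsa -out "$who.key" 2048 2>/dev/null)
  openssl rsa -in "$who.key" -pubout -out "$who.pub" 2>/dev/null
done
printf 'transfer 100 to account 42\n' > msg.txt   # constructed plaintext

# Signature check used by the receiver: exit 0 only if msg.sig matches file $1 under alice's public key
verify_sig() { openssl dgst -sha256 -verify alice.pub -signature msg.sig "$1" >/dev/null 2>&1; }

# Sender: fingerprint the data (SHA-256) and sign the fingerprint with the sender's private key;
# encrypt the data with a fresh symmetric key; wrap that key (and IV) with the receiver's public key.
sender() {
  openssl dgst -sha256 -sign alice.key -out msg.sig msg.txt
  openssl rand -hex 32 > sym.key                       # AES-256 key, hex
  openssl rand -hex 16 > sym.iv                        # CBC IV, hex
  openssl enc -aes-256-cbc -K "$(cat sym.key)" -iv "$(cat sym.iv)" -in msg.txt -out msg.enc
  cat sym.key sym.iv > sym.plain
  openssl pkeyutl -encrypt -pubin -inkey bob.pub -in sym.plain -out sym.enc
}

# Receiver: unwrap the symmetric key with bob's private key, decrypt the data, verify the signature.
receiver() {
  openssl pkeyutl -decrypt -inkey bob.key -in sym.enc -out sym.rx
  openssl enc -d -aes-256-cbc -K "$(sed -n 1p sym.rx)" -iv "$(sed -n 2p sym.rx)" -in msg.enc -out msg.rx
  verify_sig msg.rx
}

sender
receiver && cmp -s msg.txt msg.rx && echo "decrypted and signature verified: $(cat msg.rx)"
```

Only msg.enc, sym.enc and msg.sig travel between the parties; appending a single byte to the decrypted data makes verify_sig fail, which is the integrity guarantee of step 2 and 3.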
2. Describe the process of creating a private CA and of issuing a certificate for a certificate request sent by a client
- The openssl configuration file is /etc/pki/tls/openssl.cnf; create the files the CA needs:

```
[root@centos CA]# ls
certs  crl  newcerts  private
[root@centos CA]# touch index.txt serial
[root@centos CA]# echo "01" >serial
[root@centos CA]# cat serial
01
[root@centos CA]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 1024)   # CA private key: cakey.pem
Generating RSA private key, 1024 bit long modulus
.++++++
....++++++
```
- CA self-signed certificate:

```
[root@centos CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
```

cacert.pem is the CA certificate; it contains the CA public key.
- Issuing a certificate:

```
[root@localhost tmp]# (umask 077;openssl genrsa -out /tmp/test.key 1024)
Generating RSA private key, 1024 bit long modulus
.++++++
............++++++
e is 65537 (0x10001)
[root@localhost tmp]# openssl req -new -key /tmp/test.key -days 365 -out /tmp/test.csr   # certificate request
[root@localhost tmp]# scp /tmp/test.csr root@192.168.40.128:/tmp/
root@192.168.40.128's password:
test.csr                                      100%  684     0.7KB/s   00:00
[root@centos private]# openssl ca -in /tmp/test.csr -out /tmp/test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
[root@centos CA]# cat index.txt serial
V	170604033819Z		01	unknown	/C=CN/ST=BJ/O=BJorg/OU=BJorg/CN=centos.localhost/emailAddress=admin@bat.com
02
```
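The same CA flow in a temporary directory, followed by the check the steps above leave out: whether the issued certificate actually chains to cacert.pem, and whether an unrelated CA is rejected. This is an added example, not the original post's session; signing uses `openssl x509 -req` as a stand-in for the page's `openssl ca` so that no /etc/pki/CA layout, index.txt or serial file is needed, and the request subject is the one shown in the page's index.txt while the CA subject is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: CA creation, CSR, issuance and verification in a
# temporary directory. "openssl x509 -req" replaces the page's "openssl ca" (no CA directory needed).
set -eu
WORK=$(mktemp -d)
cd "$WORK"
CA_SUBJ='/C=CN/ST=BJ/O=BJorg/OU=BJorg/CN=BJorg private CA'                              # constructed
REQ_SUBJ='/C=CN/ST=BJ/O=BJorg/OU=BJorg/CN=centos.localhost/emailAddress=admin@bat.com'  # from the page

# CA: private key readable only by root (umask in a subshell) and a 10-year self-signed certificate
(umask 077; openssl genrsa -out cakey.pem 2048 2>/dev/null)
openssl req -new -x509 -key cakey.pem -days 3650 -subj "$CA_SUBJ" -out cacert.pem

# Client: its own private key and a certificate signing request; only the CSR is sent to the CA
(umask 077; openssl genrsa -out test.key 2048 2>/dev/null)
openssl req -new -key test.key -subj "$REQ_SUBJ" -out test.csr

# CA: confirm the CSR is signed by the key it carries, then issue test.crt for one year
openssl req -in test.csr -noout -verify 2>/dev/null
openssl x509 -req -in test.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial -days 365 -out test.crt 2>/dev/null

# The check: does certificate $2 chain to CA certificate $1? (exit 0 = yes)
cert_chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# A second, unrelated self-signed CA: a client that trusts only this one must reject test.crt
openssl req -new -x509 -newkey rsa:2048 -nodes -keyout other.key -subj '/CN=unrelated CA' -days 1 -out other.pem 2>/dev/null

cert_chains_to cacert.pem test.crt && echo "test.crt chains to cacert.pem"
cert_chains_to other.pem test.crt || echo "test.crt does not chain to the unrelated CA"
```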
3. Describe the DNS query process and the categories of DNS servers
- DNS: Domain Name System. It uses tcp/53 for zone transfers and udp/53 for queries. The root domain has 13 servers worldwide; below it come the top-level domains (country-code: cn, uk…; generic: org, com, net…; and the reverse domain), then second-level and third-level domains.
- DNS query methods: recursive query (the client requires the DNS server to return the IP for the name directly) and iterative query (usually between DNS servers: when the requested name is not within the zones the server is responsible for, it iterates starting from the root until it obtains the answer).
- DNS query process: Client -> hosts file -> DNS Service -> Local Cache -> DNS Server (recursion) -> Server Cache -> iteration -> other DNS servers
- DNS server categories: master DNS (maintains the zone database for the domain it is authoritative for; the database is maintained by the administrator), slave DNS (obtains a copy of the zone database by zone transfer from the master or from another slave), caching DNS server (caches the records clients have queried; when a record is not cached, the server performs an iterative query), forwarder (when the requested record is not in a zone the server is responsible for, the request is handed to the forwarder, which performs the iterative query).
4. Set up a DNS server responsible for resolving the magedu.com domain (choose host names and IPs yourself)

(1) It must provide forward and reverse resolution for some host names:
```
[root@centos named]# host -t NS magedu.com 192.168.40.128
Using domain server:
Name: 192.168.40.128
Address: 192.168.40.128#53
Aliases: 

magedu.com name server centos.magedu.com.
[root@centos named]# host -t A www.magedu.com 192.168.40.128
Using domain server:
Name: 192.168.40.128
Address: 192.168.40.128#53
Aliases: 

www.magedu.com has address 192.168.50.128
[root@centos named]# host -t MX mail.magedu.com 192.168.40.128
Using domain server:
Name: 192.168.40.128
Address: 192.168.40.128#53
Aliases: 

mail.magedu.com mail is handled by 10 192.168.40.128.magedu.com.
[root@centos named]# host -t CNAME test.magedu.com 192.168.40.128
Using domain server:
Name: 192.168.40.128
Address: 192.168.40.128#53
Aliases: 

test.magedu.com is an alias for www.magedu.com.
[root@centos named]# host -t PTR 192.168.50.128 192.168.40.128
Using domain server:
Name: 192.168.40.128
Address: 192.168.40.128#53
Aliases: 

128.50.168.192.in-addr.arpa domain name pointer test.magedu.com.
[root@centos named]# cat /etc/named.conf
options {
        listen-on port 53 { 192.168.40.128; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursion yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "magedu.com" IN {
        type master;
        file "magedu.com.file";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@centos named]# cat /var/named/magedu.com.file
$TTL 1D
$ORIGIN magedu.com.
@       IN SOA  centos.magedu.com. admin.magedu.com. (
                20168102053     ; serial
                1D              ; refresh
                1H              ; retry
                1W              ; expire
                3H )            ; minimum
        IN NS   centos
mail    IN MX   10 192.168.40.128
centos  IN A    192.168.40.128
mail    IN A    192.168.40.128
www     IN A    192.168.50.128
test1   IN A    192.168.60.128
test    IN CNAME www
[root@centos named]# cat /var/named/50.168.192.arpa.file
$TTL 1D
@       IN SOA  centos.magedu.com. admin.magedu.com. (
                201608102205    ; serial
                1D              ; refresh
                1H              ; retry
                1W              ; expire
                3H )            ; minimum
        IN NS   centos.magedu.com.
128     IN PTR  test.magedu.com.
```
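Two sanity checks worth running on the forward zone above, added here as an example that is not part of the original post: the SOA serial is a 32-bit unsigned integer, and 20168102053 does not fit (its value mod 2^32 is 2988232869); and an MX target must be a host name, not an IP literal, which is why the MX query above answers with 192.168.40.128.magedu.com. The zone text is embedded as a copy of the page's file; the corrected values in the fixed copy (a YYYYMMDDnn serial, MX pointing at the mail host) are my assumption of what was intended.

```shell
#!/bin/sh
# Added example (not from the original post): two checks for a BIND zone file, run against a copy
# of the page's magedu.com zone and against a corrected copy.
ZONE=$(mktemp)
cat > "$ZONE" <<'EOF'
$TTL 1D
$ORIGIN magedu.com.
@       IN SOA  centos.magedu.com. admin.magedu.com. (
                20168102053     ; serial
                1D              ; refresh
                1H              ; retry
                1W              ; expire
                3H )            ; minimum
        IN NS   centos
mail    IN MX   10 192.168.40.128
centos  IN A    192.168.40.128
mail    IN A    192.168.40.128
www     IN A    192.168.50.128
test1   IN A    192.168.60.128
test    IN CNAME www
EOF

# The SOA serial is an unsigned 32-bit integer; print the first numeric token after "SOA".
soa_serial() { awk 'f && $1 ~ /^[0-9]+$/ { print $1; exit } /SOA/ { f = 1 }' "$1"; }
serial_ok()  { [ "$(soa_serial "$1")" -le 4294967295 ]; }

# MX data must name a host; an IPv4 literal is treated as a relative name and gets $ORIGIN appended.
mx_ip_targets() { awk '/[[:space:]]MX[[:space:]]/ && $NF ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/' "$1"; }
mx_ok()         { [ -z "$(mx_ip_targets "$1")" ]; }

# Corrected copy (assumed intent): a serial in YYYYMMDDnn form and the MX pointing at the mail host.
FIXED=$(mktemp)
sed -e 's/20168102053/2016081001/' -e 's/\(MX[[:space:]]*10[[:space:]]*\)192\.168\.40\.128/\1mail/' "$ZONE" > "$FIXED"

for f in "$ZONE" "$FIXED"; do
  serial_ok "$f" || echo "$f: serial $(soa_serial "$f") exceeds 32 bits (wraps to $(( $(soa_serial "$f") % 4294967296 )))"
  mx_ok "$f"     || echo "$f: MX target is an IP literal: $(mx_ip_targets "$f")"
done
```

The wrapped value 2988232869 is exactly the serial the slave's copy shows in part (3) below, so the number a slave compares against is not the one written in the master's file.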
(2) Delegate the subdomain cdn.magedu.com; the subdomain is responsible for resolving the host names within it:
- The parent domain, on top of (1), adds the NS record for the subdomain (plus the A record of the subdomain's name server) and comments out the following line in the parent's /etc/named.conf:

```
//include "/etc/named.root.key";
```

```
        IN NS   centos
cdn.magedu.com.         IN NS   centos.cdn.magedu.com.   ; subdomain name server
centos.cdn.magedu.com.  IN A    192.168.40.130           ; host (glue) record of the subdomain name server
mail    IN MX   10 192.168.40.128
centos  IN A    192.168.40.128
mail    IN A    192.168.40.128
www     IN A    192.168.50.128
test1   IN A    192.168.60.128
test    IN CNAME www
```
- The subdomain server likewise comments out include "/etc/named.root.key"; in its main configuration file, adds a forward zone for the parent domain, and otherwise configures its own zone database file as usual:

```
zone "magedu.com" IN {
        type forward;
        forwarders { 192.168.40.128; };
};
```
- Test:

```
[root@centos ~]# host -t A www.magedu.com 192.168.40.130       # resolve a parent-domain name through the subdomain DNS
Using domain server:
Name: 192.168.40.130
Address: 192.168.40.130#53
Aliases: 

www.magedu.com has address 192.168.50.128
[root@centos ~]# host -t A www.cdn.magedu.com 192.168.40.130   # resolve a host in its own zone through the subdomain DNS
Using domain server:
Name: 192.168.40.130
Address: 192.168.40.130#53
Aliases: 

www.cdn.magedu.com has address 119.20.20.20
[root@centos ~]# host -t A www.cdn.magedu.com 192.168.40.128   # resolve a subdomain name through the parent DNS
Using domain server:
Name: 192.168.40.128
Address: 192.168.40.128#53
Aliases: 

www.cdn.magedu.com has address 119.20.20.20
```
(3) To guarantee high availability of the DNS service, design a solution and write out the detailed implementation process

To make the DNS service highly available, set up one master with several slaves, or one master with one slave. The implementation of one master and one slave follows:
- Assume 192.168.30.128 is the master DNS providing resolution for magedu.com; build the master DNS server:

```
zone "magedu.com" IN {
        type master;
        file "magedu.com.file";
};
[root@centos ~]# cat /var/named/magedu.com.file
$TTL 1D
$ORIGIN magedu.com.
@       IN SOA  centos.magedu.com. admin.magedu.com. (
                20168102053     ; serial
                1D              ; refresh
                1H              ; retry
                1W              ; expire
                3H )            ; minimum
        IN NS   centos
cdn.magedu.com.         IN NS   centos.cdn.magedu.com.
centos.cdn.magedu.com.  IN A    192.168.40.130
mail    IN MX   10 192.168.40.128
centos  IN A    192.168.40.128
mail    IN A    192.168.40.128
www     IN A    192.168.50.128
test1   IN A    192.168.60.128
test    IN CNAME www
```
- Assume 192.168.30.130 is the slave DNS providing resolution for magedu.com; build the slave DNS server:

```
zone "magedu.com" IN {
        type slave;
        masters { 192.168.40.128; };
        file "slaves/slave.magedu.com.file";   // the zone database is downloaded from the master DNS server automatically
};
[root@centos slaves]# ls
slave.magedu.com.file
[root@centos slaves]# cat slave.magedu.com.file
$ORIGIN .
$TTL 86400      ; 1 day
magedu.com              IN SOA  centos.magedu.com. admin.magedu.com. (
                                2988232869 ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                10800      ; minimum (3 hours)
                                )
                        NS      centos.magedu.com.
$ORIGIN magedu.com.
cdn                     NS      centos.cdn
$ORIGIN cdn.magedu.com.
centos                  A       192.168.40.130
$ORIGIN magedu.com.
centos                  A       192.168.40.128
mail                    A       192.168.40.128
                        MX      10 192.168.40.128
test                    CNAME   www
test1                   A       192.168.60.128
www                     A       192.168.50.128
```
- Test using 192.168.40.130:

```
[root@centos slaves]# vim /etc/resolv.conf
[root@centos slaves]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.40.128    # master DNS
nameserver 192.168.40.130    # slave DNS
[root@centos slaves]# host -t A www.magedu.com
www.magedu.com has address 192.168.50.128
[root@centos ~]# service named stop                        # stop the master DNS service
Stopping named:                                            [  OK  ]
[root@centos slaves]# host -t A www.magedu.com
www.magedu.com has address 192.168.50.128
[root@centos slaves]# host -t A www.magedu.com
www.magedu.com has address 192.168.50.128
```
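The failover test above shows that the slave answers while the master is down; what it does not show is whether the slave is still serving the master's current data, which is the condition the setup depends on after every zone change. The check below is an added example, not part of the original post: it compares the SOA serial served by the master and the slave (addresses and zone are the page's, the serial line used in the test is constructed from the slave's dump above, and the live query assumes dig is installed).

```shell
#!/bin/sh
# Added example (not from the original post): check that the slave serves the same SOA serial as
# the master. Addresses and the zone are the page's; "dig" is assumed to be installed for the
# live query, while the parsing and comparison functions can be exercised without the servers.
MASTER=192.168.40.128
SLAVE=192.168.40.130
ZONE=magedu.com

# "dig +short SOA" prints one line: mname rname serial refresh retry expire minimum
serial_from_soa() { awk 'NF >= 7 { print $3; exit }'; }
serial_of() { dig +short +time=2 +tries=1 SOA "$1" "@$2" 2>/dev/null | serial_from_soa; }

# Exit 0 when the serials match, 1 when they differ (transfer pending or failed), 2 when a
# query returned no SOA at all (server down, or the slave's copy has expired).
compare_serials() {
  master_serial=$1; slave_serial=$2
  if [ -z "$master_serial" ] || [ -z "$slave_serial" ]; then echo "no SOA answer"; return 2; fi
  if [ "$master_serial" -eq "$slave_serial" ]; then echo "in sync: serial $master_serial"; return 0; fi
  echo "out of sync: master=$master_serial slave=$slave_serial"; return 1
}

check_replication() { compare_serials "$(serial_of "$ZONE" "$MASTER")" "$(serial_of "$ZONE" "$SLAVE")"; }

# Run with --live against the two servers; without it the functions are only defined.
if [ "${1:-}" = "--live" ]; then check_replication; fi
```

Because a slave only transfers when the master's serial increases, a master edit without a serial bump leaves the two "in sync" by this check while still serving different data, so bump the serial on every change.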
Original article by Snoo; if you repost it, please credit the source: http://www.178linux.com/31955
Comments (1)

Well written and nicely laid out, keep it up