1. Describe in detail the process of one encrypted communication, ideally with a diagram.
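The exchange that the answer below describes, carried out with the openssl command line, as an added example that is not part of the original post. The function names (setup_keys, bob_sign, encrypt_and_wrap, alice_receive, run_demo, run_tamper_demo), the file names, the temporary directory and the 2048-bit key size are assumptions made for this demo; the sample message is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: the Bob -> Alice exchange of question 1 done
# with the openssl command line. The function names, file names, temporary directory and
# key sizes are assumptions made for this demo.
set -e

WORK="$(mktemp -d)"
SIG_LEN=256   # byte length of a signature made with a 2048-bit RSA key

setup_keys() {
    # each party owns a key pair; only the public halves are exchanged beforehand
    openssl genrsa -out "$WORK/bob.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/bob.key" -pubout -out "$WORK/bob.pub" 2>/dev/null
    openssl genrsa -out "$WORK/alice.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/alice.key" -pubout -out "$WORK/alice.pub" 2>/dev/null
}

# Sender steps 1-2: hash the data (SHA-256) and sign that digest with Bob's private key.
bob_sign() {
    printf 'constructed sample message for the demo\n' > "$WORK/data.txt"
    openssl dgst -sha256 -sign "$WORK/bob.key" -out "$WORK/data.sig" "$WORK/data.txt"
}

# Sender steps 3-4: fresh one-time session key and IV, data||signature encrypted with
# AES-256-CBC, and the session key wrapped with Alice's public key.
# Arguments: data file, signature file.
encrypt_and_wrap() {
    openssl rand -hex 32 > "$WORK/session.key"
    openssl rand -hex 16 > "$WORK/session.iv"
    cat "$1" "$2" > "$WORK/bundle"
    openssl enc -aes-256-cbc -K "$(cat "$WORK/session.key")" \
        -iv "$(cat "$WORK/session.iv")" -in "$WORK/bundle" -out "$WORK/bundle.enc"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/alice.pub" \
        -in "$WORK/session.key" -out "$WORK/session.key.enc"
    # what travels to Alice: bundle.enc, session.key.enc and session.iv (the IV is not secret)
}

bob_send() {
    bob_sign
    encrypt_and_wrap "$WORK/data.txt" "$WORK/data.sig"
}

# Receiver steps 1-5; prints VERIFIED or TAMPERED.
alice_receive() {
    # step 1: unwrap the session key with Alice's private key
    openssl pkeyutl -decrypt -inkey "$WORK/alice.key" \
        -in "$WORK/session.key.enc" -out "$WORK/session.key.rx"
    # step 2: decrypt data||signature and split the two parts
    openssl enc -d -aes-256-cbc -K "$(cat "$WORK/session.key.rx")" \
        -iv "$(cat "$WORK/session.iv")" -in "$WORK/bundle.enc" -out "$WORK/bundle.rx"
    total=$(wc -c < "$WORK/bundle.rx")
    head -c $((total - SIG_LEN)) "$WORK/bundle.rx" > "$WORK/data.rx"
    tail -c "$SIG_LEN" "$WORK/bundle.rx" > "$WORK/data.sig.rx"
    # steps 3-5: openssl recovers the signed digest with Bob's public key, recomputes the
    # digest of the received data and compares the two
    if openssl dgst -sha256 -verify "$WORK/bob.pub" -signature "$WORK/data.sig.rx" \
        "$WORK/data.rx" >/dev/null 2>&1; then
        echo VERIFIED
    else
        echo TAMPERED
    fi
}

run_demo() {
    setup_keys
    bob_send
    alice_receive
}

# Anyone can choose a session key and wrap it with Alice's public key, so the encryption
# layer alone says nothing about who sent the data; swapping the data while reusing Bob's
# signature is exactly what the digest comparison in step 5 catches.
run_tamper_demo() {
    printf 'altered message\n' > "$WORK/altered.txt"
    encrypt_and_wrap "$WORK/altered.txt" "$WORK/data.sig"
    alice_receive
}

run_demo
run_tamper_demo
```

The first run prints VERIFIED, the second TAMPERED: confidentiality comes from the wrapped session key, but origin and integrity come only from Bob's signature over the digest, which is why the answer has Alice recompute the digest and compare rather than just decrypt.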
Sender: Bob
1. Use a one-way hash to produce the data's fingerprint (digest)
2. Encrypt the fingerprint with his own private key and append it to the data
3. Generate a temporary session key with a symmetric encryption algorithm and encrypt the fingerprint and the data with it
4. Encrypt the temporary session key with Alice's public key and append it to the data
Receiver: Alice
1. Use her own private key to recover the temporary session key
2. Use the temporary session key to recover the fingerprint and the data
3. Decrypt the fingerprint with Bob's public key
4. Compute the data's fingerprint with the same one-way hash
5. Compare this fingerprint with the one obtained in step 3; if they match, the data is proven intact
2. Describe the process of creating a private CA and issuing certificates for the certificate requests sent by clients.
(1) Creating the private CA:
Steps:
(1) Generate the private key;
~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
(2) Generate the self-signed certificate;
~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
-new: generate a new certificate signing request;
-x509: generate a certificate in self-signed form; used only when creating a private CA;
-key: path to the private key file used to generate the request;
-out: path of the generated request file; for a self-signed operation this directly produces the signed certificate;
-days: validity period of the certificate, in days;
(3) Provide the directories and files the CA needs;
~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
~]# touch /etc/pki/CA/{serial,index.txt}
~]# echo 01 > /etc/pki/CA/serial
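Steps (1)-(3) above carried through to signing a request and verifying the issued certificate, as an added example that is not part of the original post. It mirrors the /etc/pki/CA layout under a temporary CA_DIR so it can be run anywhere; the minimal ca.cnf, the subject names, the extension sections (v3_ca, server_cert), the 2048-bit key size and the function names are demo assumptions rather than anything the page specifies.

```shell
#!/bin/sh
# Added example (not from the original post): steps (1)-(3) above carried through to
# signing a request and verifying the issued certificate. Everything lives under a
# temporary CA_DIR instead of /etc/pki/CA; the config file, subject names, extension
# sections and function names are demo assumptions, and 2048-bit keys keep it quick.
set -e

CA_DIR="$(mktemp -d)/CA"

# Minimal stand-in for the [ ca ] part of the distribution's openssl.cnf, pointing at the
# same directory layout the page creates under /etc/pki/CA.
write_ca_config() {
    cat > "$CA_DIR/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir           = $CA_DIR
certs         = \$dir/certs
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_any

[ policy_any ]
commonName       = supplied
organizationName = optional
emailAddress     = optional

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.magedu.com
EOF
}

create_ca() {
    mkdir -p "$CA_DIR/private" "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/newcerts"
    : > "$CA_DIR/index.txt"        # empty CA database (truncated so the demo can be rerun)
    echo 01 > "$CA_DIR/serial"
    write_ca_config
    # step (1): the CA private key, created readable only by its owner
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    # step (2): self-signed CA certificate, explicitly marked CA:TRUE
    openssl req -new -x509 -key "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" \
        -days 3655 -subj "/CN=Demo Private CA" -config "$CA_DIR/ca.cnf" \
        -extensions v3_ca >/dev/null 2>&1
}

# The requesting host's side (part (2) of the answer): private key plus CSR.
make_csr() {
    (umask 077; openssl genrsa -out "$CA_DIR/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$CA_DIR/httpd.key" -out "$CA_DIR/httpd.csr" \
        -subj "/CN=www.magedu.com" -config "$CA_DIR/ca.cnf" >/dev/null 2>&1
}

# The CA's side: sign the request. This appends a "V" line to index.txt, advances serial
# and keeps a copy of the certificate as newcerts/<serial>.pem.
sign_csr() {
    openssl ca -batch -config "$CA_DIR/ca.cnf" -extensions server_cert -days 365 \
        -in "$CA_DIR/httpd.csr" -out "$CA_DIR/certs/httpd.crt" >/dev/null 2>&1
}

# Chain check the way a client would do it; prints OK or FAIL.
verify_cert() {
    if openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/certs/httpd.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Number of valid ("V") entries recorded in the CA database.
issued_count() {
    grep -c '^V' "$CA_DIR/index.txt" || true
}

run_demo() {
    create_ca
    make_csr
    sign_csr
    verify_cert
}

run_demo
openssl x509 -in "$CA_DIR/certs/httpd.crt" -noout -serial -subject
```

Two points the page's commands rely on the distribution config for: serial and index.txt are the CA's database, so "echo 01 > serial" only belongs in the initial setup and must never be repeated on a live CA, and a certificate for a web server should carry the host name in subjectAltName, which is why the demo passes an extension section at signing time.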
(2) Client certificate request
Steps (using httpd as the example):
(1) Generate a private key on the host that will use the certificate;
~]# mkdir /etc/httpd/ssl
~]# cd /etc/httpd/ssl
~]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
(2) Generate the certificate signing request
~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
(3) Send the request to the CA host through a reliable channel;
(4) Sign the certificate on the CA host;
~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
View the information in the certificate:
~]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject
3. Describe the DNS query process and the categories of DNS servers.
The flow of one complete query request:
Client --> hosts file --> DNS local cache --> DNS server (recursion) --> zone the server is authoritative for: query its own database directly and return the answer;
zone the server is not authoritative for: server cache --> iteration
DNS server categories:
1. Primary (master) name server: maintains all domain name information for its zone and is the authoritative source of all information for that zone.
2. Secondary (slave) name server: when the primary name server fails, is shut down or is overloaded, the secondary provides name resolution as a backup. The data in the secondary's zone file is copied from another name server rather than entered directly; that zone file is only a replica and its data cannot be modified there.
3. Caching server: runs name-server software but has no zone database. It obtains the answer to each query from some remote server and, once it has an answer, puts it in its cache and uses it to answer later queries for the same information. A caching name server is not authoritative, because all the information it provides is second-hand.
4. Forwarding server: handles local queries for all non-local names. When it receives a query it looks in its cache; if nothing is found it forwards the request to the designated name servers in turn until a result is obtained, otherwise it returns that the name cannot be mapped.
4. Set up a DNS server responsible for resolving the magedu.com domain (choose the host names and IP addresses yourself)
Environment topology diagram:
(1) Configure forward and reverse resolution
1. Install the bind package
[root@localhost ~]# rpm -q bind
bind-9.8.2-0.17.rc1.el6_4.6.x86_64
2. Edit the main configuration file /etc/named.conf
options {
    listen-on port 53 { 127.0.0.1; 192.168.180.130; }; // add the server's own IP address to the listen list
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    //allow-query { localhost; }; // commented out so that queries are no longer limited to localhost
    recursion yes;
    //dnssec-enable yes;
    //dnssec-validation yes;
    //dnssec-lookaside auto;
    /* Path to ISC DLV key */ // DNSSEC settings disabled
    //bindkeys-file "/etc/named.iscdlv.key";
};
3. Edit the zone configuration file /etc/named.rfc1912.zones, adding the following lines
zone "magedu.com" IN {
    type master;
    file "magedu.zone";
}; // forward zone declaration
zone "180.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.180.zone";
}; // reverse zone declaration
4. Create the forward lookup zone file
[root@localhost ~]# vim /var/named/magedu.zone
$TTL 3600
$ORIGIN magedu.com.
@       IN SOA  ns1.magedu.com. dnsadmin.magedu.com. (
                2016112301
                1H
                10M
                3D
                1D )
        IN NS   ns1
        IN MX   10 mx1
ns1     IN A    192.168.180.130
ns2     IN A    192.168.180.131
mx1     IN A    192.168.180.132
5. Create the reverse lookup zone file
[root@localhost named]# vim 192.168.180.zone
$TTL 3600
$ORIGIN 180.168.192.in-addr.arpa.
@       IN SOA  ns1.magedu.com. nsadmin.magedu.com. (
                2016112510
                1H
                10M
                3D
                12H
                )
        IN NS   ns1.magedu.com.
130     IN PTR  ns1.magedu.com.
131     IN PTR  ns2.magedu.com.
132     IN PTR  mx1.magedu.com.
6. Change the group and permissions of the zone files
[root@localhost named]# chgrp named /var/named/magedu.zone
[root@localhost named]# chmod o= /var/named/magedu.zone
[root@localhost named]# chgrp named /var/named/192.168.180.zone
[root@localhost named]# chmod o= /var/named/192.168.180.zone
7. Check the main configuration file and the zone files
[root@localhost named]# named-checkconf
[root@localhost named]# named-checkzone magedu.com /var/named/magedu.zone
zone magedu.com/IN: loaded serial 2016112301
[root@localhost named]# named-checkzone 180.168.192.in-addr.arpa /var/named/192.168.180.zone
zone 180.168.192.in-addr.arpa/IN: loaded serial 2016112510
OK
8. Start the named service
[root@localhost named]# service named start
Starting named: [ OK ]
9. Check the running status of the DNS service
[root@localhost named]# rndc status
version: 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6
CPUs found: 1
worker threads: 1
number of zones: 21
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
10. Test resolution
Forward lookup test:
[root@localhost named]# dig -t A ns1.magedu.com @192.168.180.130
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t A ns1.magedu.com @192.168.180.130
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56056
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;ns1.magedu.com. IN A
;; ANSWER SECTION:
ns1.magedu.com. 3600 IN A 192.168.180.130
;; AUTHORITY SECTION:
magedu.com. 3600 IN NS ns1.magedu.com.
;; Query time: 0 msec
;; SERVER: 192.168.180.130#53(192.168.180.130)
;; WHEN: Fri Dec 2 00:06:11 2016
;; MSG SIZE rcvd: 62
Reverse lookup test:
[root@localhost named]# dig -x 192.168.180.131 @192.168.180.130
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -x 192.168.180.131 @192.168.180.130
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59233
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;131.180.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
131.180.168.192.in-addr.arpa. 3600 IN PTR ns2.magedu.com.
;; AUTHORITY SECTION:
180.168.192.in-addr.arpa. 3600 IN NS ns1.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com. 3600 IN A 192.168.180.130
;; Query time: 0 msec
;; SERVER: 192.168.180.130#53(192.168.180.130)
;; WHEN: Fri Dec 2 00:06
(2) Delegate the subdomain cdn.magedu.com; the subdomain's own server resolves the host names within it.
On 192.168.180.130
1. Edit the forward and reverse zone files on the parent domain's server
[root@localhost named]# vim /var/named/magedu.zone
$TTL 3600
$ORIGIN magedu.com.
@       IN SOA  ns1.magedu.com. dnsadmin.magedu.com. (
                2016112301
                1H
                10M
                3D
                1D )
        IN NS   ns1
        IN NS   ns1.cdn
        IN MX   10 mx1
cdn     IN NS   ns1.cdn         ; delegation: cdn.magedu.com is served by ns1.cdn
ns1     IN A    192.168.180.130
ns2     IN A    192.168.180.131
mx1     IN A    192.168.180.132
ns1.cdn IN A    192.168.180.131 ; glue record for the delegated name server
[root@localhost named]# vim /var/named/192.168.180.zone
$TTL 3600
$ORIGIN 180.168.192.in-addr.arpa.
@       IN SOA  ns1.magedu.com. nsadmin.magedu.com. (
                2016112510
                1H
                10M
                3D
                12H
                )
        IN NS   ns1.magedu.com.
        IN NS   ns1.cdn.magedu.com.
130     IN PTR  ns1.magedu.com.
131     IN PTR  ns2.magedu.com.
132     IN PTR  mx1.magedu.com.
131     IN PTR  ns1.cdn.magedu.com.
On 192.168.180.131
1. Edit /etc/named.rfc1912.zones, adding the following lines
[root@localhost named]# vim /etc/named.rfc1912.zones
zone "cdn.magedu.com" IN {
    type master;
    file "cdn.magedu.com.zone";
};
2. Edit /etc/named.conf
options {
    listen-on port 53 { 127.0.0.1; 192.168.180.131; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    //allow-query { localhost; };
    recursion yes;
    //dnssec-enable yes;
    //dnssec-validation yes;
    //dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
};
3. Create the forward zone file for the subdomain and set its permissions and group
[root@localhost ~]# vim /var/named/cdn.magedu.com.zone
$TTL 3600
@       IN SOA  ns1.cdn.magedu.com. dnsadmin.cdn.magedu.com. (
                2016112301
                1H
                10M
                3D
                1D )
        IN NS   ns1.cdn.magedu.com.
ns1.cdn.magedu.com.  IN A  192.168.180.131
test.cdn.magedu.com. IN A  192.168.180.134
[root@localhost ~]# chgrp named /var/named/cdn.magedu.com.zone
[root@localhost ~]# chmod o= /var/named/cdn.magedu.com.zone
4. Restart the named service
[root@localhost ~]# service named restart
Stopping named: [ OK ]
Starting named: [ OK ]
5. Test resolution
[root@localhost ~]# dig -t A test.cdn.magedu.com @192.168.180.131
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t A test.cdn.magedu.com @192.168.180.131
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50134
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;test.cdn.magedu.com. IN A
;; ANSWER SECTION:
test.cdn.magedu.com. 3600 IN A 192.168.180.134
;; AUTHORITY SECTION:
cdn.magedu.com. 3600 IN NS ns1.cdn.magedu.com.
;; ADDITIONAL SECTION:
ns1.cdn.magedu.com. 3600 IN A 192.168.180.131
;; Query time: 0 msec
;; SERVER: 192.168.180.131#53(192.168.180.131)
;; WHEN: Fri Dec 2 16:54:49 2016
;; MSG SIZE rcvd: 8
(3) To ensure high availability of the DNS service, design a scheme and write out the detailed implementation
Scheme: as shown in the topology diagram
1. On 192.168.180.130, edit the zone configuration file /etc/named.rfc1912.zones
zone "cdn.magedu.com" IN {
    type slave;
    file "slaves/cdn.magedu.com.zone";
    masters { 192.168.180.131; };
};
2. Reload the DNS configuration
[root@localhost slaves]# rndc reload
server reload successful
3. On 192.168.180.131, edit the zone configuration file /etc/named.rfc1912.zones
zone "cdn.magedu.com" IN {
    type master;
    file "cdn.magedu.com.zone";
};
zone "magedu.com" IN {
    type slave;
    file "slaves/magedu.com.zone";
    masters { 192.168.180.130; };
};
zone "180.168.192.in-addr.arpa" IN {
    type slave;
    file "slaves/192.168.180.zone";
    masters { 192.168.180.130; };
};
4. Test resolution: 192.168.180.130 can now resolve the subdomain's records and 192.168.180.131 can resolve the parent domain's records
[root@localhost slaves]# dig -t A test.cdn.magedu.com @192.168.180.130
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t A test.cdn.magedu.com @192.168.180.130
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11901
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;test.cdn.magedu.com. IN A
;; ANSWER SECTION:
test.cdn.magedu.com. 3600 IN A 192.168.180.134
;; AUTHORITY SECTION:
cdn.magedu.com. 3600 IN NS ns1.cdn.magedu.com.
;; ADDITIONAL SECTION:
ns1.cdn.magedu.com. 3600 IN A 192.168.180.131
;; Query time: 0 msec
;; SERVER: 192.168.180.130#53(192.168.180.130)
;; WHEN: Mon Dec 5 00:42:08 2016
;; MSG SIZE rcvd: 87
[root@localhost slaves]# dig -t A ns2.magedu.com @192.168.180.131
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t A ns2.magedu.com @192.168.180.131
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33791
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;ns2.magedu.com. IN A
;; ANSWER SECTION:
ns2.magedu.com. 3600 IN A 192.168.180.131
;; AUTHORITY SECTION:
magedu.com. 3600 IN NS ns1.magedu.com.
magedu.com. 3600 IN NS ns1.cdn.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com. 3600 IN A 192.168.180.130
ns1.cdn.magedu.com. 3600 IN A 192.168.180.131
;; Query time: 1 msec
;; SERVER: 192.168.180.131#53(192.168.180.131)
;; WHEN: Mon Dec 5 16:49:54 2016
;; MSG SIZE rcvd: 120
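Two settings this write-up leaves at their open defaults matter once the servers are reachable from the network: the options block in part (1) comments out allow-query and keeps recursion yes, so the server answers recursive queries for any client, and none of the zone declarations in parts (1) to (3) carry allow-transfer, so any host, not only the designated slave, can request a full zone transfer. The following audit, added here and not part of the original post, strips named.conf comments and flags both conditions; the function names (strip_comments, count, audit_options, write_page_options, write_hardened_options) are hypothetical and the two sample configurations are constructed for the demo, the second one showing the restricted form.

```shell
#!/bin/sh
# Added example, not from the original post: an audit of a named.conf "options" block for
# the two settings this page leaves open. The function names and the two sample
# configurations are constructed for the demo.
set -e

# Strip //, # and /* ... */ comments so that commented-out directives (such as the
# "//allow-query" line in part (1)) are not mistaken for active ones.
strip_comments() {
    awk '
    {
        line = $0
        while (1) {
            if (inblk) {
                e = index(line, "*/")
                if (e == 0) { line = ""; break }
                line = substr(line, e + 2); inblk = 0
            }
            s = index(line, "/*")
            if (s == 0) break
            printf "%s", substr(line, 1, s - 1)
            line = substr(line, s + 2); inblk = 1
        }
        sub(/\/\/.*$/, "", line)
        sub(/#.*$/, "", line)
        print line
    }' "$1"
}

# Count lines matching a pattern without failing on zero matches (grep -c exits 1 then).
count() { grep -c "$1" || true; }

# Print the findings for one file, space separated; empty output means nothing flagged.
audit_options() {
    text=$(strip_comments "$1")
    rec=$(printf '%s\n' "$text" | count 'recursion[[:space:]]*yes[[:space:]]*;')
    allow_q=$(printf '%s\n' "$text" | count 'allow-query[[:space:]]*{')
    allow_q_any=$(printf '%s\n' "$text" | count 'allow-query[[:space:]]*{[[:space:]]*any[[:space:]]*;')
    allow_r=$(printf '%s\n' "$text" | count 'allow-recursion[[:space:]]*{')
    allow_t=$(printf '%s\n' "$text" | count 'allow-transfer[[:space:]]*{')
    findings=""
    # recursion on, and neither allow-recursion nor a restrictive allow-query:
    # an open resolver usable by any host on the Internet
    if [ "$rec" -gt 0 ] && [ "$allow_r" -eq 0 ] && { [ "$allow_q" -eq 0 ] || [ "$allow_q_any" -gt 0 ]; }; then
        findings="$findings OPEN_RECURSION"
    fi
    # no allow-transfer: any host, not only the slave from part (3), may pull whole zones
    if [ "$allow_t" -eq 0 ]; then
        findings="$findings UNRESTRICTED_AXFR"
    fi
    echo "${findings# }"
}

# Constructed sample 1: the shape of the options block used in part (1).
write_page_options() {
    cat > "$1" <<'EOF'
options {
        listen-on port 53 { 127.0.0.1; 192.168.180.130; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        //allow-query { localhost; };
        recursion yes;
        //dnssec-enable yes;
        /* Path to ISC DLV key */
        //bindkeys-file "/etc/named.iscdlv.key";
};
EOF
}

# Constructed sample 2: the same server with recursion limited to the lab network and
# zone transfers limited to the slave from part (3); authoritative answers stay public.
write_hardened_options() {
    cat > "$1" <<'EOF'
options {
        listen-on port 53 { 127.0.0.1; 192.168.180.130; };
        directory "/var/named";
        allow-query { any; };
        allow-recursion { 127.0.0.1; 192.168.180.0/24; };
        allow-transfer { 192.168.180.131; };
        recursion yes;
};
EOF
}

TMP="$(mktemp -d)"
write_page_options "$TMP/page.conf"
write_hardened_options "$TMP/hardened.conf"
echo "page.conf:     $(audit_options "$TMP/page.conf")"
echo "hardened.conf: $(audit_options "$TMP/hardened.conf")"
```

The first sample reports OPEN_RECURSION UNRESTRICTED_AXFR and the second reports nothing. allow-transfer can also be placed inside an individual zone statement in /etc/named.rfc1912.zones, which is the natural spot once the master and slave roles from part (3) differ per zone; the audit only looks at what is literally in the file it is given, so run it against the file that actually carries the directive.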
Original article by a295053193; if you repost it, please credit the source: http://www.178linux.com/54577


