1、详细描述一次加密通讯的过程,结合图示最佳。
以Bob和Alice安全通讯为例:
Bob<———>Alice
1. Bob要和Alice安全通信首先要取得对方的公钥,即对方的证书,并验证证书的合法性。验证过程和内容:
1)、用CA的公钥(双方已知)解密对方证书中CA的签名;能解密说明证书来原可靠;
2)、用证书中标记的“签名算法”来计算证书的相关信息,并将散列计算的结果与证书“发行者签名”解密的结果(证书特征码)进行比较,如果一致说明证书完整性可靠;
3)、检查证书的有效期限是否在合法范围内,防止证书过期;
4)、验证证书的“主体名称”和预通信的人是否对应;
5)、检查证书是否被吊销;
以上验证成功则说明对方证书可靠,并信任该证书。
2. 取得对方证书(即公钥)后进行如下操作:
加密:
1)、Bob对明文数据进行散列计算,提取出数据指纹(特征码,也叫信息摘要);
2)、Bob使用自己的私钥对该数据指纹进行加密,生成数字签名,并将该数字签名附加在明文数据之后;
3)、Bob使用一个一次性的对称加密算法密钥对明文和数字签名进行加密,生成密文;
4)、Bob再使用Alice的公钥对对称加密算法的密钥进行加密,生成数字信封;
5)、Bob将密文和数字信封打包发送给Alice;
解密:
1)、Alice收到数据(密文+数字信封)后,使用自己的私钥解密数字信封,得到对称加密算法的密钥;
2)、使用对称加密密钥解密密文,得到明文数据和数字签名。保证了数据的私密性;
3)、使用Bob的公钥解密数字签名,得到明文的数据指纹(特征码)。如果能解出,说明数据为Bob发送,保证了数据的不可否认性;
4)、Alice使用同样的散列算法对明文计算得出数据指纹(特征码),并与Bob计算的数据指纹进行比对,如果一致,说明数据没有被篡改。保证的数据的完整性;
2、描述创建私有CA的过程,以及为客户端发来的证书请求进行办法证书。
在CA服务器上操作: 1.创建所需要的文件 # cd /etc/pki/CA/ # touch index.txt # echo 01 > serial 2.创建CA私钥 # (umask 077; openssl genrsa -out private/cakey.pem 2048) Generating RSA private key, 2048 bit long modulus ..................................+++ ...................................................+++ e is 65537 (0x10001) 3.CA自签证书 # openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:guangdong Locality Name (eg, city) [Default City]:guangzhou Organization Name (eg, company) [Default Company Ltd]:n25victor Organizational Unit Name (eg, section) []:Ops Common Name (eg, your name or your server's hostname) []:ca.benz.com Email Address []:caadmin@benz.com 在httpd服务器上操作, 创建生成私钥文件 # mkdir /etc/httpd/ssl # cd /etc/httpd/ssl/ # (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 1024) Generating RSA private key, 1024 bit long modulus ............++++++ .++++++ e is 65537 (0x10001) 生成一个证书请求 # openssl req -new -key httpd.key -out httpd.csr -days 365 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:guangdong Locality Name (eg, city) [Default City]:guangzhou Organization Name (eg, company) [Default Company Ltd]:n25victor Organizational Unit Name (eg, section) []:Ops Common Name (eg, your name or your server's hostname) []:ca.benz.com Email Address []:caadmin@benz.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: 将请求文件传给CA服务器 地址为:192.168.171.129 # scp httpd.csr root@192.168.171.129:/tmp 在CA服务器操作, 对HTTP服务器的公钥证书进行认证 # openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 365 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Feb 14 14:04:28 2017 GMT Not After : Feb 14 14:04:28 2018 GMT Subject: countryName = CN stateOrProvinceName = guangdong organizationName = n25victor organizationalUnitName = Ops commonName = ca.benz.com emailAddress = caadmin@benz.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 92:52:73:FC:E9:0A:57:23:74:91:D7:2D:1C:E4:85:51:B9:56:71:BF X509v3 Authority Key Identifier: keyid:68:3C:A5:61:48:8C:EC:7F:9C:28:DA:F2:5C:7E:6B:81:E9:B9:A8:33 Certificate is to be certified until Feb 14 14:04:28 2018 GMT (365 days) Sign the certificate? [y/n]:yes 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated 将签署过的证书发到请求证书的httpd服务器,地址:192.168.171.134 # scp /tmp/httpd.crt root@192.168.171.134:/etc/httpd/ssl/ 查看证书签发的内容: # openssl x509 -in /etc/httpd/ssl/httpd.crt -noout –text Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, ST=guangdong, L=guangzhou, O=n25victor, OU=Ops, CN=ca.benz.com/emailAddress=caadmin@benz.com Validity Not Before: Feb 14 14:04:28 2017 GMT Not After : Feb 14 14:04:28 2018 GMT Subject: C=CN, ST=guangdong, O=n25victor, OU=Ops, CN=ca.benz.com/emailAddress=caadmin@benz.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:b4:57:ba:61:9b:6d:03:b6:b1:2b:7d:0d:9f:f5: 4d:bb:89:fe:74:9b:12:26:03:13:5d:27:a8:ea:f7: 6f:1f:0e:71:1e:b7:3d:48:cb:6b:83:d5:cf:57:2e: da:60:fb:3f:d4:16:c2:e0:2b:c2:6a:a9:d2:8f:fe: 6d:e9:cf:63:50:17:5f:4a:76:20:3f:ee:e5:7c:61: d3:cf:14:33:22:55:4e:3a:9e:d4:b6:bc:59:04:c9: f4:11:74:2e:e7:c0:52:94:3c:d0:c9:cd:fe:33:26: 62:a0:97:ca:dd:da:3a:54:68:d8:3b:76:fd:2f:2f: f0:84:06:0a:40:e4:19:1f:a0:56:54:78:19:bc:f9: 4f:d3:61:9e:33:6c:0c:0a:2d:55:16:f0:9d:2c:af: 6e:7b:11:e0:b8:98:5a:9d:42:b4:ae:56:91:b5:26: a4:69:f4:99:ea:66:89:a9:8d:43:17:86:44:4f:e9: 49:12:26:91:98:2c:d7:1d:15:bc:0f:24:9e:e6:93: b8:c3:30:9a:fa:bb:02:bd:5f:1a:e6:c0:f3:91:59: 35:20:4c:eb:4c:d3:a2:97:92:1a:2c:3f:cf:4a:e3: 7f:93:98:23:fd:55:08:b0:8f:34:0a:15:f0:b0:c8: 6c:c2:81:96:fd:31:29:fb:19:87:29:38:1c:3a:a7: 87:d5 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 92:52:73:FC:E9:0A:57:23:74:91:D7:2D:1C:E4:85:51:B9:56:71:BF X509v3 Authority Key Identifier: keyid:68:3C:A5:61:48:8C:EC:7F:9C:28:DA:F2:5C:7E:6B:81:E9:B9:A8:33 Signature Algorithm: sha256WithRSAEncryption 9e:55:d5:15:09:5c:cd:66:84:19:f0:70:12:9c:bb:ce:db:9a: fe:9b:5d:4c:07:9c:7a:31:e0:ed:26:f1:44:1a:8d:39:05:ef: d2:b2:b7:de:87:f5:68:1b:7a:e4:1b:be:37:86:a9:0c:dd:3d: 9f:7d:31:3a:e8:d4:cc:96:c4:2e:d2:52:52:9d:e0:24:df:bc: 2b:40:67:74:ca:98:34:e4:70:f5:33:f2:37:7c:ef:f4:52:01: 09:99:7e:10:3c:ed:40:99:1f:d4:d6:89:75:85:79:c8:9b:1a: 4a:1a:44:9e:71:90:95:f0:47:d2:22:6c:b8:f2:a1:25:34:1b: 82:6f:a8:a9:b8:be:76:8a:b9:e3:d4:db:50:d3:76:1b:74:ec: ba:20:a7:b9:d5:8b:28:37:23:77:87:d3:d9:12:82:83:49:3d: 04:ab:cc:50:cb:c5:12:6d:5d:13:60:08:37:e9:51:1a:c5:23: 9b:39:1c:20:70:c8:29:a3:f6:ce:b1:18:26:76:f5:44:ed:e0: 26:c7:27:29:05:f8:27:5a:a8:c8:b5:53:d6:bd:78:6a:04:da: c1:ad:b8:f9:b7:0e:1b:52:1d:49:77:ed:05:4d:c9:0c:06:1b: 5b:42:35:fc:a5:ca:be:b8:f5:4e:ca:cb:8c:03:8b:90:6a:b0: 80:50:d8:a5
3、描述DNS查询过程以及DNS服务器类别。
DNS的查询过程
DNS查询过程:
Client –> hosts文件 –> DNS Service –> Local Cache
–> DNS Server (recursion) –> Server Cache –> iteration(迭代)
-
在浏览器中输入www.qq.com域名,操作系统会先检查自己本地的hosts文件是否有这个网址映射关系,如果有,就先调用这个IP地址映射,完成域名解析。
-
如果hosts里没有这个域名的映射,则查找本地DNS解析器缓存,是否有这个网址映射关系,如果有,直接返回,完成域名解析。
-
如果hosts与本地DNS解析器缓存都没有相应的网址映射关系,首先会找TCP/ip参数中设置的首选DNS服务器,在此我们叫它本地DNS服务器,此服务器收到查询时,如果要查询的域名,包含在本地配置区域资源中,则返回解析结果给客户机,完成域名解析,此解析具有权威性。
-
如果要查询的域名,不由本地DNS服务器区域解析,但该服务器已缓存了此网址映射关系,则调用这个IP地址映射,完成域名解析,此解析不具有权威性。
-
如果本地DNS服务器本地区域文件与缓存解析都失效,则根据本地DNS服务器的设置(是否设置转发器)进行查询,如果未用转发模式,本地DNS就把请求发至13台根DNS,根DNS服务器收到请求后会判断这个域名(.com)是谁来授权管理,并会返回一个负责该顶级域名服务器的一个IP。本地DNS服务器收到IP信息后,将会联系负责.com域的这台服务器。这台负责.com域的服务器收到请求后,如果自己无法解析,它就会找一个管理.com域的下一级DNS服务器地址(qq.com)给本地DNS服务器。当本地DNS服务器收到这个地址后,就会找qq.com域服务器,重复上面的动作,进行查询,直至找到www.qq.com主机。
-
如果用的是转发模式,此DNS服务器就会把请求转发至上一级DNS服务器,由上一级服务器进行解析,上一级服务器如果不能解析,或找根DNS或把转请求转至上上级,以此循环。不管是本地DNS服务器用是是转发,还是根提示,最后都是把结果返回给本地DNS服务器,由此DNS服务器再返回给客户机。
从客户端到本地DNS服务器是属于递归查询,而DNS服务器之间就是的交互查询就是迭代查询。
DNS服务器的类型:
主DNS服务器:维护所负责解析的域内解析库服务器
辅助DNS服务器:从主DNS服务器或其他从DNS服务器复制一份解析库
缓存DNS服务器:为客户端缓存DNS的记录,缓存DNS中没有的执行迭代查询
转发器:DNS记录不在自己负责的解析域内,转发器去迭代查询
4、搭建一套DNS服务器,负责解析magedu.com域名(自行设定主机名及IP)
(1)、能够对一些主机名进行正向解析和逆向解析;
(2)、对子域cdn.magedu.com进行子域授权,子域负责解析对应子域中的主机名;
(3)、为了保证DNS服务系统的高可用性,请设计一套方案,并写出详细的实施过程
正向解析和逆向解析
1.主域服务器上安装DNS
[root@ns1 ~]# yum install bind.x86_64 bind-utils.x86_64 -y
2.主域服务器上编辑主配置文件
/etc/named.conf[root@ns1 ~]# vim /etc/named.conf
options {
// listen-on port 53 { 127.0.0.1; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
// dnssec-lookaside auto;
/* Path to ISC DLV key */
// bindkeys-file "/etc/named.iscdlv.key";
// managed-keys-directory "/var/named/dynamic";
};
3.主域服务器上在主配置文件中定义区域
[root@ns1 ~]# vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
type master;
file "magedu.com.zone";
};
zone "200.168.192.in-addr.arpa" IN{
type master;
file "192.168.200.zone";
};
4.主域服务器上区域解析库文件
[root@ns1 ~]# vim /var/named/magedu.com.zone
$TTL 86400
$ORIGIN magedu.com.
@ IN SOA ns1.magedu.com. admin.magedu.com(
2016112901
1H
5M
7D
1D)
IN NS ns1
IN NS ns2
IN MX 10 mx1
IN MX 20 mx2
ns1 IN A 192.168.200.201
ns2 IN A 192.168.200.202
mx1 IN A 192.168.200.203
mx2 IN A 192.168.200.204
www IN A 192.16.200.201
ftp IN CNAME www
magedu.com. IN A 192.168.200.201
* IN A 192.168.200.201
[root@ns1 ~]# vim /var/named/192.168.200.zone
$TTL 86400
$ORIGIN 200.168.192.in-addr.arpa.
@ IN SOA ns1.magedu.com. admin.magedu.com.(
2016112901
1H
5M
7D
1D)
IN NS ns1.magedu.com.
IN NS ns2.magedu.com.
201 IN PTR ns1.magedu.com.
201 IN PTR www.magedu.com.
202 IN PTR ns2.magedu.com.
203 IN PTR mx1.magedu.com.
204 IN PTR mx2.magedu.com.
5.主域服务器上检查主配置文件和区域解析库文件语法并赋予解析库文件对应的权限
[root@ns1 ~]# named-checkconf
[root@ns1 ~]# named-checkzone "magedu.com" /var/named/magedu.com.zone
[root@ns1 ~]# chmod 640 /var/named/magedu.com.zone
[root@ns1 ~]# chgrp named /var/named/magedu.com.zone
[root@ns1 ~]# named-checkzone "200.168.192.in-addr.arpa" /var/named/192.168.200.zone
[root@ns1 ~]# chmod 640 /var/named/192.168.200.zone
[root@ns1 ~]# chgrp named /var/named/192.168.200.zone
[root@ns1 ~]# service named start
6.主域服务器上使用dig命令测试
[root@ns1 ~]# dig -t A www.magedu.com @192.168.200.201
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> -t A www.magedu.com @192.168.200.201
;; global options: +cmd ;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18673
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.magedu.com. IN A ;; ANSWER SECTION:
www.magedu.com. 86400 IN A 192.16.200.201
;; AUTHORITY SECTION:
magedu.com. 86400 IN NS ns2.magedu.com.
magedu.com. 86400 IN NS ns1.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com. 86400 IN A 192.168.200.201
ns2.magedu.com. 86400 IN A 192.168.200.202
;; Query time: 2 msec ;; SERVER: 192.168.200.201#53(192.168.200.201)
;; WHEN: Mon Nov 21 19:39:10 2016
;; MSG SIZE rcvd: 116[root@ns1 ~]# dig -x 192.168.200.201 @192.168.200.201
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> -x 192.168.200.201 @192.168.200.201
;; global options: +cmd ;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64095
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;201.200.168.192.in-addr.arpa. IN PTR ;; ANSWER SECTION:
201.200.168.192.in-addr.arpa. 86400 IN PTR ns1.magedu.com.
201.200.168.192.in-addr.arpa. 86400 IN PTR www.magedu.com.
;; AUTHORITY SECTION:
200.168.192.in-addr.arpa. 86400 IN NS ns2.magedu.com.
200.168.192.in-addr.arpa. 86400 IN NS ns1.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com. 86400 IN A 192.168.200.201
ns2.magedu.com. 86400 IN A 192.168.200.202
;; Query time: 0 msec ;; SERVER: 192.168.200.201#53(192.168.200.201)
;; WHEN: Mon Nov 21 21:42:36 2016
;; MSG SIZE rcvd: 156
子域授权
1.子域服务器上安装DNS
[root@centos ~]# yum install bind.x86_64 bind-utils.x86_64 -y
2.子域服务器上编辑主配置文件/etc/named.conf
[root@centos ~]# vim /etc/named.conf
options {
// listen-on port 53 { 127.0.0.1; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
// dnssec-lookaside auto;
/* Path to ISC DLV key */
// bindkeys-file "/etc/named.iscdlv.key";
// managed-keys-directory "/var/named/dynamic";
};
3.子域服务器上在主配置文件中定义区域
[root@centos ~]# vim /etc/named.rfc1912.zones
zone "cdn.magedu.com" IN {
type master;
file "cdn.magedu.com.zone";
};
zone "magedu.com" IN{
type forward;
forward only;
forwarders { 192.168.200.201; };
};
4.子域服务器上区域解析库文件
[root@centos ~]# cat /var/named/cdn.magedu.com.zone
$TTL 86400
$ORIGIN cdn.magedu.com.
@ IN SOA centos.cdn.magedu.com. admin.centos.cdn.magedu.com.(
2016112901
1H
5M
7D
1D)
IN NS centos
centos IN A 192.168.200.212
www IN A 192.168.200.215
cdn.magedu.com. IN A 192.168.200.212
* IN A 192.168.200.2125.
子域服务器上检查主配置文件和区域解析库文件语法并赋予解析库文件对应的权限
[root@centos ~]# named-checkconf
[root@centos ~]# named-checkzone "cdn.magedu.com" /var/named/cdn.magedu.com.zone
[root@centos ~]# chmod 640 /var/named/cdn.magedu.com.zone
[root@centos ~]# chgrp named /var/named/cdn.magedu.com.zone
[root@centos ~]# service named start
6.子域服务器上使用dig命令测试
[root@centos ~]# dig -t A mx1.magedu.com @192.168.200.212
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> -t A mx1.magedu.com @192.168.200.202
;; global options: +cmd ;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42191
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;mx1.magedu.com. IN A ;; ANSWER SECTION:
mx1.magedu.com. 86388 IN A 192.168.200.203
;; AUTHORITY SECTION:
magedu.com. 85483 IN NS ns2.magedu.com.
magedu.com. 85483 IN NS ns1.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com. 85483 IN A 192.168.200.201
ns2.magedu.com. 85483 IN A 192.168.200.202
;; Query time: 0 msec ;; SERVER: 192.168.200.202#53(192.168.200.212)
;; WHEN: Thu Jun 9 20:14:01 2016
;; MSG SIZE rcvd: 116[root@centos ~]# dig -t A mx2.cdn.magedu.com @192.168.200.212
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> -t A mx2.cdn.magedu.com @192.168.200.202
;; global options: +cmd ;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18318
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;mx2.cdn.magedu.com. IN A ;; ANSWER SECTION:
mx2.cdn.magedu.com. 86400 IN A 192.168.200.212
;; AUTHORITY SECTION:
cdn.magedu.com. 86400 IN NS centos.cdn.magedu.com.
;; ADDITIONAL SECTION:
centos.cdn.magedu.com. 86400 IN A 192.168.200.212
;; Query time: 0 msec ;; SERVER: 192.168.200.202#53(192.168.200.212)
;; WHEN: Thu Jun 9 20:15:02 2016
;; MSG SIZE rcvd: 89
DNS高可用
DNS采取主从DNS服务器方式
1.在从域服务器上安装DNS
[root@ns2 ~]# yum install bind.x86_64 bind-utils.x86_64 -y
2.在从域服务器上编辑主配置文件/etc/named.conf
[root@centos ~]# vim /etc/named.conf
options {
// listen-on port 53 { 127.0.0.1; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
// dnssec-lookaside auto;
/* Path to ISC DLV key */
// bindkeys-file "/etc/named.iscdlv.key";
// managed-keys-directory "/var/named/dynamic";
};
3.在从域服务器上在主配置文件中定义区域
zone "magedu.com" IN{
type slave;
file "slaves/magedu.com.zone";
masters { 192.168.200.201; };
};
zone "200.168.192.in-addr.arpa"{
type slave;
file "slaves/192.l68.200.zone";
masters { 192.168.200.201; };
};
4.在从域服务器上检查主配置文件和区域解析库文件语法并赋予解析库文件对应的权限
[root@centos ~]# named-checkconf
[root@centos ~]# service named start
5.子域服务器上使用dig命令测试
[root@ns2 ~]# dig -t A www.magedu.com @192.168.200.202
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> -t A www.magedu.com @192.168.200.202
;; global options: +cmd ;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18749
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.magedu.com. IN A ;; ANSWER SECTION:
www.magedu.com. 86400 IN A 192.16.200.202
www.magedu.com. 86400 IN A 192.16.200.201
;; AUTHORITY SECTION:
magedu.com. 86400 IN NS ns1.magedu.com.
magedu.com. 86400 IN NS ns2.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com. 86400 IN A 192.168.200.201
ns2.magedu.com. 86400 IN A 192.168.200.202
;; Query time: 0 msec ;; SERVER: 192.168.200.202#53(192.168.200.202)
;; WHEN: Thu Jun 9 20:43:23 2016
;; MSG SIZE rcvd: 132
主从复制:
1.应该为一台独立的名称服务器
2.主服务器的区域解析库文件中必须有一条NS记录指向从服务器
3.从服务器只需要定义区域,无需提供解析库文件,只需指定目录/var/named/slaves/
4.主服务器必须允许从服务器作区域传送
5.主从服务器的时间应该保持同步
6.bind程序的版本应该保持一致,如果不一致必须保证主服务器的版本高
原创文章,作者:victorli88,如若转载,请注明出处:http://www.178linux.com/68825
评论列表(1条)
简洁明了,非常棒的文档归纳。