1、详细描述一次加密通讯的过程,结合图示最佳。
加密过程
- 1.使用单向加密算法,提取A的文件的特征码。
- 2.使用A的私钥对提取出来的特征码进行加密,把加密后的特征码附加在A的文件的后面。
- 3.使用对称加密对刚刚的A的文件和加密后的特征码进行加密,生成对称加密密钥
- 4.使用B的公钥对第3步骤的对称加密的密钥进行加密,加密后附加在文件的后面。
解密过程
- 1.使用B的私钥对传输过来的文件进行解密,得出来文件的对称密钥。
- 2.使用解密出来的对称密钥进行解密,得出来A发来的文件和加密后的特征码。
- 3.使用A的公钥对加密后的特征码进行解密,得到特征码。
- 4.使用形同的单向加密算法提取原文件的特征码,与解密后得到的特征码进行对比,验证数据完整性。
2、描述创建私有CA的过程,以及为客户端发来的证书请求进行颁发证书。
构建私有CA
1.为CA提供所需目录和文件
[root@CA ~]# yum install openssl -y
[root@CA ~]# mkdir /etc/pki/CA/{certs,crl,newcerts}
[root@CA ~]# touch /etc/pki/CA/{serial,index.txt}
[root@CA ~]# echo 01>/etc/pki/CA/serial
2.生成CA的私钥
[root@CA ~]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
3.CA自签证书
[root@CA ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem
-out /etc/pki/CA/cacert.pem -days 365
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:DevOps
Organizational Unit Name (eg, section) []:DevOps
Common Name (eg, your name or your server's hostname) []:CA.example.com
Email Address []:caadmin@example.com
为客户端颁发证书
1.客户端生成一个私钥
[root@HOST ~]# (umask 077;openssl genrsa -out /etc/pki/tls/private/http.key 2048)
2.生成一个证书请求
[root@HOST ~]# openssl req -new -key /etc/pki/tls/private/http.key
-out /etc/pki/tls/certs/http.csr -days 365
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:DevOps
Organizational Unit Name (eg, section) []:DevOps
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:webadmin@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3.将HOST上的证书请求文件传输到CA上
[root@HOST ~]# scp /etc/pki/tls/certs/http.csr CA:/etc/pki/CA/certs/
4.CA签署HOST的证书请求文件
[root@CA ~]# openssl ca -in /etc/pki/CA/certs/http.csr
-out /etc/pki/CA/certs/http.key -days 365
5.将CA上的签署的证书传输到HOST上
[root@CA ~]# scp /etc/pki/CA/certs/http.key HOST:/etc/pki/tls/certs/
3、描述DNS查询过程以及DNS服务器类别。
DNS查询类型: 递归查询:发出一次请求,一定能得到最终的查询结果。 迭代查询:需要经过多次查询才能获得最终的结果。 DNS查询过程: Client --> hosts文件 --> DNS Service --> Local Cache --> DNS Server (recursion) --> Server Cache --> iteration(迭代) DNS服务器的类型: 主DNS服务器:维护所负责解析的域内解析库服务器 辅助DNS服务器:从主DNS服务器或其他从DNS服务器复制一份解析库 缓存DNS服务器:为客户端缓存DNS的记录,缓存DNS中没有的执行迭代查询 转发器:DNS记录不在自己负责的解析域内,转发器去迭代查询
4、搭建一套DNS服务器,负责解析magedu.com域名(自行设定主机名及IP)
- (1)、能够对一些主机名进行正向解析和逆向解析;
- (2)、对子域cdn.magedu.com进行子域授权,子域负责解析对应子域中的主机名;
- (3)、为了保证DNS服务系统的高可用性,请设计一套方案,并写出详细的实施过程
正向解析和逆向解析
1.主域服务器上安装DNS
[root@ns1 ~]# yum install bind.x86_64 bind-utils.x86_64 -y
2.主域服务器上编辑主配置文件/etc/named.conf
[root@ns1 ~]# vim /etc/named.conf
options {
// listen-on port 53 { 127.0.0.1; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
// dnssec-lookaside auto;
/* Path to ISC DLV key */
// bindkeys-file "/etc/named.iscdlv.key";
// managed-keys-directory "/var/named/dynamic";
};
3.主域服务器上在主配置文件中定义区域
[root@ns1 ~]# vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
type master;
file "magedu.com.zone";
};
zone "200.168.192.in-addr.arpa" IN{
type master;
file "192.168.200.zone";
};
4.主域服务器上区域解析库文件
[root@ns1 ~]# vim /var/named/magedu.com.zone
$TTL 86400
$ORIGIN magedu.com.
@ IN SOA ns1.magedu.com. admin.magedu.com(
2016112901
1H
5M
7D
1D)
IN NS ns1
IN NS ns2
IN MX 10 mx1
IN MX 20 mx2
ns1 IN A 192.168.200.201
ns2 IN A 192.168.200.202
mx1 IN A 192.168.200.203
mx2 IN A 192.168.200.204
www IN A 192.16.200.201
ftp IN CNAME www
magedu.com. IN A 192.168.200.201
* IN A 192.168.200.201
[root@ns1 ~]# vim /var/named/192.168.200.zone
$TTL 86400
$ORIGIN 200.168.192.in-addr.arpa.
@ IN SOA ns1.magedu.com. admin.magedu.com.(
2016112901
1H
5M
7D
1D)
IN NS ns1.magedu.com.
IN NS ns2.magedu.com.
201 IN PTR ns1.magedu.com.
201 IN PTR www.magedu.com.
202 IN PTR ns2.magedu.com.
203 IN PTR mx1.magedu.com.
204 IN PTR mx2.magedu.com.
5.主域服务器上检查主配置文件和区域解析库文件语法并赋予解析库文件对应的权限
[root@ns1 ~]# named-checkconf
[root@ns1 ~]# named-checkzone "magedu.com" /var/named/magedu.com.zone
[root@ns1 ~]# chmod 640 /var/named/magedu.com.zone
[root@ns1 ~]# chgrp named /var/named/magedu.com.zone
[root@ns1 ~]# named-checkzone "200.168.192.in-addr.arpa" /var/named/192.168.200.zone
[root@ns1 ~]# chmod 640 /var/named/192.168.200.zone
[root@ns1 ~]# chgrp named /var/named/192.168.200.zone
[root@ns1 ~]# service named start
6.主域服务器上使用dig命令测试
[root@ns1 ~]# dig -t A www.magedu.com @192.168.200.201
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> -t A www.magedu.com @192.168.200.201
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18673
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.magedu.com. IN A
;; ANSWER SECTION:
www.magedu.com. 86400 IN A 192.16.200.201
;; AUTHORITY SECTION:
magedu.com. 86400 IN NS ns2.magedu.com.
magedu.com. 86400 IN NS ns1.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com. 86400 IN A 192.168.200.201
ns2.magedu.com. 86400 IN A 192.168.200.202
;; Query time: 2 msec
;; SERVER: 192.168.200.201#53(192.168.200.201)
;; WHEN: Mon Nov 21 19:39:10 2016
;; MSG SIZE rcvd: 116
[root@ns1 ~]# dig -x 192.168.200.201 @192.168.200.201
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> -x 192.168.200.201 @192.168.200.201
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64095
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;201.200.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
201.200.168.192.in-addr.arpa. 86400 IN PTR ns1.magedu.com.
201.200.168.192.in-addr.arpa. 86400 IN PTR www.magedu.com.
;; AUTHORITY SECTION:
200.168.192.in-addr.arpa. 86400 IN NS ns2.magedu.com.
200.168.192.in-addr.arpa. 86400 IN NS ns1.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com. 86400 IN A 192.168.200.201
ns2.magedu.com. 86400 IN A 192.168.200.202
;; Query time: 0 msec
;; SERVER: 192.168.200.201#53(192.168.200.201)
;; WHEN: Mon Nov 21 21:42:36 2016
;; MSG SIZE rcvd: 156
子域授权
1.子域服务器上安装DNS
[root@centos ~]# yum install bind.x86_64 bind-utils.x86_64 -y
2.子域服务器上编辑主配置文件/etc/named.conf
[root@centos ~]# vim /etc/named.conf
options {
// listen-on port 53 { 127.0.0.1; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
// dnssec-lookaside auto;
/* Path to ISC DLV key */
// bindkeys-file "/etc/named.iscdlv.key";
// managed-keys-directory "/var/named/dynamic";
};
3.子域服务器上在主配置文件中定义区域
[root@centos ~]# vim /etc/named.rfc1912.zones
zone "cdn.magedu.com" IN {
type master;
file "cdn.magedu.com.zone";
};
zone "magedu.com" IN{
type forward;
forward only;
forwarders { 192.168.200.201; };
};
4.子域服务器上区域解析库文件
[root@centos ~]# cat /var/named/cdn.magedu.com.zone
$TTL 86400
$ORIGIN cdn.magedu.com.
@ IN SOA centos.cdn.magedu.com. admin.centos.cdn.magedu.com.(
2016112901
1H
5M
7D
1D)
IN NS centos
centos IN A 192.168.200.212
www IN A 192.168.200.215
cdn.magedu.com. IN A 192.168.200.212
* IN A 192.168.200.212
5.子域服务器上检查主配置文件和区域解析库文件语法并赋予解析库文件对应的权限
[root@centos ~]# named-checkconf
[root@centos ~]# named-checkzone "cdn.magedu.com" /var/named/cdn.magedu.com.zone
[root@centos ~]# chmod 640 /var/named/cdn.magedu.com.zone
[root@centos ~]# chgrp named /var/named/cdn.magedu.com.zone
[root@centos ~]# service named start
注:出现Generating /etc/rndc.key的解决方法,[root@centos ~]# rndc-confgen -r /dev/urandom -a
6.子域服务器上使用dig命令测试
[root@centos ~]# dig -t A mx1.magedu.com @192.168.200.212
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> -t A mx1.magedu.com @192.168.200.202
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42191
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;mx1.magedu.com. IN A
;; ANSWER SECTION:
mx1.magedu.com. 86388 IN A 192.168.200.203
;; AUTHORITY SECTION:
magedu.com. 85483 IN NS ns2.magedu.com.
magedu.com. 85483 IN NS ns1.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com. 85483 IN A 192.168.200.201
ns2.magedu.com. 85483 IN A 192.168.200.202
;; Query time: 0 msec
;; SERVER: 192.168.200.202#53(192.168.200.212)
;; WHEN: Thu Jun 9 20:14:01 2016
;; MSG SIZE rcvd: 116
[root@centos ~]# dig -t A mx2.cdn.magedu.com @192.168.200.212
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> -t A mx2.cdn.magedu.com @192.168.200.202
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18318
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;mx2.cdn.magedu.com. IN A
;; ANSWER SECTION:
mx2.cdn.magedu.com. 86400 IN A 192.168.200.212
;; AUTHORITY SECTION:
cdn.magedu.com. 86400 IN NS centos.cdn.magedu.com.
;; ADDITIONAL SECTION:
centos.cdn.magedu.com. 86400 IN A 192.168.200.212
;; Query time: 0 msec
;; SERVER: 192.168.200.202#53(192.168.200.212)
;; WHEN: Thu Jun 9 20:15:02 2016
;; MSG SIZE rcvd: 89
DNS高可用
DNS采取主从DNS服务器方式
1.在从域服务器上安装DNS
[root@ns2 ~]# yum install bind.x86_64 bind-utils.x86_64 -y
2.在从域服务器上编辑主配置文件/etc/named.conf
[root@centos ~]# vim /etc/named.conf
options {
// listen-on port 53 { 127.0.0.1; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
// dnssec-lookaside auto;
/* Path to ISC DLV key */
// bindkeys-file "/etc/named.iscdlv.key";
// managed-keys-directory "/var/named/dynamic";
};
3.在从域服务器上在主配置文件中定义区域
zone "magedu.com" IN{
type slave;
file "slaves/magedu.com.zone";
masters { 192.168.200.201; };
};
zone "200.168.192.in-addr.arpa"{
type slave;
file "slaves/192.l68.200.zone";
masters { 192.168.200.201; };
};
4.在从域服务器上检查主配置文件和区域解析库文件语法并赋予解析库文件对应的权限
[root@centos ~]# named-checkconf
[root@centos ~]# service named start
5.子域服务器上使用dig命令测试
[root@ns2 ~]# dig -t A www.magedu.com @192.168.200.202
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> -t A www.magedu.com @192.168.200.202
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18749
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.magedu.com. IN A
;; ANSWER SECTION:
www.magedu.com. 86400 IN A 192.16.200.202
www.magedu.com. 86400 IN A 192.16.200.201
;; AUTHORITY SECTION:
magedu.com. 86400 IN NS ns1.magedu.com.
magedu.com. 86400 IN NS ns2.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com. 86400 IN A 192.168.200.201
ns2.magedu.com. 86400 IN A 192.168.200.202
;; Query time: 0 msec
;; SERVER: 192.168.200.202#53(192.168.200.202)
;; WHEN: Thu Jun 9 20:43:23 2016
;; MSG SIZE rcvd: 132
主从复制:
1.应该为一台独立的名称服务器
2.主服务器的区域解析库文件中必须有一条NS记录指向从服务器
3.从服务器只需要定义区域,无需提供解析库文件,只需指定目录/var/named/slaves/
4.主服务器必须允许从服务器作区域传送
5.主从服务器的时间应该保持同步
6.bind程序的版本应该保持一致,如果不一致必须保证主服务器的版本高
本文来自投稿,不代表Linux运维部落立场,如若转载,请注明出处:http://www.178linux.com/87435
