41.
What are two core functionalities of DANE? (Choose two.)
  • A.
    Enables you to specify which CA is allowed to issue certificates for a resource
  • B.
    Authenticates TLS client and server entities without a Certificate Authority
  • C.
    Improves DNS response performance from Windows Server 2016 DNS servers
  • D.
    Simplifies certificate validation in a mixed IPv4/IPv6 environment
Answer : [A, B]
Explanation :
DANE (RFC 6698) lets the owner of a DNSSEC-signed zone publish, in a TLSA record, either which CA may issue the certificate for a service (certificate usages 0 and 2) or exactly which end-entity certificate or public key a client must accept (usages 1 and 3). With usage 3 (DANE-EE) the certificate is trusted because the signed DNS record says so, without any Certificate Authority in the picture; this is what allows self-signed certificates. DANE does not improve DNS response performance: a TLSA record is only worth anything if the zone is DNSSEC-signed, and DNSSEC adds signatures to every response and validation work to the resolver, so if anything responses get larger and slower. DANE also has nothing to do with the IP version in use: a TLSA record is bound to a port, a transport protocol and a host name (for example _443._tcp.usa.nutex.com), not to an address family, so the same record applies whether a client reached the server over IPv4 or IPv6.
42.
Which of the following is not a DANE operation mode?
  • A.
    CA Constraints
  • B.
    Service Certificate Constraints
  • C.
    Trust anchor assertion
  • D.
    Self-Signed Certificate Constraint
  • E.
    Domain-issued certificate
Answer : [D]
Explanation :
Self-Signed Certificate Constraint is not a DANE operation mode. The Certificate Usage field of a TLSA record defines four modes, numbered 0 to 3 (RFC 6698). Mode 0, PKIX-TA (CA Constraint, called CAConstraint by the Windows Server 2016 DNS cmdlets), accepts only certificates whose chain contains the CA named in the record, and the chain must still validate against the client's own trust store. Mode 1, PKIX-EE (Service Certificate Constraint, ServiceCertificateConstraint), accepts only the exact end-entity certificate or public key named in the record, and that certificate must still be issued by a CA the client trusts. Mode 2, DANE-TA (Trust Anchor Assertion, TrustAnchorAssertion), names a trust anchor that need not be in the client's store; the server's chain must lead to that anchor. Mode 3, DANE-EE (Domain-Issued Certificate, DomainIssuedCertificate), accepts only the exact certificate or public key named in the record and performs no CA or chain inspection at all, which is what makes self-signed certificates usable. There is no separate mode for self-signed certificates; they are simply a special case of mode 3.
43.
You have three web servers deployed on your DMZ. You also use Exchange Server 2016. All your servers are Windows Server 2016 servers. They are reachable from the Internet and are secured with TLS certificates issued by a public CA. You want to protect your environment against man-in-the-middle attacks. Which kinds of records should you use if you want to add certificate validation to your solution? (Choose two.)
  • A.
    RRSIG
  • B.
    DNSKEY
  • C.
    TLSA
  • D.
    DS records
Answer : [A, C]
Explanation :
You can use TLSA records to associate a TLS server certificate, or its public key, with the name, port and protocol where the record is found (for example _443._tcp.www.nutex.com), thus forming a TLSA certificate association. TLSA records can describe self-signed certificates as well as X.509 certificates from certification authorities (Symantec, Comodo, StartSSL, CACert, and so on). A TLSA record is only as trustworthy as the DNS answer that carries it, so it must be published in a DNSSEC-signed zone: the RRSIG record holds the signature over the TLSA record set, and a validating client rejects a TLSA answer that does not verify. Without that signature an attacker who can spoof DNS can replace the TLSA data as easily as an A record, and DANE adds no protection. DNSKEY and DS records are part of the DNSSEC chain of trust for the zone, but they are not the records you add to bind a certificate to a service. Note also that DANE only protects connections from clients that actually look up TLSA records and validate DNSSEC; a client that ignores TLSA still relies on the public CA alone.
44.
You want to test DANE and TLSA records in your testing environment. You want to use only certificates that do not have to be signed by a valid CA. Which value should you use for the CertificateUsage parameter when you create your TLSA records with the PowerShell cmdlet Add-DnsServerResourceRecord?
  • A.
    ServiceCertificateConstraint
  • B.
    DomainIssuedCertificates
  • C.
    CAConstraint
  • D.
    TrustAnchor Assertion
Answer : [B]
Explanation :
You must use DomainIssuedCertificate (certificate usage 3, DANE-EE) because it is the only usage under which a client accepts the certificate without any CA involvement: the presented certificate or key just has to match the record. ServiceCertificateConstraint (usage 1, PKIX-EE) also pins the exact certificate, but the client still validates the chain against its trust store, so an unsigned certificate fails. CAConstraint (usage 0, PKIX-TA) and TrustAnchorAssertion (usage 2, DANE-TA) both describe an issuing CA, so they presuppose a CA-signed certificate.
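As an added example, not code from this page or from Microsoft, this is how the record from the question above would be published on a Windows Server 2016 DNS server: the association data is derived from the server's own certificate, the zone is checked for DNSSEC signing (the point of the previous question), and the cmdlet is called with the usage the question asks for. The zone, host name and certificate path are assumptions; the parameter value spellings (DomainIssuedCertificate, FullCertificate, Sha256Hash) follow the cmdlet documentation, so confirm them on your server with Get-Help Add-DnsServerResourceRecord -Parameter CertificateUsage.

```powershell
# Added example: publish a "3 0 1" TLSA record (DANE-EE, full certificate, SHA-256)
# for https://usa.nutex.com on a Windows Server 2016 DNS server.
# Assumptions: nutex.com is a primary zone on this server and the server
# certificate (public part only) was exported to C:\certs\usa.cer.
Import-Module DnsServer

$ZoneName = 'nutex.com'
$Name     = '_443._tcp.usa'      # port 443, TCP, host "usa", relative to the zone
$CertPath = 'C:\certs\usa.cer'   # assumption: exported certificate, DER or Base64

# Unsigned TLSA data can be spoofed as easily as an unsigned A record, so a DANE
# client gets nothing from it; sign the zone first if that has not been done.
if (-not (Get-DnsServerZone -Name $ZoneName).IsSigned) {
    Invoke-DnsServerZoneSign -ZoneName $ZoneName -SignWithDefault
}

# Selector 0 (FullCertificate): the hash covers the whole DER-encoded certificate,
# so the record must be replaced every time the certificate is renewed.
# Matching type 1 (Sha256Hash): the record stores hex(SHA-256(certificate)).
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$digest = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)
$AssociationData = ($digest | ForEach-Object { $_.ToString('x2') }) -join ''

# Usage 3 (DomainIssuedCertificate, DANE-EE) is the only usage that works for a
# certificate no CA has signed: the client trusts the match, not a chain.
Add-DnsServerResourceRecord -TLSA -ZoneName $ZoneName -Name $Name `
    -CertificateUsage DomainIssuedCertificate `
    -Selector FullCertificate `
    -MatchingType Sha256Hash `
    -CertificateAssociationData $AssociationData

# Show what was stored, then confirm a DNSSEC-aware query returns the RRSIG
# that covers the new name; without it the record is not protected.
Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $Name
Resolve-DnsName -Name "$Name.$ZoneName" -Type RRSIG -DnssecOk
```

Using selector 1 (SubjectPublicKeyInfo) instead of the full certificate is the usual production choice, because the record then survives renewals that keep the same key pair; the hash input in that case is the DER SubjectPublicKeyInfo structure rather than $cert.RawData.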
45.
You are the administrator of nutex.com. You want to tell DANE-aware clients which certificate they should expect for usa.nutex.com, in order to prevent man-in-the-middle attacks. The client must trust only the certificate referenced by its SHA-256 hash in the TLSA record, without relying on a CA. Which TLSA record is correct?
  • A.
    _443._tcp.usa.nutex.com. IN TLSA 0 1 1 ea0fccb0f5a7f7a4c67…
  • B.
    _443._tcp.usa.nutex.com. IN TLSA 1 1 1 ea0fccb0f5a7f7a4c67…
  • C.
    _443._tcp.usa.nutex.com. IN TLSA 2 1 2 ea0fccb0f5a7f7a4c67…
  • D.
    _443._tcp.usa.nutex.com. IN TLSA 3 1 1 ea0fccb0f5a7f7a4c67…
Answer : [D]
Explanation :
You should use the _443._tcp.usa.nutex.com. IN TLSA 3 1 1 record because its Certificate Usage field is 3, DANE-EE (Domain-Issued Certificate). This value disables trust hierarchy inspection entirely: the client trusts the server if, and only if, the presented certificate matches the record. The Selector field is 1, so the comparison covers the SubjectPublicKeyInfo (the server's public key) rather than the whole certificate, and the Matching Type field is 1, so the record stores the SHA-256 hash of that SubjectPublicKeyInfo. You should not use _443._tcp.usa.nutex.com. IN TLSA 0 1 1 because its usage is 0, PKIX-TA (Certificate Authority Constraint): the client accepts only a chain that contains the named CA, and the chain must still pass normal trust hierarchy inspection against the client's own CA store. You should not use _443._tcp.usa.nutex.com. IN TLSA 1 1 1 because its usage is 1, PKIX-EE (Service Certificate Constraint): the client accepts only the named end-entity certificate, but still requires it to validate through a trusted CA. You should not use _443._tcp.usa.nutex.com. IN TLSA 2 1 2 because its usage is 2, DANE-TA (Trust Anchor Assertion): the record names a trust anchor that the server's chain must lead to, even one the client does not ship, so the CA is still inspected; in addition, its Matching Type is 2, which means a SHA-512 hash, not the SHA-256 hash the question requires.
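To make the three fields in the options concrete, here is an added example (not code from this page) that does on the client side what the explanations above describe: it parses the rdata of a TLSA record, computes the comparison value from a presented certificate chain according to the Selector and Matching Type, and reports whether the record matches and whether the Certificate Usage still requires PKIX chain validation. The small DER walker that extracts the SubjectPublicKeyInfo is included so the code runs on Windows PowerShell 5.1 as well as PowerShell 7 without .NET-version-specific export APIs. The record data and certificate path in the usage lines are placeholders; a real record's data is the full 64-hex-character SHA-256 value, not the truncated "…" shown in the options.

```powershell
# Added example: interpret a TLSA record ("usage selector matching-type hex")
# against the certificate chain a client was presented (end-entity first).

function Read-DerTlv {
    # Decode one DER tag-length-value at $Offset; return where its content and end are.
    param([byte[]]$Bytes, [int]$Offset)
    $tag = $Bytes[$Offset]
    $len = [int]$Bytes[$Offset + 1]
    $hdr = 2
    if ($len -band 0x80) {                      # long form: low 7 bits = number of length bytes
        $n = $len -band 0x7F; $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = $len * 256 + $Bytes[$Offset + 2 + $i] }
        $hdr = 2 + $n
    }
    [pscustomobject]@{ Tag = $tag; Start = $Offset; ContentStart = $Offset + $hdr; End = $Offset + $hdr + $len }
}

function Get-SubjectPublicKeyInfoDer {
    # Selector 1 hashes the DER SubjectPublicKeyInfo: the element of tbsCertificate that
    # follows the optional [0] version, serialNumber, signature, issuer, validity and subject.
    param([byte[]]$CertDer)
    $tbs = Read-DerTlv $CertDer (Read-DerTlv $CertDer 0).ContentStart   # Certificate -> tbsCertificate
    $pos = $tbs.ContentStart
    if ($CertDer[$pos] -eq 0xA0) { $pos = (Read-DerTlv $CertDer $pos).End }   # [0] EXPLICIT version
    foreach ($field in 'serialNumber', 'signature', 'issuer', 'validity', 'subject') {
        $pos = (Read-DerTlv $CertDer $pos).End
    }
    $spki = Read-DerTlv $CertDer $pos
    if ($spki.Tag -ne 0x30) { throw "Expected SEQUENCE for SubjectPublicKeyInfo, got tag 0x$($spki.Tag.ToString('x2'))" }
    return [byte[]]$CertDer[$spki.Start..($spki.End - 1)]
}

function Get-TlsaData {
    # Certificate Association Data for one certificate, as lowercase hex.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [int]$Selector, [int]$MatchingType)
    # Selector: 0 = whole DER certificate, 1 = SubjectPublicKeyInfo (survives key-preserving renewals).
    [byte[]]$subject = if ($Selector -eq 0) { $Cert.RawData } elseif ($Selector -eq 1) { Get-SubjectPublicKeyInfoDer $Cert.RawData } else { throw "Unknown selector $Selector" }
    # Matching type: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
    [byte[]]$value = if ($MatchingType -eq 0) { $subject } elseif ($MatchingType -eq 1) { [System.Security.Cryptography.SHA256]::Create().ComputeHash($subject) } elseif ($MatchingType -eq 2) { [System.Security.Cryptography.SHA512]::Create().ComputeHash($subject) } else { throw "Unknown matching type $MatchingType" }
    return ($value | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Test-TlsaRecord {
    param(
        [Parameter(Mandatory)][string]$Rdata,   # presentation format, e.g. "3 1 1 ea0fccb0..."
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Chain   # leaf first
    )
    $usage, $selector, $matching, $hex = $Rdata.Trim() -split '\s+', 4
    $usage = [int]$usage
    $hex = ($hex -replace '\s', '').ToLower()    # presentation format may split the hex with spaces

    $meaning = @{
        0 = 'PKIX-TA: a CA in the chain must match, and the chain must still validate against the client trust store'
        1 = 'PKIX-EE: the end-entity certificate must match, and the chain must still validate against the client trust store'
        2 = 'DANE-TA: a CA in the chain must match and becomes the trust anchor, even if the client does not ship it'
        3 = 'DANE-EE: the end-entity certificate must match; no CA or chain inspection at all'
    }
    if (-not $meaning.ContainsKey($usage)) { throw "Unknown certificate usage $usage" }

    # Usages 0 and 2 describe an issuer somewhere in the chain; usages 1 and 3 describe the leaf.
    $candidates = if ($usage -in 0, 2) { $Chain | Select-Object -Skip 1 } else { $Chain | Select-Object -First 1 }
    $matched = $null
    foreach ($c in $candidates) {
        if ((Get-TlsaData -Cert $c -Selector $selector -MatchingType $matching) -eq $hex) { $matched = $c; break }
    }
    [pscustomobject]@{
        Usage                       = $usage
        Meaning                     = $meaning[$usage]
        Matches                     = [bool]$matched
        MatchedSubject              = if ($matched) { $matched.Subject } else { $null }
        PkixValidationStillRequired = ($usage -le 1)   # only PKIX-TA and PKIX-EE keep the CA store in the loop
    }
}

# Usage (placeholders): check the record from option D against the server's own certificate.
# $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\usa.cer'
# Test-TlsaRecord -Rdata '3 1 1 ea0fccb0f5a7f7a4c67...' -Chain @($leaf)
```

For a usage 0 or 2 record the chain passed in must include the issuing CA certificates (as sent by the server in the TLS handshake), otherwise there is nothing for the record to match; for usage 1 and 3 only the end-entity certificate is consulted, which is exactly why those usages work for self-signed certificates once the chain check is dropped.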