Wolfgang Karall-Ahlborn's blog

Random DNSSEC / DANE / TLSA resources and infos

Having recently thrown the switch on DNSSEC and DANE/TLSA for a couple of domains, here are some random notes.


The setup of DNSSEC with Bind9 (Debian package bind9) is pretty well covered in various HowTos, so I won't repeat them here. One rather official one is at https://dlv.isc.org/about/using ("ISC does BIND" may sound like a movie title to you, but it's not).

Checking if you're running the currently installed Debian kernel

Note: this doesn't work across ABI changes, i.e. when 3.2.0-4-amd64 becomes 3.2.0-5-amd64

Find the package version for the most recently installed kernel:

dpkg -l linux-image-$(uname -r) | awk '/^ii/{ print $3 }'

Get the same information from the running kernel:

uname --kernel-version  | awk '{ print $NF }'
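
The two commands above combined into one check, as an added example that is not part of the original post. It goes beyond the post by also flagging the ABI-change case from the note and by accepting the "(date)" suffix that newer Debian kernels print; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: is the running Debian kernel the one that is installed?
# Command output is passed in as text, so the logic also runs on samples.

# Installed package version, from `dpkg -l linux-image-$(uname -r)`.
pkg_version() { printf '%s\n' "$1" | awk '/^ii/{ print $3; exit }'; }

# Running kernel version, from `uname --kernel-version`. Newer Debian
# releases append "(YYYY-MM-DD)", so a parenthesised last field is skipped.
running_version() {
    printf '%s\n' "$1" |
        awk '{ v = $NF; if (v ~ /^\(.*\)$/) v = $(NF-1); print v; exit }'
}

# Highest installed kernel release, from `dpkg -l 'linux-image-[0-9]*'`.
newest_release() {
    printf '%s\n' "$1" |
        awk '/^ii/{ sub(/^linux-image-/, "", $2); print $2 }' |
        sort -V | tail -n 1
}

# kernel_status DPKG_RUNNING UNAME_V DPKG_ALL UNAME_R
# Prints a verdict; returns 0 only if no reboot is pending.
kernel_status() {
    # ABI bump (3.2.0-4 -> 3.2.0-5): a higher release than `uname -r` exists.
    newest=$(printf '%s\n%s\n' "$(newest_release "$3")" "$4" | sort -V | tail -n 1)
    if [ "$newest" != "$4" ]; then
        echo "reboot: release $newest installed, running $4"; return 1
    fi
    inst=$(pkg_version "$1"); run=$(running_version "$2")
    if [ "$inst" != "$run" ]; then
        echo "reboot: installed $inst, running $run"; return 1
    fi
    echo "current: $run"
}

# Live check on a Debian host; defined here but not called automatically.
check_live() {
    r=$(uname -r)
    kernel_status "$(dpkg -l "linux-image-$r")" "$(uname --kernel-version)" \
        "$(COLUMNS=200 dpkg -l 'linux-image-[0-9]*')" "$r"
}

# Constructed sample: package upgraded to 3.2.46-1, host still on 3.2.41-2.
SAMPLE_DPKG='ii  linux-image-3.2.0-4-amd64  3.2.46-1  amd64  Linux 3.2'
SAMPLE_UNAME='#1 SMP Debian 3.2.41-2'
kernel_status "$SAMPLE_DPKG" "$SAMPLE_UNAME" "$SAMPLE_DPKG" 3.2.0-4-amd64 || true
```

On a real host, call check_live; a non-zero return means a kernel security update is installed but not yet booted.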


Caveats when switching Xen domUs to pygrub

When switching some old Xen guests (domUs) to pygrub, some things to remember:

  • when using the bootloader config setting, you must remove the config settings kernel, extra, ramdisk and root; otherwise the domU will not boot.
  • if you happen to use multiple disk devices, make sure the one with the kernel/initrd is listed first; otherwise you'll get the error

    Error: Boot loader didn't return any data

Finding Debian packages installed from backports.debian.org

Using backports is a nice way to get newer versions of software while continuing to use Debian stable. If you ever want to list the packages installed from the backports repository, aptitude can help:

aptitude search '~S ~i ~O"Debian Backports"'

You get the search term "Debian Backports" (the so-called origin) for the backports packages from the output of

apt-cache policy

For a list of valid origins depending on your APT sources, we can filter this by using grep and sort:

apt-cache policy | grep -o 'o=[^,]*' | sort -u

So of course this also works to find out which packages got installed from other repositories.

Forcing gzip compression when building Debian packages

If you're building packages on a recent Debian-based distribution and are getting

dpkg-deb: file `blah.deb' contains ununderstood data member data.tar.xz     , giving up

when trying to install the package on an old system with dpkg version < 1.15.6, you can force the use of gzip compression by changing the dh_builddeb call in debian/rules to:

dh_builddeb -- -Z gzip

If you do not have an old-style debian/rules file where all the dh_* calls are listed, but only one generic stanza like

        dh $@

then you can add

        dh_builddeb -- -Zgzip

below that to set the option for dh_builddeb.

