Random DNSSEC / DANE / TLSA resources and info

Having recently thrown the switch on DNSSEC and DANE/TLSA for a couple of domains, here is some random info.


The setup of DNSSEC with Bind9 (Debian package bind9) is pretty well covered in various HowTos, so I won't repeat them here. One rather official one is at ("ISC does BIND" may sound like a movie title to you, but it's not).

Checking if you're running the currently installed Debian kernel

Note: this doesn't work across ABI changes, i.e. when 3.2.0-4-amd64 becomes 3.2.0-5-amd64.

Find the package version for the most recently installed kernel:

dpkg -l linux-image-$(uname -r) | awk '/^ii/{ print $3 }'

Get the same information from the running kernel:

uname --kernel-version | awk '{ print $NF }'
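
The two commands above combined into one check, as an added example that is not part of the original post. It goes slightly beyond the post by taking the field after "Debian" in the uname output instead of the last field, so a trailing build date does not break the comparison; the function names and the sample dpkg output are constructed for illustration.

```shell
#!/bin/sh
# Added example: compares installed vs. running kernel package version.

# Constructed sample of `dpkg -l linux-image-$(uname -r)` output.
SAMPLE_DPKG='||/ Name                       Version   Description
+++-==========================-=========-========================
ii  linux-image-3.2.0-4-amd64  3.2.41-2  Linux 3.2 for 64-bit PCs'

# Installed package version, parsed from `dpkg -l` output on stdin.
installed_version() {
    awk '/^ii/ { print $3; exit }'
}

# Package version the running kernel was built from, parsed from a
# `uname --kernel-version` string: the field that follows "Debian".
running_version() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "Debian") { print $(i + 1); exit } }'
}

# kernel_state DPKG_OUTPUT UNAME_STRING
# Prints "current", "reboot-needed", or "unknown" when either side cannot
# be parsed (package not installed, or not a Debian-built kernel).
kernel_state() {
    inst=$(printf '%s\n' "$1" | installed_version)
    run=$(running_version "$2")
    if [ -z "$inst" ] || [ -z "$run" ]; then
        echo unknown
    elif [ "$inst" = "$run" ]; then
        echo current
    else
        echo reboot-needed
    fi
}

# Demo on the constructed sample: the running kernel is one upload behind.
kernel_state "$SAMPLE_DPKG" '#1 SMP Debian 3.2.35-2'

# Live check, only where dpkg exists (-v is the short form of
# --kernel-version). As noted above, an ABI bump installs a differently
# named package, which this comparison cannot see.
if command -v dpkg >/dev/null 2>&1; then
    kernel_state "$(dpkg -l "linux-image-$(uname -r)" 2>/dev/null)" "$(uname -v)"
fi
```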


Finding Debian packages installed from

Using backports is a nice way to get newer versions of software while continuing to use Debian stable. If you ever want to list the packages installed from the backports repository, aptitude can help:

aptitude search '~S ~i ~O"Debian Backports"'

You get the search term "Debian Backports" (the so-called origin) for the backports packages from the output of

apt-cache policy

For a list of valid origins depending on your APT sources, we can filter this by using grep and sort:

apt-cache policy | grep -o 'o=[^,]*' | sort -u

So of course this also works to find out which packages got installed from other repositories.

Forcing gzip compression when building Debian packages

If you're building packages on a recent Debian-based distribution and are getting

dpkg-deb: file `blah.deb' contains ununderstood data member data.tar.xz     , giving up

when trying to install the package on an old system with dpkg version < 1.15.6, you can force the use of gzip compression by changing the dh_builddeb call in debian/rules to:

dh_builddeb -- -Z gzip

If you do not have an old-style debian/rules file where all the dh_* calls are listed, but only one generic stanza like

        dh $@

then you can add

        dh_builddeb -- -Zgzip

below that to set the option for dh_builddeb.

mysql-server while upgrading Debian 5.0 (lenny) to 6.0 (squeeze)

I'm currently doing plenty of upgrades to Debian 6.0 for customers who tried to wait till the last moment; after all, Lenny's security support ended on the 9th of February, see

