authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-08-26 10:28:58 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-08-26 10:28:58 +0000
commit9eaa8597106de33c29b240e45f156b146e6d5134 (patch)
tree4d21ed04d8e07ee2db8b184646daa26adbc7c941
parentMerging upstream version 2024041802. (diff)
Merging debian version 2024041802.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
-rw-r--r--debian/changelog8
-rw-r--r--debian/dns-root-data.install4
-rwxr-xr-xdebian/rules38
3 files changed, 29 insertions, 21 deletions
diff --git a/debian/changelog b/debian/changelog
index a4aed9a..dad7532 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+dns-root-data (2024041802) unstable; urgency=medium
+
+ * Stop installing root.hints.sig, since no package actually uses the file.
+ * Stop the package from FTBFS in the periods between when root-anchors.xml
+ is updated and the new root KSK is actually published in the DNS.
+
+ -- Marco d'Itri <md@linux.it> Sun, 18 Aug 2024 02:18:32 +0200
+
dns-root-data (2024041801-0.0~progress7.99u1) graograman-backports; urgency=medium
* Initial reupload to graograman-backports.
diff --git a/debian/dns-root-data.install b/debian/dns-root-data.install
index c086801..0d84851 100644
--- a/debian/dns-root-data.install
+++ b/debian/dns-root-data.install
@@ -1 +1,3 @@
-root.* /usr/share/dns/
+root.hints /usr/share/dns/
+root.key /usr/share/dns/
+root.ds /usr/share/dns/
diff --git a/debian/rules b/debian/rules
index 778a960..20a8e88 100755
--- a/debian/rules
+++ b/debian/rules
@@ -12,33 +12,31 @@ override_dh_auto_configure override_dh_auto_install:
override_dh_auto_build:
# Verify root-anchors.xml using OpenSSL
- openssl smime -verify -noverify -inform DER -in root-anchors.p7s -content root-anchors.xml
+ openssl smime -verify -content signed-file -CAfile icannbundle.pem -inform DER -in root-anchors.p7s -content root-anchors.xml -out /dev/null
# Verify root.hints
- gpgv --keyring $(CURDIR)/registry-admin.key $(CURDIR)/root.hints.sig $(CURDIR)/root.hints
+ gpgv --keyring `pwd`/registry-admin.key root.hints.sig root.hints
- # Create key from validated root-anchors.xml
+ # Create the DS records from the validated root-anchors.xml
./parse-root-anchors.sh < root-anchors.xml | sort -k 4 -n > root-anchors.ds
- # Create key from downloaded root.key
- /usr/bin/ldns-key2ds -n -2 root.key | cut --fields=1,3- --output-delimiter=' ' | sort -k 4 -n > root.ds
+ # Create the DS records from the DNSKEY records
+ /usr/bin/ldns-key2ds -n -2 root.key | cut --fields=1,3- --output-delimiter=' ' | sort -k 4 -n > root-dns.ds
- # Compare the DS from root.key and from root-anchors.xml
- diff -u root-anchors.ds root.ds
+ # Keep the DS records from root-anchors.xml which had a corresponding
+ # DNSKEY record in the live DNS.
+ comm root-anchors.ds root-dns.ds -12 > root.ds
override_dh_auto_clean:
- rm -f root-anchors.ds root.ds
+ rm -f root-anchors.ds root-dns.ds root.ds
get_orig_source:
- # Create root.key and root.hints using wget and unbound-anchor
- # This needs Internet connection
- /usr/sbin/unbound-anchor \
- -a $(CURDIR)/root-auto.key \
- -c $(CURDIR)/icannbundle.pem || echo "Check the root-auto.key"
- < $(CURDIR)/root-auto.key grep -Ev "^($$|;)" | sed -e 's/ ;;count=.*//' > $(CURDIR)/root.key
- rm $(CURDIR)/root-auto.key
- wget -O $(CURDIR)/root.hints "https://www.internic.net/domain/named.root"
- wget -O $(CURDIR)/root.hints.sig "https://www.internic.net/domain/named.root.sig"
- # get root-anchors.xml and root-anchors.p7s as well
- wget -O $(CURDIR)/root-anchors.xml 'https://data.iana.org/root-anchors/root-anchors.xml'
- wget -O $(CURDIR)/root-anchors.p7s 'https://data.iana.org/root-anchors/root-anchors.p7s'
+ # Obtain the DNSKEY records from the live DNS
+ /usr/sbin/unbound-anchor -v \
+ -a root-auto.key \
+ || echo "Check the root-auto.key"
+ < root-auto.key grep -Ev "^($$|;)" | sed -e 's/ ;;count=.*//' > root.key
+ rm root-auto.key
+ ./update-root-hints.sh
+ ./update-root-anchors.sh
+
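Review bot: The `comm root-anchors.ds root-dns.ds -12 > root.ds` step in override_dh_auto_build replaces a failing `diff -u` with an intersection, so the build now succeeds when root.key carries a DNSKEY with no DS in the verified root-anchors.xml, and also when the intersection is empty. root.key is still installed unchanged by debian/dns-root-data.install, so unless that is intended the build should fail in both cases: add `test -s root.ds` and `! comm -13 root-anchors.ds root-dns.ds | grep -q .` after the `comm` line. Both inputs are ordered with `sort -k 4 -n`, which may not be the collation order `comm` expects, so re-sorting them with `LC_ALL=C sort` before the comparison would be safer. Separately, the new `openssl smime -verify` line passes `-content` twice, and the first value, `signed-file`, looks like a leftover placeholder that should be dropped.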