From 9eaa8597106de33c29b240e45f156b146e6d5134 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Mon, 26 Aug 2024 12:28:58 +0200
Subject: Merging debian version 2024041802.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 debian/rules | 38 ++++++++++++++++++--------------------
 1 file changed, 18 insertions(+), 20 deletions(-)


diff --git a/debian/rules b/debian/rules
index 778a960..20a8e88 100755
--- a/debian/rules
+++ b/debian/rules
@@ -12,33 +12,31 @@ override_dh_auto_configure override_dh_auto_install:
 
 override_dh_auto_build:
 	# Verify root-anchors.xml using OpenSSL
-	openssl smime -verify -noverify -inform DER -in root-anchors.p7s -content root-anchors.xml
+	openssl smime -verify -content signed-file -CAfile icannbundle.pem -inform DER -in root-anchors.p7s -content root-anchors.xml -out /dev/null
 
 	# Verify root.hints
-	gpgv --keyring $(CURDIR)/registry-admin.key $(CURDIR)/root.hints.sig $(CURDIR)/root.hints
+	gpgv --keyring `pwd`/registry-admin.key root.hints.sig root.hints
 
-	# Create key from validated root-anchors.xml
+	# Create the DS records from the validated root-anchors.xml
 	./parse-root-anchors.sh < root-anchors.xml | sort -k 4 -n > root-anchors.ds
 
-	# Create key from downloaded root.key
-	/usr/bin/ldns-key2ds -n -2 root.key | cut --fields=1,3- --output-delimiter=' ' | sort -k 4 -n > root.ds
+	# Create the DS records from the DNSKEY records
+	/usr/bin/ldns-key2ds -n -2 root.key | cut --fields=1,3- --output-delimiter=' ' | sort -k 4 -n > root-dns.ds
 
-	# Compare the DS from root.key and from root-anchors.xml
-	diff -u root-anchors.ds root.ds
+	# Keep the DS records from root-anchors.xml which had a corresponding
+	# DNSKEY record in the live DNS.
+	comm root-anchors.ds root-dns.ds -12 > root.ds
 
 override_dh_auto_clean:
-	rm -f root-anchors.ds root.ds
+	rm -f root-anchors.ds root-dns.ds root.ds
 
 get_orig_source:
-	# Create root.key and root.hints using wget and unbound-anchor
-	# This needs Internet connection
-	/usr/sbin/unbound-anchor \
-		-a $(CURDIR)/root-auto.key \
-		-c $(CURDIR)/icannbundle.pem || echo "Check the root-auto.key"
-	< $(CURDIR)/root-auto.key grep -Ev "^($$|;)" | sed -e 's/ ;;count=.*//' > $(CURDIR)/root.key
-	rm $(CURDIR)/root-auto.key
-	wget -O $(CURDIR)/root.hints "https://www.internic.net/domain/named.root"
-	wget -O $(CURDIR)/root.hints.sig "https://www.internic.net/domain/named.root.sig"
-	# get root-anchors.xml and root-anchors.p7s as well
-	wget -O $(CURDIR)/root-anchors.xml 'https://data.iana.org/root-anchors/root-anchors.xml'
-	wget -O $(CURDIR)/root-anchors.p7s 'https://data.iana.org/root-anchors/root-anchors.p7s'
+	# Obtain the DNSKEY records from the live DNS
+	/usr/sbin/unbound-anchor -v \
+		-a root-auto.key \
+		|| echo "Check the root-auto.key"
+	< root-auto.key grep -Ev "^($$|;)" | sed -e 's/ ;;count=.*//' > root.key
+	rm root-auto.key
+	./update-root-hints.sh
+	./update-root-anchors.sh
+
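Review bot: The `comm root-anchors.ds root-dns.ds -12 > root.ds` step that replaces `diff -u` no longer fails the build when the DS records from root.key and from root-anchors.xml disagree, so an empty intersection produces an empty root.ds and the build still succeeds. Adding `test -s root.ds` directly after the comm line would keep override_dh_auto_build failing closed when no trust anchor survives the comparison. comm expects its inputs in collation order, while both files are produced with `sort -k 4 -n`; whether the two orders agree for these records is not visible here, so confirm it or sort both inputs with plain `sort` before comparing. Separately, the new openssl line passes `-content` twice (`-content signed-file` and `-content root-anchors.xml`); the first looks like a leftover placeholder and should be dropped so that it is unambiguous which file the signature is checked against.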
-- 
cgit v1.2.3