dns-root-data: improve determinism, clear key status

Nitpicks:
- The timestamps there were useless.
- The generator now switched the two keys; I don't know why.

I intentionally remove the comments like "state=1 [ ADDPEND ]".
The problem is that keys e.g. in ADDPEND state are *not* immediately
usable for validation - see RFC5011 for details.  I verified that Unbound
does disregard this on the format we and Debian use ATM, presumably due
to removing parts of the comments, but it would be confusing nevertheless.

1 files changed, 5 insertions, 4 deletions

diff --git a/pkgs/data/misc/dns-root-data/update-root-key.sh b/pkgs/data/misc/dns-root-data/update-root-key.sh
index 5db179621a7..9a3141aef19 100755
--- a/pkgs/data/misc/dns-root-data/update-root-key.sh
+++ b/pkgs/data/misc/dns-root-data/update-root-key.sh
@@ -2,8 +2,9 @@
 #!nix-shell -i bash -p busybox unbound
 
 TMP=`mktemp`
-unbound-anchor -a $TMP
-grep -Ev "^($$|;)" $TMP | sed -e 's/ ;;count=.*//' > root.key
-rm $TMP
+unbound-anchor -a "$TMP"
+grep -Ev "^($$|;)" "$TMP" | sed -e 's/ ;;.*//' > root.key
 
-unbound-anchor -F -a root.ds
+unbound-anchor -F -a "$TMP"
+sed '/^;/d' < "$TMP" > root.ds
+rm $TMP