diff --git a/distro/deb/debian/patches/0002-Update-documentation-of-keyfile-ro.patch b/distro/deb/debian/patches/0001-Update-documentation-of-keyfile-ro.patch similarity index 73% rename from distro/deb/debian/patches/0002-Update-documentation-of-keyfile-ro.patch rename to distro/deb/debian/patches/0001-Update-documentation-of-keyfile-ro.patch index 3618840abfa78b1871b2c953c6d8851ee2712efa..53e6bb3b11912342e3d987c1fc03650db92a2352 100644 --- a/distro/deb/debian/patches/0002-Update-documentation-of-keyfile-ro.patch +++ b/distro/deb/debian/patches/0001-Update-documentation-of-keyfile-ro.patch @@ -1,17 +1,16 @@ -From fff3b5513a48e225fa8fa49899ba1f376552fa99 Mon Sep 17 00:00:00 2001 -From: Tomas Krizek <tomas.krizek@nic.cz> -Date: Tue, 27 Feb 2018 18:05:08 +0100 -Subject: [PATCH] Update documentation of --keyfile-ro +From: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +Date: Sat, 17 Feb 2018 15:52:20 -0500 +Subject: Update documentation of --keyfile-ro On Debian systems, we depend on the OS package management to update the dns root data. Make the documentation for running with this option less scary-sounding, as it is the default. --- - doc/kresd.8.in | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) + doc/kresd.8.in | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/doc/kresd.8.in b/doc/kresd.8.in -index 266e9f05..05a9dd67 100644 +index 266e9f0..6c5195b 100644 --- a/doc/kresd.8.in +++ b/doc/kresd.8.in @@ -123,7 +123,7 @@ file at the default location (\fIconfig\fR). The syntax is 
@@ -23,21 +22,20 @@ index 266e9f05..05a9dd67 100644 Root trust anchors in this file are managed using standard RFC 5011 (Automated Updates of DNS Security Trust Anchors). Kresd needs write access to the directory containing the keyfile. -@@ -134,9 +134,12 @@ The file contains DNSKEY/DS records in presentation format, +@@ -134,9 +134,14 @@ The file contains DNSKEY/DS records in presentation format, and is compatible with Unbound and BIND 9 root key files. .TP .B \-K\fI keyfile\fR, \fB\-\-keyfile\-ro=\fI<keyfile> -(Discouraged) Static root trust anchors file. The file is not updated by kresd. Use of this option is discouraged because it will break your installation when the trust anchor key changes! +Static root trust anchors file. The file is not updated by +kresd. Please ensure that any running kresd instances are restarted if -+the trust anchors change. (On Debian, this should happen automatically -+on upgrade of the dns-root-data package). ++the trust anchors change. (On Debian, kresd will be restarted ++automatically when the dns-root-data package updates ++/usr/share/dns/root.key, so nothing extra needs to be done unless you ++diverge from the default here.) -Default: "@KEYFILE_DEFAULT@" (can be empty if your distribution did not provide one) +Default: "@KEYFILE_DEFAULT@" .TP .B \-m\fI path\fR, \fB\-\-moduledir=\fI<path> Override the directory that is searched for modules. Default: @MODULEDIR@ --- -2.14.3 - diff --git a/distro/deb/debian/patches/0001-avoid-shipping-duplicate-root.hints-and-icann-ca.pem.patch b/distro/deb/debian/patches/0001-avoid-shipping-duplicate-root.hints-and-icann-ca.pem.patch deleted file mode 100644 index 1012e1076120c6f8e2999e3b1b19bf4e0ba9785d..0000000000000000000000000000000000000000 --- a/distro/deb/debian/patches/0001-avoid-shipping-duplicate-root.hints-and-icann-ca.pem.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From: Daniel Kahn Gillmor <dkg@fifthhorseman.net> -Date: Sun, 12 Nov 2017 14:03:31 +0800 -Subject: avoid shipping duplicate root.hints and icann-ca.pem - ---- - etc/etc.mk | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -Index: knot-resolver/etc/etc.mk -=================================================================== ---- knot-resolver.orig/etc/etc.mk -+++ knot-resolver/etc/etc.mk -@@ -1,9 +1,9 @@ --etc_SOURCES := icann-ca.pem \ -+etc_SOURCES := \ - config.cluster \ - config.isp \ - config.personal \ -- config.splitview \ -- root.hints -+ config.splitview -+ - - etc-install: $(DESTDIR)$(ETCDIR) - $(INSTALL) -m 0644 $(addprefix etc/,$(etc_SOURCES)) $(DESTDIR)$(ETCDIR) diff --git a/distro/deb/debian/patches/series b/distro/deb/debian/patches/series index e1032653c418d0cf7a497de04b4c84ca0942c412..5f6f9b54adb6b6947b6a19f1a35ee0314254410f 100644 --- a/distro/deb/debian/patches/series +++ b/distro/deb/debian/patches/series @@ -1,2 +1 @@ -0001-avoid-shipping-duplicate-root.hints-and-icann-ca.pem.patch -0002-Update-documentation-of-keyfile-ro.patch +0001-Update-documentation-of-keyfile-ro.patch diff --git a/distro/deb/debian/rules b/distro/deb/debian/rules index ece2a77b3b5e4177a7a28278ed1845cbce0f534a..8f6091317ca570caf5a63e18276ad8b57cb13873 100755 --- a/distro/deb/debian/rules +++ b/distro/deb/debian/rules @@ -43,6 +43,8 @@ override_dh_auto_build-indep: override_dh_auto_install-arch: dh_auto_install --destdir=debian/tmp -- V=1 + rm debian/tmp/etc/knot-resolver/icann-ca.pem + rm debian/tmp/etc/knot-resolver/root.hints override_dh_auto_install-indep: # install just the http/2 module
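Review bot: The two `rm` lines added to `override_dh_auto_install-arch` drop `icann-ca.pem` and `root.hints` from `debian/tmp` without saying why, and nothing visible in this commit shows that the installed defaults stop looking for them under `/etc/knot-resolver/`. A comment above them, for example `# do not ship duplicate root.hints and icann-ca.pem; the distro-provided copies are used instead`, would preserve the rationale of the quilt patch this commit deletes. Before merging, confirm that the package depends on whatever provides the replacement files and that the configured root-hints and CA paths resolve to those copies. Otherwise the gap would presumably only show up at runtime, when the resolver looks for its root hints or the CA file, not at build time. Keeping plain `rm` without `-f` looks right, since the build then fails loudly if upstream stops installing either file.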