diff --git a/dnssec-trigger-0.12-nm-script-2.patch b/dnssec-trigger-0.12-nm-script-2.patch
deleted file mode 100644
index b690b58..0000000
--- a/dnssec-trigger-0.12-nm-script-2.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-commit 7c830e027a1b5c586ba66f1c1ff77fb79782bd6e
-Author: Pavel Šimerda <psimerda@redhat.com>
-Date:   Fri Jun 13 12:42:11 2014 +0200
-
-    fix bug that prevents calling dnssec-trigger-control submit
-
-diff --git a/dnssec-trigger-script.in b/dnssec-trigger-script.in
-index 297e36a..8f48dea 100644
---- a/dnssec-trigger-script.in
-+++ b/dnssec-trigger-script.in
-@@ -279,10 +279,16 @@ class Store:
-         log.debug(self)
- 
-     def update(self, zones):
--        """Commit a new zone list."""
-+        """Commit a new set of items and return True when it differs"""
- 
--        self.cache = set(zones)
--        log.debug(self)
-+        zones = set(zones)
-+
-+        if zones != self.cache:
-+            self.cache = set(zones)
-+            log.debug(self)
-+            return True
-+
-+        return False
- 
-     def remove(self, zone):
-         """Remove zone from the cache."""
diff --git a/dnssec-trigger-0.12-nm-script.patch b/dnssec-trigger-0.12-nm-script.patch
index 392318c..585f603 100644
--- a/dnssec-trigger-0.12-nm-script.patch
+++ b/dnssec-trigger-0.12-nm-script.patch
@@ -1,8 +1,13 @@
 diff --git a/dnssec-trigger-script.in b/dnssec-trigger-script.in
-index b572dd1..297e36a 100644
+index b572dd1..bc2bf01 100644
 --- a/dnssec-trigger-script.in
 +++ b/dnssec-trigger-script.in
-@@ -10,6 +10,8 @@ import os, sys, shutil, subprocess
+@@ -6,17 +6,18 @@
+ """
+ 
+ from gi.repository import NMClient
+-import os, sys, shutil, subprocess
++import os, sys, shutil, glob, subprocess
  import logging, logging.handlers
  import socket, struct
  
@@ -11,7 +16,29 @@ index b572dd1..297e36a 100644
  DEVNULL = open("/dev/null", "wb")
  
  log = logging.getLogger()
-@@ -190,7 +192,7 @@ class UnboundZoneConfig:
+ log.setLevel(logging.INFO)
+ log.addHandler(logging.handlers.SysLogHandler())
+-if sys.stderr.isatty():
+-    log.addHandler(logging.StreamHandler())
++log.addHandler(logging.StreamHandler())
+ 
+ # NetworkManager reportedly doesn't pass the PATH environment variable.
+ os.environ['PATH'] = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+@@ -53,11 +54,10 @@ class ConnectionList:
+ 
+     nm_connections = None
+ 
+-    def __init__(self, only_default=False, skip_wifi=False):
++    def __init__(self, client, only_default=False, skip_wifi=False):
+         # Cache the active connection list in the class
+         if self.nm_connections is None:
+-            self.__class__.client = NMClient.Client()
+-            self.__class__.nm_connections = self.client.get_active_connections()
++            self.__class__.nm_connections = client.get_active_connections()
+         self.skip_wifi = skip_wifi
+         self.only_default = only_default
+         log.debug(self)
+@@ -190,7 +190,7 @@ class UnboundZoneConfig:
                  if fields.pop(0) in ('forward', 'forward:'):
                      fields.pop(0)
                  secure = False
@@ -20,7 +47,7 @@ index b572dd1..297e36a 100644
                      secure = True
                      fields.pop(0)
                  self.cache[name] = set(fields[3:]), secure
-@@ -255,7 +257,7 @@ class Store:
+@@ -255,7 +255,7 @@ class Store:
                      line = line.strip()
                      if line:
                          self.cache.add(line)
@@ -29,7 +56,27 @@ index b572dd1..297e36a 100644
              pass
          log.debug(self)
  
-@@ -309,7 +311,7 @@ class GlobalForwarders:
+@@ -277,10 +277,16 @@ class Store:
+         log.debug(self)
+ 
+     def update(self, zones):
+-        """Commit a new zone list."""
++        """Commit a new set of items and return True when it differs"""
+ 
+-        self.cache = set(zones)
+-        log.debug(self)
++        zones = set(zones)
++
++        if zones != self.cache:
++            self.cache = set(zones)
++            log.debug(self)
++            return True
++
++        return False
+ 
+     def remove(self, zone):
+         """Remove zone from the cache."""
+@@ -309,7 +315,7 @@ class GlobalForwarders:
                      line = line.strip()
                      if line:
                          self.cache.add(line)
@@ -38,15 +85,81 @@ index b572dd1..297e36a 100644
              pass
  
  class Application:
-@@ -335,7 +337,7 @@ class Application:
+@@ -328,17 +334,24 @@ class Application:
+         except AttributeError:
+             self.usage()
+         self.config = Config()
++        self.client = NMClient.Client()
++
++        self.resolvconf = "/etc/resolv.conf"
++        self.resolvconf_backup = "/var/run/dnssec-trigger/resolv.conf.bak"
+ 
+     def nm_handles_resolv_conf(self):
+-        if subprocess.call(["pidof", "NetworkManager"], stdout=DEVNULL, stderr=DEVNULL) != 0:
++        if not self.client.get_manager_running():
++            log.debug("NetworkManager is not running")
+             return False
          try:
              with open("/etc/NetworkManager/NetworkManager.conf") as nm_config_file:
                  for line in nm_config_file:
 -                    if line.strip == "dns=none":
 +                    if line.strip() in ("dns=none", "dns=unbound"):
++                        log.debug("NetworkManager doesn't handle /etc/resolv.conf")
                          return False
          except IOError:
              pass
--- 
-1.8.3.2
-
++        log.debug("NetworkManager handles /etc/resolv.conf")
+         return True
+ 
+     def usage(self):
+@@ -351,9 +364,19 @@ class Application:
+     def run_prepare(self):
+         """Prepare for dnssec-trigger."""
+ 
++        old_zones = glob.glob("/var/run/dnssec-trigger/????????-????-????-????-????????????")
++        if old_zones:
++            log.info("Converting to new zone cache format")
++            with open("/var/run/dnssec-trigger/zones", "a") as target:
++                for filename in old_zones:
++                    with open(filename) as source:
++                        for line in source:
++                            print(line.strip(), file=target)
++                    os.remove(filename)
++
+         if not self.nm_handles_resolv_conf():
+             log.info("Backing up /etc/resolv.conf")
+-            shutil.copy("/etc/resolv.conf", "/var/run/dnssec-trigger/resolv.conf.bak")
++            shutil.copy(self.resolvconf, self.resolvconf_backup)
+ 
+     def run_cleanup(self):
+         """Clean up after dnssec-trigger."""
+@@ -370,7 +393,10 @@ class Application:
+         log.debug("recovering /etc/resolv.conf")
+         subprocess.check_call(["chattr", "-i", "/etc/resolv.conf"])
+         if not self.nm_handles_resolv_conf():
+-            shutil.copy("/var/run/dnssec-trigger/resolv.conf.bak", "/etc/resolv.conf")
++            try:
++                shutil.copy(self.resolvconf_backup, self.resolvconf)
++            except IOError as error:
++                log.warning("Cannot restore resolv.conf from {!r}: {}".format(self.resolvconf_backup, error.strerror))
+         # NetworkManager currently doesn't support explicit /etc/resolv.conf
+         # write out. For now we simply restart the daemon.
+         elif os.path.exists("/sys/fs/cgroup/systemd"):
+@@ -387,7 +413,7 @@ class Application:
+ 
+         subprocess.check_call(["dnssec-trigger-control", "status"], stdout=DEVNULL, stderr=DEVNULL)
+ 
+-        default_connections = ConnectionList(only_default=True)
++        default_connections = ConnectionList(self.client, only_default=True)
+         servers = Store('servers')
+ 
+         if servers.update(sum((connection.servers for connection in default_connections), [])):
+@@ -399,7 +425,7 @@ class Application:
+     def run_update_connection_zones(self):
+         """Configures forward zones in the unbound using unbound-control."""
+ 
+-        connections = ConnectionList(skip_wifi=not self.config.add_wifi_provided_zones).get_zone_connection_mapping()
++        connections = ConnectionList(self.client, skip_wifi=not self.config.add_wifi_provided_zones).get_zone_connection_mapping()
+         unbound_zones = UnboundZoneConfig()
+         stored_zones = Store('zones')
+ 
diff --git a/dnssec-trigger.spec b/dnssec-trigger.spec
index b8b866b..d94e2c2 100644
--- a/dnssec-trigger.spec
+++ b/dnssec-trigger.spec
@@ -3,7 +3,7 @@
 Summary: NetworkManager plugin to update/reconfigure DNSSEC resolving
 Name: dnssec-trigger
 Version: 0.12
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/downloads/dnssec-trigger/
 Source0: http://www.nlnetlabs.nl/downloads/dnssec-trigger/%{name}-%{version}.tar.gz
@@ -14,13 +14,18 @@ Source2: dnssec-trigger.tmpfiles.d
 #
 # https://bugzilla.redhat.com/show_bug.cgi?id=842455
 Patch1: dnssec-trigger-842455.patch
-# Fix dnssec-trigger-script (upstream patch after 0.12 release)
+# Fix dnssec-trigger-script (diff between 0.12 and what has been submitted to
+# upstream)
+#
+# Upstream often squashes our patches so it's more practical to use just one
+# patch. Please don't forget to submit the changes to upstream before
+# updating the patch.
 #
 # https://bugzilla.redhat.com/show_bug.cgi?id=1100794
 # https://bugzilla.redhat.com/show_bug.cgi?id=1100794
-Patch2: dnssec-trigger-0.12-nm-script.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1105896
-Patch3: dnssec-trigger-0.12-nm-script-2.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1111143
+Patch2: dnssec-trigger-0.12-nm-script.patch
 
 Requires(postun): initscripts
 Requires: ldns >= 1.6.10, NetworkManager, NetworkManager-glib, unbound, xdg-utils
@@ -48,7 +53,6 @@ sed -i "s/-panel//" panel/dnssec-trigger-panel.desktop.in
 
 %patch1 -p1
 %patch2 -p1
-%patch3 -p1
 
 # change default RSA key between deamon/control from 1536 to 3072
 sed -i "s/BITS=1536/BITS=3072/" dnssec-trigger-control-setup.sh.in
@@ -127,6 +131,9 @@ fi
 %systemd_postun_with_restart %{name}d.service
 
 %changelog
+* Fri Jun 20 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-4
+- update dnssec-trigger-script to current development submitted upstream
+
 * Wed Jun 18 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-3
 - Resolves: #1105896 - the new script doesn't call dnssec-trigger-control submit