diff --git a/.drone.yml b/.drone.yml new file mode 100644 index 0000000..0bf7cbd --- /dev/null +++ b/.drone.yml @@ -0,0 +1,27 @@ +labels: + cpus: '1' + ram: '512' + mhz: '2000' +clone: + git: + image: 'plugins/git' + tags: true +pipeline: + edge: + image: 'plugins/docker' + context: 'container' + dockerfile: 'container/Dockerfile' + secrets: ["docker_username", "docker_password"] + repo: '${DRONE_REPO_OWNER}/${DRONE_REPO_NAME##docker-}' + tag: 'edge-droneci' + when: + branch: 'edge' + configs: + image: 'plugins/docker' + context: 'container' + dockerfile: 'container/Dockerfile' + secrets: ["docker_username", "docker_password"] + repo: '${DRONE_REPO_OWNER}/${DRONE_REPO_NAME##docker-}' + tag: 'configs-droneci' + when: + branch: 'config-changes' diff --git a/.drone.yml.sig b/.drone.yml.sig new file mode 100644 index 0000000..aafae16 --- /dev/null +++ b/.drone.yml.sig @@ -0,0 +1,27 @@ + + + + + + + + + + + + + + + + + + + + + + diff --git a/container/Dockerfile b/container/Dockerfile index 1307ecb..22099e7 100644 --- a/container/Dockerfile +++ b/container/Dockerfile 
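Review bot: Both plugin images in the new pipeline are unpinned (`image: 'plugins/git'`, `image: 'plugins/docker'`), so every run pulls whatever the registry currently publishes as latest, and the docker plugin is the step that is handed `docker_username`/`docker_password`. Pinning them to a release tag, e.g. `image: 'plugins/docker:<version>'`, keeps builds reproducible and turns a plugin update into a reviewed change rather than a silent one. The `${DRONE_REPO_NAME##docker-}` substitution presumably relies on Drone's bash-style parameter expansion; a one-line comment saying the repository name is expected to begin with `docker-` would help the next reader.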
@@ -1,21 +1,16 @@
-FROM alpine:latest
-EXPOSE 53 53/udp
+FROM tcely/alpine-stable
-RUN apk --update upgrade && apk add bind
+EXPOSE 53 53/udp
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
-# /etc/bind needs to be owned by root, group owned by "bind", and chmod 750
-# since we are mounting, do it manually
-# NOTE: Per Dockerfile manual --> need to mkdir the mounted dir to chown
-# &
-# /var/bind needs to be owned by root, group owned by "bind", and chmod 770
-# since we are mounting, do it manually
-# NOTE: Per Dockerfile manual --> need to mkdir the mounted dir to chown
-# &
-# Get latest bind.keys
-RUN mkdir -m 0770 -p /etc/bind && chown -R root:named /etc/bind ; \
- mkdir -m 0770 -p /var/bind && chown -R root:named /var/cache ; \
- wget -q -O /etc/bind/bind.keys https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11 ; \
- rndc-confgen -a -r /dev/urandom
+RUN apk --update upgrade && \
+ apk add bind ca-certificates curl gnupg && \
+ rm -rf /etc/bind/rndc.key /var/cache/apk/* && \
+ chmod g-w /var/bind && \
+ cp -p /etc/bind/bind.keys /var/bind/ && \
+ install -d -m 0770 -o named -g named /var/cache/bind && \
+ ln -s ../../var/run/named/rndc.key /etc/bind/rndc.key
 COPY configs/. /etc/bind/
@@ -23,8 +18,5 @@ COPY configs/. /etc/bind/
 # NOTE: Per Dockerfile manual -->
 # "if any build steps change the data within the volume
 # after it has been declared, those changes will be discarded."
-VOLUME ["/etc/bind"]
-VOLUME ["/var/bind"]
+VOLUME ["/etc/bind", "/var/cache/bind"]
-COPY entrypoint.sh /
-ENTRYPOINT ["/entrypoint.sh"]
diff --git a/container/configs/README b/container/configs/README
index 3e50e76..c3ec94b 100644
--- a/container/configs/README
+++ b/container/configs/README
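Review bot: `FROM tcely/alpine-stable` carries no tag or digest, so each build starts from whatever that third-party repository currently publishes, and `apk add bind ca-certificates curl gnupg` is likewise unpinned; pin at least the base, `FROM tcely/alpine-stable:<tag>@sha256:<digest>`, and note the intended bind version in a comment so the CI tags (`edge-droneci`, `configs-droneci`) correspond to a known package set. The same RUN line does `chmod g-w /var/bind` while `named.conf.options` in this commit sets `managed-keys-directory "/var/bind/dyn"`; the ownership of that directory is not visible here, and if it is not writable by `named`, trust-anchor maintenance will fail at runtime, so confirm it against the package. The second hunk's `VOLUME ["/etc/bind", "/var/cache/bind"]` correctly follows the `COPY configs/.` and the `ln -s` into `/etc/bind`; a comment on the `ln -s` line saying that `/etc/bind/rndc.key` is a dangling symlink until `entrypoint.sh` generates its target would spare the next reader a surprise.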
@@ -1,2 +1,5 @@ You should add your zones to: named.conf.local -Generally, that's the only file you will need to modify +If you want to change server options edit: named.conf.options.local +To add ACLs for use in either of the above files edit: named.conf.acls + +Generally, these are the only files you will need to modify diff --git a/container/configs/default-zones/db.255 b/container/configs/default-zones/db.255 deleted file mode 100644 index e3aabdb..0000000 --- a/container/configs/default-zones/db.255 +++ /dev/null @@ -1,12 +0,0 @@ -; -; BIND reverse data file for broadcast zone -; -$TTL 604800 -@ IN SOA localhost. root.localhost. ( - 1 ; Serial - 604800 ; Refresh - 86400 ; Retry - 2419200 ; Expire - 604800 ) ; Negative Cache TTL -; -@ IN NS localhost. diff --git a/container/configs/default-zones/db.local b/container/configs/default-zones/db.localhost similarity index 100% rename from container/configs/default-zones/db.local rename to container/configs/default-zones/db.localhost diff --git a/container/configs/default-zones/db.root b/container/configs/default-zones/named.cache similarity index 100% rename from container/configs/default-zones/db.root rename to container/configs/default-zones/named.cache diff --git a/container/configs/default-zones/db.127 b/container/configs/default-zones/rev.127 similarity index 100% rename from container/configs/default-zones/db.127 rename to container/configs/default-zones/rev.127 diff --git a/container/configs/default-zones/db.0 b/container/configs/default-zones/rev.broadcast similarity index 100% rename from container/configs/default-zones/db.0 rename to container/configs/default-zones/rev.broadcast diff --git a/container/configs/example-configs/README b/container/configs/example-configs/README deleted file mode 100644 index f9f63ee..0000000 --- a/container/configs/example-configs/README +++ /dev/null 
@@ -1,20 +0,0 @@ -1.) Start with the FULL directory contents of "configs" which has a -fully functioning recurive resolver/forwarding cacher AND an -authoritative config at the same time. - -The "configs" directory contains: - -* README -* named.conf -* named.conf.default-zones -* named.conf.rfc1918 -* named.conf.local -> modify this for all of your authoritative zones -* named.conf.options -> feel free to overwrite this with one fr - -default-zones: -db.0 db.127 db.255 db.empty db.local db.root - - -2.) and then feel free to use the "named.conf.options" provided in the -"example-configs" to override the default with a more "specific -'named.conf.options' as needed for a more diff --git a/container/configs/example-configs/authoritative/named.conf.options b/container/configs/example-configs/authoritative/named.conf.options deleted file mode 100644 index da2f936..0000000 --- a/container/configs/example-configs/authoritative/named.conf.options +++ /dev/null 
@@ -1,56 +0,0 @@ -// Copy this file to /etc/bind/named.conf.options if you want to run bind as an -// authoritative nameserver. If you want to run a recursive DNS resolver -// instead, see Ventz's "example-configs/recursive-resolver/named.conf.options" -// -// BIND supports using the same daemon as both authoritative nameserver and -// recursive resolver; it supports this because it is the oldest and original -// nameserver and so was designed before it was realized that combining these -// functions is inadvisable. -// -// In actual fact, combining these functions is a very bad idea. It is thus -// recommended that you run a given instance of BIND as either an authoritative -// nameserver or recursive resolver, not both. The example configuration herein -// provides a secure starting point for running an authoritative nameserver. - -options { - directory "/var/bind"; - - // Configure the IPs to listen on here. - listen-on { 127.0.0.1; }; - listen-on-v6 { none; }; - - // If you want to allow only specific hosts to use the DNS server: - //allow-query { - // 127.0.0.1; - //}; - - // Specify a list of IPs/masks to allow zone transfers to here. - // - // You can override this on a per-zone basis by specifying this inside a zone - // block. - // - // Warning: Removing this block will cause BIND to revert to its default - // behaviour of allowing zone transfers to any host (!). - allow-transfer { - none; - }; - - // If you have problems and are behind a firewall: - //query-source address * port 53; - - pid-file "/var/run/named/named.pid"; - - // Changing this is NOT RECOMMENDED; see the notes above and in - // named.conf.recursive. - allow-recursion { none; }; - recursion no; -}; - -// Example of how to configure a zone for which this server is the master: -//zone "example.com" IN { -// type master; -// file "/etc/bind/master/example.com"; -//}; - -// You can include files: -//include "/etc/bind/example.conf"; 
diff --git a/container/configs/example-configs/recursive-resolver/named.conf.options b/container/configs/example-configs/recursive-resolver/named.conf.options deleted file mode 100644 index d9c164f..0000000 --- a/container/configs/example-configs/recursive-resolver/named.conf.options +++ /dev/null 
@@ -1,104 +0,0 @@ -// Copy this file to /etc/bind/named.conf.options if you want to run bind as a -// recursive DNS resolver. If you want to run an authoritative nameserver -// instead, see Ventz's "example-configs/authoritative/named.conf.options" -// -// BIND supports using the same daemon as both authoritative nameserver and -// recursive resolver; it supports this because it is the oldest and original -// nameserver and so was designed before it was realized that combining these -// functions is inadvisable. -// -// In actual fact, combining these functions is a very bad idea. It is thus -// recommended that you run a given instance of BIND as either an authoritative -// nameserver or recursive resolver, not both. The example configuration herein -// provides a starting point for running a recursive resolver. -// -// -// *** IMPORTANT *** -// You should note that running an open DNS resolver (that is, a resolver which -// answers queries from any globally routable IP) makes the resolver vulnerable -// to abuse in the form of reflected DDoS attacks. -// -// These attacks are now widely prevalent on the open internet. Even if -// unadvertised, attackers can and will find your resolver by portscanning the -// global IPv4 address space. -// -// In one case the traffic generated using such an attack reached 300 Gb/s (!). -// -// It is therefore imperative that you take care to configure the resolver to -// only answer queries from IP address space you trust or control. See the -// "allow-recursion" directive below. -// -// Bear in mind that with these attacks, the "source" of a query will actually -// be the intended target of a DDoS attack, so this only protects other networks -// from attack, not your own; ideally therefore you should firewall DNS traffic -// at the borders of your network to eliminate spoofed traffic. -// -// This is a complex issue and some level of understanding of these attacks is -// advisable before you attempt to configure a resolver. 
- -options { - directory "/var/bind"; - - // Specify a list of CIDR masks which should be allowed to issue recursive - // queries to the DNS server. Do NOT specify 0.0.0.0/0 here; see above. - allow-recursion { - 127.0.0.1/32; - }; - - // If you want this resolver to itself resolve via means of another recursive - // resolver, uncomment this block and specify the IP addresses of the desired - // upstream resolvers. - //forwarders { - // 8.8.8.8; - // 8.8.4.4; - //}; - - // By default the resolver will attempt to perform recursive resolution itself - // if the forwarders are unavailable. If you want this resolver to fail outright - // if the upstream resolvers are unavailable, uncomment this directive. - //forward only; - - // Configure the IPs to listen on here. - listen-on { 127.0.0.1; }; - listen-on-v6 { none; }; - - // If you have problems and are behind a firewall: - //query-source address * port 53; - - pid-file "/var/run/named/named.pid"; - - // Removing this block will cause BIND to revert to its default behaviour - // of allowing zone transfers to any host (!). There is no need to allow zone - // transfers when operating as a recursive resolver. - allow-transfer { none; }; -}; - -// Briefly, a zone which has been declared delegation-only will be effectively -// limited to containing NS RRs for subdomains, but no actual data beyond its -// own apex (for example, its SOA RR and apex NS RRset). This can be used to -// filter out "wildcard" or "synthesized" data from NAT boxes or from -// authoritative name servers whose undelegated (in-zone) data is of no -// interest. -// See http://www.isc.org/products/BIND/delegation-only.html for more info - -//zone "COM" { type delegation-only; }; -//zone "NET" { type delegation-only; }; - -zone "." 
IN { - type hint; - file "named.ca"; -}; - -zone "localhost" IN { - type master; - file "pri/localhost.zone"; - allow-update { none; }; - notify no; -}; - -zone "127.in-addr.arpa" IN { - type master; - file "pri/127.zone"; - allow-update { none; }; - notify no; -}; diff --git a/container/configs/named.conf b/container/configs/named.conf index 2e9defb..bf96baa 100644 --- a/container/configs/named.conf +++ b/container/configs/named.conf @@ -1,9 +1,5 @@ // This is the primary configuration file for the BIND DNS server named. // -// Please read /usr/share/doc/bind9/README.Debian.gz for information on the -// structure of BIND configuration files in Debian, *BEFORE* you customize -// this configuration file. -// // If you are just adding zones, please do that in /etc/bind/named.conf.local controls { @@ -11,6 +7,7 @@ controls { }; include "/etc/bind/rndc.key"; +include "/etc/bind/named.conf.acls"; include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.local"; diff --git a/container/configs/named.conf.acls b/container/configs/named.conf.acls new file mode 100644 index 0000000..086781c --- /dev/null +++ b/container/configs/named.conf.acls @@ -0,0 +1,10 @@ +// Default ACLs defined by bind +// +// any - Matches all hosts. +// none - Matches no hosts. +// localhost - Matches the IPv4 and IPv6 addresses of all network interfaces on the system. +// localnets - Matches any host on an IPv4 or IPv6 network for which the system has an interface. + +acl "recursors" { + 127.0.0.1; +}; diff --git a/container/configs/named.conf.default-zones b/container/configs/named.conf.default-zones index 67409fb..adf153e 100644 --- a/container/configs/named.conf.default-zones +++ b/container/configs/named.conf.default-zones @@ -1,7 +1,7 @@ // prime the server with knowledge of the root servers zone "." { type hint; - file "/etc/bind/default-zones/db.root"; + file "/etc/bind/default-zones/named.cache"; }; // be authoritative for the localhost forward and reverse zones, and for 
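Review bot: The new `include "/etc/bind/named.conf.acls";` has to stay ahead of `named.conf.options`, because `named.conf.options.recursive` added in this commit refers to the `recursors` ACL by name and named requires an ACL to be defined before it is referenced; the placement is correct, but nothing records that. A comment on the line, `// ACLs first: named.conf.options.* reference "recursors" by name`, would keep a later reorder from breaking startup. The `controls` block preceding the hunk begins outside it.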
@@ -9,20 +9,28 @@ zone "." { zone "localhost" { type master; - file "/etc/bind/default-zones/db.local"; + file "/etc/bind/default-zones/db.localhost"; + allow-update { none; }; + notify no; }; zone "127.in-addr.arpa" { type master; - file "/etc/bind/default-zones/db.127"; + file "/etc/bind/default-zones/rev.127"; + allow-update { none; }; + notify no; }; zone "0.in-addr.arpa" { type master; - file "/etc/bind/default-zones/db.0"; + file "/etc/bind/default-zones/rev.broadcast"; + allow-update { none; }; + notify no; }; zone "255.in-addr.arpa" { type master; - file "/etc/bind/default-zones/db.255"; + file "/etc/bind/default-zones/rev.broadcast"; + allow-update { none; }; + notify no; }; diff --git a/container/configs/named.conf.local b/container/configs/named.conf.local index 124494a..b5a43ea 100644 --- a/container/configs/named.conf.local +++ b/container/configs/named.conf.local @@ -10,7 +10,7 @@ include "/etc/bind/named.conf.default-zones"; // Consider adding the 1918 zones here, if they are not used in your // organization -include "/etc/bind/named.conf.rfc1918"; +//include "/etc/bind/named.conf.rfc1918"; /////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////// @@ -22,7 +22,7 @@ include "/etc/bind/named.conf.rfc1918"; # example reverse zone: 1.2.3.4/24 //zone "4.3.2.1.in-addr.arpa" { // type master; -// file "/var/bind/1.2.3.4.rev"; +// file "/etc/bind/zones/rev.1.2.3.4"; // notify yes; //}; @@ -33,7 +33,7 @@ include "/etc/bind/named.conf.rfc1918"; # example "forward" (domain) zone: domain.tld //zone "domain.tld" { // type master; -// file "/var/bind/domain.tld"; +// file "/etc/bind/zones/db.domain.tld"; // notify yes; // #also-notify { a.b.c.d; }; // #allow-transfer { localhost; a.b.c.d; }; diff --git a/container/configs/named.conf.options b/container/configs/named.conf.options index de586f0..9de0231 100644 --- a/container/configs/named.conf.options 
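Review bot: Commenting out `include "/etc/bind/named.conf.rfc1918";` in the first hunk of named.conf.local removes the empty reverse zones for private address space, so with the recursive profile that `named.conf.options.local` enables by default, PTR lookups for 10/8, 172.16/12 and 192.168/16 are now sent to the configured forwarders instead of being answered locally; that discloses internal addressing to a third party and adds upstream traffic for queries that cannot succeed. If the intent is to let sites that serve these zones themselves override the stubs, keep the include active and document how to turn it off, or extend the existing comment above it to say why it is disabled by default. The other two hunks in this file only change example paths inside commented-out zones and need nothing.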
+++ b/container/configs/named.conf.options @@ -1,27 +1,20 @@ options { - directory "/var/bind"; + directory "/var/cache/bind"; + managed-keys-directory "/var/bind/dyn"; + + lock-file none; + pid-file "/var/run/named/named.pid"; + random-device "/dev/urandom"; + automatic-interface-scan no; + + // statistics-file "named.stats"; + // zone-statistics: (full|terse|none); + // zone-statistics terse; + zone-statistics full; // Remove (hide) our bind version - no reason to disclose it version ""; - - // Configure the IPs to listen on here. - listen-on { any; }; - listen-on-v6 { none; }; - // QUERY SOURCE - Useful for caching servers behind a firewall - // Default: address * port * - // Values : The IP address and port to use as the source of queries to other servers - // If you have problems and are behind a firewall, uncomment: - //query-source address * port *; - - pid-file "/var/run/named/named.pid"; - - // statistics-file "/var/cache/bind/named.stats"; - // zone-statistics yes; - - // If you want to allow only specific hosts to use the DNS server: - allow-query { 127.0.0.1; }; - // Specify a list of IPs/masks to allow zone transfers to here. // // You can override this on a per-zone basis by specifying this inside a zone 
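Review bot: `allow-query { 127.0.0.1; };` is removed here and not reinstated in either `named.conf.options.recursive` or `named.conf.options.authoritative`, so named falls back to its default of `any`; `allow-recursion { recursors; }` still restricts recursion and BIND's documented default for `allow-query-cache` follows `allow-recursion`, but the authoritative data (the localhost zones and anything added to `named.conf.local`) becomes answerable from any address that can reach the container, and `listen-on` is no longer set anywhere in the recursive profile. If that widening is intended, state it in the profile files, e.g. `allow-query { any; };` with a comment, so the default does not read as an omission; if not, add `allow-query { recursors; };` to `named.conf.options.recursive`. `lock-file none;` and `random-device "/dev/urandom";` are reasonable in a container but each deserves a one-line why-comment.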
@@ -30,71 +23,7 @@ options { // Warning: Removing this block will cause BIND to revert to its default // behaviour of allowing zone transfers to any host (!). allow-transfer { none; }; - - - // If there is a firewall between you and nameservers you want - // to talk to, you may need to fix the firewall to allow multiple - // ports to talk. See http://www.kb.cert.org/vuls/id/800113 - - // RECURSION - Required for caching servers - // Default: yes - // Values : yes, no - // - // yes: Attempt to resolve requests we are not authoritative for - // no : Do not resolve requests we are not authoritative for - // - // NOTE: Commented out because specified in each zone/view - recursion yes; - //recursion no; - - - // ALLOW-RECURSION - Who may use our caching server? - // Default: any; - // Values : any, none, (addresslist) - // - // any : anybody may use the caching server - // none : noone may use the caching server - // address: List of IP addresses that may use the caching server. - // allow-recursion { localhost; localnets; }; - // - // NOTE: Commented out because specified in each zone/view - // allow-recursion { clients; servers; lan; }; - //allow-recursion { none; }; - allow-recursion { 127.0.0.1; }; - - // If your ISP provided one or more IP addresses for stable - // nameservers, you probably want to use them as forwarders. - // Uncomment the following block, and insert the addresses replacing - // the all-0's placeholder. 
- - forwarders { - 8.8.8.8; - 8.8.4.4; - }; - - // FORWARD - Recommended for caching servers - // Default: first - // Values : first, only - // - // first: Query "forwarders" first, then resolve request ourself - // only : Only query the "forwarders" to resolve requests - // - forward first; - - - // NOTIFY - Relevant to authoritative servers - // Default: yes - // Values : yes, explicit, no - // - // yes : Send DNS NOTIFY messages to slave servers in zone NS records when zone changes - // explicit: Only send DNS NOTIFY messages to "also-notify" hosts - // no : Never automatically send DNS NOTIFY messages - // - notify yes; - - // Need this for SRV records - check-names master ignore; - + //======================================================================== // If BIND logs error messages about the root key being expired, // you will need to update your keys. See https://www.isc.org/bind-keys @@ -102,4 +31,9 @@ options { dnssec-validation auto; auth-nxdomain no; # conform to RFC1035 + + // Need this for SRV records + check-names master ignore; + + include "/etc/bind/named.conf.options.local"; }; diff --git a/container/configs/named.conf.options.authoritative b/container/configs/named.conf.options.authoritative new file mode 100644 index 0000000..c9ceef3 --- /dev/null +++ b/container/configs/named.conf.options.authoritative 
@@ -0,0 +1,30 @@ +// Configure the IPs to listen on here. +listen-on { 127.0.0.1; }; +listen-on-v6 { none; }; + +// RECURSION - Required for caching servers +// Default: yes +// Values : yes, no +// +// yes: Attempt to resolve requests we are not authoritative for +// no : Do not resolve requests we are not authoritative for +// +// NOTE: Commented out because specified in each zone/view +//recursion yes; +recursion no; + +// ALLOW-RECURSION - Who may use our caching server? +// Default: any; +// Values : any, none, (addresslist) +// +// any : anybody may use the caching server +// none : noone may use the caching server +// address: List of IP addresses that may use the caching server. +// allow-recursion { localhost; localnets; }; +// +// NOTE: Commented out because specified in each zone/view +// allow-recursion { clients; servers; lan; }; +//allow-recursion { recursors; }; +allow-recursion { none; }; + +allow-query-cache { none; }; diff --git a/container/configs/named.conf.options.local b/container/configs/named.conf.options.local new file mode 100644 index 0000000..9140b7a --- /dev/null +++ b/container/configs/named.conf.options.local @@ -0,0 +1,6 @@ +// +// Do any local options configuration here +// + +include "/etc/bind/named.conf.options.recursive"; +//include "/etc/bind/named.conf.options.authoritative"; diff --git a/container/configs/named.conf.options.recursive b/container/configs/named.conf.options.recursive new file mode 100644 index 0000000..37055be --- /dev/null +++ b/container/configs/named.conf.options.recursive 
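Review bot: The authoritative profile pins `listen-on { 127.0.0.1; };`, so a container that enables it answers nobody outside its own network namespace, which is unlikely to be what an authoritative server in a published image is for, while the recursive profile in the same commit leaves `listen-on` commented out and so listens everywhere. Either make the two profiles consistent or add a comment above the line stating that the operator is expected to change it, e.g. `// Loopback only by default: set this to the address(es) that should serve zones`. `recursion no;` together with `allow-recursion { none; };` and `allow-query-cache { none; };` is the right shape for this profile.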
@@ -0,0 +1,58 @@ +// Configure the IPs to listen on here. +//listen-on { any; }; +listen-on-v6 { none; }; + +// QUERY SOURCE - Useful for caching servers behind a firewall +// Default: address * port * +// Values : The IP address and port to use as the source of queries to other servers +// If you have problems and are behind a firewall, uncomment: +//query-source address * port *; + +// If there is a firewall between you and nameservers you want +// to talk to, you may need to fix the firewall to allow multiple +// ports to talk. See http://www.kb.cert.org/vuls/id/800113 + +// RECURSION - Required for caching servers +// Default: yes +// Values : yes, no +// +// yes: Attempt to resolve requests we are not authoritative for +// no : Do not resolve requests we are not authoritative for +// +// NOTE: Commented out because specified in each zone/view +//recursion yes; +//recursion no; + +// ALLOW-RECURSION - Who may use our caching server? +// Default: any; +// Values : any, none, (addresslist) +// +// any : anybody may use the caching server +// none : noone may use the caching server +// address: List of IP addresses that may use the caching server. +// allow-recursion { localhost; localnets; }; +// +// NOTE: Commented out because specified in each zone/view +// allow-recursion { clients; servers; lan; }; +allow-recursion { recursors; }; +//allow-recursion { none; }; + +// FORWARD - Recommended for caching servers +// Default: first +// Values : first, only +// +// first: Query "forwarders" first, then resolve request ourself +// only : Only query the "forwarders" to resolve requests +// +//forward first; + +// If your ISP provided one or more IP addresses for stable +// nameservers, you probably want to use them as forwarders. +// Uncomment the following block, and insert the addresses replacing +// the all-0's placeholder. + +forwarders { + 9.9.9.9; + 8.8.8.8; + 8.8.4.4; +}; 
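Review bot: `allow-recursion { recursors; };` references an ACL this file does not define; it only works because `named.conf` includes `named.conf.acls` before `named.conf.options`, and nothing here records that dependency, so a comment such as `// "recursors" is defined in named.conf.acls (included earlier by named.conf)` belongs above the line. The `forwarders` block ships three public resolvers hard-coded, which means every deployment of the default image sends its full query stream to those operators unless this file is edited; the comment above it still speaks of replacing an "all-0's placeholder" that no longer exists, so reword it to say these are defaults to be reviewed. With `listen-on { any; };` commented out, named uses its default of all IPv4 interfaces, which should be stated rather than left implicit.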
diff --git a/container/configs/named.conf.rfc1918 b/container/configs/named.conf.rfc1918 index 937d6a5..402399e 100644 --- a/container/configs/named.conf.rfc1918 +++ b/container/configs/named.conf.rfc1918 
@@ -1,20 +1,20 @@ -zone "10.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; +zone "10.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; -zone "16.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; -zone "17.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; -zone "18.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; -zone "19.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; -zone "20.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; -zone "21.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; -zone "22.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; -zone "23.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; -zone "24.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; -zone "25.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; -zone "26.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; -zone "27.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; -zone "28.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; -zone "29.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; -zone "30.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; -zone "31.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; +zone "16.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; +zone "17.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; +zone "18.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; +zone 
"19.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; +zone "20.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; +zone "21.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; +zone "22.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; +zone "23.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; +zone "24.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; +zone "25.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; +zone "26.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; +zone "27.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; +zone "28.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; +zone "29.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; +zone "30.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; +zone "31.172.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; -zone "168.192.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; }; +zone "168.192.in-addr.arpa" { type master; file "/etc/bind/default-zones/db.empty"; notify no; allow-update { none; }; }; diff --git a/container/entrypoint.sh b/container/entrypoint.sh index c5f4364..f9e7f92 100755 --- a/container/entrypoint.sh +++ b/container/entrypoint.sh 
@@ -1,6 +1,37 @@
 #!/bin/sh
-chown -R root:named /etc/bind /var/bind /var/run/named
-chmod -R 770 /var/bind /var/run/named
-chmod -R 750 /etc/bind
+
+# Generate rndc.key file
+rndc-confgen -a -b 512 -u named -r /dev/urandom -c /var/run/named/rndc.key
+
+# Update bind.keys file
+(
+ cd /dev/shm
+ curl -JLRO 'https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11{,.sha512.asc}'
+ curl 'https://www.isc.org/downloads/software-support-policy/openpgp-key/' | sed -e 's/-----BEGIN/\n&/' | gpg --import
+ trap "rm -f bind.keys*" EXIT
+ gpg --verify bind.keys.v9_11.sha512.asc bind.keys.v9_11 || exit $?
+ cmp -s bind.keys.v9_11 /var/bind/bind.keys && exit 0
+ cp -p /var/bind/bind.keys . && \
+ cp bind.keys.v9_11 bind.keys && \
+ mv -v bind.keys /var/bind/bind.keys
+) >/dev/null 2>&1
+
+# Ensure bind.keys file
+test -s /etc/bind/bind.keys || cp -p /var/bind/bind.keys /etc/bind/
+
+# Fix up permissions on mounts
+chgrp -R named /etc/bind /var/cache/bind
+
+chmod -R g+r /etc/bind
+chown root:named /etc/bind
+chmod 0750 /etc/bind
+
+chmod -R g+rw /var/cache/bind
+chown named:named /var/cache/bind
+chmod 0770 /var/cache/bind
+
+# Check for configuration errors before running named
+named-checkconf -z /etc/bind/named.conf || exit $?
+
 # Run in foreground and log to STDERR (console):
 exec /usr/sbin/named -c /etc/bind/named.conf -g -u named
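Review bot: The signature check in the `# Update bind.keys file` block adds no trust beyond the HTTPS download itself: the verifying key is fetched at every start from `www.isc.org` and imported unconditionally, so whoever can serve that page and the key file can also serve a matching signature, and `gpg --verify` will pass. Pin the expected signing key by fingerprint and make the verify step prove that the valid signature came from that key (gpg's `VALIDSIG` status line carries the signer fingerprint); the fingerprint itself should be obtained out of band and kept in the image, never looked up at runtime. Two smaller points in the same block: `cd /dev/shm` is unchecked, so a failure leaves the downloads and the `rm -f bind.keys*` trap operating in the current directory, and `curl` without `-f` stores an HTTP error body under the expected filename, which then fails verification with the cause hidden by `>/dev/null 2>&1`. The rewrite below keeps the block best-effort (a failed update still leaves the previous `bind.keys` in place) but makes each step fail explicitly.
```shell
# Placeholder: the ISC signing-key fingerprint (40 hex digits), obtained out of
# band and reviewed whenever it changes; deliberately not fetched at runtime.
ISC_KEY_FINGERPRINT='<ISC_KEY_FINGERPRINT>'

# Update bind.keys file
(
  cd /dev/shm || exit 1
  curl -fsSJLRO 'https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11{,.sha512.asc}' || exit $?
  curl -fsS 'https://www.isc.org/downloads/software-support-policy/openpgp-key/' | sed -e 's/-----BEGIN/\n&/' | gpg --import
  trap "rm -f bind.keys*" EXIT
  # Accept the signature only if it was made by the pinned key; an imported
  # key that merely validates the file is not enough.
  gpg --status-fd 1 --verify bind.keys.v9_11.sha512.asc bind.keys.v9_11 \
    | grep -q "^\[GNUPG:\] VALIDSIG ${ISC_KEY_FINGERPRINT:?} " || exit 1
  # … unchanged: cmp / cp / mv of the verified bind.keys …
) >/dev/null 2>&1
```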