From b2983bd53f9aee1b4bd9fe48700ab9f55a43fe56 Mon Sep 17 00:00:00 2001
From: Ventz Petkov
Date: Wed, 29 Apr 2020 23:04:40 -0400
Subject: [PATCH] TWO MAJOR CHANGES: Updated ROOT HINTS file from InterNIC as it was updated 4-29-2020. Also changed the permissions both build and entrypoint (run-time change) to match least permissions needed. This should tighten up the permissions for dynamically generated zones
---
 container/Dockerfile | 2 +-
 container/configs/default-zones/db.root | 4 ++--
 container/entrypoint.sh | 5 ++++-
 3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/container/Dockerfile b/container/Dockerfile
index 4a0ef75..bf2b2b1 100644
--- a/container/Dockerfile
+++ b/container/Dockerfile
@@ -17,7 +17,7 @@ env BIND_LOG -g
 # NOTE: Per Dockerfile manual --> need to mkdir the mounted dir to chown
 # &
 # Get latest bind.keys
-RUN mkdir -m 0770 -p /etc/bind && chown -R root:named /etc/bind ; \
+RUN mkdir -m 0750 -p /etc/bind && chown -R root:named /etc/bind ; \
 mkdir -m 0770 -p /var/cache/bind && chown -R named:named /var/cache/bind ; \
 wget -q -O /etc/bind/bind.keys https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11 ; \
 rndc-confgen -a
diff --git a/container/configs/default-zones/db.root b/container/configs/default-zones/db.root
index 3d6b3ba..6221e91 100644
--- a/container/configs/default-zones/db.root
+++ b/container/configs/default-zones/db.root
@@ -9,8 +9,8 @@
 ; on server FTP.INTERNIC.NET
 ; -OR- RS.INTERNIC.NET
 ;
-; last update: January 30, 2018
-; related version of root zone: 2018013001
+; last update: April 29, 2020
+; related version of root zone: 2020042901
 ;
 ; FORMERLY NS.INTERNIC.NET
 ;
diff --git a/container/entrypoint.sh b/container/entrypoint.sh
index 922db1d..04796a3 100755
--- a/container/entrypoint.sh
+++ b/container/entrypoint.sh
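Review bot: The tightening on the `+RUN mkdir -m 0750 -p /etc/bind` line only takes effect if the directory does not already exist, because `mkdir -p` leaves an existing directory's mode untouched; the bind9 packages of the usual base images already ship /etc/bind, so the build-time change is probably a no-op and only the entrypoint's runtime chmod actually enforces 0750 (the base image is not visible in this hunk, so this is inferred). An explicit `mkdir -p /etc/bind && chmod 0750 /etc/bind && chown -R root:named /etc/bind && \` makes the intent hold either way. Separately, the commands in this RUN are joined with `;`, so a failed `wget` of bind.keys — the DNSSEC trust anchors — can leave an empty file in place and the image still builds; joining the steps with `&&` (and ideally checking the downloaded file against a published hash) would fail the build instead of shipping a resolver without its anchors.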
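Review bot: The diffstat records only these two header-comment lines changing in db.root (2 insertions, 2 deletions), so the NS/A/AAAA records are byte-identical to the 2018013001 version while the header now claims 2020042901; either no record changed at InterNIC between those versions and the header is the whole update, or the record changes did not make it into this commit. Since a cold resolver trusts this file before anything else, it is worth verifying it against the authoritative named.root (for example a checksum compare with https://www.internic.net/domain/named.root) and saying so in the commit message. I cannot see the records in this hunk, so which case applies is inferred from the diffstat alone.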
@@ -1,8 +1,11 @@
 #!/bin/sh
 OPTIONS=$@
+# "Run Time" changes - needed for when creating a *new* directory/first-time volume map
+# A great example of this is "/var/cache/bind" for dynamic configs, and mapping it in
+# The first time around, it will not be owned by named:named, and thus it won't be writable
 chown -R root:named /etc/bind /var/run/named
 chown -R named:named /var/cache/bind
-chmod -R 770 /var/cache/bind /var/run/named
+chmod 770 /var/cache/bind /var/run/named
 chmod -R 750 /etc/bind
 # By default - run in foreground and log to STDERR (console)
 # can be changed by running container with: -e "BIND_LOG=-f"
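Review bot: The new `chmod 770 /var/cache/bind /var/run/named` keeps group-write on /var/cache/bind even though the line above chowns it to named:named, so as long as named runs as the `named` user (which that chown suggests) the group bit buys nothing and the "least permissions" goal is `chmod 750 /var/cache/bind` with `chmod 770 /var/run/named` kept only for the root:named-owned runtime directory named must write into. The retained `chmod -R 750 /etc/bind` also sets the execute bit on every regular file it reaches (bind.keys, rndc.key, any mounted config), which is harmless for named but shows the recursion does more than intended; `chmod 750 /etc/bind && find /etc/bind -type f -exec chmod 640 {} +` gives directories 750 and files 640. These recursive chown/chmod calls run as root on bind-mounted host directories at every container start, so a comment such as `# NOTE: rewrites ownership/mode of mounted volumes on every start` above them would spare the next operator a surprise. The unquoted `OPTIONS=$@` is a pre-existing context line, and whatever consumes it later in the script lies outside this hunk.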