TWO MAJOR CHANGES: Updated ROOT HINTS file from InterNIC as it was updated 4-29-2020. Also changed the permissions both build and entrypoint (run-time change) to match least permissions needed. This should tighten up the permissions for dynamically generated zones

container/Dockerfile

@@ -17,7 +17,7 @@ env BIND_LOG -g
 # NOTE: Per Dockerfile manual --> need to mkdir the mounted dir to chown
 # &
 # Get latest bind.keys
-RUN mkdir -m 0770 -p /etc/bind && chown -R root:named /etc/bind ; \
+RUN mkdir -m 0750 -p /etc/bind && chown -R root:named /etc/bind ; \
     mkdir -m 0770 -p /var/cache/bind && chown -R named:named /var/cache/bind ; \
     wget -q -O /etc/bind/bind.keys https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11 ; \
     rndc-confgen -a

container/configs/default-zones/db.root

@@ -9,8 +9,8 @@
 ;           on server           FTP.INTERNIC.NET
 ;       -OR-                    RS.INTERNIC.NET
 ; 
-;       last update:     January 30, 2018 
+;       last update:     April 29, 2020 
-;       related version of root zone:     2018013001
+;       related version of root zone:     2020042901
 ; 
 ; FORMERLY NS.INTERNIC.NET 
 ;

container/entrypoint.sh

@@ -1,8 +1,11 @@
 #!/bin/sh
 OPTIONS=$@
+# "Run Time" changes - needed for when creating a *new* directory/first-time volume map
+# A great example of this is "/var/cache/bind" for dynamic configs, and mapping it in
+# The first time around, it will not be owned by named:named, and thus it won't be writable
 chown -R root:named /etc/bind /var/run/named
 chown -R named:named /var/cache/bind
-chmod -R 770 /var/cache/bind /var/run/named
+chmod 770 /var/cache/bind /var/run/named
 chmod -R 750 /etc/bind
 # By default - run in foreground and log to STDERR (console)
 # can be changed by running container with: -e "BIND_LOG=-f"