diff --git a/Dockerfile b/Dockerfile
index aebd1f7..d73e903 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,23 +1,65 @@
 FROM ubuntu:focal
-MAINTAINER BIND 9 Developers <bind9-dev@isc.org>
+LABEL maintainer="BIND 9 Developers <bind9-dev@isc.org>"
 
-ENV DEBIAN_FRONTEND noninteractive
-ENV LC_ALL C.UTF-8
+ARG DEB_VERSION="1:9.16.19-1+ubuntu20.04.1+isc+1"
+ARG ISC_SIGNING_KEY="66150059ED19A2882208E278A36654A4FDD4630D"
 
-RUN apt-get -qqqy update
-RUN apt-get -qqqy install apt-utils software-properties-common dctrl-tools
+ENV LC_ALL C.UTF-8
 
-ARG DEB_VERSION=1:9.16.19-1+ubuntu21.04.1+isc+1
-RUN add-apt-repository -y ppa:isc/bind
-RUN apt-get -qqqy update && apt-get -qqqy dist-upgrade && apt-get -qqqy install bind9=$DEB_VERSION bind9-utils=$DEB_VERSION
+RUN set -eux; \
+    export DEBIAN_FRONTEND="noninteractive"; \
+    apt-get -qqqy update; \
+    # install the isc ppa (manually)
+    apt-get -qqqy install --no-install-recommends \
+        dirmngr \
+        gpg \
+        gpg-agent \
+    ; \
+    export GPGHOME="$(mktemp -d)"; \
+    apt-key adv --keyserver keyserver.ubuntu.com --recv-keys "$ISC_SIGNING_KEY"; \
+    gpgconf --kill all; \
+    rm -rf "$GPGHOME"; \
+    apt-key list >/dev/null; \
+    . /etc/os-release; \
+    printf 'deb http://ppa.launchpad.net/isc/bind/ubuntu %s main' \
+        "$UBUNTU_CODENAME" \
+        > /etc/apt/sources.list.d/isc.list; \
+    apt-get -qqqy update; \
+    # install bind
+    apt-get -qqqy install --no-install-recommends \
+        bind9=$DEB_VERSION \
+        bind9-utils=$DEB_VERSION \
+    ; \
+    # cleanup
+    apt-get -qqqy purge \
+        dirmngr \
+        gpg \
+        gpg-agent \
+    ; \
+    apt-get -qqqy autoremove; \
+    apt-get -qqqy clean; \
+    rm -rf /var/lib/apt/lists/*;
 
-VOLUME ["/etc/bind", "/var/cache/bind", "/var/lib/bind", "/var/log"]
+RUN set -eux; \
+    for dir in \
+        /etc/bind \
+        /run/named \
+        /var/cache/bind \
+        /var/lib/bind \
+        /var/log/bind \
+    ; do \
+        mkdir -p "$dir"; \
+        chown bind:bind "$dir"; \
+        chmod 755 "$dir"; \
+    done; \
+    chown root:bind /etc/bind
 
-RUN mkdir -p /etc/bind && chown root:bind /etc/bind/ && chmod 755 /etc/bind
-RUN mkdir -p /var/cache/bind && chown bind:bind /var/cache/bind && chmod 755 /var/cache/bind
-RUN mkdir -p /var/lib/bind && chown bind:bind /var/lib/bind && chmod 755 /var/lib/bind
-RUN mkdir -p /var/log/bind && chown bind:bind /var/log/bind && chmod 755 /var/log/bind
-RUN mkdir -p /run/named && chown bind:bind /run/named && chmod 755 /run/named
+VOLUME [ \
+    "/etc/bind", \
+    "/var/cache/bind", \
+    "/var/lib/bind", \
+    "/var/log" \
+]
 
 EXPOSE 53/udp 53/tcp 953/tcp