diff --git a/README.md b/README.md
index 2099754..ccbd614 100644
--- a/README.md
+++ b/README.md
@@ -10,12 +10,12 @@ It *was* the revamped DNS service for `zeke.ecotroph.net`, and thus served zones
 ## Overview
-In the past, we just ran the version of BIND that came with our distribution (at this moment, that is CentOS 7, which translates to bind 9.11.) This new configuration runs a very recent version of BIND 9 via a docker image produced by ISC themselves. We started with 9.18.12 and now are up to 9.18.20.
+In the past, we just ran the version of BIND that came with our distribution (at this moment, that is CentOS 7, which translates to bind 9.11.) This new configuration runs a very recent version of BIND 9 via a docker image produced by ISC themselves. We started with 9.18.12 and now are up to 9.18.43.
 This docker image imposes a few requirements:
-* Internally, the image runs `named` as the `bind` user (104:105). Since we bind-mount directories, we do need those directories owned by whatever internal UID it is using.
-* We need some way to ensure that our container is run on system reboots, etc. Here we chose to use `systemd` to do this, although that is not ideal.
+* Internally, the image runs `named` as the `bind` user (53:53). Since we bind-mount directories, we do need those directories owned by whatever internal UID it is using.
+* We need some way to ensure that our container is run on system reboots, etc. Here we chose to use `systemd` to do this.
 * Presumably the normal way to do logging for a docker container is to use the standard journal service, although this image is set up to bind-mount `/var/log`. On the other hand, the standard command uses the `-g` flag, which is "debug" mode, and causes all of the logs to go to stderr.
 * We do want named to stay in the foreground here. Fortunately, there have always been command line options that do this (`-g` and `-f`). Thus, in order to log to `/var/log`, we supply a different command: `/usr/sbin/named -f -u bind`. This will run in the foreground, and run as the internal `bind` user.
@@ -86,4 +86,3 @@ named-compilezone -f raw -F text -o - blacka.com /etc/bind/zones/blacka.com.sign
 If using the script that runs the version in our container, note that you may have to use the paths that work *inside the container*. The current script mounts your current working directory, so you can use `run_named_compilezone.sh ./some.zone`, but not `run_named_compilezone.sh /etc/named/zones/blacka.com`. That said, we are probably better off just using the version that comes with our OS, and not using the container.
-
diff --git a/setup.sh b/setup.sh
index 8b5448b..646db4a 100755
--- a/setup.sh
+++ b/setup.sh
@@ -11,16 +11,21 @@ IMAGE="docker.io/internetsystemsconsortium/bind9:9.18"
 uidgid=$(podman run --rm --entrypoint=/bin/sh "$IMAGE" -c "/usr/bin/id -u bind; /usr/bin/id -g bind")
 read -d '' -r uid gid <<< "$uidgid" || :
-# create the group and user
-id -g bind >/dev/null 2>&1 || groupadd -f -g "$gid" bind
-id -u bind >/dev/null 2>&1 || useradd -u "$uid" -g "$gid" -M --no-log-init bind
+# Create or update the on host user to match the container's 'bind' user and group
+ACTUAL_UID=$(id -u bind 2>/dev/null)
+ACTUAL_GID=$(id -g bind 2>/dev/null)
-# create our main directory setup
+[ -z "$ACTUAL_GID" ] && groupadd -f -g "$gid" bind
+[ -z "$ACTUAL_UID" ] && useradd -u "$uid" -g "$gid" -M --no-log-init bind
+[ "$ACTUAL_GID" -ne "$gid" ] && groupmod -g "$gid" bind
+[ "$ACTUAL_UID" -ne "$uid" ] && usermod -u "$uid" -g "$gid"
+
+# create/update our main directory setup
 install -d -o bind -g bind -m 0755 /etc/bind/cfg /etc/bind/cache /etc/bind/zones /etc/bind/log/named
 # copy over our config and data without overwriting anything, hopefully.
-for d in cfg cache zones; do
- rsync -av --chown bind:bind --ignore-existing ./$d/ /etc/bind/$d/
-done
+rsync -av --chown bind:bind --del ./cfg/ /etc/bind/cfg/
+rsync -av --chown bind:bind ./zones /etc/bind/zones/
+rsync -av --chown bind:bind --ignore-existing ./cache/ /etc/bind/cache/
 # install our podman config
 if [ -d /etc/containers/systemd ]; then
diff --git a/setup_docker.sh b/setup_docker.sh
index a0bb5ec..20de122 100755
--- a/setup_docker.sh
+++ b/setup_docker.sh
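Review bot: `[ "$ACTUAL_UID" -ne "$uid" ] && usermod -u "$uid" -g "$gid"` is missing the login name, so a uid mismatch is never repaired and usermod exits with a usage error; the identical line is in the setup_docker.sh hunk. The two `-ne` tests also run when `ACTUAL_UID`/`ACTUAL_GID` are empty (the account was just created a line earlier), which makes `[` print "integer expression expected", so an if/elif per attribute is cleaner and avoids the noise. In the rsync section `./zones` lacks the trailing slash that `./cfg/` and `./cache/` have, so rsync creates `/etc/bind/zones/zones/` instead of populating `/etc/bind/zones/`. The retained comment `# copy over our config and data without overwriting anything, hopefully.` no longer describes cfg, which is now mirrored with `--del`; something like `# cfg is mirrored (stale files removed), zones are overwritten, cache keeps existing files` would match the new behaviour. It is also worth a comment that re-numbering an existing host `bind` account leaves files already owned by the old uid (e.g. an existing cache, which `--ignore-existing` skips) unowned by the new one.
```shell
# Create or update the host 'bind' account to match the container's uid/gid
ACTUAL_UID=$(id -u bind 2>/dev/null)
ACTUAL_GID=$(id -g bind 2>/dev/null)

if [ -z "$ACTUAL_GID" ]; then
  groupadd -f -g "$gid" bind
elif [ "$ACTUAL_GID" -ne "$gid" ]; then
  groupmod -g "$gid" bind
fi
if [ -z "$ACTUAL_UID" ]; then
  useradd -u "$uid" -g "$gid" -M --no-log-init bind
elif [ "$ACTUAL_UID" -ne "$uid" ]; then
  # NOTE: files owned by the previous uid are not re-chowned here
  usermod -u "$uid" -g "$gid" bind
fi

# … unchanged: install -d … and the cfg rsync …
rsync -av --chown bind:bind ./zones/ /etc/bind/zones/
# … unchanged: cache rsync …
```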
@@ -11,16 +11,21 @@ IMAGE="docker.io/internetsystemsconsortium/bind9:9.18"
 uidgid=$(docker run --rm --entrypoint=/bin/sh "$IMAGE" -c "/usr/bin/id -u bind; /usr/bin/id -g bind")
 read -d '' -r uid gid <<< "$uidgid" || :
-# create the group and user
-id -g bind >/dev/null 2>&1 || groupadd -f -g "$gid" bind
-id -u bind >/dev/null 2>&1 || useradd -u "$uid" -g "$gid" -M --no-log-init bind
+# Create or update the on host user to match the container's 'bind' user and group
+ACTUAL_UID=$(id -u bind 2>/dev/null)
+ACTUAL_GID=$(id -g bind 2>/dev/null)
-# create our main directory setup
+[ -z "$ACTUAL_GID" ] && groupadd -f -g "$gid" bind
+[ -z "$ACTUAL_UID" ] && useradd -u "$uid" -g "$gid" -M --no-log-init bind
+[ "$ACTUAL_GID" -ne "$gid" ] && groupmod -g "$gid" bind
+[ "$ACTUAL_UID" -ne "$uid" ] && usermod -u "$uid" -g "$gid"
+
+# create/update our main directory setup
 install -d -o bind -g bind -m 0755 /etc/bind/cfg /etc/bind/cache /etc/bind/zones /etc/bind/log/named
 # copy over our config and data without overwriting anything, hopefully.
-for d in cfg cache zones; do
- rsync -av --chown bind:bind --ignore-existing ./$d/ /etc/bind/$d/
-done
+rsync -av --chown bind:bind --del ./cfg/ /etc/bind/cfg/
+rsync -av --chown bind:bind ./zones /etc/bind/zones/
+rsync -av --chown bind:bind --ignore-existing ./cache/ /etc/bind/cache/
 if [ -f docker.named.service ]; then
 install -m 0644 docker.named.service /etc/systemd/system/docker.named.service