diff --git a/bundles/bind-acme/metadata.py b/bundles/bind-acme/metadata.py
index c133fe3..f5f08cf 100644
--- a/bundles/bind-acme/metadata.py
+++ b/bundles/bind-acme/metadata.py
@@ -33,11 +33,12 @@ def acme_records(metadata):
 for name in {
 record['name'] if record['name'] != '@' else ''
 for record in conf['records']
- if '._domainkey' not in record['name']
+ if f"{record['name']}.{zone}" in metadata.get('letsencrypt/domains')
 }
 }
 }
 for zone, conf in metadata.get('bind/zones').items()
+ if zone != metadata.get('bind/acme_hostname')
 },
 },
 }
diff --git a/bundles/bind/files/db b/bundles/bind/files/db
index 8644995..a27ba2a 100644
--- a/bundles/bind/files/db
+++ b/bundles/bind/files/db
@@ -11,8 +11,8 @@ $TTL 600
 900 ;Negative response caching TTL
 )
-% for record in sorted(records, key=lambda r: (r['name'], r['type'], r['value'])):
-${(record['name'] or '@').ljust(column_width('name', records))} \
+% for record in sorted(records, key=lambda r: (tuple(reversed(r['name'].split('.'))), r['type'], r['value'])):
+(${(record['name'] or '@').rjust(column_width('name', records))}) \
 IN \
 ${record['type'].ljust(column_width('type', records))} \
 % if record['type'] == 'TXT':
diff --git a/bundles/bind/items.py b/bundles/bind/items.py
index 4ef1f26..c1b0b83 100644
--- a/bundles/bind/items.py
+++ b/bundles/bind/items.py
@@ -151,6 +151,7 @@ for view in views:
 'group': 'bind',
 'source': 'db',
 'content_type': 'mako',
+ 'unless': f"test -f /var/lib/bind/{view['name']}/db.{zone}" if 'keys' in conf else 'false',
 'context': {
 'view': view['name'],
 'serial': datetime.now().strftime('%Y%m%d%H'),
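Review bot: The new filter in the inner set comprehension tests the raw record name, so an apex record named `@` is looked up as `@.<zone>`, even though the expression two lines above maps `@` to an empty name. If `letsencrypt/domains` lists apex domains by their plain zone name (an assumption, the key format is not visible here), those domains silently lose their challenge record. Consider `if (zone if record['name'] in ('@', '') else f"{record['name']}.{zone}") in metadata.get('letsencrypt/domains')`. Limiting the set to names that actually request certificates is a sound least-privilege change, and a one-line comment saying so would keep a later edit from widening it again. `acme_records` starts outside this hunk.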
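Review bot: The parentheses added around the owner name in the record line carry no comment, and their purpose is easy to miss. With `rjust` a short name is padded on the left, and a zone-file line that begins with whitespace is read as "same owner as the previous record", so the parentheses are presumably what keeps each line from starting with a blank. A later cleanup that removes them would attach records to the wrong owner without any template error, so add a Mako comment above the loop such as `## names are right-justified; the parentheses stop a line from starting with whitespace, which would reuse the previous owner name`. Separately, the new sort key calls `r['name'].split('.')` while the line below still tolerates a falsy name via `or '@'`; if a name can be `None` the key raises, and `(r['name'] or '@').split('.')` would keep the two consistent.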
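Review bot: The added `unless` command interpolates `view['name']` and `zone` into a shell string unquoted, so a name containing whitespace or shell metacharacters would change the command that runs on the node. Both values appear to come from repository metadata, which limits the exposure, but quoting is cheap: set `db_path = f"/var/lib/bind/{view['name']}/db.{zone}"` above the item and use `'unless': f"test -f {quote(db_path)}" if 'keys' in conf else 'false',` with `shlex.quote`, adding the import if items.py does not already have it. It is also worth a comment that for zones with keys the file is written only once, so later drift in the on-disk zone file, intended or not, is no longer corrected by an apply. The enclosing `for view in views:` block starts and ends outside this hunk.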