diff --git a/.drone.yml b/.drone.yml
index 9986fb6..b995a06 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -17,6 +17,7 @@ steps:
 - sleep 5 # give docker enough time to start
 - echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
 - ./debian/12/build.sh
+ - ./debian/13/build.sh
 when:
 branch:
 - master
diff --git a/README.md b/README.md
index 53f6025..5cbe250 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,7 @@
 # Supported tags and respective `Dockerfile` links
 - [`4.6-bookworm`, `latest`](https://github.com/pommi/docker-powerdns/blob/master/debian/12/Dockerfile)
+- [`4.9-trixie`](https://github.com/pommi/docker-powerdns/blob/master/debian/13/Dockerfile)
 # Usage
diff --git a/build/rebuild.sh b/build/rebuild.sh
index c05a772..e05ade0 100755
--- a/build/rebuild.sh
+++ b/build/rebuild.sh
@@ -14,3 +14,7 @@ updates_available () {
 if updates_available pommib/powerdns:4.6-bookworm; then
 ./debian/12/build.sh
 fi
+
+if updates_available pommib/powerdns:4.9-trixie; then
+ ./debian/13/build.sh
+fi
diff --git a/debian/13/Dockerfile b/debian/13/Dockerfile
new file mode 100644
index 0000000..4382fa3
--- /dev/null
+++ b/debian/13/Dockerfile
@@ -0,0 +1,22 @@
+FROM debian:trixie-slim
+
+RUN set -eux && \
+ apt-get update && \
+ DEBIAN_FRONTEND=noninteractive apt-get upgrade -y && \
+ DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+ pdns-server \
+ pdns-backend-bind \
+ sqlite3 \
+ bind9-dnsutils \
+ inotify-tools \
+ && \
+ rm -rf /var/lib/apt/lists/*
+
+ADD start.sh /
+
+EXPOSE 53/tcp 53/udp
+VOLUME ["/var/lib/powerdns"]
+
+CMD /start.sh
+
+HEALTHCHECK CMD dig +timeout=1 @127.0.0.1 || exit 1
diff --git a/debian/13/build.sh b/debian/13/build.sh
new file mode 100755
index 0000000..c2b4dc4
--- /dev/null
+++ b/debian/13/build.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -ex
+
+IMAGE=pommib/powerdns:4.9-trixie
+#docker pull $IMAGE
+docker pull debian:trixie-slim
+docker build --no-cache -t $IMAGE ./debian/13/
+docker push $IMAGE
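Review bot: `CMD /start.sh` near the end of the debian/13/Dockerfile hunk is the shell form, so the script may run under a `/bin/sh -c` wrapper as PID 1 that does not forward SIGTERM to the bash script or its `pdns_server` child; `docker stop` would then wait out the timeout and SIGKILL the daemon instead of letting it shut down. The exec form, `CMD ["/start.sh"]`, makes the script PID 1 directly so the `wait -n`/`exit $?` logic in start.sh sees the signal. `ADD start.sh /` only needs a plain file copy, so `COPY start.sh /` avoids ADD's archive-extraction and URL semantics. The base image is referenced by the floating tag `debian:trixie-slim`, which fits the rebuild flow in build/rebuild.sh that re-pulls the tag to pick up updates, but it does mean a given build is not reproducible by digest.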
diff --git a/debian/13/start.sh b/debian/13/start.sh
new file mode 100755
index 0000000..e650da1
--- /dev/null
+++ b/debian/13/start.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# create sqlite database for DNSSEC
+if test ! -e /var/lib/powerdns/bind-dnssec-db.sqlite3; then
+ echo [$0] Initializing /var/lib/powerdns/bind-dnssec-db.sqlite3
+ /usr/bin/pdnsutil create-bind-db /var/lib/powerdns/bind-dnssec-db.sqlite3
+fi
+sed -i 's/^# bind-dnssec-db=/bind-dnssec-db=\/var\/lib\/powerdns\/bind-dnssec-db.sqlite3/' /etc/powerdns/pdns.d/bind.conf
+
+# start powerdns server
+/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no &
+
+# watch for zone changes
+inotifywait -mqre modify --exclude '.*(\.git|.*\.swp)' --format '%w%f' "/var/lib/powerdns/zones/" |
+ while read -r path; do
+ zone=$(basename $path)
+ echo [$0] A modification was detected in $path
+ echo [$0] Executing \`/usr/bin/pdns_control bind-reload-now $zone\`
+ /usr/bin/pdns_control bind-reload-now $zone
+ if pdnsutil show-zone $zone 2>/dev/null | grep -q "Zone is not actively secured"; then
+ echo [$0] Zone is not actively secured, skipping \`pdnsutil rectify-zone $zone\`
+ else
+ echo [$0] DNSSEC secured zone. Executing \`pdnsutil rectify-zone $zone\`
+ /usr/bin/pdnsutil rectify-zone $zone
+ fi
+ done &
+
+wait -n
+
+exit $?
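Review bot: Inside the `while read -r path` loop, `$path` and `$zone` are expanded unquoted in `basename $path`, `pdns_control bind-reload-now $zone`, `pdnsutil show-zone $zone` and `pdnsutil rectify-zone $zone`, so a zone file whose name contains whitespace or glob characters is word-split or globbed before it reaches the command; these names come from the filesystem via inotifywait, not from a fixed list, so the shell should not reinterpret them. Quote them as `zone=$(basename -- "$path")` and `/usr/bin/pdns_control bind-reload-now "$zone"`, and use `"$zone"` in the two pdnsutil calls the same way. The `[$0]` prefix on each echo line is likewise an unquoted bracket expression that the shell tries as a glob against the working directory; `echo "[$0] ..."` keeps it literal. The same loop appears to be what the debian/12 image runs, so if the quoting is fixed here it is worth applying there too.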