Allow only temporary zone updates without making them permanent

Tony Finch dot at dotat.at
Wed Jun 26 18:13:06 UTC 2019


Grant Taylor via bind-users <bind-users at lists.isc.org> wrote:
>
> The only way that I see that BIND, running as something other than root, could
> change them is if the user it's running as has write on the directory and
> deletes & recreates new zone files as itself.  But that would surprise me too.

`named` requires write access to the directory containing dynamic zones,
because it needs to be able to create files there. It will rewrite the
zone file from scratch when it merges in the journal, which is what would
cause the change of ownership.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
sovereignty rests with the people and authority
in a democracy derives from the people
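
The mechanism described in the message above, as an added illustration that is not part of the original post and is not BIND code: when a file is rewritten from scratch by creating a new file in the directory and renaming it over the old one, the result belongs to the writing user, and read-only permissions on the old file do not prevent the replacement. The helper names and the sample zone file are hypothetical, and the create-then-rename model is this example's assumption about how the rewrite is carried out.

```shell
#!/bin/sh
# Added illustration, not BIND code. Helper names are hypothetical.

# Print "inode uid mode" for a file using only POSIX ls.
file_identity() {
    ls -lni "$1" | awk '{print $1, $4, $2}'
}

# Replace file $1 with content $2 the way a from-scratch rewrite does:
# create a new file in the same directory, then rename it over the old one.
# This needs write access to the directory, not to the old file.
rewrite_from_scratch() {
    target=$1
    dir=$(dirname "$target")
    tmp=$(mktemp "$dir/tmp-XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp" || return 1
    mv -f "$tmp" "$target"
}

demo() {
    zonedir=$(mktemp -d) || return 1
    zone="$zonedir/example.test.zone"      # constructed sample zone file
    printf '%s\n' '; original zone, serial 1' > "$zone"
    chmod 444 "$zone"                      # the file itself is read-only
    before=$(file_identity "$zone")
    rewrite_from_scratch "$zone" '; rewritten zone, serial 2'
    after=$(file_identity "$zone")
    # The inode changes, and uid and mode are those of the new file.
    echo "before: $before"
    echo "after:  $after"
    rm -rf "$zonedir"
}

demo
```

To audit an existing deployment, compare the owner of each dynamic zone file and of its directory with the account `named` runs as.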

