When running DNSSEC auto validation, named requires write access to %%ETCDIR%%/master in order to create -signed, .jbk, and .jnl files. Per pkg-plist however, this directory is owned by root:wheel, unlike %%ETCDIR%%/dynamic, %%ETCDIR%%/slave, and %%ETCDIR%%/working which are explicitly owned by (bind,bind,). This breaks auto validation.
Worse, the (root,wheel,) ownership of %%ETCDIR%%/master is restored upon every update unfortunately.
Therefore I suggest to align all created subdirectories:
diff --git a/dns/bind911/pkg-plist b/dns/bind911/pkg-plist
index 86422256566d..de6b48f6175c 100644
@@ -397,6 +397,6 @@ sbin/rndc
dns/bind916 is not affected as it does not create a %%ETCDIR%%/master directory but just %%ETCDIR%%/dynamic, %%ETCDIR%%/slave, and %%ETCDIR%%/working. I have no idea why it's different though.
Alternatively, @dir %%ETCDIR%%/master can be removed from pkg-plist as it's auto created by installing %%ETCDIR%%/master/empty.db. That should also leave user modified ownership intact.
The idea is that the master directory is not modifiable by named, so that in case of a securty issue, the zones cannot be modified.
If you want to use the master directory for your zones, and need a journal, use the <journal "journalfile"> directive in the configuration file to put the journal in a directory that can be written by named, like the "working" directory.
(In reply to Mathieu Arnold from comment #2)
This argument is untrue for .signed files as they are created in namedb/master and cannot be moved elsewhere. For inline-signed DNSSEC, this is a POLA violation as it may render zones unsigned after restart.
Please also see https://forums.freebsd.org/threads/bind-permissions-for-inline-signing-dnssec.72840/ (No, that guy wasn't me.)