When running DNSSEC auto validation, named requires write access to %%ETCDIR%%/master in order to create -signed, .jbk, and .jnl files. Per pkg-plist however, this directory is owned by root:wheel, unlike %%ETCDIR%%/dynamic, %%ETCDIR%%/slave, and %%ETCDIR%%/working which are explicitly owned by (bind,bind,). This breaks auto validation. Worse, the (root,wheel,) ownership of %%ETCDIR%%/master is restored upon every update unfortunately. Therefore I suggest to align all created subdirectories: diff --git a/dns/bind911/pkg-plist b/dns/bind911/pkg-plist index 86422256566d..de6b48f6175c 100644 --- a/dns/bind911/pkg-plist +++ b/dns/bind911/pkg-plist @@ -397,6 +397,6 @@ sbin/rndc sbin/rndc-confgen sbin/tsig-keygen @dir(bind,bind,) %%ETCDIR%%/dynamic -@dir %%ETCDIR%%/master +@dir(bind,bind,) %%ETCDIR%%/master @dir(bind,bind,) %%ETCDIR%%/slave @dir(bind,bind,) %%ETCDIR%%/working dns/bind916 is not affected as it does not create a %%ETCDIR%%/master directory but just %%ETCDIR%%/dynamic, %%ETCDIR%%/slave, and %%ETCDIR%%/working. I have no idea why it's different though.
Alternatively, @dir %%ETCDIR%%/master can be removed from pkg-plist as it's auto created by installing %%ETCDIR%%/master/empty.db. That should also leave user modified ownership intact.
The idea is that the master directory is not modifiable by named, so that in case of a securty issue, the zones cannot be modified. If you want to use the master directory for your zones, and need a journal, use the <journal "journalfile"> directive in the configuration file to put the journal in a directory that can be written by named, like the "working" directory.
(In reply to Mathieu Arnold from comment #2) This argument is untrue for .signed files as they are created in namedb/master and cannot be moved elsewhere. For inline-signed DNSSEC, this is a POLA violation as it may render zones unsigned after restart. Please also see https://forums.freebsd.org/threads/bind-permissions-for-inline-signing-dnssec.72840/ (No, that guy wasn't me.)