Information
All of the directories under which ISC BIND runs should be owned by root. Of course, any files created at run time by BIND will still be owned by named, and the run time files will need to be in a directory writable by the named group.
Rationale:
Restricting ownership of the directories provides defense in depth and will reduce the probability of unauthorized modifications to those resources. If there was a BIND vulnerability that allowed code execution as the named user, then the code would not be able to modify permissions on the BIND directories owned by root.
Solution
To correct the directory ownership, perform the following:
find $BIND_HOME $RUNDIR -type d ! -user root | xargs chown root
Note: it is important to remember that the run time files will need to be in a directory writable by the named group. Changing the directory ownership to root might cause permissions issues, if the group permissions are not writable.
Default Value:
The following directories are owned by named in the default package install
/var/named/dynamic
/var/named/slaves
/var/named/data
/run/named