I ran into this issue too. I think that, in principle, daemons should
not be able to write to their own configuration files, so making the
files owned by root is a good thing anyway. The only real trouble is
that things break on upgrade due to the earlier default ownership.


One other related issue is that the current CapabilityBoundingSet
appears to break the ip-transparent nsd option.

May 03 17:59:40 juniper nsd[20346]: setsockopt(...,IP_TRANSPARENT, ...) failed for udp: Operation not permitted
May 03 17:59:40 juniper nsd[20346]: setsockopt(...,IP_TRANSPARENT, ...) failed for udp: Operation not permitted
May 03 17:59:40 juniper nsd[20346]: setsockopt(...,IP_TRANSPARENT, ...) failed for tcp: Operation not permitted
May 03 17:59:40 juniper nsd[20346]: setsockopt(...,IP_TRANSPARENT, ...) failed for tcp: Operation not permitted

I had this in use as a workaround for:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765831

...and apparently I don't need the workaround anymore, but other use
cases for that option will presumably be broken still.

Thanks,
Corey
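
Added example, not part of the original message and not code from nsd or its packaging: a check that flags the mismatch reported above, where nsd.conf enables ip-transparent while the unit's CapabilityBoundingSet leaves out CAP_NET_ADMIN, the capability ip(7) requires for IP_TRANSPARENT. The unit, drop-in and nsd.conf texts are constructed samples, and the merge rules follow the CapabilityBoundingSet= description in systemd.exec(5).

```python
import re

REQUIRED_CAP = "CAP_NET_ADMIN"  # ip(7): setting IP_TRANSPARENT needs this capability

def cap_allowed(unit_text, cap=REQUIRED_CAP):
    """True if `cap` is left in the bounding set after all CapabilityBoundingSet= lines."""
    allowed = None  # None: directive never set, so the set is unrestricted
    for line in unit_text.splitlines():
        m = re.match(r"\s*CapabilityBoundingSet\s*=(.*)", line)
        if not m:
            continue
        value = m.group(1).strip()
        invert = value.startswith("~")
        caps = set(value.lstrip("~").split())
        if not caps:
            allowed = invert      # "" resets to the empty set, "~" to the full set
        elif cap in caps:
            allowed = not invert  # listed: granted, or removed when the list is inverted
        elif allowed is None:
            allowed = invert      # first assignment: "~list" starts full, "list" starts empty
    return True if allowed is None else allowed

def ip_transparent_enabled(nsd_conf_text):
    """True if the last uncommented ip-transparent: line in nsd.conf says yes."""
    enabled = False
    for line in nsd_conf_text.splitlines():
        m = re.fullmatch(r"ip-transparent:\s*\"?(\w+)\"?", line.split("#", 1)[0].strip())
        if m:
            enabled = m.group(1).lower() == "yes"
    return enabled

def check(unit_text, nsd_conf_text):
    """Return a finding string when the option and the sandbox disagree, else None."""
    if ip_transparent_enabled(nsd_conf_text) and not cap_allowed(unit_text):
        return f"ip-transparent is on but {REQUIRED_CAP} is outside CapabilityBoundingSet"
    return None

# Constructed inputs, not the packaged nsd.service or a real nsd.conf.
SAMPLE_UNIT = """[Service]
ExecStart=/usr/sbin/nsd -d
CapabilityBoundingSet=CAP_CHOWN CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
"""
SAMPLE_DROPIN = "[Service]\nCapabilityBoundingSet=CAP_NET_ADMIN\n"
SAMPLE_CONF = "server:\n    ip-address: 192.0.2.53\n    ip-transparent: yes\n"

if __name__ == "__main__":
    print(check(SAMPLE_UNIT, SAMPLE_CONF))                  # finding
    print(check(SAMPLE_UNIT + SAMPLE_DROPIN, SAMPLE_CONF))  # None
```

Because repeated CapabilityBoundingSet= lines are merged, the drop-in in the second call adds CAP_NET_ADMIN to the unit's list instead of replacing it.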
