I am in the middle of following the perfect setup myself. It has the user modify some things.
Here is the error I get.
Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user bind, chrooted to /var/lib/named. Modify the line: OPTIONS="-u bind" so that it reads OPTIONS="-u bind -t /var/lib/named":
Create the necessary directories under /var/lib:
mkdir -p /var/lib/named/etc
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run
Then move the config directory from /etc to /var/lib/named/etc:
mv /etc/bind /var/lib/named/etc
Create a symlink to the new config directory from the old location (to avoid problems when bind gets updated in the future):
ln -s /var/lib/named/etc/bind /etc/bind
Make null and random devices, and fix permissions of the directories:
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind
* Stopping domain name service... bind rndc: connect failed: 127.0.0.1#953: connection refused
found 1 CPU, using 1 worker thread
May 21 18:38:25 Gail named: loading configuration from '/etc/bind/named.conf'
May 21 18:38:25 Gail named: none:0: open: /etc/bind/named.conf: permission denied
May 21 18:38:25 Gail named: loading configuration: permission denied
May 21 18:38:25 Gail named: exiting (due to fatal error)
May 21 18:38:25 Gail kernel: [ 2999.652630] audit(1211409505.327:2): type=1503 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/var/lib/named/etc/bind/named.conf" pid=5512 profile="/usr/sbin/named" namespace="default"
May 21 18:41:09 Gail named: starting BIND 9.4.2 -u bind -t /var/lib/named
Here are some of my permissions:
ls -alt /etc/bind/named.conf
-rw-r--r-- 1 bind bind 907 2008-04-09 15:42 /etc/bind/named.conf
ls -alt /var/lib/named/etc/bind/named.conf
-rw-r--r-- 1 bind bind 907 2008-04-09 15:42 /var/lib/named/etc/bind/named.conf
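A note on reading the log above: the kernel line is an AppArmor audit record (type=1503, profile="/usr/sbin/named") refusing a read of the file at its real path under the chroot, so the 644 bind:bind ownership in the ls output is not what is failing; the confinement profile for named is. The following shell script is an added example, not from the post or the tutorial it follows: it reproduces that reasoning over a constructed copy of the two log lines, translating the path the chrooted daemon tried to open into the host path and matching it against the denial. The location of the profile mentioned in the comments is an assumption to verify on your own system.

```shell
#!/bin/sh
# Constructed copy of two syslog lines from the post: named's open() failure and
# the kernel audit line AppArmor emits when its profile for /usr/sbin/named
# refuses the read.
SAMPLE_LOG='May 21 18:38:25 Gail named: none:0: open: /etc/bind/named.conf: permission denied
May 21 18:38:25 Gail kernel: [ 2999.652630] audit(1211409505.327:2): type=1503 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/var/lib/named/etc/bind/named.conf" pid=5512 profile="/usr/sbin/named" namespace="default"'

# Map a path as the chrooted daemon sees it (after "named -t ROOT") to the
# path on the real filesystem, which is what the MAC layer and ls(1) see.
host_path() {
  printf '%s%s\n' "${1%/}" "$2"
}

# Print "profile path mask" for every AppArmor denial in the given log text.
apparmor_denials() {
  printf '%s\n' "$1" | sed -n \
    's/.*denied_mask="\([^"]*\)".*name="\([^"]*\)".*profile="\([^"]*\)".*/\3 \2 \1/p'
}

# Explain a "permission denied" from a chrooted named: take the path it tried
# to open, translate it to the host path, and check whether an AppArmor denial
# names exactly that file. If it does, chown/chmod will not help; the profile
# (assumption: typically /etc/apparmor.d/usr.sbin.named on Ubuntu) must allow
# reads under the chroot, or the mount/path layout must match what it allows.
diagnose() {
  root=$1; log=$2
  wanted=$(printf '%s\n' "$log" | sed -n 's/.* open: \([^:]*\): permission denied$/\1/p' | head -n 1)
  [ -n "$wanted" ] || { echo "no-open-failure"; return 1; }
  expected=$(host_path "$root" "$wanted")
  hit=$(apparmor_denials "$log" | awk -v p="$expected" '$2 == p { print $1, $3; exit }')
  if [ -n "$hit" ]; then
    set -- $hit
    # Output: mac-denial <profile> <denied mask> <host path>
    echo "mac-denial $1 $2 $expected"
    return 0
  fi
  echo "no-mac-denial $expected"
  return 2
}

diagnose /var/lib/named "$SAMPLE_LOG"
```

Run it as-is to see the verdict for the post's log; feed it `journalctl`/syslog text and your own chroot root to check another setup.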