Information
The files and directories for Zone Signing Keys (ZSK) and Key Signing Keys (KSK) should be read-only for the named user, with no access for other.
Rationale:
The named daemon does not require write access to the key files or the directories. Implementing minimal read-only access provides an additional layer of defense, so that if the service were exploited, the exploit would not be able to modify the signing keys. Likewise, restricting read access to the keys prevents inappropriate disclosure of the private keys.
Solution
Perform the following:
chmod -R g-w,o-rwX $KEYDIR
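To confirm the result, the following audit check lists anything under the key directory that the chmod above should have tightened. It is an added example, not part of the benchmark text; the helper names audit_keydir and make_sample_keydir and the sample key file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit that matches "chmod -R g-w,o-rwX $KEYDIR".
# audit_keydir and make_sample_keydir are hypothetical helper names.

# List every entry under the key directory that is still group-writable
# or has any permission bit set for "other".
# Returns 0 = compliant, 1 = offenders listed on stdout, 2 = bad argument.
audit_keydir() {
    keydir=$1
    if [ ! -d "$keydir" ]; then
        echo "audit_keydir: not a directory: $keydir" >&2
        return 2
    fi
    # Symlinks are skipped: their own mode is always 0777 on Linux and
    # chmod -R does not change them. Each -perm -BIT test matches when
    # that bit is set: 020 group write, 004/002/001 other read/write/exec.
    offenders=$(find "$keydir" ! -type l \
        \( -perm -020 -o -perm -004 -o -perm -002 -o -perm -001 \) \
        -exec ls -ld {} +)
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Build a throwaway key directory with deliberately loose modes.
# The zone name and key tag in the file names are constructed.
make_sample_keydir() {
    d=$(mktemp -d) || return 1
    : > "$d/Kexample.test.+013+12345.key"
    : > "$d/Kexample.test.+013+12345.private"
    ln -s "Kexample.test.+013+12345.key" "$d/current.key"
    chmod 755 "$d"                                   # other can list
    chmod 644 "$d/Kexample.test.+013+12345.key"      # other can read
    chmod 660 "$d/Kexample.test.+013+12345.private"  # group can write
    printf '%s\n' "$d"
}
```

Run audit_keydir "$KEYDIR" before and after the chmod; exit status 1 with a listing means entries still need fixing.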
Default Value:
The BIND signing key files and directory do not exist by default.