>> I'm also using ddns and have my zone files in
>> /var/named/chroot/var/named/dynamic.

> are you using DDNS in DualStack (IPv4 and IPv6 together) or do you
> have only DHCP or DHCPv6 and not both?

IPv4 only.

> By default, SELinux prevents any role from modifying named_zone_t
> files; this means that files in the zone database directory cannot be
> modified by dynamic DNS (DDNS) updates or zone transfers.
>
> The Red Hat BIND distribution and SELinux policy creates three
> directories where named is allowed to create and modify files:
> /var/named/slaves, /var/named/dynamic /var/named/data. By placing files
> you want named to modify, such as slave or DDNS updateable zone files
> and database / statistics dump files in these directories, named will
> work normally and no further operator action is required. Files in
> these directories are automatically assigned the 'named_cache_t' file
> context, which SELinux allows named to write."

That's probably why I have updateable zone files in chrooted
/var/named/dynamic. The default targeted policy comes with the necessary
rules for chrooted bind. See

# semanage fcontext -l | grep named_