Hi Joel, thanks for the report.
The systemd service file has been part of the package for 5 years, with the default ordering of sections (unit, service, install). The upstream service file was more or less recently added (~1 year ago). Since systemd hardening has been available and recommended, the corresponding directives were added from upstream. Admittedly this still requires some fine tuning such as:

https://salsa.debian.org/dns-team/nsd/merge_requests/1

As such, I am a bit reluctant to ship, use or patch around the upstream service file. However the DAC_OVERRIDE capability is quite excessive as it bypasses all permission checks. Giving the process this capability would be quite contrary to the intent of setting CapabilityBoundingSet.

Best regards,
Markus
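An added example, not part of the message above and not code from the nsd package: a small check that reports whether a capability such as CAP_DAC_OVERRIDE survives in a unit's effective `CapabilityBoundingSet=`, following the merge rules documented in systemd.exec(5). The function name and the sample units are constructed for illustration, and the handling of a bare `~` is a modelling assumption.

```python
import re

def bounding_set_allows(unit_text, cap="CAP_DAC_OVERRIDE"):
    """Return True if `cap` is still in the effective CapabilityBoundingSet=."""
    state = None      # None = directive never set, so there is no bound at all
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        key, sep, value = line.partition("=")
        if section != "Service" or not sep or key.strip() != "CapabilityBoundingSet":
            continue
        value = value.strip()
        invert = value.startswith("~")
        names = set(value.lstrip("~").split())
        listed = cap in names
        if not names:
            # "" resets to the empty set; a bare "~" resets to the full set,
            # modelled here as going back to the unset default (assumption).
            state = None if invert else False
        elif state is None:
            state = (not listed) if invert else listed
        elif invert:
            state = state and not listed   # "~" lines are merged by AND
        else:
            state = state or listed        # plain lines are merged by OR
    return True if state is None else state

# Constructed sample units (not the real nsd service file).
HARDENED = """[Unit]
Description=Example DNS daemon
[Service]
ExecStart=/usr/sbin/example-daemon
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_SYS_CHROOT
"""
DROPIN = "[Service]\nCapabilityBoundingSet=CAP_DAC_OVERRIDE\n"   # later line is OR-merged
REVOKE = "[Service]\nCapabilityBoundingSet=~CAP_DAC_OVERRIDE\n"  # later line is AND-merged
UNBOUNDED = "[Service]\nExecStart=/usr/sbin/example-daemon\n"

if __name__ == "__main__":
    for label, text in [("hardened", HARDENED), ("hardened + drop-in", HARDENED + DROPIN),
                        ("no bounding set", UNBOUNDED)]:
        print(f"{label}: CAP_DAC_OVERRIDE allowed = {bounding_set_allows(text)}")
```

A unit with no `CapabilityBoundingSet=` line at all is reported as allowing the capability, since nothing bounds it.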