diff --git a/bind-chrootenv.conf b/bind-chrootenv.conf
index fcdfc70..eca73a7 100644
--- a/bind-chrootenv.conf
+++ b/bind-chrootenv.conf
@@ -1,6 +1,6 @@
 # See tmpfiles.d(5) for details
 #Type Path Mode UID GID Age Argument
-d /var/lib/named 755 named named - -
+d /var/lib/named 1775 root named - -
 d /var/lib/named/dev 755 root root - -
 c /var/lib/named/dev/null 666 root root - 1:3
 c /var/lib/named/dev/random 666 root root - 1:8
diff --git a/bind.changes b/bind.changes
index 9b1663d..00b6a27 100644
--- a/bind.changes
+++ b/bind.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue Jun 30 08:32:21 UTC 2020 - Josef Möllers
+
+- Changed /var/lib/named to owner root:named and perms rwxrwxr-t so that named, being a/the only member of the "named" group has full r/w access yet cannot change directories owned by root in the case of a compromized named. [bsc#1173307, bind-chrootenv.conf]
+
 -------------------------------------------------------------------
 Thu Jun 18 06:35:35 UTC 2020 - Josef Möllers
diff --git a/bind.conf b/bind.conf
index 854eb35..4f9f9eb 100644
--- a/bind.conf
+++ b/bind.conf
@@ -1,6 +1,6 @@
 # See tmpfiles.d(5) for details
 #Type Path Mode UID GID Age Argument
-d /var/lib/named 755 named named - -
+d /var/lib/named 1775 root named - -
 d /var/lib/named/dyn 755 named named - -
 d /var/lib/named/master 755 named named - -
 d /var/lib/named/slave 755 named named - -
diff --git a/bind.spec b/bind.spec
index 967ad5b..315901f 100644
--- a/bind.spec
+++ b/bind.spec
@@ -561,7 +561,7 @@ fi
 %if %{with_systemd}
 %{_prefix}/lib/tmpfiles.d/bind-chrootenv.conf
 %endif
-%attr(-,named,named) %dir %{_var}/lib/named
+%attr(1775,root,named) %dir %{_var}/lib/named
 %dir %{_var}/lib/named%{_sysconfdir}
 %dir %{_var}/lib/named%{_sysconfdir}/named.d
 %dir %{_var}/lib/named/dev
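Review bot: The new `d /var/lib/named 1775 root named - -` line gives no hint of why the chroot root is now root-owned with the sticky bit, and the rationale lives only in bind.changes; a comment directly above it, `# 1775 root:named: named may create entries here, but the sticky bit stops it from removing or renaming root-owned ones (bsc#1173307)`, would keep a later edit from "fixing" it back to 755 named:named. The same applies to the identical line in bind.conf and to `%attr(1775,root,named)` in bind.spec, which must stay in step with both tmpfiles.d entries since the spec covers the non-systemd install path. Note that the sticky bit only restricts unlink/rename, not creation, so the protection relies on the root-owned subdirectories such as `/var/lib/named/dev` staying non-group-writable, as the unchanged `755 root root` line here does. Whether the tmpfiles.d `d` entry re-applies the new owner and mode to an already existing directory on upgrade should be confirmed against the installed systemd's tmpfiles.d(5) before relying on it for in-place updates.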