On debian, bind (the name of the nameserver program) runs as
                root by default. Considering bind's security history, this
                is not a good idea. It is also a good idea to jail bind so
                that it runs only within it's own home directory. These
                FAQ's describe how to
                1) run bind as non-root
                2) chroot bind [jail it so that it runs completely within
                it's own home directory)

                more to come when we've finished actually doing the above~)
                Subcategories:
                Answers in this category:
                (Answer)Diesel.cat.org.au -- primary name server
                [New Answer in "Securing cat's nameserver (bind)"]
                praccus (at) octapod.org, andy (at) cat.org.au