diff --git a/manifests/backend/bind9.pp b/manifests/backend/bind9.pp
index 9042e656..2d4b465b 100644
--- a/manifests/backend/bind9.pp
+++ b/manifests/backend/bind9.pp
@@ -24,7 +24,7 @@ class designate::backend::bind9 (
 $rndc_host = '127.0.0.1',
 $rndc_port = '953',
 $rndc_config_file = '/etc/rndc.conf',
- $rndc_key_file = '/etc/rndc.key'
+ $rndc_key_file = '/etc/rndc.key',
 ) {
 include ::designate::deps
@@ -43,4 +43,15 @@ class designate::backend::bind9 (
 content => 'allow-new-zones yes;',
 order => '20',
 }
+
+ # /var/named is root:named on RedHat and /var/cache/bind is root:bind on
+ # Debian. Both groups only have read access but require write permission in
+ # order to be able to use rndc addzone/delzone commands that Designate uses.
+ # NOTE(bnemec): ensure_resource is to avoid a chicken and egg problem with
+ # removing this from puppet-openstack-integration. Once that has been done
+ # the ensure_resource wrapper could be removed.
+ ensure_resource('file', $::dns::params::vardir, {
+ mode => 'g+w',
+ require => Package[$::dns::params::dns_server_package]
+ })
 }
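Review bot: The `file` resource added at the end of the second hunk manages only a relative mode (`mode => 'g+w'`), so the resulting permissions on `$::dns::params::vardir` depend on whatever owner, group and base mode the package left behind; the comment assumes root:named / root:bind, but nothing in the resource enforces it. Consider pinning `ensure => directory`, the owner and the BIND group explicitly, or using an absolute mode, so that group write can only go to the intended service group. The comment could also record the trade-off, for example `# Group write lets the named/bind daemon create and replace files here; keep the group limited to the DNS service account.` Separately, `ensure_resource` only de-duplicates a declaration with identical parameters, so a differing `file` declaration for the same path elsewhere would presumably still fail catalog compilation. The class body starts outside the hunk, so whether the `dns` params class is already included cannot be confirmed from here.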