mj
2020-May-26 09:58 UTC
[nsd-users] NSD still shows permission errors on Debian 10 Buster
Hi,

Subscribed specially to reply to the subject thread. I am also trying to run nsd on Debian Buster, and it's not working so nicely. :-)

> error: Cannot open /var/log/nsd.log for appending (Read-only file system), logging to stderr
> warning: failed to unlink pidfile /run/nsd/nsd.pid: Permission denied

I added "/var/log" and "/run/nsd" ReadWritePaths to the nsd.service file, but the error remains:

> [Unit]
> Description=Name Server Daemon
> Documentation=man:nsd(8)
> After=network.target
>
> [Service]
> Type=notify
> Restart=always
> ExecStart=/usr/sbin/nsd -d
> ExecReload=+/bin/kill -HUP $MAINPID
> CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
> MemoryDenyWriteExecute=true
> NoNewPrivileges=true
> PrivateDevices=true
> PrivateTmp=true
> ProtectHome=true
> ProtectControlGroups=true
> ProtectKernelModules=true
> ProtectKernelTunables=true
> ProtectSystem=strict
> ReadWritePaths=/var/lib/nsd /etc/nsd /run /var/log /run/nsd
> RuntimeDirectory=nsd
> RestrictRealtime=true
> SystemCallArchitectures=native
> SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
>
> [Install]
> WantedBy=multi-user.target

I read in Paul Wouters' reply to add nsd User/Group to the service file, but then nsd no longer starts, as the nsd user has no permission to bind to port 53:

> error: can't bind udp socket: Permission denied

I wanted to migrate from bind to nsd, but it seems the Debian package could use some love. :-)

Does anyone have a suggestion how to proceed..? (a working systemd file perhaps?)

Thanks,
MJ
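An added example, not part of the original post and not code from the NSD or Debian projects: a small offline check of a unit file against the two failures reported above (writes refused under ProtectSystem=strict, and a non-root User= being unable to bind port 53). The sample unit is constructed from the settings quoted in the post plus the User=/Group= lines described there; the function names are hypothetical, and the model is deliberately simplified as noted in the comments.

```python
import configparser
import os

# Constructed sample: [Service] settings quoted in the post, plus the
# User=/Group= lines the poster describes adding afterwards.
UNIT = """\
[Service]
ExecStart=/usr/sbin/nsd -d
User=nsd
Group=nsd
CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
ProtectSystem=strict
ReadWritePaths=/var/lib/nsd /etc/nsd /run /var/log /run/nsd
RuntimeDirectory=nsd
"""

def load_service(text):
    """Return the [Service] settings of a unit file as a dict."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # systemd keys are case-sensitive
    cp.read_string(text)
    return dict(cp["Service"])

def writable(path, svc):
    """Is path writable under ProtectSystem=strict? (/dev, /proc, /sys, /tmp not modelled)"""
    if svc.get("ProtectSystem") != "strict":
        return True
    roots = [os.path.normpath(r.lstrip("-+")) for r in svc.get("ReadWritePaths", "").split()]
    roots += ["/run/" + d for d in svc.get("RuntimeDirectory", "").split()]
    return any(os.path.commonpath([path, r]) == r for r in roots)

def can_bind_low_port(svc):
    """Does the service keep CAP_NET_BIND_SERVICE? (socket activation, ~ inversion not modelled)"""
    if svc.get("User", "root") in ("root", "0"):
        bounding = svc.get("CapabilityBoundingSet")
        return bounding is None or "CAP_NET_BIND_SERVICE" in bounding.split()
    # A non-root User= starts without capabilities unless they are made ambient.
    return "CAP_NET_BIND_SERVICE" in svc.get("AmbientCapabilities", "").split()

def audit(text, paths):
    """List the reasons the unit would refuse writes to paths or a bind to port 53."""
    svc = load_service(text)
    findings = [f"{p}: outside ReadWritePaths" for p in paths if not writable(p, svc)]
    if not can_bind_low_port(svc):
        findings.append("CAP_NET_BIND_SERVICE not available to the service user")
    return findings

if __name__ == "__main__":
    for finding in audit(UNIT, ["/var/log/nsd.log", "/run/nsd/nsd.pid"]):
        print(finding)
```

The same functions accept the text printed by `systemctl cat nsd.service`, which includes any drop-in files alongside the packaged unit.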