With those fixes, nsd starts without complaining.
The CAP_CHOWN is not ideal but it silences errors shown in red by journalctl:
Oct 27 21:27:50 knowing-snail nsd[1685]: [2018-10-27 21:27:50.627] nsd[1685]: notice: nsd starting (NSD 4.1.25)
Oct 27 21:27:50 knowing-snail nsd[1685]: cannot chown 111.115 /run/nsd/nsd.pid: Operation not permitted
Oct 27 21:27:50 knowing-snail nsd[1685]: cannot overwrite the pidfile /run/nsd/nsd.pid: Operation not permitted
Oct 27 21:27:50 knowing-snail nsd[1685]: [2018-10-27 21:27:50.632] nsd[1685]: error: cannot chown 111.115 /run/nsd/nsd.pid: Operation not permitted
Oct 27 21:27:50 knowing-snail nsd[1685]: [2018-10-27 21:27:50.632] nsd[1685]: error: cannot overwrite the pidfile /run/nsd/nsd.pid: Operation not permitted
Oct 27 21:27:50 knowing-snail nsd[1686]: nsd started (NSD 4.1.25), pid 1685
Upstream was receptive to lowering the log level of the PID chown failure for unbound, so presumably they would accept the same change for nsd. I didn't get the time to open the bug upstream, but feel free to not merge the CAP change.
During a service stop some warnings/errors will be logged because nsd wants to unlink its PID:
Oct 27 21:54:17 knowing-snail nsd[2303]: [2018-10-27 21:54:17.885] nsd[2304]: warning: signal received, shutting down...
Oct 27 21:54:17 knowing-snail nsd[2303]: [2018-10-27 21:54:17.885] nsd[2304]: warning: failed to unlink pidfile /run/nsd/nsd.pid: Permission denied
Oct 27 21:54:17 knowing-snail nsd[2304]: failed to unlink pidfile /run/nsd/nsd.pid: Permission denied
This is harmless AFAICT and with RuntimeDirectory, systemd will take care of removing /run/nsd after the daemon is stopped so nothing will be left behind. In this case, I also think that upstream wouldn't mind bumping the verbose level of those failure messages.
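For reference, the two settings discussed above as a systemd drop-in. This is an added illustration, not the unit file from this change; it assumes nsd is started as root and drops privileges itself via `username:` in nsd.conf, that the pidfile is `/run/nsd/nsd.pid`, and that the capability list shown is the one the hardened unit already carries (adjust it to match the actual unit).

```ini
# /etc/systemd/system/nsd.service.d/runtime.conf (added example, assumed path)
[Service]
# systemd creates /run/nsd before ExecStart and removes it after the service
# stops, so a "failed to unlink pidfile" warning at shutdown leaves nothing behind.
RuntimeDirectory=nsd

# Capability list is an assumption for this example; CAP_CHOWN is only there to
# silence "cannot chown ... /run/nsd/nsd.pid" when nsd hands the pidfile to its
# unprivileged user. Remove it from the list to keep the tighter bounding set
# and accept the red error lines in journalctl instead.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_CHOWN
```

After `systemctl daemon-reload` and a stop/start cycle, `test ! -e /run/nsd` after `systemctl stop nsd` confirms the directory cleanup that RuntimeDirectory promises.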