diff --git a/files/rootwrap.d/bind9.filters b/files/rootwrap.d/bind9.filters
index df8786b..8fb8107 100644
--- a/files/rootwrap.d/bind9.filters
+++ b/files/rootwrap.d/bind9.filters
@@ -1,7 +1,7 @@
 # designate-rootwrap command filters for nodes on which designate is
 # expected to control network
 #
-# This file should be owned by (and only-writeable by) the root user
+# This file should be owned by (and only-writable by) the root user
 # format seems to be
 # cmd-name: filter-name, raw-command, user, args
diff --git a/files/rootwrap.d/djbdns.filters b/files/rootwrap.d/djbdns.filters
new file mode 100644
index 0000000..1471c93
--- /dev/null
+++ b/files/rootwrap.d/djbdns.filters
@@ -0,0 +1,4 @@
+[Filters]
+tcpclient: CommandFilter, /usr/bin/tcpclient, root
+axfr-get: CommandFilter, /usr/bin/axfr-get, root
+tinydns-data: CommandFilter, /usr/bin/tinydns-data, root
diff --git a/files/rootwrap.d/knot2.filters b/files/rootwrap.d/knot2.filters
new file mode 100644
index 0000000..d6c96b4
--- /dev/null
+++ b/files/rootwrap.d/knot2.filters
@@ -0,0 +1,3 @@
+# cmd-name: filter-name, raw-command, user, args
+[Filters]
+knotc: CommandFilter, /usr/sbin/knotc, root
diff --git a/templates/policy.json.j2 b/templates/policy.json.j2
index 5b9b842..0eeb7a1 100644
--- a/templates/policy.json.j2
+++ b/templates/policy.json.j2
@@ -122,5 +122,8 @@
 "find_zone_exports": "rule:admin_or_owner",
 "get_zone_export": "rule:admin_or_owner",
 "update_zone_export": "rule:admin_or_owner",
- "delete_zone_export": "rule:admin_or_owner"
+
+ "find_service_status": "rule:admin",
+ "find_service_statuses": "rule:admin",
+ "update_service_service_status": "rule:admin"
 }
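Review bot: `tcpclient` in djbdns.filters is allowed as root through a plain `CommandFilter`, which matches only the executable and not its arguments, and tcpclient's arguments themselves name a program for it to run, so this entry does not bound what the designate user can execute as root. The same lack of argument checks applies to `axfr-get` and `tinydns-data` in this file and to `knotc` in knot2.filters, where the whole control interface becomes available as root. I would pin the argument shapes the backend really uses with `RegExpFilter` entries, for example `tcpclient: RegExpFilter, /usr/bin/tcpclient, root, tcpclient, <HOST_REGEX>, <PORT_REGEX>, /usr/bin/axfr-get, <ZONE_REGEX>, <PATH_REGEX>, <PATH_REGEX>` (placeholders, to be filled in from the backend's actual call), or drop the root entries if the backend can run these tools unprivileged. Both new files also lack the ownership comment that bind9.filters carries, `# This file should be owned by (and only-writable by) the root user`.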
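Review bot: `delete_zone_export` is removed in the policy.json.j2 hunk and not re-added, so the rendered policy no longer has an explicit rule for that action and its enforcement falls to whatever default the policy engine applies (the default rule is not visible in this hunk). If the removal is not intended, keep `"delete_zone_export": "rule:admin_or_owner",` ahead of the new entries. Separately, the key `update_service_service_status` repeats `service`; if the service checks `update_service_status` (worth confirming against the Designate release being deployed), the `rule:admin` restriction on that line would never be matched to the checked action.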