diff --git a/bind.spec b/bind.spec
index 1f934da..58038d6 100644
--- a/bind.spec
+++ b/bind.spec
@@ -763,9 +763,6 @@ popd
 mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}/etc/{pki/dnssec-keys,named}
 mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}/%{_libdir}/bind
 # these are required to prevent them being erased during upgrade of previous
-touch ${RPM_BUILD_ROOT}/%{chroot_prefix}/dev/null
-touch ${RPM_BUILD_ROOT}/%{chroot_prefix}/dev/random
-touch ${RPM_BUILD_ROOT}/%{chroot_prefix}/dev/zero
 touch ${RPM_BUILD_ROOT}/%{chroot_prefix}/etc/named.conf
 #end chroot
@@ -783,9 +780,6 @@ popd
 mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/etc/{pki/dnssec-keys,named}
 mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/%{_libdir}/bind
 # these are required to prevent them being erased during upgrade of previous
-touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/dev/null
-touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/dev/random
-touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/dev/zero
 touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/etc/named.conf
 %endif
 #end sdb-chroot
@@ -1020,28 +1014,24 @@ fi
 
 %post chroot
 %systemd_post named-chroot.service
-if [ "$1" -gt 0 ]; then
- [ -e %{chroot_prefix}/dev/random ] || \
- /bin/mknod %{chroot_prefix}/dev/random c 1 8
- [ -e %{chroot_prefix}/dev/zero ] || \
- /bin/mknod %{chroot_prefix}/dev/zero c 1 5
- [ -e %{chroot_prefix}/dev/null ] || \
- /bin/mknod %{chroot_prefix}/dev/null c 1 3
-fi;
+if [ $1 -gt 1 ]; then
+ # Fix permissions on existing device files on upgrade
+ for DEV in "%{chroot_prefix}/dev"/{null,random,dev}; do
+ if [ -e "$DEV" -a "$(stat --printf="%G %a" "$DEV")" = "root 644" ]; then
+ chmod 0664 "$DEV"
+ chgrp named "$DEV"
+ fi
+ done
+fi
 :;
 
 %posttrans chroot
 if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
 [ -x /sbin/restorecon ] && /sbin/restorecon %{chroot_prefix}/dev/* > /dev/null 2>&1;
 fi;
-:;
 
 %preun chroot
 %systemd_preun named-chroot.service
-if [ "$1" -eq 0 ]; then
- # Package removal, not upgrade
- rm -f %{chroot_prefix}/dev/{random,zero,null}
-fi
 :;
 
 %postun chroot
@@ -1053,14 +1043,15 @@ fi
 
 %post sdb-chroot
 %systemd_post named-sdb-chroot.service
-if [ "$1" -gt 0 ]; then
- [ -e %{chroot_sdb_prefix}/dev/random ] || \
- /bin/mknod %{chroot_sdb_prefix}/dev/random c 1 8
- [ -e %{chroot_sdb_prefix}/dev/zero ] || \
- /bin/mknod %{chroot_sdb_prefix}/dev/zero c 1 5
- [ -e %{chroot_sdb_prefix}/dev/null ] || \
- /bin/mknod %{chroot_sdb_prefix}/dev/null c 1 3
-fi;
+if [ $1 -gt 1 ]; then
+ # Fix permissions on existing device files on upgrade
+ for DEV in "%{chroot_prefix}/dev"/{null,random,dev}; do
+ if [ -e "$DEV" -a "$(stat --printf="%G %a" "$DEV")" = "root 644" ]; then
+ chmod 0664 "$DEV"
+ chgrp named "$DEV"
+ fi
+ done
+fi
 :;
 
 %posttrans sdb-chroot
@@ -1071,10 +1062,6 @@ fi;
 
 %preun sdb-chroot
 %systemd_preun named-sdb-chroot.service
-if [ "$1" -eq 0 ]; then
- # Package removal, not upgrade
- rm -f %{chroot_sdb_prefix}/dev/{random,zero,null}
-fi
 :;
 
 %postun sdb-chroot
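Review bot: The upgrade fix-up loop in %post chroot never touches /dev/zero, because the brace list reads `{null,random,dev}` while the devices the package ships and creates are null, random and zero, so an old root-owned 0644 /dev/zero keeps failing `rpm -V` against the new `%defattr(0664,root,named,-)` ghost entry. The same loop copied into %post sdb-chroot also iterates `"%{chroot_prefix}/dev"` instead of `"%{chroot_sdb_prefix}/dev"`, so that scriptlet repairs the other chroot's devices and leaves its own alone. Suggested lines: `for DEV in "%{chroot_prefix}/dev"/{null,random,zero}; do` in %post chroot and `for DEV in "%{chroot_sdb_prefix}/dev"/{null,random,zero}; do` in %post sdb-chroot. While there, `if [ "$1" -gt 1 ]; then` keeps the quoting the removed code had, and since scriptlets are macro-expanded by rpm, writing the stat format as `"%%G %%a"` removes any chance of `%G`/`%a` being picked up as macros.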
@@ -1254,9 +1241,10 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_unitdir}/named-chroot.service
 %{_unitdir}/named-chroot-setup.service
 %{_libexecdir}/setup-named-chroot.sh
-%ghost %{chroot_prefix}/dev/null
-%ghost %{chroot_prefix}/dev/random
-%ghost %{chroot_prefix}/dev/zero
+%defattr(0664,root,named,-)
+%ghost %dev(c,1,3) %verify(not mtime) %{chroot_prefix}/dev/null
+%ghost %dev(c,1,8) %verify(not mtime) %{chroot_prefix}/dev/random
+%ghost %dev(c,1,5) %verify(not mtime) %{chroot_prefix}/dev/zero
 %defattr(0640,root,named,0750)
 %dir %{chroot_prefix}
 %dir %{chroot_prefix}/dev
@@ -1288,9 +1276,10 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_unitdir}/named-sdb-chroot.service
 %{_unitdir}/named-sdb-chroot-setup.service
 %{_libexecdir}/setup-named-chroot.sh
-%ghost %{chroot_sdb_prefix}/dev/null
-%ghost %{chroot_sdb_prefix}/dev/random
-%ghost %{chroot_sdb_prefix}/dev/zero
+%defattr(0664,root,named,-)
+%ghost %dev(c,1,3) %verify(not mtime) %{chroot_sdb_prefix}/dev/null
+%ghost %dev(c,1,8) %verify(not mtime) %{chroot_sdb_prefix}/dev/random
+%ghost %dev(c,1,5) %verify(not mtime) %{chroot_sdb_prefix}/dev/zero
 %defattr(0640,root,named,0750)
 %dir %{chroot_sdb_prefix}
 %dir %{chroot_sdb_prefix}/dev
@@ -1413,6 +1402,7 @@ rm -rf ${RPM_BUILD_ROOT}
 %changelog
 * Thu Jul 12 2018 Petr Menšík - 32:9.11.3-15
 - Use new config file named-chroot.files for chroot setup (#1429656)
+- Fix chroot devices file verification (#1592873)
 
 * Thu Jul 12 2018 Fedora Release Engineering - 32:9.11.3-14
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
diff --git a/setup-named-chroot.sh b/setup-named-chroot.sh
index f46e107..2704966 100755
--- a/setup-named-chroot.sh
+++ b/setup-named-chroot.sh
@@ -27,20 +27,21 @@ fi
 dev_create() {
 DEVNAME="$ROOTDIR/dev/$1"
- MINOR="$2"
+ shift
 if ! [ -e "$DEVNAME" ]; then
- /bin/mknod "$DEVNAME" c 1 $MINOR
- fi
- if [ -x /usr/sbin/selinuxenabled -a -x /sbin/restorecon ]; then
- /usr/sbin/selinuxenabled && /sbin/restorecon "$DEVNAME" > /dev/null
+ /bin/mknod -m 0664 "$DEVNAME" $@
+ /bin/chgrp named "$DEVNAME"
+ if [ -x /usr/sbin/selinuxenabled -a -x /sbin/restorecon ]; then
+ /usr/sbin/selinuxenabled && /sbin/restorecon "$DEVNAME" > /dev/null || :
+ fi
 fi
 }
 dev_chroot_prep() {
- dev_create random 8
- dev_create zero 5
- dev_create null 3
+ dev_create random c 1 8
+ dev_create zero c 1 5
+ dev_create null c 1 3
 }
 files_comment_filter()
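Review bot: `$@` on the mknod line in dev_create is unquoted; it is harmless for the literal `c 1 8`-style arguments dev_chroot_prep passes today, but `/bin/mknod -m 0664 "$DEVNAME" "$@"` is the correct form and keeps ShellCheck quiet. Note that the group, mode and SELinux label are now applied only on the creation path: a node that already exists with the old root:root 0644 mode is left untouched by this script and relies entirely on the package %post to be repaired, so a comment such as `# pre-existing nodes are repaired by the bind-chroot %post, not here` would make that contract explicit. The `-a` inside `[ ... ]` could become `[ -x /usr/sbin/selinuxenabled ] && [ -x /sbin/restorecon ]` for POSIX clarity.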