Create zone from designate says "permission denied" having backend bind9 running in different vm

Question

I installed bind9 in my 10.10.70.25 vm and I've my openstack-designate running in 10.10.70.81 vm.

rndc.key for bind9 and designate are same.

rndc.key for designate is located at /home/syed/bind/rndc.key

Below is my /home/syed/bind/rndc.conf in designate (10.10.70.81)

key "rndc-key" {
    algorithm hmac-md5;
    secret "shTCHuGbqgAzKdL8+MTCIg==";
};
options {
    default-key "rndc-key";
    default-server 10.10.70.25;
    default-port 953;
};

Below is the bind9 section of my /etc/designate/designate.conf

[backend:agent:bind9]

#
# From designate.agent
#

# RNDC Host (string value)
rndc_host = 10.10.70.25

# RNDC Port (integer value)
rndc_port = 953

# RNDC Config File (string value)
rndc_config_file = /home/syed/bind/rndc.conf

# RNDC Key File (string value)
rndc_key_file = /home/syed/bind/rndc.key

# Path where zone files are stored (string value)
zone_file_path = /etc/bind

# Host to query when finding zones (string value)
query_destination = 127.0.0.1

Below is my named.conf in bind9 (10.10.70.25)

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

key "rndc-key" {
        algorithm hmac-md5;
        secret "shTCHuGbqgAzKdL8+MTCIg==";
};

controls {
    inet 10.10.70.25 port 953
    allow { 10.10.70.81; } keys { "rndc-key"; };
};

when I run

rndc -c  /home/syed/bind/rndc.conf -k /home/syed/bind/rndc.key status

it's showing "server is up and running"

when I run

openstack zone create --email admin@syedinttest5.org corp.syedinttest5.org.

I'm getting permission denied error

Command: sudo designate-rootwrap /etc/designate/rootwrap.conf rndc -s 10.10.70.25 -p 953 -c /home/syed/bind/rndc.conf -k /home/syed/bind/rndc.key addzone corp.syedinttest11.org  { type slave; masters { 10.10.70.81 port 5354;}; file "slave.corp.syedinttest11.org.faaf39d3-3745-49b4-a840-aefea6570ae4"; };
Exit code: 1
Stdout: u''
Stderr: u"rndc: 'addzone' failed: permission denied\n"
2018-02-12 04:15:46.282 TRACE designate.pool_manager.service Traceback (most recent call last):
2018-02-12 04:15:46.282 TRACE designate.pool_manager.service   File "/opt/stack/designate/designate/pool_manager/service.py", line 462, in _create_zone_on_target
2018-02-12 04:15:46.282 TRACE designate.pool_manager.service     backend.create_zone(context, zone)
2018-02-12 04:15:46.282 TRACE designate.pool_manager.service   File "/opt/stack/designate/designate/backend/impl_bind9.py", line 98, in create_zone
2018-02-12 04:15:46.282 TRACE designate.pool_manager.service     self._execute_rndc(rndc_op)
2018-02-12 04:15:46.282 TRACE designate.pool_manager.service   File "/opt/stack/designate/designate/backend/impl_bind9.py", line 144, in _execute_rndc
2018-02-12 04:15:46.282 TRACE designate.pool_manager.service     raise exceptions.Backend(e)
2018-02-12 04:15:46.282 TRACE designate.pool_manager.service Backend: Unexpected error while running command.
2018-02-12 04:15:46.282 TRACE designate.pool_manager.service Command: sudo designate-rootwrap /etc/designate/rootwrap.conf rndc -s 10.10.70.25 -p 953 -c /home/syed/bind/rndc.conf -k /home/syed/bind/rndc.key addzone corp.syedinttest11.org  { type slave; masters { 10.10.70.81 port 5354;}; file "slave.corp.syedinttest11.org.faaf39d3-3745-49b4-a840-aefea6570ae4"; };
2018-02-12 04:15:46.282 TRACE designate.pool_manager.service Exit code: 1
2018-02-12 04:15:46.282 TRACE designate.pool_manager.service Stdout: u''
2018-02-12 04:15:46.282 TRACE designate.pool_manager.service Stderr: u"rndc: 'addzone' failed: permission denied\n"

1. how to resolve the error 2. If I want to setup bind9 server, will it be always slave to designate's mdns ??