It's easy to remember that these two services are running on the same machine whose IP address is 192.168.0.1.
Now imagine that our network administrator decides for some reason or another to move the mail server to the machine 192.168.0.11.
The file ns-example-com_rndc-key should not be made world readable for security reasons.
This should be inserted into the bind configuration by an include because the bind configuration itself is world-readable.
It is composed of several fields: Starting bind as a non root user is good practice but to run the daemon in a chroot environment we also need specify the chroot directory.
This is done using the same OPTIONS variable in /etc/default/bind9.
Consequently, I consider the xxxbox like a primary server outside of our domain.