rpm --setperms will make ipa server fail


    Background:
    One of the recommended mechanisms for enforcing configuration of system files (and reversing user changes) is to use:
    rpm --setperms [rpm_name]

    Problem:
    We have discovered that in RHEL 7.6 two of the ipa rpms have file permissions too restrictive for operation of the IdM servers (either master or replica).

    1) ipa-client-common - sets the permission of /etc/pki/ca-trust/source/ipa.p11-kit to 0000. This will keep named-pkcs11 (DNS) from starting. There is code in the domain-join which overrides this permission (to 644), but that is not sufficient as the rpm does not know this.
    Verify: rpm -qV ipa-client-common

    2) ipa-server-common - sets the permission of /var/named/dyndb-ldap/ipa to 0000. This also keeps named-pkcs11 (DNS) from starting. Initialization of the server sets this directory to 755, but the rpm does not know this.
    Verify: rpm -qV ipa-server-common

    Is it expected that execution of "rpm --setperms" would be compatible with successful operation of the systems? If so, this should be part of the standard testing of the IPA rpms, and the current too-restrictive permissions should be changed.

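An added example, not code from the original post or from the IPA project: before running rpm --setperms on an IdM server, list which entries the package header records as mode 0000 (the mode --setperms will impose), then enforce the packaged modes and put back the two runtime modes the post describes. The package names, the two paths and the 644/755 values are taken from the post; the function names, the rpm --queryformat usage and the sample listing are this example's own assumptions, and the sample is constructed, not real package contents.

```shell
#!/bin/sh
# Added example (not from the original post): audit an RPM's packaged file
# modes before running "rpm --setperms", then re-apply the runtime modes the
# post says IPA itself sets. Package names, paths and the 644/755 values
# come from the post; the helper names here are this example's own.
set -u

# Print one "<ls-style mode> <path>" line per file in a package, taken
# from the RPM header. These are the modes --setperms will enforce.
query_packaged_modes() {
    rpm -q --queryformat '[%{FILEMODES:perms} %{FILENAMES}\n]' "$1"
}

# Filter "<mode> <path>" lines on stdin down to regular files and
# directories whose packaged mode is 0000 (no permission bits at all).
# Symlinks are skipped because their mode is not meaningful.
find_zero_mode_entries() {
    awk '{
        mode = $1
        if (substr(mode, 1, 1) == "l") next
        if (substr(mode, 2) == "---------") print $2
    }'
}

# Report the entries of an installed package that --setperms would lock
# down to 0000. Needs rpm, so it is not exercised by the offline demo.
audit_package() {
    query_packaged_modes "$1" | find_zero_mode_entries
}

# Enforce packaged modes, then restore the two modes the post identifies
# as set by the client domain-join and the server initialization rather
# than by the RPM. Run as root on an IdM master or replica. Afterwards
# rpm -qV reports both entries as "M" (mode differs); per the post that
# is the working state, not a problem.
setperms_with_ipa_fixups() {
    for pkg in ipa-client-common ipa-server-common; do
        rpm --setperms "$pkg" || return 1
    done
    chmod 644 /etc/pki/ca-trust/source/ipa.p11-kit || return 1
    chmod 755 /var/named/dyndb-ldap/ipa || return 1
    rpm -qV ipa-client-common ipa-server-common
    return 0
}

# Constructed sample of query_packaged_modes output (not real package
# contents): the two entries from the post plus three ordinary ones.
SAMPLE_IPA_MODES='-rw-r--r-- /usr/share/ipa/example.conf
---------- /etc/pki/ca-trust/source/ipa.p11-kit
d--------- /var/named/dyndb-ldap/ipa
drwxr-xr-x /usr/share/ipa
lrwxrwxrwx /usr/share/ipa/example-link'

# Offline demo: run the filter over the constructed sample.
demo_audit() {
    printf '%s\n' "$SAMPLE_IPA_MODES" | find_zero_mode_entries
}

demo_audit
```

On a real system, `audit_package ipa-client-common` and `audit_package ipa-server-common` replace the constructed sample; running the audit first tells you which paths --setperms is about to close before named-pkcs11 stops starting, and `setperms_with_ipa_fixups` is the order of operations that keeps the server working.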
