Dynamic updates aren’t directly written to the zonefile in bind. They are first written to a binary log file called a journal.
The issue on your system is that bind doesn’t have the permissions to create the journal file. The SERVFAIL is a result of that failure.
You should check what user/group bind is running at, and check that /etc/bind has the right permissions on it in order to enable the journal file to be created.
Apart from directory permissions, SELinux may also be a culprit.
See these previous threads: