[net-dns/bind] sync with tree, hopefully not breaking anything

net-dns/bind/Manifest

@@ -1,3 +1,2 @@
-DIST bind-9.18.27.tar.xz 5524000 BLAKE2B 720b1677606c27768af7799f4a36cebcbebea2f4ddf42421bc9cba29d48b8f3bc9616c691c1b7e1897635984d01099ea40c1c7346908aa3652b1347794139e25 SHA512 d0c89821fef38e531d65b465adeb5946589775e6a4d5e2068e969f1106c961d3b202af19247b9e20f9fbde645be10d610478edf89ed0d83b39d38fb4353c693a
-DIST bind-9.18.27.tar.xz.asc 833 BLAKE2B 8621991724e19b0b987cf82c8d6bbf31ef2440c9e133d06925c982f60d69587770dc4560c34050243da0bbe59d8180bdc910ca661cec9a0cd11d525ef4110fa2 SHA512 0da73d14dd8db8e55fcfe47e597fe242f7889b64e3cb383e24f90bed95b13cf38771cf7513bf621e308e5a6d10d83ae333ddd09f266fa7b1bd031192ec698404
-DIST dyndns-samples.tbz2 22866 BLAKE2B 409890653c6536cb9c0e3ba809d2bfde0e0ae73a2a101b4f229b46c01568466bc022bbbc37712171adbd08c572733e93630feab95a0fcd1ac50a7d37da1d1108 SHA512 83b0bf99f8e9ff709e8e9336d8c5231b98a4b5f0c60c10792f34931e32cc638d261967dfa5a83151ec3740977d94ddd6e21e9ce91267b3e279b88affdbc18cac
+DIST bind-9.18.29.tar.xz 5562720 BLAKE2B f3e7de6936362bcce4993e401ed8fdd9d597459e82ad908a918fff1da619f91ef4896595ea210b43f2b492d763d7be2b71105495858da55431b60874c7fd2312 SHA512 6c2676e2e2cb90f3bd73afb367813c54d1c961e12df1e12e41b9d0ee5a1d5cdf368d81410469753eaef37e43358b56796f078f3b2f20c3b247c4bef91d56c716
+DIST bind-9.18.29.tar.xz.asc 833 BLAKE2B afb127b5431f5e05eb1849335a692bf3a072bfc6182a8052316728a11f2f63f9f3c67a820a1d75f8d4cf3fe50e142f286f06f5392378bb64854402d3496061aa SHA512 6612c7151c4c1736e0237b8219cefbafbc1dcd4b04ad9b12b99cba703e6debde90d2f9838dd1465a47b9a002a598d9b8f3221dfe1a3bdc41436a92e6d06db472

net-dns/bind/bind-9.18.27.ebuild

@@ -3,73 +3,61 @@
 
 EAPI=8
 
-PYTHON_COMPAT=( python3_{10..12} )
-
 VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/isc.asc
-inherit python-any-r1 systemd tmpfiles verify-sig
+inherit multiprocessing systemd tmpfiles verify-sig
 
 MY_PV="${PV/_p/-P}"
 MY_PV="${MY_PV/_rc/rc}"
-MY_P="${PN}-${MY_PV}"
-
-RRL_PV="${MY_PV}"
 
 DESCRIPTION="Berkeley Internet Name Domain - Name Server"
-HOMEPAGE="https://www.isc.org/software/bind https://gitlab.isc.org/isc-projects/bind9"
+HOMEPAGE="https://www.isc.org/software/bind"
 SRC_URI="
 	https://downloads.isc.org/isc/bind9/${PV}/${P}.tar.xz
-	doc? ( mirror://gentoo/dyndns-samples.tbz2 )
 	verify-sig? ( https://downloads.isc.org/isc/bind9/${PV}/${P}.tar.xz.asc )
 "
-S="${WORKDIR}/${MY_P}"
+S="${WORKDIR}/${PN}-${MY_PV}"
 
 LICENSE="MPL-2.0"
 SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~x86 ~amd64-linux ~x86-linux"
-IUSE="+caps dnsrps dnstap doc doh fixed-rrset idn geoip gssapi lmdb selinux static-libs test xml"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux"
+IUSE="+caps dnsrps dnstap doc doh fixed-rrset idn +jemalloc geoip gssapi lmdb selinux static-libs test xml"
+RESTRICT="!test? ( test )"
 
-# libuv lower bound should be the highest value seen at
-# https://gitlab.isc.org/isc-projects/bind9/-/blob/bind-9.18/lib/isc/netmgr/netmgr.c?ref_type=heads#L203
-# to avoid issues with matching stable/testing, etc
 DEPEND="
 	acct-group/named
 	acct-user/named
-	dev-libs/jemalloc
 	dev-libs/json-c:=
-	>=dev-libs/libuv-1.42.0:=
-	sys-libs/zlib
+	>=dev-libs/libuv-1.37.0:=
+	sys-libs/zlib:=
 	dev-libs/openssl:=[-bindist(-)]
 	caps? ( >=sys-libs/libcap-2.1.0 )
-	dnstap? ( dev-libs/fstrm dev-libs/protobuf-c )
-	doh? ( net-libs/nghttp2 )
+	dnstap? (
+		dev-libs/fstrm
+		dev-libs/protobuf-c
+	)
+	doh? ( net-libs/nghttp2:= )
 	geoip? ( dev-libs/libmaxminddb )
 	gssapi? ( virtual/krb5 )
 	idn? ( net-dns/libidn2 )
+	jemalloc? ( dev-libs/jemalloc:= )
 	lmdb? ( dev-db/lmdb )
 	xml? ( dev-libs/libxml2 )
 "
-
-#		optionally for testing dnssec
-#		dev-python/dnspython[dnssec]
-BDEPEND="
-	test? (
-		${PYTHON_DEPS}
-		dev-python/pytest
-		dev-python/requests
-		dev-python/requests-toolbelt
-		dev-python/dnspython
-		dev-perl/Net-DNS-SEC
-		dev-util/cmocka
-	)
-"
-
-RDEPEND="${DEPEND}
+RDEPEND="
+	${DEPEND}
 	selinux? ( sec-policy/selinux-bind )
 	sys-process/psmisc
-	!net-dns/bind-tools
+	!<net-dns/bind-tools-9.18.0
+"
+# sphinx required for man-page and html creation
+BDEPEND="
+	virtual/pkgconfig
+	doc? ( dev-python/sphinx )
+	test? (
+		dev-util/cmocka
+		dev-util/kyua
+	)
 "
-
-RESTRICT="!test? ( test )"
 
 src_configure() {
 	local myeconfargs=(
@@ -79,7 +67,6 @@ src_configure() {
 		--enable-full-report
 		--without-readline
 		--with-openssl="${ESYSROOT}"/usr
-		--with-jemalloc
 		--with-json-c
 		--with-zlib
 		$(use_enable caps linux-caps)
@@ -93,25 +80,18 @@ src_configure() {
 		$(use_with geoip maxminddb)
 		$(use_with gssapi)
 		$(use_with idn libidn2)
+		$(use_with jemalloc)
 		$(use_with lmdb)
 		$(use_with xml libxml2)
-		"${@}"
 	)
 
 	econf "${myeconfargs[@]}"
 }
 
 src_test() {
-	# "${WORKDIR}/${P}"/bin/tests/system/README
-	# as root:
-	# sh bin/tests/system/ifconfig.sh up
-	# as portage:
-	# make check
-	# as root:
-	# sh bin/tests/system/ifconfig.sh down
-
-	# just run the tests that dont mock around with IP addresses
-	emake -C tests/ check
+	# system tests ('emake test') require network configuration for IPs etc
+	# so we run the unit tests instead.
+	TEST_PARALLEL_JOBS="$(makeopts_jobs)" emake unit
 }
 
 src_install() {
@@ -134,7 +114,8 @@ src_install() {
 	fi
 
 	insinto /etc/bind
-	newins "${FILESDIR}"/named.conf-r9 named.conf
+	newins "${FILESDIR}"/named.conf-r8 named.conf
+	newins "${FILESDIR}"/named.conf.auth named.conf.auth
 	newins "${FILESDIR}"/redhat/named.rfc1912.zones named.rfc1912.zones.conf
 
 	insinto /var/bind/pri
@@ -145,16 +126,18 @@ src_install() {
 
 	newenvd "${FILESDIR}"/10bind.env 10bind
 
-	use static-libs || find "${ED}"/usr/lib* -name '*.la' -delete
+	if ! use static-libs ; then
+		find "${ED}"/usr/lib* -name '*.la' -delete || die
+	fi
 
-	dosym ../../var/bind/pri /etc/bind/pri
-	dosym ../../var/bind/sec /etc/bind/sec
-	dosym ../../var/bind/dyn /etc/bind/dyn
+	dosym -r /var/bind/pri /etc/bind/pri
+	dosym -r /var/bind/sec /etc/bind/sec
+	dosym -r /var/bind/dyn /etc/bind/dyn
 	keepdir /var/bind/{pri,sec,dyn} /var/log/named
 
 	fowners root:named /{etc,var}/bind /var/log/named /var/bind/{sec,pri,dyn}
-	fowners root:named /var/bind/pri/named.{empty,localhost,loopback} /etc/bind/{bind.keys,named.conf,named.rfc1912.zones.conf}
-	fperms 0640 /var/bind/pri/named.{empty,localhost,loopback} /etc/bind/{bind.keys,named.conf,named.rfc1912.zones.conf}
+	fowners root:named /var/bind/pri/named.{empty,localhost,loopback} /etc/bind/{bind.keys,named.conf.auth,named.rfc1912.zones.conf}
+	fperms 0640 /var/bind/pri/named.{empty,localhost,loopback} /etc/bind/{bind.keys,named.conf.auth,named.rfc1912.zones.conf}
 	fperms 0750 /etc/bind /var/bind/pri
 	fperms 0770 /var/log/named /var/bind/{,sec,dyn}
 
@@ -173,4 +156,97 @@ pkg_postinst() {
 		chown root:named /etc/bind/rndc.key || die
 		chmod 0640 /etc/bind/rndc.key || die
 	fi
+
+	einfo
+	einfo "You can edit /etc/conf.d/named to customize named settings"
+	einfo
+
+	einfo "If you'd like to run bind in a chroot AND this is a new"
+	einfo "install OR your bind doesn't already run in a chroot:"
+	einfo "1) Uncomment and set the CHROOT variable in /etc/conf.d/named."
+	einfo "2) Run \`emerge --config '=${CATEGORY}/${PF}'\`"
+	einfo
+
+	CHROOT=$(source /etc/conf.d/named 2>/dev/null; echo ${CHROOT})
+	if [[ -n ${CHROOT} ]]; then
+		elog "NOTE: As of net-dns/bind-9.4.3_p5-r1 the chroot part of the init-script got some major changes!"
+		elog "To enable the old behaviour (without using mount) uncomment the"
+		elog "CHROOT_NOMOUNT option in your /etc/conf.d/named config."
+		elog "If you decide to use the new/default method, ensure to make backup"
+		elog "first and merge your existing configs/zones to /etc/bind and"
+		elog "/var/bind because bind will now mount the needed directories into"
+		elog "the chroot dir."
+	fi
+
+	# show only when upgrading to 9.18
+	if [[ -n "${REPLACING_VERSIONS}" ]] && ver_test "${REPLACING_VERSIONS}" -lt 9.18; then
+		elog "As this is a major bind version upgrade, please read:"
+		elog "   https://kb.isc.org/docs/changes-to-be-aware-of-when-moving-from-bind-916-to-918"
+		elog "for differences in functionality."
+		elog ""
+		ewarn "In particular, please note that bind-9.18 does not need a root hints file anymore"
+		ewarn "and we only ship with one as a stop-gap. If your current configuration specifies a"
+		ewarn "root hints file - usually called named.cache - bind will not start as it will not be able"
+		ewarn "to find the specified file. Best practice is to delete the offending lines that"
+		ewarn "reference named.cache file from your configuration."
+	fi
+}
+
+pkg_config() {
+	CHROOT=$(source /etc/conf.d/named; echo ${CHROOT})
+	CHROOT_NOMOUNT=$(source /etc/conf.d/named; echo ${CHROOT_NOMOUNT})
+	CHROOT_GEOIP=$(source /etc/conf.d/named; echo ${CHROOT_GEOIP})
+
+	if [[ -z "${CHROOT}" ]]; then
+		eerror "This config script is designed to automate setting up"
+		eerror "a chrooted bind/named. To do so, please first uncomment"
+		eerror "and set the CHROOT variable in '/etc/conf.d/named'."
+		die "Unset CHROOT"
+	fi
+
+	if [[ -d "${CHROOT}" ]]; then
+		ewarn "NOTE: As of net-dns/bind-9.4.3_p5-r1 the chroot part of the init-script got some major changes!"
+		ewarn "To enable the old behaviour (without using mount) uncomment the"
+		ewarn "CHROOT_NOMOUNT option in your /etc/conf.d/named config."
+		ewarn
+		ewarn "${CHROOT} already exists... some things might become overridden"
+		ewarn "press CTRL+C if you don't want to continue"
+		sleep 10
+	fi
+
+	echo; einfo "Setting up the chroot directory..."
+
+	mkdir -m 0750 -p ${CHROOT} || die
+	mkdir -m 0755 -p ${CHROOT}/{dev,etc,var/log,run} || die
+	mkdir -m 0750 -p ${CHROOT}/etc/bind || die
+	mkdir -m 0770 -p ${CHROOT}/var/{bind,log/named} ${CHROOT}/run/named/ || die
+
+	chown root:named \
+		${CHROOT} \
+		${CHROOT}/var/{bind,log/named} \
+		${CHROOT}/run/named/ \
+		${CHROOT}/etc/bind \
+		|| die
+
+	mknod ${CHROOT}/dev/null c 1 3 || die
+	chmod 0666 ${CHROOT}/dev/null || die
+
+	mknod ${CHROOT}/dev/zero c 1 5 || die
+	chmod 0666 ${CHROOT}/dev/zero || die
+
+	if [[ "${CHROOT_NOMOUNT:-0}" -ne 0 ]]; then
+		cp -a /etc/bind ${CHROOT}/etc/ || die
+		cp -a /var/bind ${CHROOT}/var/ || die
+	fi
+
+	if [[ "${CHROOT_GEOIP:-0}" -eq 1 ]]; then
+		if use geoip; then
+			mkdir -m 0755 -p ${CHROOT}/usr/share/GeoIP || die
+		elif use geoip2; then
+			mkdir -m 0755 -p ${CHROOT}/usr/share/GeoIP2 || die
+		fi
+	fi
+
+	elog "You may need to add the following line to your syslog-ng.conf:"
+	elog "source jail { unix-stream(\"${CHROOT}/dev/log\"); };"
 }

net-dns/bind/files/named.conf-r8

@@ -0,0 +1,166 @@
+/*
+ * Refer to the named.conf(5) and named(8) man pages, and the documentation
+ * in /usr/share/doc/bind-* for more details.
+ * Online versions of the documentation can be found here:
+ * https://kb.isc.org/article/AA-01031
+ *
+ * If you are going to set up an authoritative server, make sure you
+ * understand the hairy details of how DNS works. Even with simple mistakes,
+ * you can break connectivity for affected parties, or cause huge amounts of
+ * useless Internet traffic.
+ */
+
+acl "xfer" {
+	/* Deny transfers by default except for the listed hosts.
+	 * If we have other name servers, place them here.
+	 */
+	none;
+};
+
+/*
+ * You might put in here some ips which are allowed to use the cache or
+ * recursive queries
+ */
+acl "trusted" {
+	127.0.0.0/8;
+	::1/128;
+};
+
+options {
+	directory "/var/bind";
+	pid-file "/run/named/named.pid";
+
+	/* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
+	//bindkeys-file "/etc/bind/bind.keys";
+
+	listen-on-v6 { ::1; };
+	listen-on { 127.0.0.1; };
+
+	allow-query {
+		/*
+		 * Accept queries from our "trusted" ACL.  We will
+		 * allow anyone to query our master zones below.
+		 * This prevents us from becoming a free DNS server
+		 * to the masses.
+		 */
+		trusted;
+	};
+
+	allow-query-cache {
+		/* Use the cache for the "trusted" ACL. */
+		trusted;
+	};
+
+	allow-recursion {
+		/* Only trusted addresses are allowed to use recursion. */
+		trusted;
+	};
+
+	allow-transfer {
+		/* Zone tranfers are denied by default. */
+		none;
+	};
+
+	allow-update {
+		/* Don't allow updates, e.g. via nsupdate. */
+		none;
+	};
+
+	/*
+	* If you've got a DNS server around at your upstream provider, enter its
+	* IP address here, and enable the line below. This will make you benefit
+	* from its cache, thus reduce overall DNS traffic in the Internet.
+	*
+	* Uncomment the following lines to turn on DNS forwarding, and change
+	*  and/or update the forwarding ip address(es):
+	*/
+/*
+	forward first;
+	forwarders {
+	//	123.123.123.123;	// Your ISP NS
+	//	124.124.124.124;	// Your ISP NS
+	//	4.2.2.1;		// Level3 Public DNS
+	//	4.2.2.2;		// Level3 Public DNS
+		8.8.8.8;		// Google Open DNS
+		8.8.4.4;		// Google Open DNS
+	};
+
+*/
+
+	dnssec-enable yes;
+	//dnssec-validation yes;
+
+	/*
+	 * As of bind 9.8.0:
+	 * "If the root key provided has expired,
+	 * named will log the expiration and validation will not work."
+	 */
+	dnssec-validation auto;
+
+	/* if you have problems and are behind a firewall: */
+	//query-source address * port 53;
+};
+
+/*
+logging {
+	channel default_log {
+		file "/var/log/named/named.log" versions 5 size 50M;
+		print-time yes;
+		print-severity yes;
+		print-category yes;
+	};
+
+	category default { default_log; };
+	category general { default_log; };
+};
+*/
+
+include "/etc/bind/rndc.key";
+controls {
+	inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
+};
+
+zone "." in {
+	type hint;
+	file "/var/bind/named.cache";
+};
+
+zone "localhost" IN {
+	type master;
+	file "pri/localhost.zone";
+	notify no;
+};
+
+/*
+ * Briefly, a zone which has been declared delegation-only will be effectively
+ * limited to containing NS RRs for subdomains, but no actual data beyond its
+ * own apex (for example, its SOA RR and apex NS RRset). This can be used to
+ * filter out "wildcard" or "synthesized" data from NAT boxes or from
+ * authoritative name servers whose undelegated (in-zone) data is of no
+ * interest.
+ * See http://www.isc.org/software/bind/delegation-only for more info
+ */
+
+//zone "COM" { type delegation-only; };
+//zone "NET" { type delegation-only; };
+
+//zone "YOUR-DOMAIN.TLD" {
+//	type master;
+//	file "/var/bind/pri/YOUR-DOMAIN.TLD.zone";
+//	allow-query { any; };
+//	allow-transfer { xfer; };
+//};
+
+//zone "YOUR-SLAVE.TLD" {
+//	type slave;
+//	file "/var/bind/sec/YOUR-SLAVE.TLD.zone";
+//	masters { <MASTER>; };
+
+	/* Anybody is allowed to query but transfer should be controlled by the master. */
+//	allow-query { any; };
+//	allow-transfer { none; };
+
+	/* The master should be the only one who notifies the slaves, shouldn't it? */
+//	allow-notify { <MASTER>; };
+//	notify no;
+//};

net-dns/bind/files/named.conf.auth

@@ -3,7 +3,7 @@
 //};
 
 options {
-	directory "/var/bind";
+	directory "/var/cache/bind";
 	pid-file "/run/named/named.pid";
 
 	listen-on { 127.0.0.1; };

net-dns/bind/files/named.confd-r8

@@ -9,6 +9,28 @@ NAMED_CONF="/etc/bind/named.conf"
 # Leave this unchanged if you want bind to automatically detect the number
 #CPU="1"
 
+# If you wish to run bind in a chroot:
+# 1) un-comment the CHROOT= assignment, below. You may use
+#    a different chroot directory but MAKE SURE it's empty.
+# 2) run: emerge --config =<bind-version>
+#
+#CHROOT="/chroot/dns"
+
+# Uncomment to enable binmount of /usr/share/GeoIP
+#CHROOT_GEOIP="1"
+
+# Uncomment the line below to avoid that the init script mounts the needed paths
+# into the chroot directory.
+# You have to copy all needed config files by hand if you say CHROOT_NOMOUNT="1".
+#CHROOT_NOMOUNT="1"
+
+# Uncomment this option if you have setup your own chroot environment and you
+# don't want/need the chroot consistency check
+#CHROOT_NOCHECK=1
+
+# Default pid file location
+# use named.conf to specify pid-file location
+
 # Scheduling priority: 19 is the lowest and -20 is the highest.
 # Default: 0
 #NAMED_NICELEVEL="0"

net-dns/bind/files/named.init-r15

@@ -11,13 +11,83 @@ depend() {
 	provide dns
 }
 
-NAMED_CONF=${NAMED_CONF:-/etc/bind/named.conf}
+NAMED_CONF=${NAMED_CONF:-${CHROOT}/etc/bind/named.conf}
+
+OPENSSL_LIBGOST=${OPENSSL_LIBGOST:-0}
+MOUNT_CHECK_TIMEOUT=${MOUNT_CHECK_TIMEOUT:-60}
+
+_mount() {
+	local from
+	local to
+	local opts
+	local ret=0
+
+	if [ "${#}" -lt 3 ]; then
+		eerror "_mount(): to few arguments"
+		return 1
+	fi
+
+	from=$1
+	to=$2
+	shift 2
+
+	opts="${*}"
+	shift $#
+
+	if [ -z "$(awk "\$2 == \"${to}\" { print \$2 }" /proc/mounts)" ]; then
+		einfo "mounting ${from} to ${to}"
+		mount ${from} ${to} ${opts}
+		ret=$?
+
+		eend $ret
+		return $ret
+	fi
+
+	return 0
+}
+
+_umount() {
+	local dir=$1
+	local ret=0
+
+	if [ -n "$(awk "\$2 == \"${dir}\" { print \$2 }" /proc/mounts)" ]; then
+		ebegin "umounting ${dir}"
+		umount ${dir}
+		ret=$?
+
+		eend $ret
+		return $ret
+	fi
+
+	return 0
+}
 
 _get_pidfile() {
 	# as suggested in bug #107724, bug 335398#c17
-	[ -n "${PIDFILE}" ] || PIDFILE=$(\
-			/usr/bin/named-checkconf -p ${NAMED_CONF} | grep 'pid-file' | cut -d\" -f2)
-	[ -z "${PIDFILE}" ] && PIDFILE="/run/named/named.pid"
+	[ -n "${PIDFILE}" ] || PIDFILE=${CHROOT}$(\
+			/usr/sbin/named-checkconf -p ${CHROOT:+-t} ${CHROOT} ${NAMED_CONF#${CHROOT}} | grep 'pid-file' | cut -d\" -f2)
+	[ -z "${PIDFILE}" ] && PIDFILE=${CHROOT}/run/named/named.pid
+}
+
+check_chroot() {
+	if [ -n "${CHROOT}" ]; then
+		[ ! -d "${CHROOT}" ] && return 1
+		[ ! -d "${CHROOT}/dev" ] || [ ! -d "${CHROOT}/etc" ] || [ ! -d "${CHROOT}/var" ] && return 1
+		[ ! -d "${CHROOT}/run" ] || [ ! -d "${CHROOT}/var/log" ] && return 1
+		[ ! -d "${CHROOT}/etc/bind" ] || [ ! -d "${CHROOT}/var/bind" ] && return 1
+		[ ! -d "${CHROOT}/var/log/named" ] && return 1
+		[ ! -c "${CHROOT}/dev/null" ] || [ ! -c "${CHROOT}/dev/zero" ] && return 1
+		[ "${CHROOT_GEOIP:-0}" -eq 1 ] && [ ! -d "${CHROOT}/usr/share/GeoIP" ] && return 1
+		if [ ${OPENSSL_LIBGOST:-0} -eq 1 ]; then
+			if [ -d "/usr/lib64" ]; then
+				[ ! -d "${CHROOT}/usr/lib64/engines" ] && return 1
+			elif [ -d "/usr/lib" ]; then
+				[ ! -d "${CHROOT}/usr/lib/engines" ] && return 1
+			fi
+		fi
+	fi
+
+	return 0
 }
 
 checkconfig() {
@@ -27,23 +97,65 @@ checkconfig() {
 		eerror "No ${NAMED_CONF} file exists!"
 		return 1
 	fi
-	/usr/bin/named-checkconf ${NAMED_CONF} || {
+
+	/usr/sbin/named-checkconf ${CHROOT:+-t} ${CHROOT} ${NAMED_CONF#${CHROOT}} || {
 		eerror "named-checkconf failed! Please fix your config first."
 		return 1
 	}
+
 	eend 0
+	return 0
 }
 
 checkzones() {
 	ebegin "Checking named configuration and zones"
-	/usr/bin/named-checkconf -z ${NAMED_CONF}
+	/usr/sbin/named-checkconf -z -j ${CHROOT:+-t} ${CHROOT} ${NAMED_CONF#${CHROOT}}
 	eend $?
 }
 
 start() {
 	local piddir
 
-	ebegin "Starting named"
+	ebegin "Starting ${CHROOT:+chrooted }named"
+
+	if [ -n "${CHROOT}" ]; then
+		if [ ${CHROOT_NOCHECK:-0} -eq 0 ]; then
+			check_chroot || {
+				eend 1
+				eerror "Your chroot dir ${CHROOT} is inconsistent, please run 'emerge --config net-dns/bind' first"
+				return 1
+			}
+		fi
+
+		if [ ${OPENSSL_LIBGOST:-0} -eq 1 ]; then
+			if [ ! -e /usr/lib/engines/libgost.so ]; then
+				eend 1
+				eerror "Couldn't find /usr/lib/engines/libgost.so but bind has been built with openssl and libgost support"
+				return 1
+			fi
+			cp -Lp /usr/lib/engines/libgost.so "${CHROOT}/usr/lib/engines/libgost.so" || {
+				eend 1
+				eerror "Couldn't copy /usr/lib/engines/libgost.so into '${CHROOT}/usr/lib/engines/'"
+				return 1
+			}
+		fi
+		cp -Lp /etc/localtime "${CHROOT}/etc/localtime"
+
+		if [ "${CHROOT_NOMOUNT:-0}" -eq 0 ]; then
+			einfo "Mounting chroot dirs"
+			_mount /etc/bind ${CHROOT}/etc/bind -o bind
+			_mount /var/bind ${CHROOT}/var/bind -o bind
+			_mount /var/log/named ${CHROOT}/var/log/named -o bind
+			if [ "${CHROOT_GEOIP:-0}" -eq 1 ]; then
+				_mount /usr/share/GeoIP ${CHROOT}/usr/share/GeoIP -o bind
+			fi
+		fi
+
+		# On initial startup, if piddir inside the chroot /var/run/named
+		# Then the .../var/run part might not exist yet
+		checkpath -q -d -o root:root -m 0755 "${piddir}/.."
+	fi
+
 	checkconfig || { eend 1; return 1; }
 
 	# create piddir (usually /run/named) if necessary, bug 334535
@@ -63,16 +175,56 @@ start() {
 	start-stop-daemon --start --pidfile ${PIDFILE} \
 		--nicelevel ${NAMED_NICELEVEL:-0} \
 		--exec /usr/sbin/named \
-		-- -u named -c ${NAMED_CONF} ${CPU} ${OPTIONS}
+		-- -u named ${CPU} ${OPTIONS} ${CHROOT:+-t} ${CHROOT}
 	eend $?
 }
 
 stop() {
-	ebegin "Stopping named"
+	local reported=0
+
+	ebegin "Stopping ${CHROOT:+chrooted }named"
+
+	# Workaround for now, until openrc's restart has been fixed.
+	# openrc doesn't care about a restart() function in init scripts.
+	if [ "${RC_CMD}" = "restart" ]; then
+		if [ -n "${CHROOT}" -a ${CHROOT_NOCHECK:-0} -eq 0 ]; then
+			check_chroot || {
+				eend 1
+				eerror "Your chroot dir ${CHROOT} is inconsistent, please run 'emerge --config net-dns/bind' first"
+				return 1
+			}
+		fi
+
+		checkconfig || { eend 1; return 1; }
+	fi
+
 	# -R 10, bug 335398
 	_get_pidfile
 	start-stop-daemon --stop --retry 10 --pidfile $PIDFILE \
 		--exec /usr/sbin/named
+
+	if [ -n "${CHROOT}" ] && [ "${CHROOT_NOMOUNT:-0}" -eq 0 ]; then
+		ebegin "Umounting chroot dirs"
+
+		# just to be sure everything gets clean
+		while fuser -s ${CHROOT} 2>/dev/null; do
+			if [ "${reported}" -eq 0 ]; then
+				einfo "Waiting until all named processes are stopped (max. ${MOUNT_CHECK_TIMEOUT} seconds)"
+			elif [ "${reported}" -eq "${MOUNT_CHECK_TIMEOUT}" ]; then
+				eerror "Waiting until all named processes are stopped failed!"
+				eend 1
+				break
+			fi
+			sleep 1
+			reported=$((reported+1))
+		done
+
+		[ "${CHROOT_GEOIP:-0}" -eq 1 ] && _umount ${CHROOT}/usr/share/GeoIP
+		_umount ${CHROOT}/etc/bind
+		_umount ${CHROOT}/var/log/named
+		_umount ${CHROOT}/var/bind
+	fi
+
 	eend $?
 }
 

net-dns/bind/metadata.xml

@@ -16,4 +16,4 @@
 		<flag name="json">Enable JSON statistics channel</flag>
 		<flag name="lmdb">Enable LMDB support to store configuration for 'addzone' zones</flag>
 	</use>
-</pkgmetadata>
+</pkgmetadata>