SecBSD's official ports repository

net/isc-bind/Makefile

@@ -0,0 +1,93 @@
+COMMENT=	Berkeley Internet Name Daemon: DNS server and tools
+
+# Second digits: odd numbers devel, even numbers stable,
+# ESV branched occasionally.  9.18.x is ESV.
+V=		9.18.17
+SUBST_VARS+=	V
+PORTROACH=	limitw:1,even
+EXTRACT_SUFX=	.tar.xz
+EPOCH=		3
+PATCH_DIST_STRIP= -p1
+
+DISTNAME=	bind-$V
+PKGNAME=	isc-bind-${V:S/-P/pl/}
+
+CATEGORIES=	net
+
+HOMEPAGE=	https://www.isc.org/bind/
+
+MAINTAINER=	Stuart Henderson <stu.ports@spacehopper.org>
+
+# MPL 2.0
+PERMIT_PACKAGE=	Yes
+
+WANTLIB += c crypto execinfo iconv idn2 json-c lzma m nghttp2
+WANTLIB += pthread ssl unistring uv xml2 z
+
+FLAVORS=	geoip
+FLAVOR?=
+
+MASTER_SITES=	${MASTER_SITE_ISC:=bind9/$V/}
+MASTER_SITES0=	${MASTER_SITE_ISC:=bind9/$V/patches/}
+
+MODULES=	lang/python
+# used for dnssec-checkds/dnssec-coverage, but don't want to force the run dep.
+MODPY_RUNDEP=	No
+BUILD_DEPENDS=	textproc/py-sphinx${MODPY_FLAVOR}
+LIB_DEPENDS=	converters/libiconv \
+		devel/json-c \
+		devel/libidn2 \
+		devel/libuv \
+		textproc/libxml \
+		www/nghttp2
+
+DEBUG_PACKAGES=	${BUILD_PACKAGES}
+CONFIGURE_STYLE= gnu
+USE_GMAKE=	Yes
+LIBTOOL_FLAGS=	--tag=disable-static
+CONFIGURE_ARGS=	--enable-full-report \
+		--with-libtool \
+		--with-libidn2 \
+		--without-lmdb \
+		--without-readline \
+		--without-cmocka \
+		--without-gssapi \
+		--with-python=${MODPY_BIN}
+FAKE_FLAGS=	sysconfdir=${PREFIX}/share/examples/bind9
+
+COMPILER=	base-clang ports-gcc
+COMPILER_LANGS=	c
+
+.if ${MACHINE_ARCH:Mhppa}
+WANTLIB +=	atomic
+LIB_DEPENDS +=	${MODGCC4_CPPLIBDEP}
+MAKE_FLAGS +=	LDFLAGS="${LDFLAGS} -latomic"
+.endif
+
+.if ${FLAVOR:Mgeoip}
+LIB_DEPENDS+=	net/libmaxminddb
+WANTLIB+=	maxminddb
+.else
+CONFIGURE_ARGS+= --disable-geoip
+.endif
+
+# not strictly speaking interactive, but it configures temporary addresses on
+# lo0 as root, so let's try and avoid running it unintentionally
+TEST_IS_INTERACTIVE= Yes
+
+pre-test:
+	@echo '*** tests still need more work in the port - server processes not starting'
+	cd ${WRKSRC}/bin/tests/system && ${SUDO} ./ifconfig.sh up
+
+post-test:
+	cd ${WRKSRC}/bin/tests/system && ${SUDO} ./ifconfig.sh down
+
+# symlinks to make it easier to use newer dig/etc if /usr/bin is ahead of
+# /usr/local/bin in the path:
+post-install:
+.for i in dig nslookup host
+	ln -fs $i ${PREFIX}/bin/e$i; ln -fs $i.1 ${PREFIX}/man/man1/e$i.1
+.endfor
+	${INSTALL_DATA} ${FILESDIR}/named.conf ${PREFIX}/share/examples/bind9/
+
+.include <bsd.port.mk>

net/isc-bind/distinfo

@@ -0,0 +1,2 @@
+SHA256 (bind-9.18.17.tar.xz) = veHFAXuB0decaeuPU38uUDL9NiOs3V7oMNT3S8JINFg=
+SIZE (bind-9.18.17.tar.xz) = 5471560

net/isc-bind/files/named.conf

@@ -0,0 +1,21 @@
+// Example file for a simple configuration of BIND, processing only
+// recursive queries.  Consult BIND's Administration and Reference Manual
+// for more information.
+
+acl clients {
+	localnets;
+	::1;
+};
+
+options {
+	directory "/tmp";	// working directory, inside the /var/named chroot
+				// - must be writable by _bind
+	version "";		// remove this to allow version queries
+
+	listen-on    { any; };
+	listen-on-v6 { any; };
+
+	empty-zones-enable yes;
+
+	allow-recursion { clients; };
+};

net/isc-bind/patches/patch-bin_dig_dig_c

@@ -0,0 +1,52 @@
+Patch to use pledge on OpenBSD.
+locale is needed for idn2.
+
+Index: bin/dig/dig.c
+--- bin/dig/dig.c.orig
++++ bin/dig/dig.c
+@@ -18,6 +18,7 @@
+ #include <stdbool.h>
+ #include <stdlib.h>
+ #include <time.h>
++#include <unistd.h>
+ 
+ #include <isc/app.h>
+ #include <isc/attributes.h>
+@@ -3023,6 +3024,15 @@ dig_setup(int argc, char **argv) {
+ 	ISC_LIST_INIT(server_list);
+ 	ISC_LIST_INIT(search_list);
+ 
++	/*
++	 * unix: needed for startup check, isc_net_probeunix.
++	 * (unix sockets used in controlconf).
++	 */
++	if (pledge("stdio rpath inet unix dns unveil", NULL) == -1) {
++		perror("pledge");
++		exit(1);
++	}
++
+ 	debug("dig_setup()");
+ 
+ 	/* setup dighost callbacks */
+@@ -3054,6 +3064,21 @@ dig_query_setup(bool is_batchfile, bool config_only, i
+ 	} else if (keysecret[0] != 0) {
+ 		setup_text_key();
+ 	}
++
++	if (unveil("/usr/share/locale", "r") == -1) {
++		perror("unveil /usr/share/locale");
++		exit(1);
++	}
++	/*
++	 * dns:   resolv.conf, also allows port 53 sockets
++	 * inet:  needed if we query on port != 53
++	 * rpath: locale
++	 */
++	if (pledge("stdio rpath inet dns", NULL) == -1) {
++		perror("pledge");
++		exit(1);
++	}
++
+ 	if (domainopt[0] != '\0') {
+ 		set_search_domain(domainopt);
+ 		usesearch = true;

net/isc-bind/patches/patch-bin_dig_host_c

@@ -0,0 +1,52 @@
+Patch to use pledge on OpenBSD.
+locale is needed for idn2.
+
+Index: bin/dig/host.c
+--- bin/dig/host.c.orig
++++ bin/dig/host.c
+@@ -18,6 +18,7 @@
+ #include <locale.h>
+ #include <stdbool.h>
+ #include <stdlib.h>
++#include <unistd.h>
+ 
+ #include <isc/app.h>
+ #include <isc/attributes.h>
+@@ -908,6 +909,15 @@ main(int argc, char **argv) {
+ 	dighost_trying = trying;
+ 	dighost_shutdown = host_shutdown;
+ 
++	/*
++	 * unix: needed for startup check, isc_net_probeunix.
++	 * (unix sockets used in controlconf).
++	 */
++	if (pledge("stdio rpath inet unix dns unveil", NULL) == -1) {
++		perror("pledge");
++		exit(1);
++	}
++
+ 	debug("main()");
+ 	progname = argv[0];
+ 	pre_parse_args(argc, argv);
+@@ -921,6 +931,21 @@ main(int argc, char **argv) {
+ 	} else if (keysecret[0] != 0) {
+ 		setup_text_key();
+ 	}
++
++	if (unveil("/usr/share/locale", "r") == -1) {
++		perror("unveil /usr/share/locale");
++		exit(1);
++	}
++	/*
++	 * dns:   resolv.conf, also allows port 53 sockets
++	 * inet:  needed if we query on port != 53
++	 * rpath: locale
++	 */
++	if (pledge("stdio rpath inet dns", NULL) == -1) {
++		perror("pledge");
++		exit(1);
++	}
++
+ 	result = isc_app_onrun(mctx, global_task, onrun_callback, NULL);
+ 	check_result(result, "isc_app_onrun");
+ 	isc_app_run();

net/isc-bind/patches/patch-bin_dig_nslookup_c

@@ -0,0 +1,44 @@
+Patch to use pledge on OpenBSD.
+locale is needed for idn2.
+
+Index: bin/dig/nslookup.c
+--- bin/dig/nslookup.c.orig
++++ bin/dig/nslookup.c
+@@ -941,6 +941,15 @@ main(int argc, char **argv) {
+ 	result = isc_app_start();
+ 	check_result(result, "isc_app_start");
+ 
++	/*
++	 * unix: needed for startup check, isc_net_probeunix.
++	 * (unix sockets used in controlconf).
++	 */
++	if (pledge("stdio rpath inet unix dns unveil", NULL) == -1) {
++		perror("pledge");
++		exit(1);
++	}
++
+ 	setup_libs();
+ 	progname = argv[0];
+ 
+@@ -951,6 +960,21 @@ main(int argc, char **argv) {
+ 	} else if (keysecret[0] != 0) {
+ 		setup_text_key();
+ 	}
++
++	if (unveil("/usr/share/locale", "r") == -1) {
++		perror("unveil /usr/share/locale");
++		exit(1);
++	}
++	/*
++	 * dns:   resolv.conf, also allows port 53 sockets
++	 * inet:  needed if we query on port != 53
++	 * rpath: locale
++	 */
++	if (pledge("stdio rpath inet dns", NULL) == -1) {
++		perror("pledge");
++		exit(1);
++	}
++
+ 	if (domainopt[0] != '\0') {
+ 		set_search_domain(domainopt);
+ 	}

net/isc-bind/patches/patch-bin_named_include_named_globals_h

@@ -0,0 +1,12 @@
+Index: bin/named/include/named/globals.h
+--- bin/named/include/named/globals.h.orig
++++ bin/named/include/named/globals.h
+@@ -138,7 +138,7 @@ EXTERN const char *named_g_defaultpidfile INIT(NAMED_L
+ 								   "named.pid");
+ #endif /* if NAMED_RUN_PID_DIR */
+ 
+-EXTERN const char *named_g_username INIT(NULL);
++EXTERN const char *named_g_username INIT("_bind");
+ 
+ EXTERN const char *named_g_engine INIT(NULL);
+ 

net/isc-bind/patches/patch-lib_isc_net_c

@@ -0,0 +1,19 @@
+Patch to use pledge on OpenBSD.
+
+Index: lib/isc/net.c
+--- lib/isc/net.c.orig
++++ lib/isc/net.c
+@@ -216,6 +216,13 @@ isc_net_probeunix(void) {
+ 
+ static void
+ try_ipv6only(void) {
++#ifdef __OpenBSD__
++/*
++ * pledge doesn't allow setting IPV6_V6ONLY, but that's ok,
++ * IPV6_V6ONLY is always enabled on OpenBSD;
++ */
++#undef IPV6_V6ONLY
++#endif
+ #ifdef IPV6_V6ONLY
+ 	int s, on;
+ #endif /* ifdef IPV6_V6ONLY */

net/isc-bind/patches/patch-lib_isc_netmgr_netmgr_c

@@ -0,0 +1,42 @@
+Patch to use pledge on OpenBSD.
+
+Index: lib/isc/netmgr/netmgr.c
+--- lib/isc/netmgr/netmgr.c.orig
++++ lib/isc/netmgr/netmgr.c
+@@ -3295,7 +3295,8 @@ isc__nm_socket_disable_pmtud(uv_os_sock_t fd, sa_famil
+ 	 * Disable the Path MTU Discovery on IP packets
+ 	 */
+ 	if (sa_family == AF_INET6) {
+-#if defined(IPV6_DONTFRAG)
++/* disabled for pledge */
++#if !defined(__OpenBSD__) && defined(IPV6_DONTFRAG)
+ 		if (setsockopt_off(fd, IPPROTO_IPV6, IPV6_DONTFRAG) == -1) {
+ 			return (ISC_R_FAILURE);
+ 		} else {
+@@ -3313,7 +3314,12 @@ isc__nm_socket_disable_pmtud(uv_os_sock_t fd, sa_famil
+ 		UNUSED(fd);
+ #endif
+ 	} else if (sa_family == AF_INET) {
+-#if defined(IP_DONTFRAG)
++/*
++   OpenBSD doesn't have this yet but if we do get it sometime,
++   it will probably need the same pledge handling as IPV6_DONTFRAG
++   above
++ */
++#if !defined(__OpenBSD__) && defined(IP_DONTFRAG)
+ 		if (setsockopt_off(fd, IPPROTO_IP, IP_DONTFRAG) == -1) {
+ 			return (ISC_R_FAILURE);
+ 		} else {
+@@ -3343,7 +3349,11 @@ isc__nm_socket_v6only(uv_os_sock_t fd, sa_family_t sa_
+ 	 * Enable the IPv6-only option on IPv6 sockets
+ 	 */
+ 	if (sa_family == AF_INET6) {
+-#if defined(IPV6_V6ONLY)
++/*
++ * pledge doesn't allow setting IPV6_V6ONLY, but that's ok,
++ * IPV6_V6ONLY is always enabled on OpenBSD
++ */
++#if !defined(__OpenBSD__) && defined(IPV6_V6ONLY)
+ 		if (setsockopt_on(fd, IPPROTO_IPV6, IPV6_V6ONLY) == -1) {
+ 			return (ISC_R_FAILURE);
+ 		} else {

net/isc-bind/pkg/DESCR

@@ -0,0 +1,10 @@
+BIND is open source software that implements the Domain Name System
+(DNS) protocols for the Internet. It is a reference implementation
+of those protocols, but it is also production-grade software,
+suitable for use in high-volume and high-reliability applications.
+
+The BIND 9 Administrator Reference Manual is available online at
+https://bind9.readthedocs.io/.
+
+Flavours:
+	geoip - include support for geolocation using GeoIP2 (libmaxminddb)

net/isc-bind/pkg/PLIST

@@ -0,0 +1,344 @@
+@pkgpath net/isc-bind,ratelimit
+@newgroup _bind:741
+@newuser _bind:741:_bind::bind user:/nonexistent:/sbin/nologin
+@extra ${SYSCONFDIR}/rndc.key
+@extra ${LOCALSTATEDIR}/named/etc/rndc.key
+@rcscript ${RCDIR}/isc_named
+@bin bin/arpaname
+@bin bin/delv
+@bin bin/dig
+@bin bin/dnssec-cds
+@bin bin/dnssec-dsfromkey
+@bin bin/dnssec-importkey
+@bin bin/dnssec-keyfromlabel
+@bin bin/dnssec-keygen
+@bin bin/dnssec-revoke
+@bin bin/dnssec-settime
+@bin bin/dnssec-signzone
+@bin bin/dnssec-verify
+bin/edig
+bin/ehost
+bin/enslookup
+@bin bin/host
+@bin bin/mdig
+@bin bin/named-checkconf
+@bin bin/named-checkzone
+@bin bin/named-compilezone
+@bin bin/named-journalprint
+@bin bin/named-rrchecker
+@bin bin/nsec3hash
+@bin bin/nslookup
+@bin bin/nsupdate
+include/bind9/
+include/bind9/check.h
+include/bind9/getaddresses.h
+include/dns/
+include/dns/acl.h
+include/dns/adb.h
+include/dns/badcache.h
+include/dns/bit.h
+include/dns/byaddr.h
+include/dns/cache.h
+include/dns/callbacks.h
+include/dns/catz.h
+include/dns/cert.h
+include/dns/client.h
+include/dns/clientinfo.h
+include/dns/compress.h
+include/dns/db.h
+include/dns/dbiterator.h
+include/dns/diff.h
+include/dns/dispatch.h
+include/dns/dlz.h
+include/dns/dlz_dlopen.h
+include/dns/dns64.h
+include/dns/dnsrps.h
+include/dns/dnssec.h
+include/dns/dnstap.h
+include/dns/ds.h
+include/dns/dsdigest.h
+include/dns/dyndb.h
+include/dns/ecs.h
+include/dns/edns.h
+include/dns/enumclass.h
+include/dns/enumtype.h
+include/dns/events.h
+include/dns/fixedname.h
+include/dns/forward.h
+include/dns/geoip.h
+include/dns/ipkeylist.h
+include/dns/iptable.h
+include/dns/journal.h
+include/dns/kasp.h
+include/dns/keydata.h
+include/dns/keyflags.h
+include/dns/keymgr.h
+include/dns/keytable.h
+include/dns/keyvalues.h
+include/dns/librpz.h
+include/dns/log.h
+include/dns/lookup.h
+include/dns/master.h
+include/dns/masterdump.h
+include/dns/message.h
+include/dns/name.h
+include/dns/ncache.h
+include/dns/nsec.h
+include/dns/nsec3.h
+include/dns/nta.h
+include/dns/opcode.h
+include/dns/order.h
+include/dns/peer.h
+include/dns/private.h
+include/dns/rbt.h
+include/dns/rcode.h
+include/dns/rdata.h
+include/dns/rdataclass.h
+include/dns/rdatalist.h
+include/dns/rdataset.h
+include/dns/rdatasetiter.h
+include/dns/rdataslab.h
+include/dns/rdatastruct.h
+include/dns/rdatatype.h
+include/dns/request.h
+include/dns/resolver.h
+include/dns/result.h
+include/dns/rootns.h
+include/dns/rpz.h
+include/dns/rriterator.h
+include/dns/rrl.h
+include/dns/sdb.h
+include/dns/sdlz.h
+include/dns/secalg.h
+include/dns/secproto.h
+include/dns/soa.h
+include/dns/ssu.h
+include/dns/stats.h
+include/dns/time.h
+include/dns/tkey.h
+include/dns/transport.h
+include/dns/tsec.h
+include/dns/tsig.h
+include/dns/ttl.h
+include/dns/types.h
+include/dns/update.h
+include/dns/validator.h
+include/dns/view.h
+include/dns/xfrin.h
+include/dns/zone.h
+include/dns/zonekey.h
+include/dns/zoneverify.h
+include/dns/zt.h
+include/dst/
+include/dst/dst.h
+include/dst/gssapi.h
+include/irs/
+include/irs/resconf.h
+include/isc/
+include/isc/aes.h
+include/isc/align.h
+include/isc/app.h
+include/isc/assertions.h
+include/isc/astack.h
+include/isc/atomic.h
+include/isc/attributes.h
+include/isc/backtrace.h
+include/isc/barrier.h
+include/isc/base32.h
+include/isc/base64.h
+include/isc/buffer.h
+include/isc/cmocka.h
+include/isc/commandline.h
+include/isc/condition.h
+include/isc/counter.h
+include/isc/crc64.h
+include/isc/deprecated.h
+include/isc/dir.h
+include/isc/endian.h
+include/isc/errno.h
+include/isc/error.h
+include/isc/event.h
+include/isc/eventclass.h
+include/isc/file.h
+include/isc/formatcheck.h
+include/isc/fuzz.h
+include/isc/glob.h
+include/isc/hash.h
+include/isc/heap.h
+include/isc/hex.h
+include/isc/hmac.h
+include/isc/ht.h
+include/isc/httpd.h
+include/isc/interfaceiter.h
+include/isc/iterated_hash.h
+include/isc/lang.h
+include/isc/lex.h
+include/isc/list.h
+include/isc/log.h
+include/isc/magic.h
+include/isc/managers.h
+include/isc/md.h
+include/isc/mem.h
+include/isc/meminfo.h
+include/isc/mutex.h
+include/isc/mutexblock.h
+include/isc/net.h
+include/isc/netaddr.h
+include/isc/netdb.h
+include/isc/netmgr.h
+include/isc/netscope.h
+include/isc/nonce.h
+include/isc/offset.h
+include/isc/once.h
+include/isc/os.h
+include/isc/parseint.h
+include/isc/pool.h
+include/isc/portset.h
+include/isc/print.h
+include/isc/quota.h
+include/isc/radix.h
+include/isc/random.h
+include/isc/ratelimiter.h
+include/isc/refcount.h
+include/isc/regex.h
+include/isc/region.h
+include/isc/resource.h
+include/isc/result.h
+include/isc/rwlock.h
+include/isc/safe.h
+include/isc/serial.h
+include/isc/siphash.h
+include/isc/sockaddr.h
+include/isc/stat.h
+include/isc/stats.h
+include/isc/stdatomic.h
+include/isc/stdio.h
+include/isc/stdtime.h
+include/isc/strerr.h
+include/isc/string.h
+include/isc/symtab.h
+include/isc/syslog.h
+include/isc/task.h
+include/isc/taskpool.h
+include/isc/thread.h
+include/isc/time.h
+include/isc/timer.h
+include/isc/tls.h
+include/isc/tm.h
+include/isc/types.h
+include/isc/url.h
+include/isc/utf8.h
+include/isc/util.h
+include/isccc/
+include/isccc/alist.h
+include/isccc/base64.h
+include/isccc/cc.h
+include/isccc/ccmsg.h
+include/isccc/events.h
+include/isccc/sexpr.h
+include/isccc/symtab.h
+include/isccc/symtype.h
+include/isccc/types.h
+include/isccc/util.h
+include/isccfg/
+include/isccfg/aclconf.h
+include/isccfg/cfg.h
+include/isccfg/duration.h
+include/isccfg/grammar.h
+include/isccfg/kaspconf.h
+include/isccfg/log.h
+include/isccfg/namedconf.h
+include/ns/
+include/ns/client.h
+include/ns/events.h
+include/ns/hooks.h
+include/ns/interfacemgr.h
+include/ns/listenlist.h
+include/ns/log.h
+include/ns/notify.h
+include/ns/query.h
+include/ns/server.h
+include/ns/sortlist.h
+include/ns/stats.h
+include/ns/types.h
+include/ns/update.h
+include/ns/xfrout.h
+lib/bind/
+lib/bind/filter-a.la
+@so lib/bind/filter-a.so
+lib/bind/filter-aaaa.la
+@so lib/bind/filter-aaaa.so
+@so lib/libbind9-${V}.so
+lib/libbind9.la
+@so lib/libbind9.so
+@so lib/libdns-${V}.so
+lib/libdns.la
+@so lib/libdns.so
+@so lib/libirs-${V}.so
+lib/libirs.la
+@so lib/libirs.so
+@so lib/libisc-${V}.so
+lib/libisc.la
+@so lib/libisc.so
+@so lib/libisccc-${V}.so
+lib/libisccc.la
+@so lib/libisccc.so
+@so lib/libisccfg-${V}.so
+lib/libisccfg.la
+@so lib/libisccfg.so
+@so lib/libns-${V}.so
+lib/libns.la
+@so lib/libns.so
+@man man/man1/arpaname.1
+@man man/man1/delv.1
+@man man/man1/dig.1
+@man man/man1/dnssec-cds.1
+@man man/man1/dnssec-dsfromkey.1
+@man man/man1/dnssec-importkey.1
+@man man/man1/dnssec-keyfromlabel.1
+@man man/man1/dnssec-keygen.1
+@man man/man1/dnssec-revoke.1
+@man man/man1/dnssec-settime.1
+@man man/man1/dnssec-signzone.1
+@man man/man1/dnssec-verify.1
+@man man/man1/edig.1
+@man man/man1/ehost.1
+@man man/man1/enslookup.1
+@man man/man1/host.1
+@man man/man1/mdig.1
+@man man/man1/named-checkconf.1
+@man man/man1/named-checkzone.1
+@man man/man1/named-compilezone.1
+@man man/man1/named-journalprint.1
+@man man/man1/named-rrchecker.1
+@man man/man1/nsec3hash.1
+@man man/man1/nslookup.1
+@man man/man1/nsupdate.1
+@man man/man5/named.conf.5
+@man man/man5/rndc.conf.5
+@man man/man8/ddns-confgen.8
+@man man/man8/filter-a.8
+@man man/man8/filter-aaaa.8
+@man man/man8/named.8
+@man man/man8/rndc-confgen.8
+@man man/man8/rndc.8
+@man man/man8/tsig-keygen.8
+@bin sbin/ddns-confgen
+@bin sbin/named
+@bin sbin/rndc
+@bin sbin/rndc-confgen
+@bin sbin/tsig-keygen
+@sample ${LOCALSTATEDIR}/named/
+@mode 750
+@group _bind
+@sample ${LOCALSTATEDIR}/named/etc/
+@mode 775
+@sample ${LOCALSTATEDIR}/named/tmp/
+@mode
+@group
+share/examples/bind9/
+share/examples/bind9/bind.keys
+share/examples/bind9/named.conf
+@mode 640
+@group _bind
+@sample ${LOCALSTATEDIR}/named/etc/named.conf

net/isc-bind/pkg/isc_named.rc

@@ -0,0 +1,18 @@
+#!/bin/ksh
+
+daemon="${TRUEPREFIX}/sbin/named"
+daemon_flags="-t ${LOCALSTATEDIR}/named -u _bind -U 4"
+
+. /etc/rc.d/rc.subr
+
+rc_pre() {
+	if ! cmp -s ${SYSCONFDIR}/rndc.key ${LOCALSTATEDIR}/named/etc/rndc.key ; then
+		if ${TRUEPREFIX}/sbin/rndc-confgen -a -t ${LOCALSTATEDIR}/named \
+		    >/dev/null 2>&1; then
+			chmod 0640 ${LOCALSTATEDIR}/named/etc/rndc.key \
+			    >/dev/null 2>&1
+		fi
+	fi
+}
+
+rc_cmd $1