As of version 8.something, BIND supports chrooted operation, but it only chroots the name server process. Some extra scaffolding is needed in order to make the rest of the system work smoothly. The example below is for FreeBSD 4.1. Other FreeBSD versions may differ in version numbers of shared library objects.

My named runs chrooted under the directory /etc/namedb. In order to make chroot operation painless I have wrapped the named (name server) and ndc (name server control) commands in little shell scripts that provide the necessary options. The original named and ndc programs are renamed to named.real and ndc.real, respectively.

For named logging I hard linked the /var/run/log socket into the named chroot directory tree at /etc/namedb/var/run/log; this setup assumes that the /var/run and /etc/namedb directory trees are both in the same file system.

The file /etc/namedb/etc/localtime is just a copy of the regular /etc/localtime file.

If you provide secondary name service, don't forget to install a copy of the named-xfer utility under /etc/namedb, otherwise your secondary zones will expire and users will be unhappy.
Wietse
/usr/sbin/named:
================
#!/bin/sh
# Wrapper: run the real name server chrooted under /etc/namedb as user/group bind.
cd /etc/namedb || exit 1
# Re-create the hard link to the syslog socket (syslogd may have replaced it
# since the last start).
rm -f var/run/log
ln /var/run/log var/run/log
exec named.real -u bind -g bind -t /etc/namedb \
    -b /etc/namedb/named.conf
/usr/sbin/ndc:
==============
#!/bin/sh
exec ndc.real -c /etc/namedb/var/run/ndc "$@"
ls -lR /etc/namedb:
===================
/etc/namedb:
total 30
drwxr-xr-x  2 root  wheel     512 Nov 23 15:56 etc
...
drwxr-xr-x  2 bind  bind      512 Dec 30 16:55 s
drwxr-xr-x  4 root  wheel     512 Nov 23 15:34 usr
drwxr-xr-x  3 root  wheel     512 Nov 23 15:34 var

/etc/namedb/etc:
total 2
-r--r--r--  1 root  wheel    1250 Nov 23 15:56 localtime
lrwxr-xr-x  1 root  wheel       2 Dec 30 13:04 namedb -> ..

/etc/namedb/s:
total 0

/etc/namedb/usr:
total 2
drwxr-xr-x  2 root  wheel     512 Nov 23 15:43 lib
drwxr-xr-x  2 root  wheel     512 Nov 23 15:36 libexec

/etc/namedb/usr/lib:
total 585
-r--r--r--  1 root  wheel  553460 Nov 23 15:43 libc.so.4
-r--r--r--  1 root  wheel   32864 Nov 23 15:42 libutil.so.3

/etc/namedb/usr/libexec:
total 401
-r-xr-xr-x  1 root  wheel   74512 Nov 23 15:36 ld-elf.so.1
-rwxr-xr-x  1 root  wheel  323324 Nov 23 15:35 named-xfer

/etc/namedb/var:
total 1
drwxr-xr-x  2 bind  wheel     512 Dec 30 14:55 run

/etc/namedb/var/run:
total 1
srw-rw-rw-  1 root  wheel       0 Dec 30 14:32 log
-rw-r--r--  1 root  wheel       4 Dec 30 14:55 named.pid
srw-------  1 root  wheel       0 Dec 30 14:55 ndc
Rob Thomas, robt@cymru.com, http://www.cymru.com