Update to 9.11.5-P1, 9.12.3-P1, 9.13.5.

While there:
- Don't disable symbol table generation when building WITH_DEBUG.
- Try and make sure nullfs can really be used in a more robustt and
  centralized way.
- Make sure all changes are sync'ed among all BIND9 ports.

dns/bind9-devel/Makefile

@@ -9,7 +9,7 @@ PORTREVISION=	1
 .else
 # XXX: correct version
 # dns/bind9xx here
-PORTREVISION=	1
+PORTREVISION=	2
 .endif
 CATEGORIES=	dns net ipv6
 # XXX: put the ISC master_site
@@ -54,7 +54,6 @@ CPE_UPDATE=	${ISCVERSION:C/.*-//:tl}
 
 GNU_CONFIGURE=	yes
 CONFIGURE_ARGS=	--localstatedir=/var --disable-linux-caps \
-		--disable-symtable \
 		--with-libxml2=${LOCALBASE} \
 		--with-readline="-L${LOCALBASE}/lib -ledit" \
 		--with-dlopen=yes \
@@ -210,6 +209,18 @@ TUNING_LARGE_CONFIGURE_OFF=	--with-tuning=default
 
 .include <bsd.port.pre.mk>
 
+.if defined(WITH_DEBUG)
+CONFIGURE_ARGS+=	--enable-symtable
+.else
+CONFIGURE_ARGS+=	--disable-symtable
+.endif
+
+.if ${SSL_DEFAULT} == base
+SUB_LIST+=	ENGINES=/usr/lib/engines
+.else
+SUB_LIST+=	ENGINES=${LOCALBASE}/lib/engines
+.endif
+
 # XXX: Remove
 post-extract:
 	echo "SRCID=${GL_COMMIT}" > ${WRKSRC}/srcid

dns/bind9-devel/files/named.in

@@ -62,7 +62,7 @@ required_dirs="${named_chrootdir}"
 _named_confdirroot="${named_conf%/*}"
 _named_confdir="${named_chrootdir}${_named_confdirroot}"
 _named_program_root="${named_program%/sbin/named}"
-_openssl_engines="%%LOCALBASE%%/lib/engines"
+_openssl_engines="%%ENGINES%%"
 
 # Needed if named.conf and rndc.conf are moved or if rndc.conf is used
 rndc_conf=${rndc_conf:-"$_named_confdir/rndc.conf"}
@@ -143,19 +143,16 @@ chroot_autoupdate()
 		fi
 	fi
 
-	# If OpenSSL from ports, then the engines should be present in the
-	# chroot, named loads them after chrooting.
+	# The OpenSSL engines should be present in the chroot, named loads them
+	# after chrooting.
 	if [ -d ${_openssl_engines} ]; then
-		# FIXME when 8.4 is gone see if
-		# security.jail.param.allow.mount.nullfs can be used.
-		if [ `${SYSCTL_N} security.jail.jailed` -eq 0 -o `${SYSCTL_N} security.jail.mount_allowed` -eq 1 ]; then
-			mkdir -p ${named_chrootdir}${_openssl_engines}
+		mkdir -p ${named_chrootdir}${_openssl_engines}
+		if can_mount nullfs ; then
 			mount -t nullfs ${_openssl_engines} ${named_chrootdir}${_openssl_engines}
 		else
 			warn "named chroot: cannot nullfs mount OpenSSL" \
 				"engines into the chroot, will copy the shared" \
 				"libraries instead."
-			mkdir -p ${named_chrootdir}${_openssl_engines}
 			cp -f ${_openssl_engines}/*.so ${named_chrootdir}${_openssl_engines}
 		fi
 	fi
@@ -241,22 +238,41 @@ named_stop()
 
 named_poststop()
 {
-	if [ -n "${named_chrootdir}" -a -c ${named_chrootdir}/dev/null ]; then
+	if [ -n "${named_chrootdir}" ]; then
 		# if using OpenSSL from ports, unmount OpenSSL engines, if they
 		# were not mounted but only copied, do nothing.
-		if [ -d ${_openssl_engines} -a \( `${SYSCTL_N} security.jail.jailed` -eq 0 -o `${SYSCTL_N} security.jail.mount_allowed` -eq 1 \) ]; then
-		  umount ${named_chrootdir}${_openssl_engines}
+		if [ -d ${_openssl_engines} ]; then
+			if can_mount nullfs; then
+				umount ${named_chrootdir}${_openssl_engines}
+			fi
 		fi
-		# unmount /dev
-		if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then
-			umount ${named_chrootdir}/dev 2>/dev/null || true
-		else
-			warn "named chroot:" \
-			    "cannot unmount devfs from inside jail!"
+		if [ -c ${named_chrootdir}/dev/null ]; then
+			# unmount /dev
+			if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then
+				umount ${named_chrootdir}/dev 2>/dev/null || true
+			else
+				warn "named chroot:" \
+					"cannot unmount devfs from inside jail!"
+			fi
 		fi
 	fi
 }
 
+can_mount()
+{
+	local kld
+	kld=$1
+	if ! load_kld $kld; then
+		return 1
+	fi
+	if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ] ||
+		[ `${SYSCTL_N} security.jail.mount_allowed` -eq 1 ] ||
+		[ `${SYSCTL_N} security.jail.mount_${kld}_allowed` -eq 1 ] ; then
+		return 0
+	fi
+	return 1
+}
+
 create_file()
 {
 	if [ -e "$1" ]; then

dns/bind911/Makefile

@@ -3,7 +3,7 @@
 
 PORTNAME=	bind
 PORTVERSION=	${ISCVERSION:S/-P/P/:S/b/.b/:S/a/.a/:S/rc/.rc/}
-PORTREVISION=	1
+PORTREVISION=	0
 CATEGORIES=	dns net ipv6
 MASTER_SITES=	ISC/bind9/${ISCVERSION}
 PKGNAMESUFFIX=	911
@@ -20,7 +20,7 @@ LIB_DEPENDS=	libxml2.so:textproc/libxml2
 USES=	cpe libedit
 
 # ISC releases things like 9.8.0-P1, which our versioning doesn't like
-ISCVERSION=	9.11.5
+ISCVERSION=	9.11.5-P1
 
 CPE_VENDOR=	isc
 CPE_VERSION=	${ISCVERSION:C/-.*//}
@@ -30,7 +30,6 @@ CPE_UPDATE=	${ISCVERSION:C/.*-//:tl}
 
 GNU_CONFIGURE=	yes
 CONFIGURE_ARGS=	--localstatedir=/var --disable-linux-caps \
-		--disable-symtable \
 		--with-randomdev=/dev/random \
 		--with-libxml2=${LOCALBASE} \
 		--with-readline="-L${LOCALBASE}/lib -ledit" \
@@ -192,6 +191,12 @@ TUNING_LARGE_CONFIGURE_OFF=	--with-tuning=default
 
 .include <bsd.port.pre.mk>
 
+.if defined(WITH_DEBUG)
+CONFIGURE_ARGS+=	--enable-symtable
+.else
+CONFIGURE_ARGS+=	--disable-symtable
+.endif
+
 .if ${SSL_DEFAULT} == base
 SUB_LIST+=	ENGINES=/usr/lib/engines
 .else

dns/bind911/distinfo

@@ -1,3 +1,3 @@
-TIMESTAMP = 1540325506
-SHA256 (bind-9.11.5.tar.gz) = a4cae11dad954bdd4eb592178f875bfec09fcc7e29fe0f6b7a4e5b5c6bc61322
-SIZE (bind-9.11.5.tar.gz) = 8810710
+TIMESTAMP = 1544687911
+SHA256 (bind-9.11.5-P1.tar.gz) = 6cd6dbf016569f12d4a0ed629e44e895d9ed41c6908274ed2e617666c5491928
+SIZE (bind-9.11.5-P1.tar.gz) = 8814650

dns/bind911/files/named.in

@@ -146,16 +146,13 @@ chroot_autoupdate()
 	# The OpenSSL engines should be present in the chroot, named loads them
 	# after chrooting.
 	if [ -d ${_openssl_engines} ]; then
-		if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ] ||
-		  [ `${SYSCTL_N} security.jail.mount_allowed` -eq 1 ] ||
-		  [ `${SYSCTL_N} security.jail.mount_nullfs_allowed` -eq 1 ] ; then
-			mkdir -p ${named_chrootdir}${_openssl_engines}
+		mkdir -p ${named_chrootdir}${_openssl_engines}
+		if can_mount nullfs ; then
 			mount -t nullfs ${_openssl_engines} ${named_chrootdir}${_openssl_engines}
 		else
 			warn "named chroot: cannot nullfs mount OpenSSL" \
 				"engines into the chroot, will copy the shared" \
 				"libraries instead."
-			mkdir -p ${named_chrootdir}${_openssl_engines}
 			cp -f ${_openssl_engines}/*.so ${named_chrootdir}${_openssl_engines}
 		fi
 	fi
@@ -241,22 +238,41 @@ named_stop()
 
 named_poststop()
 {
-	if [ -n "${named_chrootdir}" -a -c ${named_chrootdir}/dev/null ]; then
+	if [ -n "${named_chrootdir}" ]; then
 		# if using OpenSSL from ports, unmount OpenSSL engines, if they
 		# were not mounted but only copied, do nothing.
-		if [ -d ${_openssl_engines} -a \( `${SYSCTL_N} security.jail.jailed` -eq 0 -o `${SYSCTL_N} security.jail.mount_allowed` -eq 1 \) ]; then
-		  umount ${named_chrootdir}${_openssl_engines}
+		if [ -d ${_openssl_engines} ]; then
+			if can_mount nullfs; then
+				umount ${named_chrootdir}${_openssl_engines}
+			fi
 		fi
-		# unmount /dev
-		if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then
-			umount ${named_chrootdir}/dev 2>/dev/null || true
-		else
-			warn "named chroot:" \
-			    "cannot unmount devfs from inside jail!"
+		if [ -c ${named_chrootdir}/dev/null ]; then
+			# unmount /dev
+			if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then
+				umount ${named_chrootdir}/dev 2>/dev/null || true
+			else
+				warn "named chroot:" \
+					"cannot unmount devfs from inside jail!"
+			fi
 		fi
 	fi
 }
 
+can_mount()
+{
+	local kld
+	kld=$1
+	if ! load_kld $kld; then
+		return 1
+	fi
+	if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ] ||
+		[ `${SYSCTL_N} security.jail.mount_allowed` -eq 1 ] ||
+		[ `${SYSCTL_N} security.jail.mount_${kld}_allowed` -eq 1 ] ; then
+		return 0
+	fi
+	return 1
+}
+
 create_file()
 {
 	if [ -e "$1" ]; then

dns/bind912/Makefile

@@ -5,10 +5,9 @@ PORTNAME=	bind
 PORTVERSION=	${ISCVERSION:S/-P/P/:S/b/.b/:S/a/.a/:S/rc/.rc/}
 .if defined(BIND_TOOLS_SLAVE)
 # dns/bind-tools here
-PORTREVISION=	1
+PORTREVISION=	0
 .else
-# dns/bind912 here
-PORTREVISION=	2
+PORTREVISION=	0
 .endif
 CATEGORIES=	dns net ipv6
 MASTER_SITES=	ISC/bind9/${ISCVERSION}
@@ -33,7 +32,7 @@ LIB_DEPENDS=	libxml2.so:textproc/libxml2
 
 USES=	compiler:c11 cpe libedit
 # ISC releases things like 9.8.0-P1, which our versioning doesn't like
-ISCVERSION=	9.12.3
+ISCVERSION=	9.12.3-P1
 
 CPE_VENDOR=	isc
 CPE_VERSION=	${ISCVERSION:C/-.*//}
@@ -43,7 +42,6 @@ CPE_UPDATE=	${ISCVERSION:C/.*-//:tl}
 
 GNU_CONFIGURE=	yes
 CONFIGURE_ARGS=	--localstatedir=/var --disable-linux-caps \
-		--disable-symtable \
 		--with-randomdev=/dev/random \
 		--with-libxml2=${LOCALBASE} \
 		--with-readline="-L${LOCALBASE}/lib -ledit" \
@@ -211,6 +209,12 @@ TUNING_LARGE_CONFIGURE_OFF=	--with-tuning=default
 
 .include <bsd.port.pre.mk>
 
+.if defined(WITH_DEBUG)
+CONFIGURE_ARGS+=	--enable-symtable
+.else
+CONFIGURE_ARGS+=	--disable-symtable
+.endif
+
 .if ${SSL_DEFAULT} == base
 SUB_LIST+=	ENGINES=/usr/lib/engines
 .else

dns/bind912/distinfo

@@ -1,3 +1,3 @@
-TIMESTAMP = 1540325569
-SHA256 (bind-9.12.3.tar.gz) = 0e80762631258e1c193552efa7c56c05ec5e8c2f98e4b2a3b91a61fd8d96b938
-SIZE (bind-9.12.3.tar.gz) = 8616664
+TIMESTAMP = 1544687855
+SHA256 (bind-9.12.3-P1.tar.gz) = 6cb79389d787368af27f01c65a9fa09be1fd062eda37c94819a1a0178d5ded73
+SIZE (bind-9.12.3-P1.tar.gz) = 8625693

dns/bind912/files/named.in

@@ -146,16 +146,13 @@ chroot_autoupdate()
 	# The OpenSSL engines should be present in the chroot, named loads them
 	# after chrooting.
 	if [ -d ${_openssl_engines} ]; then
-		if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ] ||
-		  [ `${SYSCTL_N} security.jail.mount_allowed` -eq 1 ] ||
-		  [ `${SYSCTL_N} security.jail.mount_nullfs_allowed` -eq 1 ] ; then
-			mkdir -p ${named_chrootdir}${_openssl_engines}
+		mkdir -p ${named_chrootdir}${_openssl_engines}
+		if can_mount nullfs ; then
 			mount -t nullfs ${_openssl_engines} ${named_chrootdir}${_openssl_engines}
 		else
 			warn "named chroot: cannot nullfs mount OpenSSL" \
 				"engines into the chroot, will copy the shared" \
 				"libraries instead."
-			mkdir -p ${named_chrootdir}${_openssl_engines}
 			cp -f ${_openssl_engines}/*.so ${named_chrootdir}${_openssl_engines}
 		fi
 	fi
@@ -241,22 +238,41 @@ named_stop()
 
 named_poststop()
 {
-	if [ -n "${named_chrootdir}" -a -c ${named_chrootdir}/dev/null ]; then
+	if [ -n "${named_chrootdir}" ]; then
 		# if using OpenSSL from ports, unmount OpenSSL engines, if they
 		# were not mounted but only copied, do nothing.
-		if [ -d ${_openssl_engines} -a \( `${SYSCTL_N} security.jail.jailed` -eq 0 -o `${SYSCTL_N} security.jail.mount_allowed` -eq 1 \) ]; then
-		  umount ${named_chrootdir}${_openssl_engines}
+		if [ -d ${_openssl_engines} ]; then
+			if can_mount nullfs; then
+				umount ${named_chrootdir}${_openssl_engines}
+			fi
 		fi
-		# unmount /dev
-		if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then
-			umount ${named_chrootdir}/dev 2>/dev/null || true
-		else
-			warn "named chroot:" \
-			    "cannot unmount devfs from inside jail!"
+		if [ -c ${named_chrootdir}/dev/null ]; then
+			# unmount /dev
+			if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then
+				umount ${named_chrootdir}/dev 2>/dev/null || true
+			else
+				warn "named chroot:" \
+					"cannot unmount devfs from inside jail!"
+			fi
 		fi
 	fi
 }
 
+can_mount()
+{
+	local kld
+	kld=$1
+	if ! load_kld $kld; then
+		return 1
+	fi
+	if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ] ||
+		[ `${SYSCTL_N} security.jail.mount_allowed` -eq 1 ] ||
+		[ `${SYSCTL_N} security.jail.mount_${kld}_allowed` -eq 1 ] ; then
+		return 0
+	fi
+	return 1
+}
+
 create_file()
 {
 	if [ -e "$1" ]; then

dns/bind913/Makefile

@@ -5,10 +5,10 @@ PORTNAME=	bind
 PORTVERSION=	${ISCVERSION:S/-P/P/:S/b/.b/:S/a/.a/:S/rc/.rc/}
 .if defined(BIND_TOOLS_SLAVE)
 # dns/bind-tools here
-PORTREVISION=	1
+PORTREVISION=	0
 .else
 # dns/bind913 here
-PORTREVISION=	1
+PORTREVISION=	0
 .endif
 CATEGORIES=	dns net ipv6
 MASTER_SITES=	ISC/bind9/${ISCVERSION}
@@ -33,7 +33,7 @@ LIB_DEPENDS=	libxml2.so:textproc/libxml2
 
 USES=	compiler:c11 cpe libedit ssl
 # ISC releases things like 9.8.0-P1, which our versioning doesn't like
-ISCVERSION=	9.13.4
+ISCVERSION=	9.13.5
 
 CPE_VENDOR=	isc
 CPE_VERSION=	${ISCVERSION:C/-.*//}
@@ -43,7 +43,6 @@ CPE_UPDATE=	${ISCVERSION:C/.*-//:tl}
 
 GNU_CONFIGURE=	yes
 CONFIGURE_ARGS=	--localstatedir=/var --disable-linux-caps \
-		--disable-symtable \
 		--with-libxml2=${LOCALBASE} \
 		--with-readline="-L${LOCALBASE}/lib -ledit" \
 		--with-dlopen=yes \
@@ -199,6 +198,18 @@ TUNING_LARGE_CONFIGURE_OFF=	--with-tuning=default
 
 .include <bsd.port.pre.mk>
 
+.if defined(WITH_DEBUG)
+CONFIGURE_ARGS+=	--enable-symtable
+.else
+CONFIGURE_ARGS+=	--disable-symtable
+.endif
+
+.if ${SSL_DEFAULT} == base
+SUB_LIST+=	ENGINES=/usr/lib/engines
+.else
+SUB_LIST+=	ENGINES=${LOCALBASE}/lib/engines
+.endif
+
 post-patch:
 .if defined(BIND_TOOLS_SLAVE)
 	@${REINPLACE_CMD} -e 's#^SUBDIRS.*#SUBDIRS = lib bin#' \

dns/bind913/distinfo

@@ -1,3 +1,3 @@
-TIMESTAMP = 1542875991
-SHA256 (bind-9.13.4.tar.gz) = ea02107ae0b22a5b3df76d4c45bd44414f1d17731fffc07813d8e5b4ce05f95b
-SIZE (bind-9.13.4.tar.gz) = 6274124
+TIMESTAMP = 1544687807
+SHA256 (bind-9.13.5.tar.gz) = bbde0b81c66a7c7f5b074c8f0e714ed8aa235e4b930e28953cab0ae3cae94e4b
+SIZE (bind-9.13.5.tar.gz) = 6309308

dns/bind913/files/extrapatch-bind-min-override-ttl

@@ -1,6 +1,6 @@
---- bin/named/config.c.orig	2018-11-19 17:02:41 UTC
+--- bin/named/config.c.orig	2018-12-07 18:44:21 UTC
 +++ bin/named/config.c
-@@ -182,6 +182,7 @@ options {\n\
+@@ -179,6 +179,7 @@ options {\n\
  	notify-source *;\n\
  	notify-source-v6 *;\n\
  	nsec3-test-zone no;\n\
@@ -8,9 +8,9 @@
  	provide-ixfr true;\n\
  	qname-minimization relaxed;\n\
  	query-source address *;\n\
---- bin/named/server.c.orig	2018-11-19 17:02:41 UTC
+--- bin/named/server.c.orig	2018-12-07 18:44:21 UTC
 +++ bin/named/server.c
-@@ -4116,6 +4116,11 @@ configure_view(dns_view_t *view, dns_vie
+@@ -4154,6 +4154,11 @@ configure_view(dns_view_t *view, dns_vie
  	}
  
  	obj = NULL;
@@ -22,7 +22,7 @@
  	result = named_config_get(maps, "max-cache-ttl", &obj);
  	INSIST(result == ISC_R_SUCCESS);
  	view->maxcachettl = cfg_obj_asuint32(obj);
---- lib/dns/include/dns/view.h.orig	2018-11-19 17:02:41 UTC
+--- lib/dns/include/dns/view.h.orig	2018-12-07 18:44:21 UTC
 +++ lib/dns/include/dns/view.h
 @@ -153,6 +153,7 @@ struct dns_view {
  	bool			requestnsid;
@@ -32,7 +32,7 @@
  	dns_ttl_t			maxncachettl;
  	dns_ttl_t			mincachettl;
  	dns_ttl_t			minncachettl;
---- lib/dns/resolver.c.orig	2018-11-19 17:02:41 UTC
+--- lib/dns/resolver.c.orig	2018-12-07 18:44:21 UTC
 +++ lib/dns/resolver.c
 @@ -5967,6 +5967,12 @@ cache_name(fetchctx_t *fctx, dns_name_t 
  		}
@@ -47,9 +47,9 @@
  		 * Enforce the configure maximum cache TTL.
  		 */
  		if (rdataset->ttl > res->view->maxcachettl) {
---- lib/isccfg/namedconf.c.orig	2018-11-19 17:02:41 UTC
+--- lib/isccfg/namedconf.c.orig	2018-12-07 18:44:21 UTC
 +++ lib/isccfg/namedconf.c
-@@ -1921,6 +1921,7 @@ view_clauses[] = {
+@@ -1900,6 +1900,7 @@ view_clauses[] = {
  	{ "max-acache-size", &cfg_type_sizenodefault,
  	  CFG_CLAUSEFLAG_OBSOLETE },
  	{ "max-cache-size", &cfg_type_sizeorpercent, 0 },

dns/bind913/files/named.in

@@ -62,7 +62,7 @@ required_dirs="${named_chrootdir}"
 _named_confdirroot="${named_conf%/*}"
 _named_confdir="${named_chrootdir}${_named_confdirroot}"
 _named_program_root="${named_program%/sbin/named}"
-_openssl_engines="%%LOCALBASE%%/lib/engines"
+_openssl_engines="%%ENGINES%%"
 
 # Needed if named.conf and rndc.conf are moved or if rndc.conf is used
 rndc_conf=${rndc_conf:-"$_named_confdir/rndc.conf"}
@@ -143,19 +143,16 @@ chroot_autoupdate()
 		fi
 	fi
 
-	# If OpenSSL from ports, then the engines should be present in the
-	# chroot, named loads them after chrooting.
+	# The OpenSSL engines should be present in the chroot, named loads them
+	# after chrooting.
 	if [ -d ${_openssl_engines} ]; then
-		# FIXME when 8.4 is gone see if
-		# security.jail.param.allow.mount.nullfs can be used.
-		if [ `${SYSCTL_N} security.jail.jailed` -eq 0 -o `${SYSCTL_N} security.jail.mount_allowed` -eq 1 ]; then
-			mkdir -p ${named_chrootdir}${_openssl_engines}
+		mkdir -p ${named_chrootdir}${_openssl_engines}
+		if can_mount nullfs ; then
 			mount -t nullfs ${_openssl_engines} ${named_chrootdir}${_openssl_engines}
 		else
 			warn "named chroot: cannot nullfs mount OpenSSL" \
 				"engines into the chroot, will copy the shared" \
 				"libraries instead."
-			mkdir -p ${named_chrootdir}${_openssl_engines}
 			cp -f ${_openssl_engines}/*.so ${named_chrootdir}${_openssl_engines}
 		fi
 	fi
@@ -241,22 +238,41 @@ named_stop()
 
 named_poststop()
 {
-	if [ -n "${named_chrootdir}" -a -c ${named_chrootdir}/dev/null ]; then
+	if [ -n "${named_chrootdir}" ]; then
 		# if using OpenSSL from ports, unmount OpenSSL engines, if they
 		# were not mounted but only copied, do nothing.
-		if [ -d ${_openssl_engines} -a \( `${SYSCTL_N} security.jail.jailed` -eq 0 -o `${SYSCTL_N} security.jail.mount_allowed` -eq 1 \) ]; then
-		  umount ${named_chrootdir}${_openssl_engines}
+		if [ -d ${_openssl_engines} ]; then
+			if can_mount nullfs; then
+				umount ${named_chrootdir}${_openssl_engines}
+			fi
 		fi
-		# unmount /dev
-		if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then
-			umount ${named_chrootdir}/dev 2>/dev/null || true
-		else
-			warn "named chroot:" \
-			    "cannot unmount devfs from inside jail!"
+		if [ -c ${named_chrootdir}/dev/null ]; then
+			# unmount /dev
+			if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then
+				umount ${named_chrootdir}/dev 2>/dev/null || true
+			else
+				warn "named chroot:" \
+					"cannot unmount devfs from inside jail!"
+			fi
 		fi
 	fi
 }
 
+can_mount()
+{
+	local kld
+	kld=$1
+	if ! load_kld $kld; then
+		return 1
+	fi
+	if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ] ||
+		[ `${SYSCTL_N} security.jail.mount_allowed` -eq 1 ] ||
+		[ `${SYSCTL_N} security.jail.mount_${kld}_allowed` -eq 1 ] ; then
+		return 0
+	fi
+	return 1
+}
+
 create_file()
 {
 	if [ -e "$1" ]; then

dns/bind913/files/patch-configure

@@ -1,6 +1,6 @@
---- configure.orig	2018-11-22 00:20:34 UTC
+--- configure.orig	2018-12-07 18:44:21 UTC
 +++ configure
-@@ -16386,27 +16386,9 @@ done
+@@ -16296,27 +16296,9 @@ done
  		# problems start to show up.
  		saved_libs="$LIBS"
  		for TRY_LIBS in \
@@ -30,7 +30,7 @@
  		    { $as_echo "$as_me:${as_lineno-$LINENO}: checking linking as $TRY_LIBS" >&5
  $as_echo_n "checking linking as $TRY_LIBS... " >&6; }
  		    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-@@ -16449,47 +16431,7 @@ $as_echo "no" >&6; } ;;
+@@ -16359,47 +16341,7 @@ $as_echo "no" >&6; } ;;
  		no) as_fn_error $? "could not determine proper GSSAPI linkage" "$LINENO" 5 ;;
  		esac
  
@@ -79,7 +79,7 @@
  		DNS_GSSAPI_LIBS="$LIBS"
  
  		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&5
-@@ -21015,7 +20957,7 @@ $as_echo "" >&6; }
+@@ -20933,7 +20875,7 @@ $as_echo "" >&6; }
  			# Check other locations for includes.
  			# Order is important (sigh).
  

dns/bind913/pkg-plist

@@ -250,6 +250,7 @@ include/isccfg/log.h
 include/isccfg/namedconf.h
 include/isccfg/version.h
 include/ns/client.h
+include/ns/hooks.h
 include/ns/interfacemgr.h
 include/ns/lib.h
 include/ns/listenlist.h
@@ -273,6 +274,7 @@ include/pkcs11/eddsa.h
 include/pkcs11/pkcs11.h
 include/pkcs11/pkcs11f.h
 include/pkcs11/pkcs11t.h
+lib/filter-aaaa.so
 lib/libbind9.a
 lib/libdns.a
 lib/libirs.a
@@ -306,6 +308,7 @@ man/man8/dnssec-revoke.8.gz
 man/man8/dnssec-settime.8.gz
 man/man8/dnssec-signzone.8.gz
 man/man8/dnssec-verify.8.gz
+man/man8/filter-aaaa.8.gz
 man/man8/named-checkconf.8.gz
 man/man8/named-checkzone.8.gz
 man/man8/named-compilezone.8.gz