Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Fri Mar 1 08:19:55 2013 -0700

    Initialise OpenSSL before calling chroot()

    OpenSSL may need to load additional shared libraries, in particular
    for the gost algorithm.  This will not work after we chroot(), so we
    need to initialise it before doing that.

    Move the calls to dst_lib_init2() and isc_entropy_create() into
    setup() and calls to the corresponding cleanup into cleanup().

    Addresses-Debian-Bug: 696661
    Signed-off-by: LaMont Jones <lamont@debian.org>

Index: bind9/bin/named/main.c
===================================================================
--- bind9.orig/bin/named/main.c	2016-02-17 11:40:32.224775927 -0700
+++ bind9/bin/named/main.c	2016-02-17 11:43:51.890515632 -0700
@@ -764,14 +764,6 @@
 			      ISC_LOG_INFO, "using up to %u sockets", socks);
 	}
 
-	result = isc_entropy_create(ns_g_mctx, &ns_g_entropy);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_entropy_create() failed: %s",
-				 isc_result_totext(result));
-		return (ISC_R_UNEXPECTED);
-	}
-
 	result = isc_hash_create(ns_g_mctx, ns_g_entropy, DNS_NAME_MAXWIRE);
 	if (result != ISC_R_SUCCESS) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
@@ -941,6 +933,16 @@
 	}
 #endif
 
+	/*
+	 * DST may load additional libraries, which must be done before
+	 * chroot
+	 */
+	result = dst_lib_init2(ns_g_mctx, ns_g_entropy,
+			       ns_g_engine, ISC_ENTROPY_GOODONLY);
+	if (result != ISC_R_SUCCESS)
+		ns_main_earlyfatal("dst_lib_init2() failed: %s",
+				   isc_result_totext(result));
+
 #ifdef ISC_PLATFORM_USETHREADS
 	/*
 	 * Check for the number of cpu's before ns_os_chroot().
@@ -1117,6 +1119,12 @@
 
 	ns_builtin_deinit();
 
+	dst_lib_destroy();
+
+	isc_entropy_detach(&ns_g_entropy);
+	if (ns_g_fallbackentropy != NULL)
+		isc_entropy_detach(&ns_g_fallbackentropy);
+
 	/*
 	 * Add calls to unregister sdb drivers here.
 	 */