BIND chrooted on Debian Sarge

# /etc/init.d/bind9 stop

We need to edit /etc/default/bind9 to run the daemon as the unprivileged user bind and chrooted to /var/lib/named, change the content to

OPTS="-u bind -t /var/lib/named".

Creating all directories under /var/lib:

# mkdir -p /var/lib/named/etc
# mkdir /var/lib/named/dev
# mkdir -p /var/lib/named/var/cache/bind
# mkdir -p /var/lib/named/var/run/bind/run

To move the config dir and create symlink to prevent trouble on future updates run:

# mv /etc/bind /var/lib/named/etc
# ln -s /var/lib/named/etc/bind /etc/bind

Maybe you need much more files or directory created/moved depending on your configuration.

In the end we need to modify the start options of syslogd. Add

-a /var/lib/named/dev/log

to the value SYSLOGD in /etc/init.d/sysklogd and restart the daemons:

# /etc/init.d/sysklogd restart
# /etc/init.d/bind9 start