Comment 3 for bug 1630025

I can confirm that the following debian packages resolve the issue:

bind9_9.10.3.dfsg.P4-12.3+deb9u3_amd64.deb
bind9utils_9.10.3.dfsg.P4-12.3+deb9u3_amd64.deb
libbind9-140_9.10.3.dfsg.P4-12.3+deb9u3_amd64.deb
libdns162_9.10.3.dfsg.P4-12.3+deb9u3_amd64.deb
libgssapi-krb5-2_1.15-1+deb9u1_amd64.deb
libisc160_9.10.3.dfsg.P4-12.3+deb9u3_amd64.deb
libisccc140_9.10.3.dfsg.P4-12.3+deb9u3_amd64.deb
libisccfg140_9.10.3.dfsg.P4-12.3+deb9u3_amd64.deb
libk5crypto3_1.15-1+deb9u1_amd64.deb
libkrb5-3_1.15-1+deb9u1_amd64.deb
libkrb5support0_1.15-1+deb9u1_amd64.deb
liblwres141_9.10.3.dfsg.P4-12.3+deb9u3_amd64.deb
libssl1.0.2_1.0.2l-2+deb9u1_amd64.deb

If we could get bind9 and dependencies rebuilt with the necessary patch (from the bug, a 1-liner) that'd be splendid so that we can return to a safe chroot bind9 scenario