diff --git a/metadata/md5-cache/net-dns/bind-tools-9.10.2-r1 b/metadata/md5-cache/net-dns/bind-tools-9.10.2-r1
new file mode 100644
index 0000000..c5695cd
--- /dev/null
+++ b/metadata/md5-cache/net-dns/bind-tools-9.10.2-r1
@@ -0,0 +1,15 @@
+DEFINED_PHASES=compile configure install prepare
+DEPEND=ssl? ( dev-libs/openssl:0 ) gost? ( >=dev-libs/openssl-1.0.0:0[-bindist] ) xml? ( dev-libs/libxml2 ) idn? ( net-dns/idnkit ) gssapi? ( virtual/krb5 ) readline? ( sys-libs/readline:0= ) seccomp? ( sys-libs/libseccomp ) !<sys-devel/gettext-0.18.1.1-r3 || ( >=sys-devel/automake-1.13:1.13 >=sys-devel/automake-1.15:1.15 ) >=sys-devel/autoconf-2.69 >=sys-devel/libtool-2.4
+DESCRIPTION=bind tools: dig, nslookup, host, nsupdate, dnssec-keygen
+EAPI=5
+HOMEPAGE=http://www.isc.org/software/bind
+IUSE=doc gost gssapi idn ipv6 readline seccomp ssl urandom xml
+KEYWORDS=*
+LICENSE=ISC BSD BSD-2 HPND JNIC RSA openssl
+RDEPEND=ssl? ( dev-libs/openssl:0 ) gost? ( >=dev-libs/openssl-1.0.0:0[-bindist] ) xml? ( dev-libs/libxml2 ) idn? ( net-dns/idnkit ) gssapi? ( virtual/krb5 ) readline? ( sys-libs/readline:0= ) seccomp? ( sys-libs/libseccomp ) !<net-dns/bind-9.10.2
+REQUIRED_USE=gost? ( ssl )
+RESTRICT=test
+SLOT=0
+SRC_URI=ftp://ftp.isc.org/isc/bind9/9.10.2/bind-9.10.2.tar.gz
+_eclasses_=autotools	999c8f6cf5d91495cb0779588f20716c	eutils	06133990e861be0fe60c2b428fd025d9	flag-o-matic	5d5921a298e95441da2f85be419894c0	libtool	52d0e17251d04645ffaa61bfdd858944	multilib	3bf24e6abb9b76d9f6c20600f0b716bf	toolchain-funcs	48b38a216afb92db6314d6c3187abea3
+_md5_=b68f0447ed381d29ba6bc3401d6718db
diff --git a/net-dns/bind-tools/Manifest b/net-dns/bind-tools/Manifest
new file mode 100644
index 0000000..e3eca09
--- /dev/null
+++ b/net-dns/bind-tools/Manifest
@@ -0,0 +1 @@
+DIST bind-9.10.2.tar.gz 8481111 SHA256 6f9bb7908aa45c1edfa391e356fc0afc1ded175386cdefb6cf9e1289f7457a98 SHA512 e4c72fe52641a515620930d0e1c149e6f0d9cec2e1a64cbfd510829d908ccab7293197dbbe603c863168f9ea9ded57b27b32cbad02f8b60abc91acb035c2e79f WHIRLPOOL 6b1df7b711fd6d7bba0aad533a11cc979d9e06ea43d4c160536306945e18ece8e622077f75be0bf6a077dd6b40789377e443d92d7dbabdb528b3bdd24aec0553
diff --git a/net-dns/bind-tools/bind-tools-9.10.2-r1.ebuild b/net-dns/bind-tools/bind-tools-9.10.2-r1.ebuild
new file mode 100644
index 0000000..2dee5d0
--- /dev/null
+++ b/net-dns/bind-tools/bind-tools-9.10.2-r1.ebuild
@@ -0,0 +1,125 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-dns/bind-tools/bind-tools-9.10.2-r1.ebuild,v 1.1 2015/05/26 03:01:00 vapier Exp $
+
+EAPI="5"
+
+inherit eutils autotools flag-o-matic toolchain-funcs
+
+MY_PN=${PN//-tools}
+MY_PV=${PV/_p/-P}
+MY_PV=${MY_PV/_rc/rc}
+MY_P="${MY_PN}-${MY_PV}"
+
+DESCRIPTION="bind tools: dig, nslookup, host, nsupdate, dnssec-keygen"
+HOMEPAGE="http://www.isc.org/software/bind"
+SRC_URI="ftp://ftp.isc.org/isc/bind9/${MY_PV}/${MY_P}.tar.gz"
+
+LICENSE="ISC BSD BSD-2 HPND JNIC RSA openssl"
+SLOT="0"
+KEYWORDS="*"
+IUSE="doc gost gssapi idn ipv6 readline seccomp ssl urandom xml"
+# no PKCS11 currently as it requires OpenSSL to be patched, also see bug 409687
+
+REQUIRED_USE="gost? ( ssl )"
+
+DEPEND="ssl? ( dev-libs/openssl:0 )
+	gost? ( >=dev-libs/openssl-1.0.0:0[-bindist] )
+	xml? ( dev-libs/libxml2 )
+	idn? ( net-dns/idnkit )
+	gssapi? ( virtual/krb5 )
+	readline? ( sys-libs/readline:0= )
+	seccomp? ( sys-libs/libseccomp )"
+RDEPEND="${DEPEND}
+	!<net-dns/bind-9.10.2"
+
+S="${WORKDIR}/${MY_P}"
+
+# bug 479092, requires networking
+RESTRICT="test"
+
+src_prepare() {
+	epatch "${FILESDIR}"/${PN}-9.5.0_p1-lwconfig.patch #231247
+	epatch "${FILESDIR}"/${PN}-9.10.2-openssl.patch #417129
+
+	# Disable tests for now, bug 406399
+	sed -i '/^SUBDIRS/s:tests::' bin/Makefile.in lib/Makefile.in || die
+
+	# bug #220361
+	rm aclocal.m4
+	rm -rf libtool.m4/
+	eautoreconf
+}
+
+src_configure() {
+	local myconf=
+
+	if use urandom; then
+		myconf="${myconf} --with-randomdev=/dev/urandom"
+	else
+		myconf="${myconf} --with-randomdev=/dev/random"
+	fi
+
+	# bug 344029
+	append-cflags "-DDIG_SIGCHASE"
+
+	# localstatedir for nsupdate -l, bug 395785
+	tc-export BUILD_CC
+	econf \
+		--localstatedir=/var \
+		--without-python \
+		--without-libjson \
+		--disable-openssl-version-check \
+		$(use_enable ipv6) \
+		$(use_with idn) \
+		$(usex idn --with-idnlib=-lidnkit '') \
+		$(use_enable seccomp) \
+		$(use_with ssl openssl) \
+		$(use_with xml libxml2) \
+		$(use_with gssapi) \
+		$(use_with readline) \
+		$(use_with gost) \
+		${myconf}
+
+	# bug #151839
+	echo '#undef SO_BSDCOMPAT' >> config.h
+}
+
+src_compile() {
+	local AR=$(tc-getAR)
+
+	emake AR="${AR}" -C lib/
+	emake AR="${AR}" -C bin/delv/
+	emake AR="${AR}" -C bin/dig/
+	emake AR="${AR}" -C bin/nsupdate/
+	emake AR="${AR}" -C bin/dnssec/
+}
+
+src_install() {
+	dodoc README CHANGES FAQ
+
+	cd "${S}"/bin/delv
+	dobin delv
+	doman delv.1
+
+	cd "${S}"/bin/dig
+	dobin dig host nslookup
+	doman {dig,host,nslookup}.1
+
+	cd "${S}"/bin/nsupdate
+	dobin nsupdate
+	doman nsupdate.1
+	if use doc; then
+		dohtml nsupdate.html
+	fi
+
+	cd "${S}"/bin/dnssec
+	for tool in dsfromkey importkey keyfromlabel keygen \
+	  revoke settime signzone verify; do
+		dobin dnssec-"${tool}"
+		doman dnssec-"${tool}".8
+		if use doc; then
+			dohtml dnssec-"${tool}".html
+		fi
+	done
+}
diff --git a/net-dns/bind-tools/files/bind-tools-9.10.2-openssl.patch b/net-dns/bind-tools/files/bind-tools-9.10.2-openssl.patch
new file mode 100644
index 0000000..deeb109
--- /dev/null
+++ b/net-dns/bind-tools/files/bind-tools-9.10.2-openssl.patch
@@ -0,0 +1,145 @@
+https://bugs.gentoo.org/417129
+
+fix openssl build logic:
+* do not probe direct filesystem paths (including hardcoding things like /usr)
+* use pkg-config to locate proper openssl libraries
+* turn dsa check into a header one
+* turn ecdsa check into a link one
+* have gost/aes actually default to --with-xxx value when cross-compiling
+
+Patch by Mike Frysinger <vapier@chromium.org>
+
+--- a/configure.in
++++ b/configure.in
+@@ -1442,16 +1442,21 @@ case "$use_openssl" in
+ 		OPENSSLLINKOBJS=""
+ 		OPENSSLLINKSRCS=""
+ 		;;
+-	auto)
+-		DST_OPENSSL_INC=""
+-		CRYPTO=""
++	yes|auto)
++		CRYPTO=""
++		PKG_CHECK_MODULES([OPENSSL], [libcrypto], [CRYPTO='-DOPENSSL'], [
++			if test "$use_openssl" = "yes"; then
++				AC_MSG_ERROR(openssl not found)
++			fi
++			use_openssl="no"
++		])
++
++		DST_OPENSSL_INC=$OPENSSL_CFLAGS
++		DST_OPENSSL_LIBS=$OPENSSL_LIBS
+ 		OPENSSLGOSTLINKOBJS=""
+ 		OPENSSLGOSTLINKSRS=""
+ 		OPENSSLLINKOBJS=""
+ 		OPENSSLLINKSRCS=""
+-		AC_MSG_ERROR(
+-[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
+-If you don't want OpenSSL, use --without-openssl])
+ 		;;
+ 	*)
+ 		if test "$want_native_pkcs11" = "yes"
+@@ -1588,27 +1593,39 @@ no)
+ ;;
+ esac
+ 
++		CC="$saved_cc"
++		CFLAGS="$saved_cflags"
++		LIBS="$saved_libs"
++		OPENSSLLINKOBJS='${OPENSSLLINKOBJS}'
++		OPENSSLLINKSRCS='${OPENSSLLINKSRCS}'
++		;;
++esac
++
++if test "$use_openssl" = "yes"; then
++	saved_cc="$CC"
++	saved_cflags="$CFLAGS"
++	saved_libs="$LIBS"
++	CFLAGS="$CFLAGS $DST_OPENSSL_INC"
++	LIBS="$LIBS $DST_OPENSSL_LIBS"
++
+-	AC_MSG_CHECKING(for OpenSSL DSA support)
+-	if test -f $use_openssl/include/openssl/dsa.h
+-	then
++	AC_CHECK_HEADERS([openssl/dsa.h])
++	if test "$ac_cv_header_openssl_dsa_h" = yes; then
+ 		AC_DEFINE(HAVE_OPENSSL_DSA)
+-		AC_MSG_RESULT(yes)
+-	else
+-		AC_MSG_RESULT(no)
+ 	fi
+ 
+ 	AC_CHECK_FUNCS(EVP_sha256 EVP_sha384 EVP_sha512)
+ 
+ 	AC_MSG_CHECKING(for OpenSSL ECDSA support)
+ 	have_ecdsa=""
+-	AC_TRY_RUN([
++	AC_TRY_LINK([
+ #include <openssl/ecdsa.h>
+ #include <openssl/objects.h>
++],[
+ int main() {
+ 	EC_KEY *ec256, *ec384;
+ 
+ #if !defined(HAVE_EVP_SHA256) || !defined(HAVE_EVP_SHA384)
+-	return (1);
++#error choke
+ #endif
+ 	ec256 = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+ 	ec384 = EC_KEY_new_by_curve_name(NID_secp384r1);
+@@ -1637,24 +1654,7 @@ int main() {
+ 	[AC_MSG_RESULT(yes)
+ 	have_ecdsa="yes"],
+ 	[AC_MSG_RESULT(no)
+-	have_ecdsa="no"],
++	have_ecdsa="no"])
+-	[AC_MSG_RESULT(using --with-ecdsa)])
+-	case "$with_ecdsa" in
+-	yes)
+-	    case "$have_ecdsa" in
+-	    no)  AC_MSG_ERROR([ecdsa not supported]) ;;
+-	    *)  have_ecdsa=yes ;;
+-	    esac
+-	    ;;
+-	no)
+-	    have_ecdsa=no ;;
+-	*)
+-	    case "$have_ecdsa" in
+-	    yes|no) ;;
+-	    *) AC_MSG_ERROR([need --with-ecdsa=[[yes or no]]]) ;;
+-	    esac
+-	    ;;
+-	esac
+ 	case $have_ecdsa in
+ 	yes)
+ 		OPENSSL_ECDSA="yes"
+@@ -1702,7 +1702,8 @@ int main() {
+ 	have_gost="yes"],
+ 	[AC_MSG_RESULT(no)
+ 	have_gost="no"],
+-	[AC_MSG_RESULT(using --with-gost)])
++	[AC_MSG_RESULT(using --with-gost)
++	have_gost=$with_gost])
+ 	case "$with_gost" in
+ 	yes)
+ 	    case "$have_gost" in
+@@ -1752,7 +1753,8 @@ int main() {
+ 	[AC_MSG_RESULT(yes)
+ 	 have_aes="yes"],
+ 	[AC_MSG_RESULT(no)])],
+-	[AC_MSG_RESULT(using --with-aes)])
++	[AC_MSG_RESULT(using --with-aes)
++	 have_aes=$with_aes])
+ 
+ 	ISC_OPENSSL_INC=""
+ 	ISC_OPENSSL_LIBS=""
+@@ -1765,8 +1767,7 @@ int main() {
+ 	OPENSSLLINKOBJS='${OPENSSLLINKOBJS}'
+ 	OPENSSLLINKSRCS='${OPENSSLLINKSRCS}'
+ 
+-	;;
+-esac
++fi
+ 
+ #
+ # This would include the system openssl path (and linker options to use
diff --git a/net-dns/bind-tools/files/bind-tools-9.5.0_p1-lwconfig.patch b/net-dns/bind-tools/files/bind-tools-9.5.0_p1-lwconfig.patch
new file mode 100644
index 0000000..7aa1d16
--- /dev/null
+++ b/net-dns/bind-tools/files/bind-tools-9.5.0_p1-lwconfig.patch
@@ -0,0 +1,63 @@
+--- lib/lwres/lwconfig.c.old	2007-06-20 01:47:22.000000000 +0200
++++ lib/lwres/lwconfig.c	2008-06-15 02:57:02.000000000 +0200
+@@ -175,13 +175,8 @@
+ 	REQUIRE(buffer != NULL);
+ 	REQUIRE(size > 0U);
+ 
+-	*p = '\0';
+-
+ 	ch = eatwhite(fp);
+ 
+-	if (ch == EOF)
+-		return (EOF);
+-
+ 	do {
+ 		*p = '\0';
+ 
+@@ -592,23 +587,37 @@
+ 		if (strlen(word) == 0U)
+ 			rval = LWRES_R_SUCCESS;
+ 		else if (strcmp(word, "nameserver") == 0)
+-			rval = lwres_conf_parsenameserver(ctx, fp);
++			rval = (stopchar != '\n')? /* fail instantly if EOL is reached */
++				lwres_conf_parsenameserver(ctx, fp)
++				: LWRES_R_FAILURE;
+ 		else if (strcmp(word, "lwserver") == 0)
+-			rval = lwres_conf_parselwserver(ctx, fp);
++			rval = (stopchar != '\n')?
++				lwres_conf_parselwserver(ctx, fp)
++				: LWRES_R_FAILURE;
+ 		else if (strcmp(word, "domain") == 0)
+-			rval = lwres_conf_parsedomain(ctx, fp);
++			rval = (stopchar != '\n')?
++				lwres_conf_parsedomain(ctx, fp)
++				: LWRES_R_FAILURE;
+ 		else if (strcmp(word, "search") == 0)
+-			rval = lwres_conf_parsesearch(ctx, fp);
++			rval = (stopchar != '\n')?
++				lwres_conf_parsesearch(ctx, fp)
++				: LWRES_R_FAILURE;
+ 		else if (strcmp(word, "sortlist") == 0)
+-			rval = lwres_conf_parsesortlist(ctx, fp);
++			rval = (stopchar != '\n')?
++				lwres_conf_parsesortlist(ctx, fp)
++				: LWRES_R_FAILURE;
+ 		else if (strcmp(word, "options") == 0)
+-			rval = lwres_conf_parseoption(ctx, fp);
++			rval = (stopchar != '\n')?
++				lwres_conf_parseoption(ctx, fp)
++				: LWRES_R_FAILURE;
+ 		else {
+ 			/* unrecognised word. Ignore entire line */
+ 			rval = LWRES_R_SUCCESS;
+-			stopchar = eatline(fp);
+-			if (stopchar == EOF) {
+-				break;
++			if (stopchar != '\n') { /* do not eat the next line */
++				stopchar = eatline(fp);
++				if (stopchar == EOF) {
++					break;
++				}
+ 			}
+ 		}
+ 		if (ret == LWRES_R_SUCCESS && rval != LWRES_R_SUCCESS)
diff --git a/net-dns/bind-tools/metadata.xml b/net-dns/bind-tools/metadata.xml
new file mode 100644
index 0000000..fb31564
--- /dev/null
+++ b/net-dns/bind-tools/metadata.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer>
+		<email>idl0r@gentoo.org</email>
+		<name>Christian Ruppert</name>
+	</maintainer>
+	<use>
+		<flag name="urandom">Use /dev/urandom instead of /dev/random</flag>
+		<flag name="gssapi">Enable gssapi support</flag>
+		<flag name="gost">Enables gost OpenSSL engine support</flag>
+	</use>
+	<longdescription>ISC's Bind DNS' server tools</longdescription>
+</pkgmetadata>