--- bin/named/unix/os.c	2006-02-03 23:51:38.000000000 +0000
+++ ../bin/named/unix/os.c	2007-09-25 16:23:08.000000000 +0000
@@ -174,9 +174,27 @@
 	}
 }
 
+static unsigned int
+linux_getcaps(void) {
+	struct __user_cap_header_struct caphead;
+	struct __user_cap_data_struct cap;
+	char strbuf[ISC_STRERRORSIZE];
+
+	memset(&caphead, 0, sizeof(caphead));
+	caphead.version = _LINUX_CAPABILITY_VERSION;
+	caphead.pid = 0;
+	memset(&cap, 0, sizeof(cap));
+	if (syscall(SYS_capget, &caphead, &cap) < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		ns_main_earlyfatal("capget failed: %s", strbuf);
+	}
+
+	return cap.permitted;
+}
+
 static void
 linux_initialprivs(void) {
-	unsigned int caps;
+	unsigned int caps, current;
 
 	/*%
 	 * We don't need most privileges, so we drop them right away.
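Review bot: linux_getcaps() has no header comment saying which capability set it returns and what a failure does; suggest `/* Return the calling process's permitted capability set (pid 0 = self); a failed capget() aborts startup via ns_main_earlyfatal(). */` above the definition. The `caphead.pid = 0;` assignment is redundant after the memset() two lines earlier and can go. Using `_LINUX_CAPABILITY_VERSION` with a single `__user_cap_data_struct` reads only the 32-bit v1 layout; later kernel headers also define `_LINUX_CAPABILITY_VERSION_2`/`_3` with a two-element data array, so a one-line comment noting that only the low 32 capability bits are consulted would save a future reader from wondering. linux_initialprivs() begins in this hunk but its body continues past it.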
@@ -185,7 +203,8 @@
 	 */
 
 	caps = 0;
-
+	current = linux_getcaps();
+	
 	/*
 	 * We need to be able to bind() to privileged ports, notably port 53!
 	 */
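Review bot: The added blank line after `current = linux_getcaps();` carries a stray tab; it should be an empty line, matching the blank line the hunk removes. The enclosing function linux_initialprivs() starts and ends outside this hunk.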
@@ -226,12 +245,12 @@
 	 */
 	caps |= (1 << CAP_SYS_RESOURCE);
 
-	linux_setcaps(caps);
+	linux_setcaps(caps & current);
 }
 
 static void
 linux_minprivs(void) {
-	unsigned int caps;
+	unsigned int caps, current;
 
 	/*%
 	 * Drop all privileges except the ability to bind() to privileged
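Review bot: `linux_setcaps(caps & current);` silently discards any requested capability that is not in the permitted set, so a missing CAP_NET_BIND_SERVICE or CAP_SYS_RESOURCE only shows up later as an unrelated bind()/setrlimit failure rather than at the point where privileges are being configured; the same pattern appears in the linux_minprivs() hunk further down. Logging the difference before the call would make the failure diagnosable: `if ((caps & ~current) != 0) ns_main_earlywarning("capabilities 0x%x requested but not permitted", caps & ~current);`. The body of linux_initialprivs() that this hunk closes begins outside the hunk, and linux_minprivs(), which starts here, continues past it.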
@@ -242,6 +261,7 @@
 	 */
 
 	caps = 0;
+	current = linux_getcaps();
 	caps |= (1 << CAP_NET_BIND_SERVICE);
 
 	/*
@@ -253,7 +273,7 @@
 	 */
 	caps |= (1 << CAP_SYS_RESOURCE);
 
-	linux_setcaps(caps);
+	linux_setcaps(caps & current);
 }
 
 #ifdef HAVE_SYS_PRCTL_H
