Arch Linux

Can you attach an strace of both the running and failing commands please.

Sure, attached. And below the exact commandline I used to generate them.
Note that both of them were taken inside a docker container.

# strace -o running.strace /usr/sbin/named -f -u named -L named.log
# strace -o failing.strace /usr/sbin/named -f -u named -L named.log

It looks as if the failing one fails on opening the log file.

prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0
seccomp(SECCOMP_SET_MODE_STRICT, 1, NULL) = -1 EINVAL (Invalid argument)
seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=38, filter=0x5576afc1f2b0}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=127, ...}) = 0
stat("named.log", 0x7ffd578da800) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "named.log", O_WRONLY|O_CREAT|O_APPEND, 0666) = ?
+++ killed by SIGKILL +++
Setup the secccomp filtering then seccomp kills because of openat?
Edit:
But unless the platform is i686 it seems openat should be allowed https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=blob;f=bin/named/include/named/seccomp.h;h=2e7f6b41a179ca4ad37070861c75d671184ea58b;hb=HEAD

Sorry, the kill was by me (kill -9).
Ctrl-C does not work and the process does not react in any way, so I killed it.
ps shows the process as <defunct>

# ps faux
root 18157 0.0 0.0 20532 3484 pts/0 Ss 17:07 0:00 | \_ /bin/bash
root 18798 0.0 0.0 18316 1848 pts/0 S+ 17:23 0:00 | \_ strace -o failing.strace /usr/sbin/named -f -u named -L named.log
named 18800 0.0 0.0 0 0 pts/0 Zl+ 17:23 0:00 | \_ [named] <defunct>

And the permission denied also happens for /dev/stdout (that's the only entry in the journal when starting named):
named[19047]: isc_log_open '/dev/stdout' failed: permission denied

switching seccomp to SCMP_ACT_TRAP
--- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP, si_call_addr=0x7f8350da2610, si_syscall=__NR_openat, si_arch=AUDIT_ARCH_X86_64} ---
Not sure which of https://sourceware.org/git/?p=glibc.git&a=search&h=1c9a5c270d8b66f30dcfaf1cb2d6cf39d3e18369&st=commit&s=openat was the trigger

My servers currently run bind 9.11.2-2 and glibc 2.26-5 with user named and so far everything works.

Did you rebuild bind with the new glibc to check your suspicion?

Yes in order to switch seccomp to SCMP_ACT_TRAP at https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=blob;f=bin/named/main.c;h=4fb056636dd29c3ccf021ddb272b1e916baaace9;hb=HEAD#l922
Rebuilding with seccomp disabled named seems to start correctly system is not configured for named but no zombie process is created named can be terminated without resorting to SIGKILL.
named from 9.11.2-2 matches the failing.strace from SuperBFG7 with the exception named.log is replaced by /dev/stdout.
My local build could well be suspect can not explain why your system is not seeing the issue when running as root "/usr/sbin/named -f -u named -L /dev/stdout"
Edit:
If you mean just rebuild against glibc 2.26-5 without any other changes the result was the same as using named from 9.11.2-2
Edit2:
Moving SCMP_SYS(openat), from the https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=blob;f=bin/named/include/named/seccomp.h;h=2e7f6b41a179ca4ad37070861c75d671184ea58b;hb=HEAD#l86 to line 60
and "openat", fromhttps://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=blob;f=bin/named/include/named/seccomp.h;h=2e7f6b41a179ca4ad37070861c75d671184ea58b;hb=HEAD#l153 to line 127
so that they are outside of #ifndef ISC_PLATFORM_USETHREADS meaning it will be used on threaded builds which is what the strace seems to show is required.
named as built with the above modification no longer results in a zombie process requiring SIGKILL.

@seblu: You are right: simply rebuilding bind against glibc-2.26-5 does not resolve this.
@loqs: With "running as root" I meant without the option "-u named", still works for me. But for security reasons I'd rather not do that.

@SuperBFG7 and if you disable seccomp or make the adjustment I noted to bin/named/include/named/seccomp.h ?
@seblu https://phabricator.kde.org/D7806 indicates another project having to add support for openat attributed to glibc 2.26
Looking at other linux distributions that package named I could not trivially find another that is on glibc 2.26 and builds named with seccomp support for comparison.

example patch that moves the openat syscall out of #ifndef ISC_PLATFORM_USETHREADS on x86_64

I can confirm that the patch works and named does not go defunct anymore. Thank you!
Strange is however, that no output is generated to stdout (no idea why) while writting output to a file works as expected (with correct permissions of course).