From df0cae9e8b391795a31e2b7056243c1072520ee2 Mon Sep 17 00:00:00 2001
From: Tomas Hozza <thozza@redhat.com>
Date: Mon, 3 Jun 2013 14:40:31 +0200
Subject: [PATCH] update RRL patch to the latest version 9.9.3-rl.150.20

Signed-off-by: Tomas Hozza <thozza@redhat.com>
---
 bind.spec                           |    5 +-
 rl-9.9.3rc2.patch => rl-9.9.3.patch | 1194 ++++++++++++++-------------
 2 files changed, 639 insertions(+), 560 deletions(-)
 rename rl-9.9.3rc2.patch => rl-9.9.3.patch (76%)

diff --git a/bind.spec b/bind.spec
index abd2280..923de0b 100644
--- a/bind.spec
+++ b/bind.spec
@@ -79,7 +79,7 @@ Patch131:bind-9.9.1-P2-multlib-conflict.patch
 Patch132:bind99-stat.patch
 Patch133:bind99-rh640538.patch
 Patch134:bind97-rh669163.patch
-Patch136:rl-9.9.3rc2.patch
+Patch136:rl-9.9.3.patch
 Patch137:bind99-rrl.patch
 # Install dns/update.h header for bind-dyndb-ldap plugin
 Patch138:bind-9.9.3-include-update-h.patch
@@ -279,7 +279,7 @@ popd
 %patch127 -p1 -b .forward
 %patch130 -p1 -b .libdb4
 %patch131 -p1 -b .multlib-conflict
-%patch136 -p1 -b .rl
+%patch136 -p0 -b .rl
 %patch137 -p1 -b .rrl
 %patch138 -p1 -b .update
 
@@ -782,6 +782,7 @@ rm -rf ${RPM_BUILD_ROOT}
 * Mon Jun 03 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.3-1
 - update to 9.9.3
 - install dns/update.h header
+- update RRL patch to the latest version 9.9.3-rl.150.20
 
 * Fri May 17 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.3-0.7.rc2
 - Fix segfault in host/nslookup (#878139)
diff --git a/rl-9.9.3rc2.patch b/rl-9.9.3.patch
similarity index 76%
rename from rl-9.9.3rc2.patch
rename to rl-9.9.3.patch
index 13d2fd9..90ad238 100644
--- a/rl-9.9.3rc2.patch
+++ b/rl-9.9.3.patch
@@ -1,7 +1,7 @@
-diff -up bind-9.9.3rc2/bin/named/client.c.rl bind-9.9.3rc2/bin/named/client.c
---- bind-9.9.3rc2/bin/named/client.c.rl	2013-04-30 08:38:46.000000000 +0200
-+++ bind-9.9.3rc2/bin/named/client.c	2013-05-13 12:30:38.624659408 +0200
-@@ -994,6 +994,11 @@ ns_client_send(ns_client_t *client) {
+diff -r -u bin/named/client.c-orig bin/named/client.c
+--- bin/named/client.c-orig	2004-01-01 00:00:00.000000000 +0000
++++ bin/named/client.c	2004-01-01 00:00:00.000000000 +0000
+@@ -994,6 +994,11 @@
  	}
  	if (result != ISC_R_SUCCESS)
  		goto done;
@@ -13,7 +13,7 @@ diff -up bind-9.9.3rc2/bin/named/client.c.rl bind-9.9.3rc2/bin/named/client.c
  	result = dns_message_rendersection(client->message,
  					   DNS_SECTION_ANSWER,
  					   DNS_MESSAGERENDER_PARTIAL |
-@@ -1134,6 +1139,49 @@ ns_client_error(ns_client_t *client, isc
+@@ -1134,6 +1139,51 @@
  #endif
  
  	/*
@@ -26,8 +26,7 @@ diff -up bind-9.9.3rc2/bin/named/client.c.rl bind-9.9.3rc2/bin/named/client.c
 +
 +		INSIST(rcode != dns_rcode_noerror &&
 +		       rcode != dns_rcode_nxdomain);
-+		wouldlog = (ns_g_server->log_queries &&
-+			    isc_log_wouldlog(ns_g_lctx, DNS_RRL_LOG_DROP));
++		wouldlog = isc_log_wouldlog(ns_g_lctx, DNS_RRL_LOG_DROP);
 +		rrl_result = dns_rrl(client->view, &client->peeraddr,
 +				     TCP_CLIENT(client),
 +				     dns_rdataclass_in, dns_rdatatype_none,
@@ -41,18 +40,21 @@ diff -up bind-9.9.3rc2/bin/named/client.c.rl bind-9.9.3rc2/bin/named/client.c
 +			 * NS_LOGCATEGORY_RRL.
 +			 */
 +			if (wouldlog) {
-+				ns_client_log(client, NS_LOGCATEGORY_QUERIES,
++				ns_client_log(client,
++					      NS_LOGCATEGORY_QUERY_EERRORS,
 +					      NS_LOGMODULE_CLIENT,
 +					      DNS_RRL_LOG_DROP,
 +					      "%s", log_buf);
 +			}
 +			/*
 +			 * Some error responses cannot be 'slipped',
-+			 * so don't try.
-+			 * This will counted with dropped queries in the
-+			 * QryDropped counter.
++			 * so don't try to slip any error responses.
 +			 */
 +			if (!client->view->rrl->log_only) {
++				isc_stats_increment(ns_g_server->nsstats,
++						dns_nsstatscounter_ratedropped);
++				isc_stats_increment(ns_g_server->nsstats,
++						dns_nsstatscounter_dropped);
 +				ns_client_next(client, DNS_R_DROP);
 +				return;
 +			}
@@ -63,10 +65,10 @@ diff -up bind-9.9.3rc2/bin/named/client.c.rl bind-9.9.3rc2/bin/named/client.c
  	 * Message may be an in-progress reply that we had trouble
  	 * with, in which case QR will be set.  We need to clear QR before
  	 * calling dns_message_reply() to avoid triggering an assertion.
-diff -up bind-9.9.3rc2/bin/named/config.c.rl bind-9.9.3rc2/bin/named/config.c
---- bind-9.9.3rc2/bin/named/config.c.rl	2013-04-30 08:38:46.000000000 +0200
-+++ bind-9.9.3rc2/bin/named/config.c	2013-05-13 12:30:38.625659408 +0200
-@@ -228,6 +228,13 @@ view \"_bind\" chaos {\n\
+diff -r -u bin/named/config.c-orig bin/named/config.c
+--- bin/named/config.c-orig	2004-01-01 00:00:00.000000000 +0000
++++ bin/named/config.c	2004-01-01 00:00:00.000000000 +0000
+@@ -228,6 +228,13 @@
  	notify no;\n\
  	allow-new-zones no;\n\
  \n\
@@ -80,10 +82,10 @@ diff -up bind-9.9.3rc2/bin/named/config.c.rl bind-9.9.3rc2/bin/named/config.c
  	zone \"version.bind\" chaos {\n\
  		type master;\n\
  		database \"_builtin version\";\n\
-diff -up bind-9.9.3rc2/bin/named/include/named/query.h.rl bind-9.9.3rc2/bin/named/include/named/query.h
---- bind-9.9.3rc2/bin/named/include/named/query.h.rl	2013-04-30 08:38:46.000000000 +0200
-+++ bind-9.9.3rc2/bin/named/include/named/query.h	2013-05-13 12:30:38.625659408 +0200
-@@ -85,6 +85,7 @@ struct ns_query {
+diff -r -u bin/named/include/named/query.h-orig bin/named/include/named/query.h
+--- bin/named/include/named/query.h-orig	2004-01-01 00:00:00.000000000 +0000
++++ bin/named/include/named/query.h	2004-01-01 00:00:00.000000000 +0000
+@@ -85,6 +85,7 @@
  #define NS_QUERYATTR_CACHEACLOK		0x2000
  #define NS_QUERYATTR_DNS64		0x4000
  #define NS_QUERYATTR_DNS64EXCLUDE	0x8000
@@ -91,10 +93,10 @@ diff -up bind-9.9.3rc2/bin/named/include/named/query.h.rl bind-9.9.3rc2/bin/name
  
  
  isc_result_t
-diff -up bind-9.9.3rc2/bin/named/include/named/server.h.rl bind-9.9.3rc2/bin/named/include/named/server.h
---- bind-9.9.3rc2/bin/named/include/named/server.h.rl	2013-04-30 08:38:46.000000000 +0200
-+++ bind-9.9.3rc2/bin/named/include/named/server.h	2013-05-13 12:30:38.626659408 +0200
-@@ -167,7 +167,10 @@ enum {
+diff -r -u bin/named/include/named/server.h-orig bin/named/include/named/server.h
+--- bin/named/include/named/server.h-orig	2004-01-01 00:00:00.000000000 +0000
++++ bin/named/include/named/server.h	2004-01-01 00:00:00.000000000 +0000
+@@ -167,7 +167,10 @@
  
  	dns_nsstatscounter_rpz_rewrites = 36,
  
@@ -106,23 +108,40 @@ diff -up bind-9.9.3rc2/bin/named/include/named/server.h.rl bind-9.9.3rc2/bin/nam
  };
  
  void
-diff -up bind-9.9.3rc2/bin/named/query.c.rl bind-9.9.3rc2/bin/named/query.c
---- bind-9.9.3rc2/bin/named/query.c.rl	2013-04-30 08:38:46.000000000 +0200
-+++ bind-9.9.3rc2/bin/named/query.c	2013-05-13 12:30:38.628659407 +0200
-@@ -5865,6 +5865,105 @@ query_find(ns_client_t *client, dns_fetc
+diff -r -u bin/named/query.c-orig bin/named/query.c
+--- bin/named/query.c-orig	2004-01-01 00:00:00.000000000 +0000
++++ bin/named/query.c	2004-01-01 00:00:00.000000000 +0000
+@@ -193,7 +193,7 @@
+ #ifdef NEWSTATS
+ 	/* Do query type statistics
+ 	 *
+-	 * We only increment per-type if we're using the authoriative
++	 * We only increment per-type if we're using the authoritative
+ 	 * answer counter, preventing double-counting.
+ 	 */
+ 	if (counter == dns_nsstatscounter_authans) {
+@@ -5865,6 +5865,128 @@
   resume:
  	CTRACE("query_find: resume");
  
 +	/*
 +	 * Rate limit these responses to this client.
++	 * Do not delay counting and handling obvious referrals,
++	 *	since those won't come here again.
++	 * Delay handling delegations for which we are certain to recurse and
++	 *	return here (DNS_R_DELEGATION, not a child of one of our
++	 *	own zones, and recursion enabled)
++	 * Count each response at most once.
 +	 */
 +	if (client->view->rrl != NULL &&
-+	    fname != NULL && dns_name_isabsolute(fname) &&
++	    ((fname != NULL && dns_name_isabsolute(fname)) ||
++	     (result == ISC_R_NOTFOUND && !RECURSIONOK(client))) &&
++	    !(result == DNS_R_DELEGATION && !is_zone && RECURSIONOK(client)) &&
 +	    (client->query.attributes & NS_QUERYATTR_RRL_CHECKED) == 0) {
 +		dns_rdataset_t nc_rdataset;
 +		isc_boolean_t wouldlog;
 +		char log_buf[DNS_RRL_LOG_BUF_LEN];
-+		isc_result_t nc_result;
++		isc_result_t nc_result, resp_result;
 +		dns_rrl_result_t rrl_result;
 +
 +		client->query.attributes |= NS_QUERYATTR_RRL_CHECKED;
@@ -135,7 +154,7 @@ diff -up bind-9.9.3rc2/bin/named/query.c.rl bind-9.9.3rc2/bin/named/query.c
 +			 */
 +			if (db != NULL)
 +				tname = dns_db_origin(db);
-+			rrl_result = result;
++			resp_result = result;
 +		} else if (result == DNS_R_NCACHENXDOMAIN &&
 +			   rdataset != NULL &&
 +			   dns_rdataset_isassociated(rdataset) &&
@@ -159,17 +178,28 @@ diff -up bind-9.9.3rc2/bin/named/query.c.rl bind-9.9.3rc2/bin/named/query.c
 +				}
 +				dns_rdataset_disassociate(&nc_rdataset);
 +			}
-+			rrl_result = DNS_R_NXDOMAIN;
++			resp_result = DNS_R_NXDOMAIN;
++		} else if (result == DNS_R_NXRRSET ||
++			   result == DNS_R_EMPTYNAME) {
++			resp_result = DNS_R_NXRRSET;
 +		} else if (result == DNS_R_DELEGATION) {
-+			rrl_result = result;
++			resp_result = result;
++		} else if (result == ISC_R_NOTFOUND) {
++			/*
++			 * Handle referral to ".", including when recursion
++			 * is off or not requested and the hints have not
++			 * been loaded or we have "additional-from-cache no".
++			 */
++			tname = dns_rootname;
++			resp_result = DNS_R_DELEGATION;
 +		} else {
-+			rrl_result = ISC_R_SUCCESS;
++			resp_result = ISC_R_SUCCESS;
 +		}
 +		rrl_result = dns_rrl(client->view, &client->peeraddr,
 +				     ISC_TF((client->attributes
 +					     & NS_CLIENTATTR_TCP) != 0),
 +				     client->message->rdclass, qtype, tname,
-+				     rrl_result, client->now,
++				     resp_result, client->now,
 +				     wouldlog, log_buf, sizeof(log_buf));
 +		if (rrl_result != DNS_RRL_RESULT_OK) {
 +			/*
@@ -182,9 +212,10 @@ diff -up bind-9.9.3rc2/bin/named/query.c.rl bind-9.9.3rc2/bin/named/query.c
 +			 * in QryDropped while slipped responses are counted
 +			 * with other truncated responses in RespTruncated.
 +			 */
-+			if (wouldlog && ns_g_server->log_queries) {
-+				ns_client_log(client, NS_LOGCATEGORY_QUERIES,
-+					      NS_LOGMODULE_CLIENT,
++			if (wouldlog) {
++				ns_client_log(client,
++					      NS_LOGCATEGORY_QUERY_EERRORS,
++					      NS_LOGMODULE_QUERY,
 +					      DNS_RRL_LOG_DROP,
 +					      "%s", log_buf);
 +			}
@@ -206,6 +237,9 @@ diff -up bind-9.9.3rc2/bin/named/query.c.rl bind-9.9.3rc2/bin/named/query.c
 +						dns_nsstatscounter_rateslipped);
 +					client->message->flags |=
 +						DNS_MESSAGEFLAG_TC;
++					if (resp_result == DNS_R_NXDOMAIN)
++						client->message->rcode =
++							dns_rcode_nxdomain;
 +				}
 +				goto cleanup;
 +			}
@@ -215,7 +249,7 @@ diff -up bind-9.9.3rc2/bin/named/query.c.rl bind-9.9.3rc2/bin/named/query.c
  	if (!ISC_LIST_EMPTY(client->view->rpz_zones) &&
  	    (RECURSIONOK(client) || !client->view->rpz_recursive_only) &&
  	    rpz_ck_dnssec(client, result, rdataset, sigrdataset) &&
-@@ -7318,12 +7417,14 @@ query_find(ns_client_t *client, dns_fetc
+@@ -7318,12 +7440,14 @@
  	}
  
  	if (eresult != ISC_R_SUCCESS &&
@@ -233,14 +267,14 @@ diff -up bind-9.9.3rc2/bin/named/query.c.rl bind-9.9.3rc2/bin/named/query.c
  			 */
  			query_next(client, eresult);
  		} else {
-diff -up bind-9.9.3rc2/bin/named/server.c.rl bind-9.9.3rc2/bin/named/server.c
---- bind-9.9.3rc2/bin/named/server.c.rl	2013-05-13 12:30:38.586659415 +0200
-+++ bind-9.9.3rc2/bin/named/server.c	2013-05-13 12:30:38.630659407 +0200
-@@ -1706,6 +1706,199 @@ configure_rpz(dns_view_t *view, const cf
+diff -r -u bin/named/server.c-orig bin/named/server.c
+--- bin/named/server.c-orig	2004-01-01 00:00:00.000000000 +0000
++++ bin/named/server.c	2004-01-01 00:00:00.000000000 +0000
+@@ -1639,6 +1639,168 @@
  	return (ISC_R_SUCCESS);
  }
  
-+#define CHECK_RRL(obj, cond, pat, val1, val2)				\
++#define CHECK_RRL(cond, pat, val1, val2)				\
 +	do {								\
 +		if (!(cond)) {						\
 +			cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,	\
@@ -250,6 +284,22 @@ diff -up bind-9.9.3rc2/bin/named/server.c.rl bind-9.9.3rc2/bin/named/server.c
 +		    }							\
 +	} while (0)
 +
++#define CHECK_RRL_RATE(rate, def, max_rate, name)			\
++	do {								\
++		obj = NULL;						\
++		rrl->rate.str = name;					\
++		result = cfg_map_get(map, name, &obj);			\
++		if (result == ISC_R_SUCCESS) {				\
++			rrl->rate.r = cfg_obj_asuint32(obj);		\
++			CHECK_RRL(rrl->rate.r <= max_rate,		\
++				  name" %d > %d",			\
++				  rrl->rate.r, max_rate);		\
++		} else {						\
++			rrl->rate.r = def;				\
++		}							\
++		rrl->rate.scaled = rrl->rate.r;				\
++	} while (0)
++
 +static isc_result_t
 +configure_rrl(dns_view_t *view, const cfg_obj_t *config, const cfg_obj_t *map) {
 +	const cfg_obj_t *obj;
@@ -280,86 +330,39 @@ diff -up bind-9.9.3rc2/bin/named/server.c.rl bind-9.9.3rc2/bin/named/server.c
 +	result = cfg_map_get(map, "max-table-size", &obj);
 +	if (result == ISC_R_SUCCESS) {
 +		i = cfg_obj_asuint32(obj);
-+		CHECK_RRL(obj, i >= min_entries,
++		CHECK_RRL(i >= min_entries,
 +			  "max-table-size %d < min-table-size %d",
 +			  i, min_entries);
 +	}
 +	rrl->max_entries = i;
 +
-+	i = 0;
-+	obj = NULL;
-+	result = cfg_map_get(map, "responses-per-second", &obj);
-+	if (result == ISC_R_SUCCESS) {
-+		i = cfg_obj_asuint32(obj);
-+		CHECK_RRL(obj, i <= DNS_RRL_MAX_RATE,
-+			  "responses-per-second %d > %d",
-+			  i, DNS_RRL_MAX_RATE);
-+	}
-+	rrl->responses_per_second = i;
-+	rrl->scaled_responses_per_second = rrl->responses_per_second;
++	CHECK_RRL_RATE(responses_per_second, 0, DNS_RRL_MAX_RATE,
++		       "responses-per-second");
++	CHECK_RRL_RATE(referrals_per_second,
++		       rrl->responses_per_second.r, DNS_RRL_MAX_RATE,
++		       "referrals-per-second");
++	CHECK_RRL_RATE(nodata_per_second,
++		       rrl->responses_per_second.r, DNS_RRL_MAX_RATE,
++		       "nodata-per-second");
++	CHECK_RRL_RATE(nxdomains_per_second,
++		       rrl->responses_per_second.r, DNS_RRL_MAX_RATE,
++		       "nxdomains-per-second");
++	CHECK_RRL_RATE(errors_per_second,
++		       rrl->responses_per_second.r, DNS_RRL_MAX_RATE,
++		       "errors-per-second");
 +
-+	/*
-+	 * The default error rate is the response rate,
-+	 * and so off by default.
-+	 */
-+	i = rrl->responses_per_second;
-+	obj = NULL;
-+	result = cfg_map_get(map, "errors-per-second", &obj);
-+	if (result == ISC_R_SUCCESS) {
-+		i = cfg_obj_asuint32(obj);
-+		CHECK_RRL(obj, i <= DNS_RRL_MAX_RATE,
-+			  "errors-per-second %d > %d",
-+			  i, DNS_RRL_MAX_RATE);
-+	}
-+	rrl->errors_per_second = i;
-+	rrl->scaled_errors_per_second = rrl->errors_per_second;
-+	/*
-+	 * The default NXDOMAIN rate is the response rate,
-+	 * and so off by default.
-+	 */
-+	i = rrl->responses_per_second;
-+	obj = NULL;
-+	result = cfg_map_get(map, "nxdomains-per-second", &obj);
-+	if (result == ISC_R_SUCCESS) {
-+		i = cfg_obj_asuint32(obj);
-+		CHECK_RRL(obj, i <= DNS_RRL_MAX_RATE,
-+			  "nxdomains-per-second %d > %d",
-+			  i, DNS_RRL_MAX_RATE);
-+	}
-+	rrl->nxdomains_per_second = i;
-+	rrl->scaled_nxdomains_per_second = rrl->nxdomains_per_second;
++	CHECK_RRL_RATE(all_per_second, 0, DNS_RRL_MAX_RATE,
++		       "all-per-second");
 +
-+	/*
-+	 * The all-per-second rate is off by default.
-+	 */
-+	i = 0;
-+	obj = NULL;
-+	result = cfg_map_get(map, "all-per-second", &obj);
-+	if (result == ISC_R_SUCCESS) {
-+		i = cfg_obj_asuint32(obj);
-+		CHECK_RRL(obj, i <= DNS_RRL_MAX_RATE, "all-per-second %d > %d",
-+			  i, DNS_RRL_MAX_RATE);
-+	}
-+	rrl->all_per_second = i;
-+	rrl->scaled_all_per_second = rrl->all_per_second;
-+
-+	i = 2;
-+	obj = NULL;
-+	result = cfg_map_get(map, "slip", &obj);
-+	if (result == ISC_R_SUCCESS) {
-+		i = cfg_obj_asuint32(obj);
-+		CHECK_RRL(obj, i <= DNS_RRL_MAX_SLIP,
-+			  "slip %d > %d", i, DNS_RRL_MAX_SLIP);
-+	}
-+	rrl->slip = i;
-+	rrl->scaled_slip = rrl->slip;
++	CHECK_RRL_RATE(slip, 2, DNS_RRL_MAX_SLIP,
++		       "slip");
 +
 +	i = 15;
 +	obj = NULL;
 +	result = cfg_map_get(map, "window", &obj);
 +	if (result == ISC_R_SUCCESS) {
 +		i = cfg_obj_asuint32(obj);
-+		CHECK_RRL(obj, i >= 1 && i <= DNS_RRL_MAX_WINDOW,
++		CHECK_RRL(i >= 1 && i <= DNS_RRL_MAX_WINDOW,
 +			  "window %d < 1 or > %d", i, DNS_RRL_MAX_WINDOW);
 +	}
 +	rrl->window = i;
@@ -369,18 +372,18 @@ diff -up bind-9.9.3rc2/bin/named/server.c.rl bind-9.9.3rc2/bin/named/server.c
 +	result = cfg_map_get(map, "qps-scale", &obj);
 +	if (result == ISC_R_SUCCESS) {
 +		i = cfg_obj_asuint32(obj);
-+		CHECK_RRL(obj, i >= 1, "invalid 'qps-scale %d'%s", i, "");
++		CHECK_RRL(i >= 1, "invalid 'qps-scale %d'%s", i, "");
 +	}
 +	rrl->qps_scale = i;
 +	rrl->qps = 1.0;
 +
 +	i = 24;
 +	obj = NULL;
-+	result = cfg_map_get(map, "IPv4-prefix-length", &obj);
++	result = cfg_map_get(map, "ipv4-prefix-length", &obj);
 +	if (result == ISC_R_SUCCESS) {
 +		i = cfg_obj_asuint32(obj);
-+		CHECK_RRL(obj, i >= 8 && i <= 32,
-+			  "invalid 'IPv4-prefix-length %d'%s", i, "");
++		CHECK_RRL(i >= 8 && i <= 32,
++			  "invalid 'ipv4-prefix-length %d'%s", i, "");
 +	}
 +	rrl->ipv4_prefixlen = i;
 +	if (i == 32)
@@ -390,11 +393,11 @@ diff -up bind-9.9.3rc2/bin/named/server.c.rl bind-9.9.3rc2/bin/named/server.c
 +
 +	i = 56;
 +	obj = NULL;
-+	result = cfg_map_get(map, "IPv6-prefix-length", &obj);
++	result = cfg_map_get(map, "ipv6-prefix-length", &obj);
 +	if (result == ISC_R_SUCCESS) {
 +		i = cfg_obj_asuint32(obj);
-+		CHECK_RRL(obj, i >= 16 && i <= DNS_RRL_MAX_PREFIX,
-+			  "IPv6-prefix-length %d < 16 or > %d",
++		CHECK_RRL(i >= 16 && i <= DNS_RRL_MAX_PREFIX,
++			  "ipv6-prefix-length %d < 16 or > %d",
 +			  i, DNS_RRL_MAX_PREFIX);
 +	}
 +	rrl->ipv6_prefixlen = i;
@@ -415,7 +418,7 @@ diff -up bind-9.9.3rc2/bin/named/server.c.rl bind-9.9.3rc2/bin/named/server.c
 +		result = cfg_acl_fromconfig(obj, config, ns_g_lctx,
 +					    ns_g_aclconfctx, ns_g_mctx,
 +					    0, &rrl->exempt);
-+		CHECK_RRL(obj, result == ISC_R_SUCCESS,
++		CHECK_RRL(result == ISC_R_SUCCESS,
 +			  "invalid %s%s", "address match list", "");
 +	}
 +
@@ -436,7 +439,7 @@ diff -up bind-9.9.3rc2/bin/named/server.c.rl bind-9.9.3rc2/bin/named/server.c
  /*
   * Configure 'view' according to 'vconfig', taking defaults from 'config'
   * where values are missing in 'vconfig'.
-@@ -3144,6 +3337,14 @@ configure_view(dns_view_t *view, cfg_obj
+@@ -3043,6 +3205,14 @@
  		}
  	}
  
@@ -451,10 +454,10 @@ diff -up bind-9.9.3rc2/bin/named/server.c.rl bind-9.9.3rc2/bin/named/server.c
  	result = ISC_R_SUCCESS;
  
   cleanup:
-diff -up bind-9.9.3rc2/bin/named/statschannel.c.rl bind-9.9.3rc2/bin/named/statschannel.c
---- bind-9.9.3rc2/bin/named/statschannel.c.rl	2013-04-30 08:38:46.000000000 +0200
-+++ bind-9.9.3rc2/bin/named/statschannel.c	2013-05-13 12:30:38.630659407 +0200
-@@ -206,6 +206,10 @@ init_desc(void) {
+diff -r -u bin/named/statschannel.c-orig bin/named/statschannel.c
+--- bin/named/statschannel.c-orig	2004-01-01 00:00:00.000000000 +0000
++++ bin/named/statschannel.c	2004-01-01 00:00:00.000000000 +0000
+@@ -206,6 +206,10 @@
  	SET_NSSTATDESC(updatebadprereq,
  		       "updates rejected due to prerequisite failure",
  		       "UpdateBadPrereq");
@@ -465,10 +468,21 @@ diff -up bind-9.9.3rc2/bin/named/statschannel.c.rl bind-9.9.3rc2/bin/named/stats
  	SET_NSSTATDESC(rpz_rewrites, "response policy zone rewrites",
  		       "RPZRewrites");
  	INSIST(i == dns_nsstatscounter_max);
-diff -up bind-9.9.3rc2/bin/tests/system/conf.sh.in.rl bind-9.9.3rc2/bin/tests/system/conf.sh.in
---- bind-9.9.3rc2/bin/tests/system/conf.sh.in.rl	2013-04-30 08:38:46.000000000 +0200
-+++ bind-9.9.3rc2/bin/tests/system/conf.sh.in	2013-05-13 12:36:29.878601499 +0200
-@@ -62,7 +62,7 @@ SUBDIRS="acl additional allow_query addz
+diff -r -u bin/tests/system/README-orig bin/tests/system/README
+--- bin/tests/system/README-orig	2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/README	2004-01-01 00:00:00.000000000 +0000
+@@ -17,6 +17,7 @@
+   nsupdate/	Dynamic update and IXFR tests
+   resolver/     Regression tests for resolver bugs that have been fixed
+ 		(not a complete resolver test suite)
++  rrl/		query rate limiting
+   rpz/		Tests of response policy zone (RPZ) rewriting
+   stub/		Tests of stub zone functionality
+   unknown/	Unknown type and class tests
+diff -r -u bin/tests/system/conf.sh.in-orig bin/tests/system/conf.sh.in
+--- bin/tests/system/conf.sh.in-orig	2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/conf.sh.in	2004-01-01 00:00:00.000000000 +0000
+@@ -62,7 +62,7 @@
           database dlv dlvauto dlz dlzexternal dname dns64 dnssec ecdsa
           formerr forward glue gost ixfr inline limits logfileconfig
           lwresd masterfile masterformat metadata notify nsupdate pending
@@ -477,20 +491,9 @@ diff -up bind-9.9.3rc2/bin/tests/system/conf.sh.in.rl bind-9.9.3rc2/bin/tests/sy
  	 smartsign sortlist spf staticstub stub tkey tsig tsiggss unknown
  	 upforwd verify views wildcard xfer xferquota zonechecks"
  
-diff -up bind-9.9.3rc2/bin/tests/system/README.rl bind-9.9.3rc2/bin/tests/system/README
---- bind-9.9.3rc2/bin/tests/system/README.rl	2013-04-30 08:38:46.000000000 +0200
-+++ bind-9.9.3rc2/bin/tests/system/README	2013-05-13 12:30:38.630659407 +0200
-@@ -17,6 +17,7 @@ involving a different DNS setup.  They a
-   nsupdate/	Dynamic update and IXFR tests
-   resolver/     Regression tests for resolver bugs that have been fixed
- 		(not a complete resolver test suite)
-+  rrl/		query rate limiting
-   rpz/		Tests of response policy zone (RPZ) rewriting
-   stub/		Tests of stub zone functionality
-   unknown/	Unknown type and class tests
-diff -up bind-9.9.3rc2/bin/tests/system/rrl/clean.sh.rl bind-9.9.3rc2/bin/tests/system/rrl/clean.sh
---- bind-9.9.3rc2/bin/tests/system/rrl/clean.sh.rl	2013-05-13 12:30:38.631659407 +0200
-+++ bind-9.9.3rc2/bin/tests/system/rrl/clean.sh	2013-05-13 12:30:38.631659407 +0200
+diff -r -u bin/tests/system/rrl/clean.sh-orig bin/tests/system/rrl/clean.sh
+--- bin/tests/system/rrl/clean.sh-orig	2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rrl/clean.sh	2004-01-01 00:00:00.000000000 +0000
 @@ -0,0 +1,21 @@
 +# Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
 +#
@@ -511,11 +514,11 @@ diff -up bind-9.9.3rc2/bin/tests/system/rrl/clean.sh.rl bind-9.9.3rc2/bin/tests/
 +# Clean up after rrl tests.
 +
 +rm -f dig.out*
-+rm -f  */named.memstats */named.run */named.stats */log */session.key
++rm -f  */named.memstats */named.run */named.stats */log-* */session.key
 +rm -f ns3/bl*.db */*.jnl */*.core */*.pid
-diff -up bind-9.9.3rc2/bin/tests/system/rrl/ns1/named.conf.rl bind-9.9.3rc2/bin/tests/system/rrl/ns1/named.conf
---- bind-9.9.3rc2/bin/tests/system/rrl/ns1/named.conf.rl	2013-05-13 12:30:38.631659407 +0200
-+++ bind-9.9.3rc2/bin/tests/system/rrl/ns1/named.conf	2013-05-13 12:30:38.631659407 +0200
+diff -r -u bin/tests/system/rrl/ns1/named.conf-orig bin/tests/system/rrl/ns1/named.conf
+--- bin/tests/system/rrl/ns1/named.conf-orig	2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rrl/ns1/named.conf	2004-01-01 00:00:00.000000000 +0000
 @@ -0,0 +1,32 @@
 +/*
 + * Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
@@ -549,9 +552,9 @@ diff -up bind-9.9.3rc2/bin/tests/system/rrl/ns1/named.conf.rl bind-9.9.3rc2/bin/
 +};
 +
 +zone "." {type master; file "root.db";};
-diff -up bind-9.9.3rc2/bin/tests/system/rrl/ns1/root.db.rl bind-9.9.3rc2/bin/tests/system/rrl/ns1/root.db
---- bind-9.9.3rc2/bin/tests/system/rrl/ns1/root.db.rl	2013-05-13 12:30:38.631659407 +0200
-+++ bind-9.9.3rc2/bin/tests/system/rrl/ns1/root.db	2013-05-13 12:30:38.631659407 +0200
+diff -r -u bin/tests/system/rrl/ns1/root.db-orig bin/tests/system/rrl/ns1/root.db
+--- bin/tests/system/rrl/ns1/root.db-orig	2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rrl/ns1/root.db	2004-01-01 00:00:00.000000000 +0000
 @@ -0,0 +1,31 @@
 +; Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
 +;
@@ -584,9 +587,9 @@ diff -up bind-9.9.3rc2/bin/tests/system/rrl/ns1/root.db.rl bind-9.9.3rc2/bin/tes
 +
 +; generate SERVFAIL
 +tld4.		NS	ns.tld3.
-diff -up bind-9.9.3rc2/bin/tests/system/rrl/ns2/hints.rl bind-9.9.3rc2/bin/tests/system/rrl/ns2/hints
---- bind-9.9.3rc2/bin/tests/system/rrl/ns2/hints.rl	2013-05-13 12:30:38.631659407 +0200
-+++ bind-9.9.3rc2/bin/tests/system/rrl/ns2/hints	2013-05-13 12:30:38.631659407 +0200
+diff -r -u bin/tests/system/rrl/ns2/hints-orig bin/tests/system/rrl/ns2/hints
+--- bin/tests/system/rrl/ns2/hints-orig	2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rrl/ns2/hints	2004-01-01 00:00:00.000000000 +0000
 @@ -0,0 +1,18 @@
 +; Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
 +;
@@ -606,10 +609,10 @@ diff -up bind-9.9.3rc2/bin/tests/system/rrl/ns2/hints.rl bind-9.9.3rc2/bin/tests
 +
 +.	0	NS	ns1.
 +ns1.	0	A	10.53.0.1
-diff -up bind-9.9.3rc2/bin/tests/system/rrl/ns2/named.conf.rl bind-9.9.3rc2/bin/tests/system/rrl/ns2/named.conf
---- bind-9.9.3rc2/bin/tests/system/rrl/ns2/named.conf.rl	2013-05-13 12:30:38.631659407 +0200
-+++ bind-9.9.3rc2/bin/tests/system/rrl/ns2/named.conf	2013-05-13 12:30:38.631659407 +0200
-@@ -0,0 +1,72 @@
+diff -r -u bin/tests/system/rrl/ns2/named.conf-orig bin/tests/system/rrl/ns2/named.conf
+--- bin/tests/system/rrl/ns2/named.conf-orig	2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rrl/ns2/named.conf	2004-01-01 00:00:00.000000000 +0000
+@@ -0,0 +1,71 @@
 +/*
 + * Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
 + *
@@ -643,16 +646,15 @@ diff -up bind-9.9.3rc2/bin/tests/system/rrl/ns2/named.conf.rl bind-9.9.3rc2/bin/
 +
 +	rate-limit {
 +	    responses-per-second 2;
-+	    all-per-second 70;
-+	    IPv4-prefix-length 24;
-+	    IPv6-prefix-length 64;
++	    all-per-second 50;
 +	    slip 3;
-+	    /* qps-scale 2; */
 +	    exempt-clients { 10.53.0.7; };
-+	    window 1;
-+	    max-table-size 100;
-+	    min-table-size 2;
++
++	    // small enough to force a table expansion
++	    min-table-size 75;
 +	};
++
++	additional-from-cache no;
 +};
 +
 +key rndc_key {
@@ -682,10 +684,10 @@ diff -up bind-9.9.3rc2/bin/tests/system/rrl/ns2/named.conf.rl bind-9.9.3rc2/bin/
 +zone "." { type hint; file "hints"; };
 +
 +zone "tld2."{ type master; file "tld2.db"; };
-diff -up bind-9.9.3rc2/bin/tests/system/rrl/ns2/tld2.db.rl bind-9.9.3rc2/bin/tests/system/rrl/ns2/tld2.db
---- bind-9.9.3rc2/bin/tests/system/rrl/ns2/tld2.db.rl	2013-05-13 12:30:38.631659407 +0200
-+++ bind-9.9.3rc2/bin/tests/system/rrl/ns2/tld2.db	2013-05-13 12:30:38.631659407 +0200
-@@ -0,0 +1,42 @@
+diff -r -u bin/tests/system/rrl/ns2/tld2.db-orig bin/tests/system/rrl/ns2/tld2.db
+--- bin/tests/system/rrl/ns2/tld2.db-orig	2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rrl/ns2/tld2.db	2004-01-01 00:00:00.000000000 +0000
+@@ -0,0 +1,47 @@
 +; Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
 +;
 +; Permission to use, copy, modify, and/or distribute this software for any
@@ -710,8 +712,10 @@ diff -up bind-9.9.3rc2/bin/tests/system/rrl/ns2/tld2.db.rl bind-9.9.3rc2/bin/tes
 +		NS	.
 +ns		A	10.53.0.2
 +
++; basic rate limiting
 +a1		A	192.0.2.1
 +
++; wildcards
 +*.a2		A	192.0.2.2
 +
 +; a3 is in tld3
@@ -726,11 +730,14 @@ diff -up bind-9.9.3rc2/bin/tests/system/rrl/ns2/tld2.db.rl bind-9.9.3rc2/bin/tes
 +
 +; a7 for SERVFAIL
 +
-+; a8 for all-per-second limit
-+$GENERATE 101-180 all$.a8 A 192.0.2.8
-diff -up bind-9.9.3rc2/bin/tests/system/rrl/ns3/hints.rl bind-9.9.3rc2/bin/tests/system/rrl/ns3/hints
---- bind-9.9.3rc2/bin/tests/system/rrl/ns3/hints.rl	2013-05-13 12:30:38.632659407 +0200
-+++ bind-9.9.3rc2/bin/tests/system/rrl/ns3/hints	2013-05-13 12:30:38.632659407 +0200
++; a8 for NODATA
++a8		A	192.0.2.8
++
++; a9 for all-per-second limit
++$GENERATE 101-180 all$.a9 A 192.0.2.8
+diff -r -u bin/tests/system/rrl/ns3/hints-orig bin/tests/system/rrl/ns3/hints
+--- bin/tests/system/rrl/ns3/hints-orig	2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rrl/ns3/hints	2004-01-01 00:00:00.000000000 +0000
 @@ -0,0 +1,18 @@
 +; Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
 +;
@@ -750,10 +757,10 @@ diff -up bind-9.9.3rc2/bin/tests/system/rrl/ns3/hints.rl bind-9.9.3rc2/bin/tests
 +
 +.	0	NS	ns1.
 +ns1.	0	A	10.53.0.1
-diff -up bind-9.9.3rc2/bin/tests/system/rrl/ns3/named.conf.rl bind-9.9.3rc2/bin/tests/system/rrl/ns3/named.conf
---- bind-9.9.3rc2/bin/tests/system/rrl/ns3/named.conf.rl	2013-05-13 12:30:38.632659407 +0200
-+++ bind-9.9.3rc2/bin/tests/system/rrl/ns3/named.conf	2013-05-13 12:30:38.632659407 +0200
-@@ -0,0 +1,34 @@
+diff -r -u bin/tests/system/rrl/ns3/named.conf-orig bin/tests/system/rrl/ns3/named.conf
+--- bin/tests/system/rrl/ns3/named.conf-orig	2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rrl/ns3/named.conf	2004-01-01 00:00:00.000000000 +0000
+@@ -0,0 +1,50 @@
 +/*
 + * Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
 + *
@@ -783,14 +790,30 @@ diff -up bind-9.9.3rc2/bin/tests/system/rrl/ns3/named.conf.rl bind-9.9.3rc2/bin/
 +	listen-on { 10.53.0.3; };
 +	listen-on-v6 { none; };
 +	notify no;
++
++	// check that all of the options are parsed without limiting anything
++	rate-limit {
++	    responses-per-second 200;
++	    referrals-per-second 220;
++	    nodata-per-second 230;
++	    nxdomains-per-second 240;
++	    errors-per-second 250;
++	    all-per-second 700;
++	    ipv4-prefix-length 24;
++	    ipv6-prefix-length 64;
++	    qps-scale 10;
++	    window 1;
++	    max-table-size 1000;
++	};
++
 +};
 +
 +zone "." { type hint; file "hints"; };
 +
 +zone "tld3."{ type master; file "tld3.db"; };
-diff -up bind-9.9.3rc2/bin/tests/system/rrl/ns3/tld3.db.rl bind-9.9.3rc2/bin/tests/system/rrl/ns3/tld3.db
---- bind-9.9.3rc2/bin/tests/system/rrl/ns3/tld3.db.rl	2013-05-13 12:30:38.632659407 +0200
-+++ bind-9.9.3rc2/bin/tests/system/rrl/ns3/tld3.db	2013-05-13 12:30:38.632659407 +0200
+diff -r -u bin/tests/system/rrl/ns3/tld3.db-orig bin/tests/system/rrl/ns3/tld3.db
+--- bin/tests/system/rrl/ns3/tld3.db-orig	2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rrl/ns3/tld3.db	2004-01-01 00:00:00.000000000 +0000
 @@ -0,0 +1,25 @@
 +; Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
 +;
@@ -817,9 +840,9 @@ diff -up bind-9.9.3rc2/bin/tests/system/rrl/ns3/tld3.db.rl bind-9.9.3rc2/bin/tes
 +ns		A	10.53.0.3
 +
 +*.a3		A	192.0.3.3
-diff -up bind-9.9.3rc2/bin/tests/system/rrl/setup.sh.rl bind-9.9.3rc2/bin/tests/system/rrl/setup.sh
---- bind-9.9.3rc2/bin/tests/system/rrl/setup.sh.rl	2013-05-13 12:30:38.632659407 +0200
-+++ bind-9.9.3rc2/bin/tests/system/rrl/setup.sh	2013-05-13 12:30:38.632659407 +0200
+diff -r -u bin/tests/system/rrl/setup.sh-orig bin/tests/system/rrl/setup.sh
+--- bin/tests/system/rrl/setup.sh-orig	2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rrl/setup.sh	2004-01-01 00:00:00.000000000 +0000
 @@ -0,0 +1,21 @@
 +#!/bin/sh
 +#
@@ -842,10 +865,10 @@ diff -up bind-9.9.3rc2/bin/tests/system/rrl/setup.sh.rl bind-9.9.3rc2/bin/tests/
 +. $SYSTEMTESTTOP/conf.sh
 +. ./clean.sh
 +
-diff -up bind-9.9.3rc2/bin/tests/system/rrl/tests.sh.rl bind-9.9.3rc2/bin/tests/system/rrl/tests.sh
---- bind-9.9.3rc2/bin/tests/system/rrl/tests.sh.rl	2013-05-13 12:30:38.632659407 +0200
-+++ bind-9.9.3rc2/bin/tests/system/rrl/tests.sh	2013-05-13 12:30:38.632659407 +0200
-@@ -0,0 +1,225 @@
+diff -r -u bin/tests/system/rrl/tests.sh-orig bin/tests/system/rrl/tests.sh
+--- bin/tests/system/rrl/tests.sh-orig	2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rrl/tests.sh	2004-01-01 00:00:00.000000000 +0000
+@@ -0,0 +1,258 @@
 +# Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
 +#
 +# Permission to use, copy, modify, and/or distribute this software for any
@@ -867,7 +890,6 @@ diff -up bind-9.9.3rc2/bin/tests/system/rrl/tests.sh.rl bind-9.9.3rc2/bin/tests/
 +. $SYSTEMTESTTOP/conf.sh
 +
 +#set -x
-+#set -o noclobber
 +
 +ns1=10.53.0.1			    # root, defining the others
 +ns2=10.53.0.2			    # test server
@@ -912,15 +934,20 @@ diff -up bind-9.9.3rc2/bin/tests/system/rrl/tests.sh.rl bind-9.9.3rc2/bin/tests/
 +}
 +
 +
++# turn off ${HOME}/.digrc
++HOME=/dev/null; export HOME
++
 +#   $1=result name  $2=domain name  $3=dig options
 +digcmd () {
 +    OFILE=$1; shift
 +    DIG_DOM=$1; shift
-+    ARGS="+noadd +noauth +nosearch +time=1 +tries=1 +ignore $* -p 5300 $DIG_DOM @$ns2"
++    ARGS="+nosearch +time=1 +tries=1 +ignore -p 5300 $* $DIG_DOM @$ns2"
 +    #echo I:dig $ARGS 1>&2
 +    START=`date +%y%m%d%H%M.%S`
 +    RESULT=`$DIG $ARGS 2>&1 | tee $OFILE=TEMP				\
-+	    | sed -n -e  's/^[^;].*	\([^	 ]\{1,\}\)$/\1/p'	\
++	    | sed -n -e '/^;; AUTHORITY/,/^$/d'				\
++		-e '/^;; ADDITIONAL/,/^$/d'				\
++		-e  's/^[^;].*	\([^	 ]\{1,\}\)$/\1/p'		\
 +		-e 's/;; flags.* tc .*/TC/p'				\
 +		-e 's/;; .* status: NXDOMAIN.*/NXDOMAIN/p'		\
 +		-e 's/;; .* status: SERVFAIL.*/SERVFAIL/p'		\
@@ -933,22 +960,16 @@ diff -up bind-9.9.3rc2/bin/tests/system/rrl/tests.sh.rl bind-9.9.3rc2/bin/tests/
 +
 +
 +#   $1=number of tests  $2=target domain  $3=dig options
-+CNT=1
++QNUM=1
 +burst () {
 +    BURST_LIMIT=$1; shift
 +    BURST_DOM_BASE="$1"; shift
 +    while test "$BURST_LIMIT" -ge 1; do
-+	if test $CNT -lt 10; then
-+	    CNT="00$CNT"
-+	else
-+	    if test $CNT -lt 100; then
-+		CNT="0$CNT"
-+	    fi
-+	fi
++	CNT=`expr "00$QNUM" : '.*\(...\)'`
 +	eval BURST_DOM="$BURST_DOM_BASE"
 +	FILE="dig.out-$BURST_DOM-$CNT"
 +	digcmd $FILE $BURST_DOM $* &
-+	CNT=`expr $CNT + 1`
++	QNUM=`expr $QNUM + 1`
 +	BURST_LIMIT=`expr "$BURST_LIMIT" - 1`
 +    done
 +}
@@ -959,29 +980,32 @@ diff -up bind-9.9.3rc2/bin/tests/system/rrl/tests.sh.rl bind-9.9.3rc2/bin/tests/
 +ck_result() {
 +    BAD=
 +    wait
-+    ADDRS=`ls dig.out-$1-*=$2		2>/dev/null	| wc -l | tr -d ' '`
-+    TC=`ls dig.out-$1-*=TC		2>/dev/null	| wc -l | tr -d ' '`
-+    DROP=`ls dig.out-$1-*=drop		2>/dev/null	| wc -l | tr -d ' '`
-+    NXDOMAIN=`ls dig.out-$1-*=NXDOMAIN	2>/dev/null	| wc -l | tr -d ' '`
-+    SERVFAIL=`ls dig.out-$1-*=SERVFAIL	2>/dev/null	| wc -l | tr -d ' '`
++    ADDRS=`ls dig.out-$1-*=$2				2>/dev/null | wc -l`
++    # count simple truncated and truncated NXDOMAIN as TC
++    TC=`ls dig.out-$1-*=TC dig.out-$1-*=NXDOMAINTC	2>/dev/null | wc -l`
++    DROP=`ls dig.out-$1-*=drop				2>/dev/null | wc -l`
++    # count NXDOMAIN and truncated NXDOMAIN as NXDOMAIN
++    NXDOMAIN=`ls dig.out-$1-*=NXDOMAIN  dig.out-$1-*=NXDOMAINTC	2>/dev/null \
++							| wc -l`
++    SERVFAIL=`ls dig.out-$1-*=SERVFAIL			2>/dev/null | wc -l`
 +    if test $ADDRS -ne "$3"; then
-+	setret "I:$ADDRS instead of $3 $2 responses for $1"
++	setret "I:"$ADDRS" instead of $3 '$2' responses for $1"
 +	BAD=yes
 +    fi
 +    if test $TC -ne "$4"; then
-+	setret "I:$TC instead of $4 truncation responses for $1"
++	setret "I:"$TC" instead of $4 truncation responses for $1"
 +	BAD=yes
 +    fi
 +    if test $DROP -ne "$5"; then
-+	setret "I:$DROP instead of $5 dropped responses for $1"
++	setret "I:"$DROP" instead of $5 dropped responses for $1"
 +	BAD=yes
 +    fi
 +    if test $NXDOMAIN -ne "$6"; then
-+	setret "I:$NXDOMAIN instead of $6 NXDOMAIN responses for $1"
++	setret "I:"$NXDOMAIN" instead of $6 NXDOMAIN responses for $1"
 +	BAD=yes
 +    fi
 +    if test $SERVFAIL -ne "$7"; then
-+	setret "I:$SERVFAIL instead of $7 error responses for $1"
++	setret "I:"$SERVFAIL" instead of $7 error responses for $1"
 +	BAD=yes
 +    fi
 +    if test -z "$BAD"; then
@@ -990,91 +1014,123 @@ diff -up bind-9.9.3rc2/bin/tests/system/rrl/tests.sh.rl bind-9.9.3rc2/bin/tests/
 +}
 +
 +
++ckstats () {
++    LABEL="$1"; shift
++    TYPE="$1"; shift
++    EXPECTED="$1"; shift
++    C=`sed -n -e "s/[	 ]*\([0-9]*\).responses $TYPE for rate limits.*/\1/p"  \
++	    ns2/named.stats | tail -1`
++    C=`expr 0$C + 0`
++    if test "$C" -ne $EXPECTED; then
++	setret "I:wrong $LABEL $TYPE statistics of $C instead of $EXPECTED"
++    fi
++}
++
++
 +#########
 +sec_start
 +
++# Tests of referrals to "." must be done before the hints are loaded
++#   or with "additional-from-cache no"
++burst 5 a1.tld3 +norec
 +# basic rate limiting
 +burst 3 a1.tld2
 +# 1 second delay allows an additional response.
 +sleep 1
-+burst 21 a1.tld2
-+# request 30 different qnames to try a wild card
++burst 10 a1.tld2
++# Request 30 different qnames to try a wildcard.
 +burst 30 'x$CNT.a2.tld2'
++# These should be counted and limited but are not.  See RT33138.
++burst 10 'y.x$CNT.a2.tld2'
 +
 +#					IP      TC      drop  NXDOMAIN SERVFAIL
-+# check for 24 results
-+# including the 1 second delay
-+ck_result   a1.tld2	192.0.2.1	3	7	14	0	0
++# referrals to "."
++ck_result   a1.tld3	''		2	1	2	0	0
++# check 13 results including 1 second delay that allows an additional response
++ck_result   a1.tld2	192.0.2.1	3	4	6	0	0
 +
 +# Check the wild card answers.
 +# The parent name of the 30 requests is counted.
 +ck_result 'x*.a2.tld2'	192.0.2.2	2	10	18	0	0
 +
++# These should be limited but are not.  See RT33138.
++ck_result 'y.x*.a2.tld2' 192.0.2.2	10	0	0	0	0
 +
 +#########
 +sec_start
 +
-+burst 1 'y$CNT.a3.tld3'; wait; burst 20 'y$CNT.a3.tld3'
-+burst 20 'z$CNT.a4.tld2'
++burst 10 'x.a3.tld3'
++burst 10 'y$CNT.a3.tld3'
++burst 10 'z$CNT.a4.tld2'
 +
-+# Recursion.
-+#   The first answer is counted separately because it is counted against
-+#   the rate limit on recursing to the server for a3.tld3.  The remaining 20
-+#   are counted as local responses from the cache.
-+ck_result 'y*.a3.tld3'	192.0.3.3	3	6	12	0	0
++# 10 identical recursive responses are limited
++ck_result 'x.a3.tld3'	192.0.3.3	2	3	5	0	0
 +
-+# NXDOMAIN responses are also limited based on the parent name.
-+ck_result 'z*.a4.tld2'	x		0	6	12	2	0
-+
-+
-+#########
-+sec_start
-+
-+burst 20 a5.tld2 +tcp
-+burst 20 a6.tld2 -b $ns7
-+burst 20 a7.tld4
-+
-+# TCP responses are not rate limited
-+ck_result a5.tld2	192.0.2.5	20	0	0	0	0
-+
-+# whitelisted client is not rate limited
-+ck_result a6.tld2	192.0.2.6	20	0	0	0	0
-+
-+# Errors such as SERVFAIL are rate limited.  The numbers are confusing, because
-+#   other rate limiting can be triggered before the SERVFAIL limit is reached.
-+ck_result a7.tld4	192.0.2.1	0	6	12	0	2
-+
-+
-+#########
-+sec_start
-+
-+# all-per-second
-+#   The qnames are all unique but the client IP address is constant.
-+CNT=101
-+burst 80 'all$CNT.a8.tld2'
-+ck_result 'a*.a8.tld2'	192.0.2.8	70	0	10	0	0
++# 10 different recursive responses are not limited
++ck_result 'y*.a3.tld3'	192.0.3.3	10	0	0	0	0
 +
++# 10 different NXDOMAIN responses are limited based on the parent name.
++#   We count 13 responses because we count truncated NXDOMAIN responses
++#   as both truncated and NXDOMAIN.
++ck_result 'z*.a4.tld2'	x		0	3	5	5	0
 +
 +$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s $ns2 stats
-+ckstats () {
-+    CNT=`sed -n -e "s/[	 ]*\([0-9]*\).responses $1 for rate limits.*/\1/p"  \
-+		ns2/named.stats`
-+    CNT=`expr 0$CNT + 0`
-+    if test "$CNT" -ne $2; then
-+	setret "I:wrong $1 statistics of $CNT instead of $2"
-+    fi
-+}
-+ckstats dropped 77
-+ckstats truncated 35
++ckstats first dropped 36
++ckstats first truncated 21
++
++
++#########
++sec_start
++
++burst 10 a5.tld2 +tcp
++burst 10 a6.tld2 -b $ns7
++burst 10 a7.tld4
++burst 2 a8.tld2 AAAA
++burst 2 a8.tld2 TXT
++burst 2 a8.tld2 SPF
++
++#					IP      TC      drop  NXDOMAIN SERVFAIL
++# TCP responses are not rate limited
++ck_result a5.tld2	192.0.2.5	10	0	0	0	0
++
++# whitelisted client is not rate limited
++ck_result a6.tld2	192.0.2.6	10	0	0	0	0
++
++# Errors such as SERVFAIL are rate limited.
++ck_result a7.tld4	x		0	0	8	0	2
++
++# NODATA responses are counted as the same regardless of qtype.
++ck_result a8.tld2	''		2	2	2	0	0
++
++$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s $ns2 stats
++ckstats second dropped 46
++ckstats second truncated 23
++
++
++#########
++sec_start
++
++#					IP      TC      drop  NXDOMAIN SERVFAIL
++# all-per-second
++#   The qnames are all unique but the client IP address is constant.
++QNUM=101
++burst 60 'all$CNT.a9.tld2'
++
++ck_result 'a*.a9.tld2'	192.0.2.8	50	0	10	0	0
++
++$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s $ns2 stats
++ckstats final dropped 56
++ckstats final truncated 23
++
 +
 +echo "I:exit status: $ret"
 +# exit $ret
 +[ $ret -ne 0 ] && echo "I:test failure overridden"
 +exit 0
-diff -up bind-9.9.3rc2/doc/arm/Bv9ARM-book.xml.rl bind-9.9.3rc2/doc/arm/Bv9ARM-book.xml
---- bind-9.9.3rc2/doc/arm/Bv9ARM-book.xml.rl	2013-04-30 08:38:46.000000000 +0200
-+++ bind-9.9.3rc2/doc/arm/Bv9ARM-book.xml	2013-05-13 12:30:38.635659407 +0200
-@@ -4818,6 +4818,34 @@ category notify { null; };
+diff -r -u doc/arm/Bv9ARM-book.xml-orig doc/arm/Bv9ARM-book.xml
+--- doc/arm/Bv9ARM-book.xml-orig	2004-01-01 00:00:00.000000000 +0000
++++ doc/arm/Bv9ARM-book.xml	2004-01-01 00:00:00.000000000 +0000
+@@ -4818,6 +4818,32 @@
  		    </para>
  		  </entry>
  		</row>
@@ -1100,29 +1156,38 @@ diff -up bind-9.9.3rc2/doc/arm/Bv9ARM-book.xml.rl bind-9.9.3rc2/doc/arm/Bv9ARM-b
 +		    </para>
 +		    <para>
 +		      Rate limiting of individual requests
-+		      is logged in the <command>queries</command> category
-+		      and can be controlled with the
-+		      <command>querylog</command> option.
++		      is logged in the <command>query-errors</command> category.
 +		    </para>
 +		  </entry>
 +		</row>
  	      </tbody>
  	    </tgroup>
  	  </informaltable>
-@@ -5351,6 +5379,21 @@ badresp:1,adberr:0,findfail:0,valfail:0]
+@@ -5318,7 +5344,7 @@
+     <optional> match-mapped-addresses <replaceable>yes_or_no</replaceable>; </optional>
+     <optional> filter-aaaa-on-v4 ( <replaceable>yes_or_no</replaceable> | <replaceable>break-dnssec</replaceable> ); </optional>
+     <optional> filter-aaaa { <replaceable>address_match_list</replaceable> }; </optional>
+-    <optional> dns64 <replaceable>IPv6-prefix</replaceable> {
++    <optional> dns64 <replaceable>ipv6-prefix</replaceable> {
+ 	<optional> clients { <replaceable>address_match_list</replaceable> }; </optional>
+ 	<optional> mapped { <replaceable>address_match_list</replaceable> }; </optional>
+         <optional> exclude { <replaceable>address_match_list</replaceable> }; </optional>
+@@ -5351,6 +5377,23 @@
      <optional> resolver-query-timeout <replaceable>number</replaceable> ; </optional>
      <optional> deny-answer-addresses { <replaceable>address_match_list</replaceable> } <optional> except-from { <replaceable>namelist</replaceable> } </optional>;</optional>
      <optional> deny-answer-aliases { <replaceable>namelist</replaceable> } <optional> except-from { <replaceable>namelist</replaceable> } </optional>;</optional>
 +    <optional> rate-limit {
 +	<optional> responses-per-second <replaceable>number</replaceable> ; </optional>
-+	<optional> errors-per-second <replaceable>number</replaceable> ; </optional>
++	<optional> referrals-per-second <replaceable>number</replaceable> ; </optional>
++	<optional> nodata-per-second <replaceable>number</replaceable> ; </optional>
 +	<optional> nxdomains-per-second <replaceable>number</replaceable> ; </optional>
++	<optional> errors-per-second <replaceable>number</replaceable> ; </optional>
 +	<optional> all-per-second <replaceable>number</replaceable> ; </optional>
 +	<optional> window <replaceable>number</replaceable> ; </optional>
 +	<optional> log-only <replaceable>yes_or_no</replaceable> ; </optional>
 +	<optional> qps-scale <replaceable>number</replaceable> ; </optional>
-+	<optional> IPv4-prefix-length <replaceable>number</replaceable> ; </optional>
-+	<optional> IPv6-prefix-length <replaceable>number</replaceable> ; </optional>
++	<optional> ipv4-prefix-length <replaceable>number</replaceable> ; </optional>
++	<optional> ipv6-prefix-length <replaceable>number</replaceable> ; </optional>
 +	<optional> slip <replaceable>number</replaceable> ; </optional>
 +	<optional> exempt-clients  { <replaceable>address_match_list</replaceable> } ; </optional>
 +	<optional> max-table-size <replaceable>number</replaceable> ; </optional>
@@ -1131,67 +1196,101 @@ diff -up bind-9.9.3rc2/doc/arm/Bv9ARM-book.xml.rl bind-9.9.3rc2/doc/arm/Bv9ARM-b
      <optional> response-policy { <replaceable>zone_name</replaceable>
  	<optional> policy given | disabled | passthru | nxdomain | nodata | cname <replaceable>domain</replaceable> </optional>
  	<optional> recursive-only <replaceable>yes_or_no</replaceable> </optional> <optional> max-policy-ttl <replaceable>number</replaceable> </optional> ;
-@@ -9896,6 +9939,215 @@ ns.domain.com.rpz-nsdname   CNAME   .
+@@ -9897,6 +9940,223 @@
              <command>RPZRewrites</command> statistics.
            </para>
          </sect3>
 +
 +	<sect3>
-+	  <title>Rate Limiting</title>
++	  <title>Response Rate Limiting</title>
 +	  <para>
-+	    Excessive essentially identical UDP <emphasis>responses</emphasis>
-+	    can be discarded by configuring a
++	    Excessive almost-identical UDP <emphasis>responses</emphasis>
++	    can be controlled by configuring a
 +	    <command>rate-limit</command> clause in an
-+	    <command>options</command> statement.
-+	    This mechanism keeps BIND 9 from being used
-+	    in amplifying reflection denial of service attacks
-+	    as well as partially protecting BIND 9 itself from
-+	    some denial of service attacks.
-+	    Very short truncated responses can be sent to provide
-+	    rate-limited responses to legitimate
-+	    clients within a range of attacked and forged IP addresses,
-+	    Legitimate clients react to truncated response by retrying
-+	    with TCP.
++	    <command>options</command> or <command>view</command> statement.
++	    This mechanism keeps authoritative BIND 9 from being used
++	    in amplifying reflection denial of service (DoS) attacks.
++	    Short truncated (TC=1) responses can be sent to provide
++	    rate-limited responses to legitimate clients within
++	    a range of forged, attacked IP addresses.
++	    Legitimate clients react to dropped or truncated response
++	    by retrying with UDP or with TCP respectively.
 +	  </para>
 +
 +	  <para>
-+	    Rate limiting works by setting
-+	    <command>responses-per-second</command>
-+	    to a number of repetitions per second for responses for a given name
-+	    and record type to a DNS client.
++	    This mechanism is intended for authoritative DNS servers.
++	    It can be used on recursive servers but can slow
++	    applications such as SMTP servers (mail receivers) and
++	    HTTP clients (web browsers) that repeatedly request the
++	    same domains.
++	    When possible, closing "open" recursive servers is better.
 +	  </para>
 +
 +	  <para>
-+	    <command>Responses-per-second</command> is a limit on
-+	    identical responses instead of a limit on all responses or
-+	    even all responses to a single client.
-+	    10 identical responses per second is a generous limit except perhaps
-+	    when many clients are using a single IP address via network
-+	    address translation (NAT).
-+	    The default limit of zero specifies an unbounded limit to turn off
-+	    rate-limiting in a view or to only rate-limit NXDOMAIN or other
-+	    errors.
++	    Response rate limiting uses a "credit" or "token bucket" scheme.
++	    Each combination of identical response and client
++	    has a conceptual account that earns a specified number
++	    of credits every second.
++	    A prospective response debits its account by one.
++	    Responses are dropped or truncated
++	    while the account is negative.
++            Responses are tracked within a rolling window of time
++            which defaults to 15 seconds, but can be configured with
++            the <command>window</command> option to any value from
++            1 to 3600 seconds (1 hour).
++	    The account cannot become more positive than
++	    the per-second limit
++	    or more negative than <command>window</command>
++	    times the per-second limit.
++            When the specified number of credits for a class of
++            responses is set to 0, those responses are not rate limited.
 +	  </para>
 +
 +	  <para>
-+	    The notion of "identical responses"
-+	    and "single DNS client" cannot be simplistic.
-+	    All responses to a CIDR block with prefix
-+	    length specified with <command>IPv4-prefix-length</command>
-+	    (default 24) or <command>IPv6-prefix-length</command>
-+	    (default 56) are assumed to come from a single DNS client.
-+	    Requests for a name that result in DNS NXDOMAIN
-+	    errors are considered identical.
++	    The notions of "identical response" and "DNS client"
++	    for rate limiting are not simplistic.
++	    All responses to an address block are counted as if to a
++	    single client.
++	    The prefix lengths of addresses blocks are
++	    specified with <command>ipv4-prefix-length</command> (default 24)
++	    and <command>ipv6-prefix-length</command> (default 56).
++	  </para>
++
++	  <para>
++	    All non-empty responses for a valid domain name (qname)
++	    and record type (qtype) are identical and have a limit specified
++	    with <command>responses-per-second</command>
++	    (default 0 or no limit).
++	    All empty (NODATA) responses for a valid domain,
++	    regardless of query type, are identical.
++	    Responses in the NODATA class are limited by
++	    <command>nodata-per-second</command>
++	    (default <command>responses-per-second</command>).
++	    Requests for any and all undefined subdomains of a given
++            valid domain result in NXDOMAIN errors, and are identical
++            regardless of query type.
++	    They are limited by <command>nxdomain-per-second</command>
++	    (default <command>responses-per-second</command>).
 +	    This controls some attacks using random names, but
-+	    accommodates servers that expect many legitimate NXDOMAIN responses
-+	    such as anti-spam blacklists.
-+	    By default the limit on NXDOMAIN errors is the same as the
-+	    <command>responses-per-second</command> value,
-+	    but it can be set separately with
-+	    <command>nxdomains-per-second</command>.
-+	    All requests for all names or types that result in DNS errors
-+	    such as SERVFAIL and FORMERR (but not NXDOMAIN) are considered
-+	    identical.
++	    can be relaxed or turned off (set to 0)
++	    on servers that expect many legitimate
++	    NXDOMAIN responses, such as from anti-spam blacklists.
++	    Referrals or delegations to the server of a given
++	    domain are identical and are limited by
++	    <command>referrals-per-second</command>
++	    (default <command>responses-per-second</command>).
++	  </para>
++
++	  <para>
++	    Responses generated from local wildcards are counted and limited
++	    as if they were for the parent domain name.
++	    This controls flooding using random.wild.example.com.
++	  </para>
++
++	  <para>
++            All requests that result in DNS errors other
++	    than NXDOMAIN, such as SERVFAIL and FORMERR, are identical
++            regardless of requested name (qname) or record type (qtype).
 +	    This controls attacks using invalid requests or distant,
 +	    broken authoritative servers.
 +	    By default the limit on errors is the same as the
@@ -1201,33 +1300,6 @@ diff -up bind-9.9.3rc2/doc/arm/Bv9ARM-book.xml.rl bind-9.9.3rc2/doc/arm/Bv9ARM-b
 +	  </para>
 +
 +	  <para>
-+	    Rate limiting uses a "credit" or "token bucket" scheme.
-+	    Each identical response has a conceptual account
-+	    that is given <command>responses-per-second</command>,
-+	    <command>errors-per-second</command>, and
-+	    <command>nxdomains-per-second</command> credits every second.
-+	    A DNS request triggering some desired response debits
-+	    the account by one.
-+	    Responses are not sent while the account is negative.
-+	    The account cannot become more positive than
-+	    the per-second limit
-+	    or more negative than <command>window</command>
-+	    times the per-second limit.
-+	    A DNS client that sends requests that are not
-+	    answered can be penalized for up to <command>window</command>
-+	    seconds (default 15).
-+	  </para>
-+
-+	  <para>
-+	    Responses generated from local wildcards are counted and limited
-+	    as if they were for the parent domain name.
-+	    This prevents flooding by requesting random.wild.example.com.
-+	    For similar reasons, NXDOMAIN responses are counted and rate
-+	    limited by the valid domain name nearest to the
-+	    query name with an SOA record.
-+	  </para>
-+
-+	  <para>
 +	    Many attacks using DNS involve UDP requests with forged source
 +	    addresses.
 +	    Rate limiting prevents the use of BIND 9 to flood a network
@@ -1236,14 +1308,15 @@ diff -up bind-9.9.3rc2/doc/arm/Bv9ARM-book.xml.rl bind-9.9.3rc2/doc/arm/Bv9ARM-b
 +	    There is a mechanism that can answer some legitimate
 +	    requests from a client whose address is being forged in a flood.
 +	    Setting <command>slip</command> to 2 (its default) causes every
-+	    other UDP request to be answered with a small response
-+	    claiming that the response would have been truncated.
-+	    The small size and relative infrequency of the response make
-+	    it unattractive for abuse.
-+	    <command>Slip</command> must be between 0 and 10.
-+	    A value of 0 does not "slip"
-+	    or sends no rate limiting truncated responses.
-+	    Some error responses includinge REFUSED and SERVFAIL
++	    other UDP request to be answered with a small truncated (TC=1)
++	    response.
++	    The small size and reduced frequency, and so lack of
++	    amplification, of "slipped" responses make them unattractive
++	    for reflection DoS attacks.
++	    <command>slip</command> must be between 0 and 10.
++	    A value of 0 does not "slip";
++	    no truncated responses are sent due to rate limiting.
++	    Some error responses including REFUSED and SERVFAIL
 +	    cannot be replaced with truncated responses and are instead
 +	    leaked at the <command>slip</command> rate.
 +	  </para>
@@ -1273,8 +1346,8 @@ diff -up bind-9.9.3rc2/doc/arm/Bv9ARM-book.xml.rl bind-9.9.3rc2/doc/arm/Bv9ARM-b
 +	    <command>rate-limit</command> statements in <command>view</command>
 +	    statements instead of the global <command>option</command>
 +	    statement.
-+	    A <command>rate-limit</command> statement in a view replaces
-+	    instead of being merged with a <command>rate-limit</command>
++	    A <command>rate-limit</command> statement in a view replaces,
++	    rather than supplementing, a <command>rate-limit</command>
 +	    statement among the main options.
 +	    DNS clients within a view can be exempted from rate limits
 +	    with the <command>exempt-clients</command> clause.
@@ -1347,7 +1420,7 @@ diff -up bind-9.9.3rc2/doc/arm/Bv9ARM-book.xml.rl bind-9.9.3rc2/doc/arm/Bv9ARM-b
        </sect2>
  
        <sect2 id="server_statement_grammar">
-@@ -14648,6 +14900,32 @@ HOST-127.EXAMPLE. MX 0 .
+@@ -14649,6 +14909,32 @@
  		      </para>
  		    </entry>
  		  </row>
@@ -1380,10 +1453,33 @@ diff -up bind-9.9.3rc2/doc/arm/Bv9ARM-book.xml.rl bind-9.9.3rc2/doc/arm/Bv9ARM-b
  		</tbody>
                </tgroup>
              </informaltable>
-diff -up bind-9.9.3rc2/lib/dns/include/dns/log.h.rl bind-9.9.3rc2/lib/dns/include/dns/log.h
---- bind-9.9.3rc2/lib/dns/include/dns/log.h.rl	2013-05-13 12:30:38.489659430 +0200
-+++ bind-9.9.3rc2/lib/dns/include/dns/log.h	2013-05-13 12:30:38.636659406 +0200
-@@ -43,6 +43,7 @@ LIBDNS_EXTERNAL_DATA extern isc_logmodul
+diff -r -u lib/dns/Makefile.in-orig lib/dns/Makefile.in
+--- lib/dns/Makefile.in-orig	2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/Makefile.in	2004-01-01 00:00:00.000000000 +0000
+@@ -67,8 +67,8 @@
+ 		portlist.@O@ private.@O@ \
+ 		rbt.@O@ rbtdb.@O@ rbtdb64.@O@ rcode.@O@ rdata.@O@ \
+ 		rdatalist.@O@ rdataset.@O@ rdatasetiter.@O@ rdataslab.@O@ \
+-		request.@O@ resolver.@O@ result.@O@ rootns.@O@ rpz.@O@ \
+-		rriterator.@O@ sdb.@O@ \
++		request.@O@ resolver.@O@ result.@O@ rootns.@O@ \
++		rpz.@O@ rrl.@O@ rriterator.@O@ sdb.@O@ \
+ 		sdlz.@O@ soa.@O@ ssu.@O@ ssu_external.@O@ \
+ 		stats.@O@ tcpmsg.@O@ time.@O@ timer.@O@ tkey.@O@ \
+ 		tsec.@O@ tsig.@O@ ttl.@O@ update.@O@ validator.@O@ \
+@@ -95,7 +95,7 @@
+ 		name.c ncache.c nsec.c nsec3.c order.c peer.c portlist.c \
+ 		rbt.c rbtdb.c rbtdb64.c rcode.c rdata.c rdatalist.c \
+ 		rdataset.c rdatasetiter.c rdataslab.c request.c \
+-		resolver.c result.c rootns.c rpz.c rriterator.c \
++		resolver.c result.c rootns.c rpz.c rrl.c rriterator.c \
+ 		sdb.c sdlz.c soa.c ssu.c ssu_external.c \
+ 		stats.c tcpmsg.c time.c timer.c tkey.c \
+ 		tsec.c tsig.c ttl.c update.c validator.c \
+diff -r -u lib/dns/include/dns/log.h-orig lib/dns/include/dns/log.h
+--- lib/dns/include/dns/log.h-orig	2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/include/dns/log.h	2004-01-01 00:00:00.000000000 +0000
+@@ -43,6 +43,7 @@
  #define DNS_LOGCATEGORY_DELEGATION_ONLY	(&dns_categories[10])
  #define DNS_LOGCATEGORY_EDNS_DISABLED	(&dns_categories[11])
  #define DNS_LOGCATEGORY_RPZ		(&dns_categories[12])
@@ -1391,10 +1487,10 @@ diff -up bind-9.9.3rc2/lib/dns/include/dns/log.h.rl bind-9.9.3rc2/lib/dns/includ
  
  /* Backwards compatibility. */
  #define DNS_LOGCATEGORY_GENERAL		ISC_LOGCATEGORY_GENERAL
-diff -up bind-9.9.3rc2/lib/dns/include/dns/rrl.h.rl bind-9.9.3rc2/lib/dns/include/dns/rrl.h
---- bind-9.9.3rc2/lib/dns/include/dns/rrl.h.rl	2013-05-13 12:30:38.636659406 +0200
-+++ bind-9.9.3rc2/lib/dns/include/dns/rrl.h	2013-05-13 12:30:38.636659406 +0200
-@@ -0,0 +1,273 @@
+diff -r -u lib/dns/include/dns/rrl.h-orig lib/dns/include/dns/rrl.h
+--- lib/dns/include/dns/rrl.h-orig	2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/include/dns/rrl.h	2004-01-01 00:00:00.000000000 +0000
+@@ -0,0 +1,278 @@
 +/*
 + * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
 + *
@@ -1468,7 +1564,8 @@ diff -up bind-9.9.3rc2/lib/dns/include/dns/rrl.h.rl bind-9.9.3rc2/lib/dns/includ
 +typedef enum {
 +	DNS_RRL_RTYPE_FREE = 0,
 +	DNS_RRL_RTYPE_QUERY,
-+	DNS_RRL_RTYPE_DELEGATION,
++	DNS_RRL_RTYPE_REFERRAL,
++	DNS_RRL_RTYPE_NODATA,
 +	DNS_RRL_RTYPE_NXDOMAIN,
 +	DNS_RRL_RTYPE_ERROR,
 +	DNS_RRL_RTYPE_ALL,
@@ -1587,6 +1684,13 @@ diff -up bind-9.9.3rc2/lib/dns/include/dns/rrl.h.rl bind-9.9.3rc2/lib/dns/includ
 +	dns_fixedname_t	    qname;
 +};
 +
++typedef struct dns_rrl_rate dns_rrl_rate_t;
++struct dns_rrl_rate {
++	int	    r;
++	int	    scaled;
++	const char  *str;
++};
++
 +/*
 + * Per-view query rate limit parameters and a pointer to database.
 + */
@@ -1596,12 +1700,14 @@ diff -up bind-9.9.3rc2/lib/dns/include/dns/rrl.h.rl bind-9.9.3rc2/lib/dns/includ
 +	isc_mem_t	*mctx;
 +
 +	isc_boolean_t	log_only;
-+	int		responses_per_second;
-+	int		errors_per_second;
-+	int		nxdomains_per_second;
-+	int		all_per_second;
++	dns_rrl_rate_t	responses_per_second;
++	dns_rrl_rate_t	referrals_per_second;
++	dns_rrl_rate_t	nodata_per_second;
++	dns_rrl_rate_t	nxdomains_per_second;
++	dns_rrl_rate_t	errors_per_second;
++	dns_rrl_rate_t	all_per_second;
++	dns_rrl_rate_t	slip;
 +	int		window;
-+	int		slip;
 +	double		qps_scale;
 +	int		max_entries;
 +
@@ -1612,11 +1718,6 @@ diff -up bind-9.9.3rc2/lib/dns/include/dns/rrl.h.rl bind-9.9.3rc2/lib/dns/includ
 +	int		qps_responses;
 +	isc_stdtime_t	qps_time;
 +	double		qps;
-+	int		scaled_responses_per_second;
-+	int		scaled_errors_per_second;
-+	int		scaled_nxdomains_per_second;
-+	int		scaled_all_per_second;
-+	int		scaled_slip;
 +
 +	unsigned int	probes;
 +	unsigned int	searches;
@@ -1668,9 +1769,9 @@ diff -up bind-9.9.3rc2/lib/dns/include/dns/rrl.h.rl bind-9.9.3rc2/lib/dns/includ
 +ISC_LANG_ENDDECLS
 +
 +#endif /* DNS_RRL_H */
-diff -up bind-9.9.3rc2/lib/dns/include/dns/view.h.rl bind-9.9.3rc2/lib/dns/include/dns/view.h
---- bind-9.9.3rc2/lib/dns/include/dns/view.h.rl	2013-04-30 08:38:46.000000000 +0200
-+++ bind-9.9.3rc2/lib/dns/include/dns/view.h	2013-05-13 12:30:38.636659406 +0200
+diff -r -u lib/dns/include/dns/view.h-orig lib/dns/include/dns/view.h
+--- lib/dns/include/dns/view.h-orig	2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/include/dns/view.h	2004-01-01 00:00:00.000000000 +0000
 @@ -73,6 +73,7 @@
  
  #include <dns/acl.h>
@@ -1679,7 +1780,7 @@ diff -up bind-9.9.3rc2/lib/dns/include/dns/view.h.rl bind-9.9.3rc2/lib/dns/inclu
  #include <dns/rdatastruct.h>
  #include <dns/rpz.h>
  #include <dns/types.h>
-@@ -142,6 +143,7 @@ struct dns_view {
+@@ -142,6 +143,7 @@
  	dns_rbt_t *			answeracl_exclude;
  	dns_rbt_t *			denyanswernames;
  	dns_rbt_t *			answernames_exclude;
@@ -1687,10 +1788,10 @@ diff -up bind-9.9.3rc2/lib/dns/include/dns/view.h.rl bind-9.9.3rc2/lib/dns/inclu
  	isc_boolean_t			provideixfr;
  	isc_boolean_t			requestnsid;
  	dns_ttl_t			maxcachettl;
-diff -up bind-9.9.3rc2/lib/dns/log.c.rl bind-9.9.3rc2/lib/dns/log.c
---- bind-9.9.3rc2/lib/dns/log.c.rl	2013-05-13 12:30:38.489659430 +0200
-+++ bind-9.9.3rc2/lib/dns/log.c	2013-05-13 12:30:38.637659406 +0200
-@@ -45,6 +45,7 @@ LIBDNS_EXTERNAL_DATA isc_logcategory_t d
+diff -r -u lib/dns/log.c-orig lib/dns/log.c
+--- lib/dns/log.c-orig	2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/log.c	2004-01-01 00:00:00.000000000 +0000
+@@ -45,6 +45,7 @@
  	{ "delegation-only", 0 },
  	{ "edns-disabled", 0 },
  	{ "rpz",	0 },
@@ -1698,33 +1799,10 @@ diff -up bind-9.9.3rc2/lib/dns/log.c.rl bind-9.9.3rc2/lib/dns/log.c
  	{ NULL, 	0 }
  };
  
-diff -up bind-9.9.3rc2/lib/dns/Makefile.in.rl bind-9.9.3rc2/lib/dns/Makefile.in
---- bind-9.9.3rc2/lib/dns/Makefile.in.rl	2013-05-13 12:30:38.515659426 +0200
-+++ bind-9.9.3rc2/lib/dns/Makefile.in	2013-05-13 12:30:38.636659406 +0200
-@@ -63,8 +63,8 @@ DNSOBJS =	acache.@O@ acl.@O@ adb.@O@ bya
- 		portlist.@O@ private.@O@ \
- 		rbt.@O@ rbtdb.@O@ rbtdb64.@O@ rcode.@O@ rdata.@O@ \
- 		rdatalist.@O@ rdataset.@O@ rdatasetiter.@O@ rdataslab.@O@ \
--		request.@O@ resolver.@O@ result.@O@ rootns.@O@ rpz.@O@ \
--		rriterator.@O@ sdb.@O@ \
-+		request.@O@ resolver.@O@ result.@O@ rootns.@O@ \
-+		rpz.@O@ rrl.@O@ rriterator.@O@ sdb.@O@ \
- 		sdlz.@O@ soa.@O@ ssu.@O@ ssu_external.@O@ \
- 		stats.@O@ tcpmsg.@O@ time.@O@ timer.@O@ tkey.@O@ \
- 		tsec.@O@ tsig.@O@ ttl.@O@ update.@O@ validator.@O@ \
-@@ -91,7 +91,7 @@ DNSSRCS =	acache.c acl.c adb.c byaddr.c
- 		name.c ncache.c nsec.c nsec3.c order.c peer.c portlist.c \
- 		rbt.c rbtdb.c rbtdb64.c rcode.c rdata.c rdatalist.c \
- 		rdataset.c rdatasetiter.c rdataslab.c request.c \
--		resolver.c result.c rootns.c rpz.c rriterator.c \
-+		resolver.c result.c rootns.c rpz.c rrl.c rriterator.c \
- 		sdb.c sdlz.c soa.c ssu.c ssu_external.c \
- 		stats.c tcpmsg.c time.c timer.c tkey.c \
- 		tsec.c tsig.c ttl.c update.c validator.c \
-diff -up bind-9.9.3rc2/lib/dns/rrl.c.rl bind-9.9.3rc2/lib/dns/rrl.c
---- bind-9.9.3rc2/lib/dns/rrl.c.rl	2013-05-13 12:30:38.637659406 +0200
-+++ bind-9.9.3rc2/lib/dns/rrl.c	2013-05-13 12:30:38.637659406 +0200
-@@ -0,0 +1,1335 @@
+diff -r -u lib/dns/rrl.c-orig lib/dns/rrl.c
+--- lib/dns/rrl.c-orig	2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/rrl.c	2004-01-01 00:00:00.000000000 +0000
+@@ -0,0 +1,1324 @@
 +/*
 + * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
 + *
@@ -1894,11 +1972,11 @@ diff -up bind-9.9.3rc2/lib/dns/rrl.c.rl bind-9.9.3rc2/lib/dns/rrl.c
 +	if (ts >= DNS_RRL_MAX_TS) {
 +		ts_gen = (ts_gen + 1) % DNS_RRL_TS_BASES;
 +		for (e_old = ISC_LIST_TAIL(rrl->lru), i = 0;
-+		     e_old != NULL && e_old->ts_gen == ts_gen;
++		     e_old != NULL && (e_old->ts_gen == ts_gen ||
++				       !ISC_LINK_LINKED(e_old, hlink));
 +		     e_old = ISC_LIST_PREV(e_old, lru), ++i)
 +		{
-+			if (e_old->ts_valid)
-+				e_old->ts_valid = ISC_FALSE;
++			e_old->ts_valid = ISC_FALSE;
 +		}
 +		if (i != 0)
 +			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
@@ -2130,9 +2208,16 @@ diff -up bind-9.9.3rc2/lib/dns/rrl.c.rl bind-9.9.3rc2/lib/dns/rrl.c
 +	memset(key, 0, sizeof(*key));
 +
 +	key->s.rtype = rtype;
-+	if (rtype == DNS_RRL_RTYPE_QUERY || rtype == DNS_RRL_RTYPE_DELEGATION) {
-+		key->s.qclass = qclass & 0xff;
++	if (rtype == DNS_RRL_RTYPE_QUERY) {
 +		key->s.qtype = qtype;
++		key->s.qclass = qclass & 0xff;
++	} else if (rtype == DNS_RRL_RTYPE_REFERRAL ||
++		   rtype == DNS_RRL_RTYPE_NODATA) {
++		/*
++		 * Because there is no qtype in the empty answer sections of
++		 * referral and NODATA responses, count them as the same.
++		 */
++		key->s.qclass = qclass & 0xff;
 +	}
 +
 +	if (qname != NULL && qname->labels != 0) {
@@ -2167,33 +2252,40 @@ diff -up bind-9.9.3rc2/lib/dns/rrl.c.rl bind-9.9.3rc2/lib/dns/rrl.c
 +	}
 +}
 +
-+static inline int
-+response_balance(const dns_rrl_t *rrl, const dns_rrl_entry_t *e, int age) {
-+	int balance, rate = 0;
-+
-+	balance = e->responses;
-+	if (balance < 0)
-+		switch (e->key.s.rtype) {
-+		case DNS_RRL_RTYPE_QUERY:
-+		case DNS_RRL_RTYPE_DELEGATION:
-+			rate = rrl->scaled_responses_per_second;
-+			break;
-+		case DNS_RRL_RTYPE_NXDOMAIN:
-+			rate = rrl->scaled_nxdomains_per_second;
-+			break;
-+		case DNS_RRL_RTYPE_ERROR:
-+			rate = rrl->scaled_errors_per_second;
-+			break;
-+		case DNS_RRL_RTYPE_ALL:
-+			rate = rrl->scaled_all_per_second;
-+			break;
-+		case DNS_RRL_RTYPE_TCP:
-+			rate = 1;
-+			break;
-+		default:
-+			INSIST(0);
++static inline dns_rrl_rate_t *
++get_rate(dns_rrl_t *rrl, dns_rrl_rtype_t rtype) {
++	switch (rtype) {
++	case DNS_RRL_RTYPE_QUERY:
++		return (&rrl->responses_per_second);
++	case DNS_RRL_RTYPE_REFERRAL:
++		return (&rrl->referrals_per_second);
++	case DNS_RRL_RTYPE_NODATA:
++		return (&rrl->nodata_per_second);
++	case DNS_RRL_RTYPE_NXDOMAIN:
++		return (&rrl->nxdomains_per_second);
++	case DNS_RRL_RTYPE_ERROR:
++		return (&rrl->errors_per_second);
++	case DNS_RRL_RTYPE_ALL:
++		return (&rrl->all_per_second);
++	default:
++		INSIST(0);
 +	}
-+	balance += age * rate;
++	return (NULL);
++}
++
++static int
++response_balance(dns_rrl_t *rrl, const dns_rrl_entry_t *e, int age) {
++	dns_rrl_rate_t *ratep;
++	int balance, rate;
++
++	if (e->key.s.rtype == DNS_RRL_RTYPE_TCP) {
++		rate = 1;
++	} else {
++		ratep = get_rate(rrl, e->key.s.rtype);
++		rate = ratep->scaled;
++	}
++
++	balance = e->responses + age * rate;
 +	if (balance > rate)
 +		balance = rate;
 +	return (balance);
@@ -2278,7 +2370,7 @@ diff -up bind-9.9.3rc2/lib/dns/rrl.c.rl bind-9.9.3rc2/lib/dns/rrl.c
 +			e = NULL;
 +			break;
 +		}
-+		if (!e->logged && response_balance(rrl, e, age) >= 0)
++		if (!e->logged && response_balance(rrl, e, age) > 0)
 +			break;
 +	}
 +	if (e == NULL) {
@@ -2325,35 +2417,16 @@ diff -up bind-9.9.3rc2/lib/dns/rrl.c.rl bind-9.9.3rc2/lib/dns/rrl.c
 +		const isc_sockaddr_t *client_addr, isc_stdtime_t now,
 +		char *log_buf, unsigned int log_buf_len)
 +{
-+	int rate, new_rate, *ratep, slip, new_slip, age, log_secs, min;
-+	const char *rate_str = NULL;
++	int rate, new_rate, slip, new_slip, age, log_secs, min;
++	dns_rrl_rate_t *ratep;
 +	dns_rrl_entry_t const *credit_e;
 +
 +	/*
 +	 * Pick the rate counter.
 +	 * Optionally adjust the rate by the estimated query/second rate.
 +	 */
-+	switch (e->key.s.rtype) {
-+	case DNS_RRL_RTYPE_QUERY:
-+	case DNS_RRL_RTYPE_DELEGATION:
-+		rate = rrl->responses_per_second;
-+		ratep = &rrl->scaled_responses_per_second;
-+		break;
-+	case DNS_RRL_RTYPE_NXDOMAIN:
-+		rate = rrl->nxdomains_per_second;
-+		ratep = &rrl->scaled_nxdomains_per_second;
-+		break;
-+	case DNS_RRL_RTYPE_ERROR:
-+		rate = rrl->errors_per_second;
-+		ratep = &rrl->scaled_errors_per_second;
-+		break;
-+	case DNS_RRL_RTYPE_ALL:
-+		rate = rrl->all_per_second;
-+		ratep = &rrl->scaled_all_per_second;
-+		break;
-+	default:
-+		INSIST(0);
-+	}
++	ratep = get_rate(rrl, e->key.s.rtype);
++	rate = ratep->r;
 +	if (rate == 0)
 +		return (DNS_RRL_RESULT_OK);
 +
@@ -2375,36 +2448,16 @@ diff -up bind-9.9.3rc2/lib/dns/rrl.c.rl bind-9.9.3rc2/lib/dns/rrl.c
 +		new_rate = (int) (rate * scale);
 +		if (new_rate < 1)
 +			new_rate = 1;
-+		if (*ratep != new_rate) {
-+			if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG1)) {
-+				switch (e->key.s.rtype) {
-+				case DNS_RRL_RTYPE_QUERY:
-+				case DNS_RRL_RTYPE_DELEGATION:
-+					rate_str = "responses-per-second";
-+					break;
-+				case DNS_RRL_RTYPE_NXDOMAIN:
-+					rate_str = "nxdomains-per-second";
-+					break;
-+				case DNS_RRL_RTYPE_ERROR:
-+					rate_str = "errors-per-second";
-+					break;
-+				case DNS_RRL_RTYPE_ALL:
-+					rate_str = "all-per-second";
-+					break;
-+				case DNS_RRL_RTYPE_FREE:
-+				case DNS_RRL_RTYPE_TCP:
-+					INSIST(0);
-+				}
-+				isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
-+					      DNS_LOGMODULE_REQUEST,
-+					      DNS_RRL_LOG_DEBUG1,
-+					      "%d qps scaled %s by %.2f"
-+					      " from %d to %d",
-+					      (int)qps, rate_str, scale,
-+					      rate, new_rate);
-+			}
++		if (ratep->scaled != new_rate) {
++			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
++				      DNS_LOGMODULE_REQUEST,
++				      DNS_RRL_LOG_DEBUG1,
++				      "%d qps scaled %s by %.2f"
++				      " from %d to %d",
++				      (int)qps, ratep->str, scale,
++				      rate, new_rate);
 +			rate = new_rate;
-+			*ratep = rate;
++			ratep->scaled = rate;
 +		}
 +	}
 +
@@ -2463,22 +2516,21 @@ diff -up bind-9.9.3rc2/lib/dns/rrl.c.rl bind-9.9.3rc2/lib/dns/rrl.c
 +	/*
 +	 * Drop this response unless it should slip or leak.
 +	 */
-+	slip = rrl->slip;
++	slip = rrl->slip.r;
 +	if (slip > 2 && scale < 1.0) {
 +		new_slip = (int) (slip * scale);
 +		if (new_slip < 2)
 +			new_slip = 2;
-+		if (rrl->scaled_slip != new_slip) {
-+			if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG1))
-+				isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
-+					      DNS_LOGMODULE_REQUEST,
-+					      DNS_RRL_LOG_DEBUG1,
-+					      "%d qps scaled slip"
-+					      " by %.2f from %d to %d",
-+					      (int)qps, scale,
-+					      slip, new_slip);
++		if (rrl->slip.scaled != new_slip) {
++			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
++				      DNS_LOGMODULE_REQUEST,
++				      DNS_RRL_LOG_DEBUG1,
++				      "%d qps scaled slip"
++				      " by %.2f from %d to %d",
++				      (int)qps, scale,
++				      slip, new_slip);
 +			slip = new_slip;
-+			rrl->scaled_slip = slip;
++			rrl->slip.scaled = slip;
 +		}
 +	}
 +	if (slip != 0 && e->key.s.rtype != DNS_RRL_RTYPE_ALL) {
@@ -2580,34 +2632,36 @@ diff -up bind-9.9.3rc2/lib/dns/rrl.c.rl bind-9.9.3rc2/lib/dns/rrl.c
 +
 +	switch (e->key.s.rtype) {
 +	case DNS_RRL_RTYPE_QUERY:
-+		ADD_LOG_CSTR(&lb, "response");
 +		break;
-+	case DNS_RRL_RTYPE_DELEGATION:
-+		ADD_LOG_CSTR(&lb, "referral");
++	case DNS_RRL_RTYPE_REFERRAL:
++		ADD_LOG_CSTR(&lb, "referral ");
++		break;
++	case DNS_RRL_RTYPE_NODATA:
++		ADD_LOG_CSTR(&lb, "NODATA ");
 +		break;
 +	case DNS_RRL_RTYPE_NXDOMAIN:
-+		ADD_LOG_CSTR(&lb, "NXDOMAIN response");
++		ADD_LOG_CSTR(&lb, "NXDOMAIN ");
 +		break;
 +	case DNS_RRL_RTYPE_ERROR:
 +		if (resp_result == ISC_R_SUCCESS) {
-+			ADD_LOG_CSTR(&lb, "error response");
++			ADD_LOG_CSTR(&lb, "error ");
 +		} else {
 +			rstr = isc_result_totext(resp_result);
 +			add_log_str(&lb, rstr, strlen(rstr));
-+			ADD_LOG_CSTR(&lb, " response");
++			ADD_LOG_CSTR(&lb, " error ");
 +		}
 +		break;
 +	case DNS_RRL_RTYPE_ALL:
-+		ADD_LOG_CSTR(&lb, "all response");
++		ADD_LOG_CSTR(&lb, "all ");
 +		break;
 +	default:
 +		INSIST(0);
 +	}
 +
 +	if (plural)
-+		ADD_LOG_CSTR(&lb, "s to ");
++		ADD_LOG_CSTR(&lb, "responses to ");
 +	else
-+		ADD_LOG_CSTR(&lb, " to ");
++		ADD_LOG_CSTR(&lb, "response to ");
 +
 +	memset(&cidr, 0, sizeof(cidr));
 +	if (e->key.s.ipv6) {
@@ -2626,7 +2680,8 @@ diff -up bind-9.9.3rc2/lib/dns/rrl.c.rl bind-9.9.3rc2/lib/dns/rrl.c
 +	add_log_str(&lb, strbuf, strlen(strbuf));
 +
 +	if (e->key.s.rtype == DNS_RRL_RTYPE_QUERY ||
-+	    e->key.s.rtype == DNS_RRL_RTYPE_DELEGATION ||
++	    e->key.s.rtype == DNS_RRL_RTYPE_REFERRAL ||
++	    e->key.s.rtype == DNS_RRL_RTYPE_NODATA ||
 +	    e->key.s.rtype == DNS_RRL_RTYPE_NXDOMAIN) {
 +		qbuf = get_qname(rrl, e);
 +		if (save_qname && qbuf == NULL &&
@@ -2674,8 +2729,10 @@ diff -up bind-9.9.3rc2/lib/dns/rrl.c.rl bind-9.9.3rc2/lib/dns/rrl.c
 +		if (e->key.s.rtype != DNS_RRL_RTYPE_NXDOMAIN) {
 +			ADD_LOG_CSTR(&lb, " ");
 +			(void)dns_rdataclass_totext(e->key.s.qclass, &lb);
-+			ADD_LOG_CSTR(&lb, " ");
-+			(void)dns_rdatatype_totext(e->key.s.qtype, &lb);
++			if (e->key.s.rtype == DNS_RRL_RTYPE_QUERY) {
++				ADD_LOG_CSTR(&lb, " ");
++				(void)dns_rdatatype_totext(e->key.s.qtype, &lb);
++			}
 +		}
 +		snprintf(strbuf, sizeof(strbuf), "  (%08x)",
 +			 e->key.s.qname_hash);
@@ -2844,14 +2901,23 @@ diff -up bind-9.9.3rc2/lib/dns/rrl.c.rl bind-9.9.3rc2/lib/dns/rrl.c
 +	 * Find the right kind of entry, creating it if necessary.
 +	 * If that is impossible, then nothing more can be done
 +	 */
-+	if (resp_result == ISC_R_SUCCESS)
++	switch (resp_result) {
++	case ISC_R_SUCCESS:
 +		rtype = DNS_RRL_RTYPE_QUERY;
-+	else if (resp_result == DNS_R_DELEGATION)
-+		rtype = DNS_RRL_RTYPE_DELEGATION;
-+	else if (resp_result == DNS_R_NXDOMAIN)
++		break;
++	case DNS_R_DELEGATION:
++		rtype = DNS_RRL_RTYPE_REFERRAL;
++		break;
++	case DNS_R_NXRRSET:
++		rtype = DNS_RRL_RTYPE_NODATA;
++		break;
++	case DNS_R_NXDOMAIN:
 +		rtype = DNS_RRL_RTYPE_NXDOMAIN;
-+	else
++		break;
++	default:
 +		rtype = DNS_RRL_RTYPE_ERROR;
++		break;
++	}
 +	e = get_entry(rrl, client_addr, qclass, qtype, qname, rtype,
 +		      now, ISC_TRUE, log_buf, log_buf_len);
 +	if (e == NULL) {
@@ -2875,7 +2941,7 @@ diff -up bind-9.9.3rc2/lib/dns/rrl.c.rl bind-9.9.3rc2/lib/dns/rrl.c
 +	rrl_result = debit_rrl_entry(rrl, e, qps, scale, client_addr, now,
 +				     log_buf, log_buf_len);
 +
-+	if (rrl->all_per_second != 0) {
++	if (rrl->all_per_second.r != 0) {
 +		/*
 +		 * We must debit the all-per-second token bucket if we have
 +		 * an all-per-second limit for the IP address.
@@ -2958,7 +3024,8 @@ diff -up bind-9.9.3rc2/lib/dns/rrl.c.rl bind-9.9.3rc2/lib/dns/rrl.c
 +	 * Make a log message for the caller.
 +	 */
 +	if (wouldlog)
-+		make_log_buf(rrl, e, rrl->log_only ? "would " : NULL,
++		make_log_buf(rrl, e,
++			     rrl->log_only ? "would rate limit " : "rate limit ",
 +			     NULL, ISC_FALSE, qname, ISC_FALSE,
 +			     rrl_result, resp_result, log_buf, log_buf_len);
 +
@@ -3060,9 +3127,9 @@ diff -up bind-9.9.3rc2/lib/dns/rrl.c.rl bind-9.9.3rc2/lib/dns/rrl.c
 +	*rrlp = rrl;
 +	return (ISC_R_SUCCESS);
 +}
-diff -up bind-9.9.3rc2/lib/dns/view.c.rl bind-9.9.3rc2/lib/dns/view.c
---- bind-9.9.3rc2/lib/dns/view.c.rl	2013-04-30 08:38:46.000000000 +0200
-+++ bind-9.9.3rc2/lib/dns/view.c	2013-05-13 12:30:38.638659406 +0200
+diff -r -u lib/dns/view.c-orig lib/dns/view.c
+--- lib/dns/view.c-orig	2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/view.c	2004-01-01 00:00:00.000000000 +0000
 @@ -49,6 +49,7 @@
  #include <dns/masterdump.h>
  #include <dns/order.h>
@@ -3071,7 +3138,7 @@ diff -up bind-9.9.3rc2/lib/dns/view.c.rl bind-9.9.3rc2/lib/dns/view.c
  #include <dns/rbt.h>
  #include <dns/rdataset.h>
  #include <dns/request.h>
-@@ -184,6 +185,7 @@ dns_view_create(isc_mem_t *mctx, dns_rda
+@@ -184,6 +185,7 @@
  	view->answeracl_exclude = NULL;
  	view->denyanswernames = NULL;
  	view->answernames_exclude = NULL;
@@ -3079,7 +3146,7 @@ diff -up bind-9.9.3rc2/lib/dns/view.c.rl bind-9.9.3rc2/lib/dns/view.c
  	view->provideixfr = ISC_TRUE;
  	view->maxcachettl = 7 * 24 * 3600;
  	view->maxncachettl = 3 * 3600;
-@@ -335,9 +337,11 @@ destroy(dns_view_t *view) {
+@@ -335,9 +337,11 @@
  		dns_acache_detach(&view->acache);
  	}
  	dns_rpz_view_destroy(view);
@@ -3091,10 +3158,10 @@ diff -up bind-9.9.3rc2/lib/dns/view.c.rl bind-9.9.3rc2/lib/dns/view.c
  #endif
  	if (view->requestmgr != NULL)
  		dns_requestmgr_detach(&view->requestmgr);
-diff -up bind-9.9.3rc2/lib/dns/win32/libdns.def.rl bind-9.9.3rc2/lib/dns/win32/libdns.def
---- bind-9.9.3rc2/lib/dns/win32/libdns.def.rl	2013-04-30 08:38:46.000000000 +0200
-+++ bind-9.9.3rc2/lib/dns/win32/libdns.def	2013-05-13 12:30:38.638659406 +0200
-@@ -656,6 +656,9 @@ dns_rriterator_init
+diff -r -u lib/dns/win32/libdns.def-orig lib/dns/win32/libdns.def
+--- lib/dns/win32/libdns.def-orig	2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/win32/libdns.def	2004-01-01 00:00:00.000000000 +0000
+@@ -657,6 +657,9 @@
  dns_rriterator_next
  dns_rriterator_nextrrset
  dns_rriterator_pause
@@ -3104,10 +3171,10 @@ diff -up bind-9.9.3rc2/lib/dns/win32/libdns.def.rl bind-9.9.3rc2/lib/dns/win32/l
  dns_sdb_putnamedrr
  dns_sdb_putrdata
  dns_sdb_putrr
-diff -up bind-9.9.3rc2/lib/dns/win32/libdns.dsp.rl bind-9.9.3rc2/lib/dns/win32/libdns.dsp
---- bind-9.9.3rc2/lib/dns/win32/libdns.dsp.rl	2013-04-30 08:38:46.000000000 +0200
-+++ bind-9.9.3rc2/lib/dns/win32/libdns.dsp	2013-05-13 12:30:38.638659406 +0200
-@@ -346,6 +346,10 @@ SOURCE=..\include\dns\rpz.h
+diff -r -u lib/dns/win32/libdns.dsp-orig lib/dns/win32/libdns.dsp
+--- lib/dns/win32/libdns.dsp-orig	2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/win32/libdns.dsp	2004-01-01 00:00:00.000000000 +0000
+@@ -346,6 +346,10 @@
  # End Source File
  # Begin Source File
  
@@ -3118,7 +3185,7 @@ diff -up bind-9.9.3rc2/lib/dns/win32/libdns.dsp.rl bind-9.9.3rc2/lib/dns/win32/l
  SOURCE=..\include\dns\rriterator.h
  # End Source File
  # Begin Source File
-@@ -650,6 +654,10 @@ SOURCE=..\rpz.c
+@@ -650,6 +654,10 @@
  # End Source File
  # Begin Source File
  
@@ -3129,10 +3196,10 @@ diff -up bind-9.9.3rc2/lib/dns/win32/libdns.dsp.rl bind-9.9.3rc2/lib/dns/win32/l
  SOURCE=..\rriterator.c
  # End Source File
  # Begin Source File
-diff -up bind-9.9.3rc2/lib/dns/win32/libdns.mak.rl bind-9.9.3rc2/lib/dns/win32/libdns.mak
---- bind-9.9.3rc2/lib/dns/win32/libdns.mak.rl	2013-04-30 08:38:46.000000000 +0200
-+++ bind-9.9.3rc2/lib/dns/win32/libdns.mak	2013-05-13 12:30:38.638659406 +0200
-@@ -184,6 +184,7 @@ CLEAN :
+diff -r -u lib/dns/win32/libdns.mak-orig lib/dns/win32/libdns.mak
+--- lib/dns/win32/libdns.mak-orig	2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/win32/libdns.mak	2004-01-01 00:00:00.000000000 +0000
+@@ -184,6 +184,7 @@
  	-@erase "$(INTDIR)\result.obj"
  	-@erase "$(INTDIR)\rootns.obj"
  	-@erase "$(INTDIR)\rpz.obj"
@@ -3140,7 +3207,7 @@ diff -up bind-9.9.3rc2/lib/dns/win32/libdns.mak.rl bind-9.9.3rc2/lib/dns/win32/l
  	-@erase "$(INTDIR)\sdb.obj"
  	-@erase "$(INTDIR)\sdlz.obj"
  	-@erase "$(INTDIR)\soa.obj"
-@@ -309,6 +310,7 @@ LINK32_OBJS= \
+@@ -309,6 +310,7 @@
  	"$(INTDIR)\result.obj" \
  	"$(INTDIR)\rootns.obj" \
  	"$(INTDIR)\rpz.obj" \
@@ -3148,7 +3215,7 @@ diff -up bind-9.9.3rc2/lib/dns/win32/libdns.mak.rl bind-9.9.3rc2/lib/dns/win32/l
  	"$(INTDIR)\rriterator.obj" \
  	"$(INTDIR)\sdb.obj" \
  	"$(INTDIR)\sdlz.obj" \
-@@ -505,6 +507,8 @@ CLEAN :
+@@ -505,6 +507,8 @@
  	-@erase "$(INTDIR)\rootns.sbr"
  	-@erase "$(INTDIR)\rpz.obj"
  	-@erase "$(INTDIR)\rpz.sbr"
@@ -3157,7 +3224,7 @@ diff -up bind-9.9.3rc2/lib/dns/win32/libdns.mak.rl bind-9.9.3rc2/lib/dns/win32/l
  	-@erase "$(INTDIR)\rriterator.obj"
  	-@erase "$(INTDIR)\rriterator.sbr"
  	-@erase "$(INTDIR)\sdb.obj"
-@@ -651,6 +655,7 @@ BSC32_SBRS= \
+@@ -651,6 +655,7 @@
  	"$(INTDIR)\result.sbr" \
  	"$(INTDIR)\rootns.sbr" \
  	"$(INTDIR)\rpz.sbr" \
@@ -3165,7 +3232,7 @@ diff -up bind-9.9.3rc2/lib/dns/win32/libdns.mak.rl bind-9.9.3rc2/lib/dns/win32/l
  	"$(INTDIR)\rriterator.sbr" \
  	"$(INTDIR)\sdb.sbr" \
  	"$(INTDIR)\sdlz.sbr" \
-@@ -748,6 +753,7 @@ LINK32_OBJS= \
+@@ -748,6 +753,7 @@
  	"$(INTDIR)\result.obj" \
  	"$(INTDIR)\rootns.obj" \
  	"$(INTDIR)\rpz.obj" \
@@ -3173,12 +3240,10 @@ diff -up bind-9.9.3rc2/lib/dns/win32/libdns.mak.rl bind-9.9.3rc2/lib/dns/win32/l
  	"$(INTDIR)\rriterator.obj" \
  	"$(INTDIR)\sdb.obj" \
  	"$(INTDIR)\sdlz.obj" \
-@@ -1724,6 +1730,24 @@ SOURCE=..\rpz.c
- 	$(CPP) $(CPP_PROJ) $(SOURCE)
+@@ -1726,6 +1732,24 @@
  
+ !ENDIF 
  
-+!ENDIF 
-+
 +SOURCE=..\rrl.c
 +
 +!IF  "$(CFG)" == "libdns - Win32 Release"
@@ -3195,13 +3260,15 @@ diff -up bind-9.9.3rc2/lib/dns/win32/libdns.mak.rl bind-9.9.3rc2/lib/dns/win32/l
 +	$(CPP) $(CPP_PROJ) $(SOURCE)
 +
 +
- !ENDIF 
- 
++!ENDIF 
++
  SOURCE=..\rriterator.c
-diff -up bind-9.9.3rc2/lib/isccfg/namedconf.c.rl bind-9.9.3rc2/lib/isccfg/namedconf.c
---- bind-9.9.3rc2/lib/isccfg/namedconf.c.rl	2013-05-13 12:30:38.490659430 +0200
-+++ bind-9.9.3rc2/lib/isccfg/namedconf.c	2013-05-13 12:30:38.639659406 +0200
-@@ -1272,6 +1272,39 @@ static cfg_type_t cfg_type_rpz = {
+ 
+ !IF  "$(CFG)" == "libdns - Win32 Release"
+diff -r -u lib/isccfg/namedconf.c-orig lib/isccfg/namedconf.c
+--- lib/isccfg/namedconf.c-orig	2004-01-01 00:00:00.000000000 +0000
++++ lib/isccfg/namedconf.c	2004-01-01 00:00:00.000000000 +0000
+@@ -1270,6 +1270,40 @@
  };
  
  
@@ -3210,16 +3277,17 @@ diff -up bind-9.9.3rc2/lib/isccfg/namedconf.c.rl bind-9.9.3rc2/lib/isccfg/namedc
 + */
 +static cfg_clausedef_t rrl_clauses[] = {
 +	{ "responses-per-second", &cfg_type_uint32, 0 },
-+	{ "errors-per-second", &cfg_type_uint32, 0 },
++	{ "referrals-per-second", &cfg_type_uint32, 0 },
++	{ "nodata-per-second", &cfg_type_uint32, 0 },
 +	{ "nxdomains-per-second", &cfg_type_uint32, 0 },
-+	{ "responses-per-second", &cfg_type_uint32, 0 },
++	{ "errors-per-second", &cfg_type_uint32, 0 },
 +	{ "all-per-second", &cfg_type_uint32, 0 },
 +	{ "slip", &cfg_type_uint32, 0 },
 +	{ "window", &cfg_type_uint32, 0 },
 +	{ "log-only", &cfg_type_boolean, 0 },
 +	{ "qps-scale", &cfg_type_uint32, 0 },
-+	{ "IPv4-prefix-length", &cfg_type_uint32, 0 },
-+	{ "IPv6-prefix-length", &cfg_type_uint32, 0 },
++	{ "ipv4-prefix-length", &cfg_type_uint32, 0 },
++	{ "ipv6-prefix-length", &cfg_type_uint32, 0 },
 +	{ "exempt-clients", &cfg_type_bracketed_aml, 0 },
 +	{ "max-table-size", &cfg_type_uint32, 0 },
 +	{ "min-table-size", &cfg_type_uint32, 0 },
@@ -3241,7 +3309,7 @@ diff -up bind-9.9.3rc2/lib/isccfg/namedconf.c.rl bind-9.9.3rc2/lib/isccfg/namedc
  /*%
   * dnssec-lookaside
   */
-@@ -1425,6 +1458,7 @@ view_clauses[] = {
+@@ -1423,6 +1457,7 @@
  	   CFG_CLAUSEFLAG_NOTCONFIGURED },
  #endif
  	{ "response-policy", &cfg_type_rpz, 0 },
@@ -3249,4 +3317,14 @@ diff -up bind-9.9.3rc2/lib/isccfg/namedconf.c.rl bind-9.9.3rc2/lib/isccfg/namedc
  	{ NULL, NULL, 0 }
  };
  
-diff -up bind-9.9.3rc2/version.rl bind-9.9.3rc2/version
+diff -r -u version-orig version
+--- version-orig	2004-01-01 00:00:00.000000000 +0000
++++ version	2004-01-01 00:00:00.000000000 +0000
+@@ -7,6 +7,6 @@
+ DESCRIPTION="(Extended Support Version)"
+ MAJORVER=9
+ MINORVER=9
+-PATCHVER=3
++PATCHVER=3-rl.150.20
+ RELEASETYPE=
+ RELEASEVER=