diff -r -u bin/named/client.c-orig bin/named/client.c

--- bin/named/client.c-orig	2004-01-01 00:00:00.000000000 +0000

+++ bin/named/client.c	2004-01-01 00:00:00.000000000 +0000

@@ -994,6 +994,11 @@

 	}

 	if (result != ISC_R_SUCCESS)

 		goto done;

+	/*

+	 * Stop after the question if TC was set for rate limiting.

+	 */

+	if ((client->message->flags & DNS_MESSAGEFLAG_TC) != 0)

+		goto renderend;

 	result = dns_message_rendersection(client->message,

 					   DNS_SECTION_ANSWER,

 					   DNS_MESSAGERENDER_PARTIAL |

@@ -1134,6 +1139,51 @@

 #endif

 	/*

+	 * Try to rate limit error responses.

+	 */

+	if (client->view != NULL && client->view->rrl != NULL) {

+		isc_boolean_t wouldlog;

+		char log_buf[DNS_RRL_LOG_BUF_LEN];

+		dns_rrl_result_t rrl_result;

+

+		INSIST(rcode != dns_rcode_noerror &&

+		       rcode != dns_rcode_nxdomain);

+		wouldlog = isc_log_wouldlog(ns_g_lctx, DNS_RRL_LOG_DROP);

+		rrl_result = dns_rrl(client->view, &client->peeraddr,

+				     TCP_CLIENT(client),

+				     dns_rdataclass_in, dns_rdatatype_none,

+				     NULL, result, client->now,

+				     wouldlog, log_buf, sizeof(log_buf));

+		if (rrl_result != DNS_RRL_RESULT_OK) {

+			/*

+			 * Log dropped errors in the query category

+			 * so that they are not lost in silence.

+			 * Starts of rate-limited bursts are logged in

+			 * NS_LOGCATEGORY_RRL.

+			 */

+			if (wouldlog) {

+				ns_client_log(client,

+					      NS_LOGCATEGORY_QUERY_EERRORS,

+					      NS_LOGMODULE_CLIENT,

+					      DNS_RRL_LOG_DROP,

+					      "%s", log_buf);

+			}

+			/*

+			 * Some error responses cannot be 'slipped',

+			 * so don't try to slip any error responses.

+			 */

+			if (!client->view->rrl->log_only) {

+				isc_stats_increment(ns_g_server->nsstats,

+						dns_nsstatscounter_ratedropped);

+				isc_stats_increment(ns_g_server->nsstats,

+						dns_nsstatscounter_dropped);

+				ns_client_next(client, DNS_R_DROP);

+				return;

+			}

+		}

+	}

+

+	/*

 	 * Message may be an in-progress reply that we had trouble

 	 * with, in which case QR will be set.  We need to clear QR before

 	 * calling dns_message_reply() to avoid triggering an assertion.

diff -r -u bin/named/config.c-orig bin/named/config.c

--- bin/named/config.c-orig	2004-01-01 00:00:00.000000000 +0000

+++ bin/named/config.c	2004-01-01 00:00:00.000000000 +0000

@@ -228,6 +228,13 @@

 	notify no;\n\

 	allow-new-zones no;\n\

 \n\

+	# Prevent use of this zone in DNS amplified reflection DoS attacks\n\

+	rate-limit {\n\

+		responses-per-second 3;\n\

+		slip 0;\n\

+		min-table-size 10;\n\

+	};\n\

+\n\

 	zone \"version.bind\" chaos {\n\

 		type master;\n\

 		database \"_builtin version\";\n\

diff -r -u bin/named/include/named/query.h-orig bin/named/include/named/query.h

--- bin/named/include/named/query.h-orig	2004-01-01 00:00:00.000000000 +0000

+++ bin/named/include/named/query.h	2004-01-01 00:00:00.000000000 +0000

@@ -85,6 +85,7 @@

 #define NS_QUERYATTR_CACHEACLOK		0x2000

 #define NS_QUERYATTR_DNS64		0x4000

 #define NS_QUERYATTR_DNS64EXCLUDE	0x8000

+#define NS_QUERYATTR_RRL_CHECKED	0x10000

 isc_result_t

diff -r -u bin/named/include/named/server.h-orig bin/named/include/named/server.h

--- bin/named/include/named/server.h-orig	2004-01-01 00:00:00.000000000 +0000

+++ bin/named/include/named/server.h	2004-01-01 00:00:00.000000000 +0000

@@ -167,7 +167,10 @@

 	dns_nsstatscounter_rpz_rewrites = 36,

-	dns_nsstatscounter_max = 37

+	dns_nsstatscounter_ratedropped = 37,

+	dns_nsstatscounter_rateslipped = 38,

+

+	dns_nsstatscounter_max = 39

 };

 void

diff -r -u bin/named/query.c-orig bin/named/query.c

--- bin/named/query.c-orig	2004-01-01 00:00:00.000000000 +0000

+++ bin/named/query.c	2004-01-01 00:00:00.000000000 +0000

@@ -193,7 +193,7 @@

 #ifdef NEWSTATS

 	/* Do query type statistics

 	 *

-	 * We only increment per-type if we're using the authoriative

+	 * We only increment per-type if we're using the authoritative

 	 * answer counter, preventing double-counting.

 	 */

 	if (counter == dns_nsstatscounter_authans) {

@@ -5865,6 +5865,128 @@

  resume:

 	CTRACE("query_find: resume");

+	/*

+	 * Rate limit these responses to this client.

+	 * Do not delay counting and handling obvious referrals,

+	 *	since those won't come here again.

+	 * Delay handling delegations for which we are certain to recurse and

+	 *	return here (DNS_R_DELEGATION, not a child of one of our

+	 *	own zones, and recursion enabled)

+	 * Count each response at most once.

+	 */

+	if (client->view->rrl != NULL &&

+	    ((fname != NULL && dns_name_isabsolute(fname)) ||

+	     (result == ISC_R_NOTFOUND && !RECURSIONOK(client))) &&

+	    !(result == DNS_R_DELEGATION && !is_zone && RECURSIONOK(client)) &&

+	    (client->query.attributes & NS_QUERYATTR_RRL_CHECKED) == 0) {

+		dns_rdataset_t nc_rdataset;

+		isc_boolean_t wouldlog;

+		char log_buf[DNS_RRL_LOG_BUF_LEN];

+		isc_result_t nc_result, resp_result;

+		dns_rrl_result_t rrl_result;

+

+		client->query.attributes |= NS_QUERYATTR_RRL_CHECKED;

+

+		wouldlog = isc_log_wouldlog(ns_g_lctx, DNS_RRL_LOG_DROP);

+		tname = fname;

+		if (result == DNS_R_NXDOMAIN) {

+			/*

+			 * Use the database origin name to rate limit NXDOMAIN

+			 */

+			if (db != NULL)

+				tname = dns_db_origin(db);

+			resp_result = result;

+		} else if (result == DNS_R_NCACHENXDOMAIN &&

+			   rdataset != NULL &&

+			   dns_rdataset_isassociated(rdataset) &&

+			   (rdataset->attributes &

+			    DNS_RDATASETATTR_NEGATIVE) != 0) {

+			/*

+			 * Try to use owner name in the negative cache SOA.

+			 */

+			dns_fixedname_init(&fixed);

+			dns_rdataset_init(&nc_rdataset);

+			for (nc_result = dns_rdataset_first(rdataset);

+			     nc_result == ISC_R_SUCCESS;

+			     nc_result = dns_rdataset_next(rdataset)) {

+				dns_ncache_current(rdataset,

+						   dns_fixedname_name(&fixed),

+						   &nc_rdataset);

+				if (nc_rdataset.type == dns_rdatatype_soa) {

+					dns_rdataset_disassociate(&nc_rdataset);

+					tname = dns_fixedname_name(&fixed);

+					break;

+				}

+				dns_rdataset_disassociate(&nc_rdataset);

+			}

+			resp_result = DNS_R_NXDOMAIN;

+		} else if (result == DNS_R_NXRRSET ||

+			   result == DNS_R_EMPTYNAME) {

+			resp_result = DNS_R_NXRRSET;

+		} else if (result == DNS_R_DELEGATION) {

+			resp_result = result;

+		} else if (result == ISC_R_NOTFOUND) {

+			/*

+			 * Handle referral to ".", including when recursion

+			 * is off or not requested and the hints have not

+			 * been loaded or we have "additional-from-cache no".

+			 */

+			tname = dns_rootname;

+			resp_result = DNS_R_DELEGATION;

+		} else {

+			resp_result = ISC_R_SUCCESS;

+		}

+		rrl_result = dns_rrl(client->view, &client->peeraddr,

+				     ISC_TF((client->attributes

+					     & NS_CLIENTATTR_TCP) != 0),

+				     client->message->rdclass, qtype, tname,

+				     resp_result, client->now,

+				     wouldlog, log_buf, sizeof(log_buf));

+		if (rrl_result != DNS_RRL_RESULT_OK) {

+			/*

+			 * Log dropped or slipped responses in the query

+			 * category so that requests are not silently lost.

+			 * Starts of rate-limited bursts are logged in

+			 * DNS_LOGCATEGORY_RRL.

+			 *

+			 * Dropped responses are counted with dropped queries

+			 * in QryDropped while slipped responses are counted

+			 * with other truncated responses in RespTruncated.

+			 */

+			if (wouldlog) {

+				ns_client_log(client,

+					      NS_LOGCATEGORY_QUERY_EERRORS,

+					      NS_LOGMODULE_QUERY,

+					      DNS_RRL_LOG_DROP,

+					      "%s", log_buf);

+			}

+			if (!client->view->rrl->log_only) {

+				if (rrl_result == DNS_RRL_RESULT_DROP) {

+					/*

+					 * These will also be counted in

+					 * dns_nsstatscounter_dropped

+					 */

+					inc_stats(client,

+						dns_nsstatscounter_ratedropped);

+					QUERY_ERROR(DNS_R_DROP);

+				} else {

+					/*

+					 * These will also be counted in

+					 * dns_nsstatscounter_truncatedresp

+					 */

+					inc_stats(client,

+						dns_nsstatscounter_rateslipped);

+					client->message->flags |=

+						DNS_MESSAGEFLAG_TC;

+					if (resp_result == DNS_R_NXDOMAIN)

+						client->message->rcode =

+							dns_rcode_nxdomain;

+				}

+				goto cleanup;

+			}

+		}

+	}

+

 	if (!ISC_LIST_EMPTY(client->view->rpz_zones) &&

 	    (RECURSIONOK(client) || !client->view->rpz_recursive_only) &&

 	    rpz_ck_dnssec(client, result, rdataset, sigrdataset) &&

@@ -7318,12 +7440,14 @@

 	}

 	if (eresult != ISC_R_SUCCESS &&

-	    (!PARTIALANSWER(client) || WANTRECURSION(client))) {

+	    (!PARTIALANSWER(client) || WANTRECURSION(client)

+	     || eresult == DNS_R_DROP)) {

 		if (eresult == DNS_R_DUPLICATE || eresult == DNS_R_DROP) {

 			/*

 			 * This was a duplicate query that we are

-			 * recursing on.  Don't send a response now.

-			 * The original query will still cause a response.

+			 * recursing on or the result of rate limiting.

+			 * Don't send a response now for a duplicate query,

+			 * because the original will still cause a response.

 			 */

 			query_next(client, eresult);

 		} else {

diff -r -u bin/named/server.c-orig bin/named/server.c

--- bin/named/server.c-orig	2004-01-01 00:00:00.000000000 +0000

+++ bin/named/server.c	2004-01-01 00:00:00.000000000 +0000

@@ -1639,6 +1639,168 @@

 	return (ISC_R_SUCCESS);

 }

+#define CHECK_RRL(cond, pat, val1, val2)				\

+	do {								\

+		if (!(cond)) {						\

+			cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,	\

+				    pat, val1, val2);			\

+			result = ISC_R_RANGE;				\

+			goto cleanup;					\

+		    }							\

+	} while (0)

+

+#define CHECK_RRL_RATE(rate, def, max_rate, name)			\

+	do {								\

+		obj = NULL;						\

+		rrl->rate.str = name;					\

+		result = cfg_map_get(map, name, &obj);			\

+		if (result == ISC_R_SUCCESS) {				\

+			rrl->rate.r = cfg_obj_asuint32(obj);		\

+			CHECK_RRL(rrl->rate.r <= max_rate,		\

+				  name" %d > %d",			\

+				  rrl->rate.r, max_rate);		\

+		} else {						\

+			rrl->rate.r = def;				\

+		}							\

+		rrl->rate.scaled = rrl->rate.r;				\

+	} while (0)

+

+static isc_result_t

+configure_rrl(dns_view_t *view, const cfg_obj_t *config, const cfg_obj_t *map) {

+	const cfg_obj_t *obj;

+	dns_rrl_t *rrl;

+	isc_result_t result;

+ 	int min_entries, i, j;

+

+	/*

+	 * Most DNS servers have few clients, but intentinally open

+	 * recursive and authoritative servers often have many.

+	 * So start with a small number of entries unless told otherwise

+	 * to reduce cold-start costs.

+	 */

+	min_entries = 500;

+	obj = NULL;

+	result = cfg_map_get(map, "min-table-size", &obj);

+	if (result == ISC_R_SUCCESS) {

+		min_entries = cfg_obj_asuint32(obj);

+		if (min_entries < 1)

+			min_entries = 1;

+	}

+	result = dns_rrl_init(&rrl, view, min_entries);

+	if (result != ISC_R_SUCCESS)

+		return (result);

+

+	i = ISC_MAX(20000, min_entries);

+	obj = NULL;

+	result = cfg_map_get(map, "max-table-size", &obj);

+	if (result == ISC_R_SUCCESS) {

+		i = cfg_obj_asuint32(obj);

+		CHECK_RRL(i >= min_entries,

+			  "max-table-size %d < min-table-size %d",

+			  i, min_entries);

+	}

+	rrl->max_entries = i;

+

+	CHECK_RRL_RATE(responses_per_second, 0, DNS_RRL_MAX_RATE,

+		       "responses-per-second");

+	CHECK_RRL_RATE(referrals_per_second,

+		       rrl->responses_per_second.r, DNS_RRL_MAX_RATE,

+		       "referrals-per-second");

+	CHECK_RRL_RATE(nodata_per_second,

+		       rrl->responses_per_second.r, DNS_RRL_MAX_RATE,

+		       "nodata-per-second");

+	CHECK_RRL_RATE(nxdomains_per_second,

+		       rrl->responses_per_second.r, DNS_RRL_MAX_RATE,

+		       "nxdomains-per-second");

+	CHECK_RRL_RATE(errors_per_second,

+		       rrl->responses_per_second.r, DNS_RRL_MAX_RATE,

+		       "errors-per-second");

+

+	CHECK_RRL_RATE(all_per_second, 0, DNS_RRL_MAX_RATE,

+		       "all-per-second");

+

+	CHECK_RRL_RATE(slip, 2, DNS_RRL_MAX_SLIP,

+		       "slip");

+

+	i = 15;

+	obj = NULL;

+	result = cfg_map_get(map, "window", &obj);

+	if (result == ISC_R_SUCCESS) {

+		i = cfg_obj_asuint32(obj);

+		CHECK_RRL(i >= 1 && i <= DNS_RRL_MAX_WINDOW,

+			  "window %d < 1 or > %d", i, DNS_RRL_MAX_WINDOW);

+	}

+	rrl->window = i;

+

+	i = 0;

+	obj = NULL;

+	result = cfg_map_get(map, "qps-scale", &obj);

+	if (result == ISC_R_SUCCESS) {

+		i = cfg_obj_asuint32(obj);

+		CHECK_RRL(i >= 1, "invalid 'qps-scale %d'%s", i, "");

+	}

+	rrl->qps_scale = i;

+	rrl->qps = 1.0;

+

+	i = 24;

+	obj = NULL;

+	result = cfg_map_get(map, "ipv4-prefix-length", &obj);

+	if (result == ISC_R_SUCCESS) {

+		i = cfg_obj_asuint32(obj);

+		CHECK_RRL(i >= 8 && i <= 32,

+			  "invalid 'ipv4-prefix-length %d'%s", i, "");

+	}

+	rrl->ipv4_prefixlen = i;

+	if (i == 32)

+		rrl->ipv4_mask = 0xffffffff;

+	else

+		rrl->ipv4_mask = htonl(0xffffffff << (32-i));

+

+	i = 56;

+	obj = NULL;

+	result = cfg_map_get(map, "ipv6-prefix-length", &obj);

+	if (result == ISC_R_SUCCESS) {

+		i = cfg_obj_asuint32(obj);

+		CHECK_RRL(i >= 16 && i <= DNS_RRL_MAX_PREFIX,

+			  "ipv6-prefix-length %d < 16 or > %d",

+			  i, DNS_RRL_MAX_PREFIX);

+	}

+	rrl->ipv6_prefixlen = i;

+	for (j = 0; j < 4; ++j) {

+		if (i <= 0) {

+			rrl->ipv6_mask[j] = 0;

+		} else if (i < 32) {

+			rrl->ipv6_mask[j] = htonl(0xffffffff << (32-i));

+		} else {

+			rrl->ipv6_mask[j] = 0xffffffff;

+		}

+		i -= 32;

+	}

+

+	obj = NULL;

+	result = cfg_map_get(map, "exempt-clients", &obj);

+	if (result == ISC_R_SUCCESS) {

+		result = cfg_acl_fromconfig(obj, config, ns_g_lctx,

+					    ns_g_aclconfctx, ns_g_mctx,

+					    0, &rrl->exempt);

+		CHECK_RRL(result == ISC_R_SUCCESS,

+			  "invalid %s%s", "address match list", "");

+	}

+

+	obj = NULL;

+	result = cfg_map_get(map, "log-only", &obj);

+	if (result == ISC_R_SUCCESS && cfg_obj_asboolean(obj))

+		rrl->log_only = ISC_TRUE;

+	else

+		rrl->log_only = ISC_FALSE;

+

+	return (ISC_R_SUCCESS);

+

+ cleanup:

+	dns_rrl_view_destroy(view);

+	return (result);

+}

+

 /*

  * Configure 'view' according to 'vconfig', taking defaults from 'config'

  * where values are missing in 'vconfig'.

@@ -3043,6 +3205,14 @@

 		}

 	}

+	obj = NULL;

+	result = ns_config_get(maps, "rate-limit", &obj);

+	if (result == ISC_R_SUCCESS) {

+		result = configure_rrl(view, config, obj);

+		if (result != ISC_R_SUCCESS)

+			goto cleanup;

+	}

+

 	result = ISC_R_SUCCESS;

  cleanup:

diff -r -u bin/named/statschannel.c-orig bin/named/statschannel.c

--- bin/named/statschannel.c-orig	2004-01-01 00:00:00.000000000 +0000

+++ bin/named/statschannel.c	2004-01-01 00:00:00.000000000 +0000

@@ -206,6 +206,10 @@

 	SET_NSSTATDESC(updatebadprereq,

 		       "updates rejected due to prerequisite failure",

 		       "UpdateBadPrereq");

+	SET_NSSTATDESC(ratedropped, "responses dropped for rate limits",

+		       "RateDropped");

+	SET_NSSTATDESC(rateslipped, "responses truncated for rate limits",

+		       "RateSlipped");

 	SET_NSSTATDESC(rpz_rewrites, "response policy zone rewrites",

 		       "RPZRewrites");

 	INSIST(i == dns_nsstatscounter_max);

diff -r -u bin/tests/system/README-orig bin/tests/system/README

--- bin/tests/system/README-orig	2004-01-01 00:00:00.000000000 +0000

+++ bin/tests/system/README	2004-01-01 00:00:00.000000000 +0000

@@ -17,6 +17,7 @@

   nsupdate/	Dynamic update and IXFR tests

   resolver/     Regression tests for resolver bugs that have been fixed

 		(not a complete resolver test suite)

+  rrl/		query rate limiting

   rpz/		Tests of response policy zone (RPZ) rewriting

   stub/		Tests of stub zone functionality

   unknown/	Unknown type and class tests

diff -r -u bin/tests/system/conf.sh.in-orig bin/tests/system/conf.sh.in

--- bin/tests/system/conf.sh.in-orig	2004-01-01 00:00:00.000000000 +0000

+++ bin/tests/system/conf.sh.in	2004-01-01 00:00:00.000000000 +0000

@@ -62,7 +62,7 @@

          database dlv dlvauto dlz dlzexternal dname dns64 dnssec ecdsa

          formerr forward glue gost ixfr inline limits logfileconfig

          lwresd masterfile masterformat metadata notify nsupdate pending

-	 pkcs11 redirect resolver rndc rpz rrsetorder rsabigexponent

+	 pkcs11 redirect resolver rndc rpz rrl rrsetorder rsabigexponent

 	 smartsign sortlist spf staticstub stub tkey tsig tsiggss unknown

 	 upforwd verify views wildcard xfer xferquota zonechecks"

diff -r -u bin/tests/system/rrl/clean.sh-orig bin/tests/system/rrl/clean.sh

--- bin/tests/system/rrl/clean.sh-orig	2004-01-01 00:00:00.000000000 +0000

+++ bin/tests/system/rrl/clean.sh	2004-01-01 00:00:00.000000000 +0000

@@ -0,0 +1,21 @@

+# Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")

+#

+# Permission to use, copy, modify, and/or distribute this software for any

+# purpose with or without fee is hereby granted, provided that the above

+# copyright notice and this permission notice appear in all copies.

+#

+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH

+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY

+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,

+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM

+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE

+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR

+# PERFORMANCE OF THIS SOFTWARE.

+

+

+

+# Clean up after rrl tests.

+

+rm -f dig.out*

+rm -f  */named.memstats */named.run */named.stats */log-* */session.key

+rm -f ns3/bl*.db */*.jnl */*.core */*.pid

diff -r -u bin/tests/system/rrl/ns1/named.conf-orig bin/tests/system/rrl/ns1/named.conf

--- bin/tests/system/rrl/ns1/named.conf-orig	2004-01-01 00:00:00.000000000 +0000

+++ bin/tests/system/rrl/ns1/named.conf	2004-01-01 00:00:00.000000000 +0000

@@ -0,0 +1,32 @@

+/*

+ * Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")

+ *

+ * Permission to use, copy, modify, and/or distribute this software for any

+ * purpose with or without fee is hereby granted, provided that the above

+ * copyright notice and this permission notice appear in all copies.

+ *

+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH

+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY

+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,

+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM

+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE

+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR

+ * PERFORMANCE OF THIS SOFTWARE.

+ */

+

+

+controls { /* empty */ };

+

+options {

+	query-source address 10.53.0.1;

+	notify-source 10.53.0.1;

+	transfer-source 10.53.0.1;

+	port 5300;

+	session-keyfile "session.key";

+	pid-file "named.pid";

+	listen-on { 10.53.0.1; };

+	listen-on-v6 { none; };

+	notify no;

+};

+

+zone "." {type master; file "root.db";};

diff -r -u bin/tests/system/rrl/ns1/root.db-orig bin/tests/system/rrl/ns1/root.db

--- bin/tests/system/rrl/ns1/root.db-orig	2004-01-01 00:00:00.000000000 +0000

+++ bin/tests/system/rrl/ns1/root.db	2004-01-01 00:00:00.000000000 +0000

@@ -0,0 +1,31 @@

+; Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")

+;

+; Permission to use, copy, modify, and/or distribute this software for any

+; purpose with or without fee is hereby granted, provided that the above

+; copyright notice and this permission notice appear in all copies.

+;

+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH

+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY

+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,

+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM

+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE

+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR

+; PERFORMANCE OF THIS SOFTWARE.

+

+

+$TTL	120

+@		SOA	ns. hostmaster.ns. ( 1 3600 1200 604800 60 )

+@		NS	ns.

+ns.		A	10.53.0.1

+.		A	10.53.0.1

+

+; limit responses from here

+tld2.		NS	ns.tld2.

+ns.tld2.	A	10.53.0.2

+

+; limit recursion to here

+tld3.		NS	ns.tld3.

+ns.tld3.	A	10.53.0.3

+

+; generate SERVFAIL

+tld4.		NS	ns.tld3.

diff -r -u bin/tests/system/rrl/ns2/hints-orig bin/tests/system/rrl/ns2/hints

--- bin/tests/system/rrl/ns2/hints-orig	2004-01-01 00:00:00.000000000 +0000

+++ bin/tests/system/rrl/ns2/hints	2004-01-01 00:00:00.000000000 +0000

@@ -0,0 +1,18 @@

+; Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")

+;

+; Permission to use, copy, modify, and/or distribute this software for any

+; purpose with or without fee is hereby granted, provided that the above

+; copyright notice and this permission notice appear in all copies.

+;

+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH

+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY

+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,

+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM

+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE

+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR

+; PERFORMANCE OF THIS SOFTWARE.

+

+

+

+.	0	NS	ns1.

+ns1.	0	A	10.53.0.1

diff -r -u bin/tests/system/rrl/ns2/named.conf-orig bin/tests/system/rrl/ns2/named.conf

--- bin/tests/system/rrl/ns2/named.conf-orig	2004-01-01 00:00:00.000000000 +0000

+++ bin/tests/system/rrl/ns2/named.conf	2004-01-01 00:00:00.000000000 +0000

@@ -0,0 +1,71 @@

+/*

+ * Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")

+ *

+ * Permission to use, copy, modify, and/or distribute this software for any

+ * purpose with or without fee is hereby granted, provided that the above

+ * copyright notice and this permission notice appear in all copies.

+ *

+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH

+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY

+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,

+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM

+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE

+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR

+ * PERFORMANCE OF THIS SOFTWARE.

+ */

+

+

+controls { /* empty */ };

+

+options {

+	query-source address 10.53.0.2;

+	notify-source 10.53.0.2;

+	transfer-source 10.53.0.2;

+	port 5300;

+	session-keyfile "session.key";

+	pid-file "named.pid";

+	statistics-file	"named.stats";

+	listen-on { 10.53.0.2; };

+	listen-on-v6 { none; };

+	notify no;

+

+	rate-limit {

+	    responses-per-second 2;

+	    all-per-second 50;

+	    slip 3;

+	    exempt-clients { 10.53.0.7; };

+

+	    // small enough to force a table expansion

+	    min-table-size 75;

+	};

+

+	additional-from-cache no;

+};

+

+key rndc_key {

+	secret "1234abcd8765";

+	algorithm hmac-md5;

+};

+controls {

+	inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };

+};

+

+/*

+ * These log settings have no effect unless "-g" is removed from ../../start.pl

+ */

+logging {

+	channel debug {

+	    file "log-debug";

+	    print-category yes; print-severity yes; severity debug 10;

+	};

+	channel queries {

+	    file "log-queries";

+	    print-category yes; print-severity yes; severity info;

+	};

+	category rate-limit { debug; queries; };

+	category queries { debug; queries; };

+};

+

+zone "." { type hint; file "hints"; };

+

+zone "tld2."{ type master; file "tld2.db"; };

diff -r -u bin/tests/system/rrl/ns2/tld2.db-orig bin/tests/system/rrl/ns2/tld2.db

--- bin/tests/system/rrl/ns2/tld2.db-orig	2004-01-01 00:00:00.000000000 +0000

+++ bin/tests/system/rrl/ns2/tld2.db	2004-01-01 00:00:00.000000000 +0000

@@ -0,0 +1,47 @@

+; Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")

+;

+; Permission to use, copy, modify, and/or distribute this software for any

+; purpose with or without fee is hereby granted, provided that the above

+; copyright notice and this permission notice appear in all copies.

+;

+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH

+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY

+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,

+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM

+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE

+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR

+; PERFORMANCE OF THIS SOFTWARE.

+

+

+

+; rate limit response from this zone

+

+$TTL	120

+@		SOA	tld2.  hostmaster.ns.tld2. ( 1 3600 1200 604800 60 )

+		NS	ns

+		NS	.

+ns		A	10.53.0.2

+

+; basic rate limiting

+a1		A	192.0.2.1

+

+; wildcards

+*.a2		A	192.0.2.2

+

+; a3 is in tld3

+

+; a4 does not exist to give NXDOMAIN

+

+; a5 for TCP requests

+a5		A	192.0.2.5

+

+; a6 for whitelisted clients

+a6		A	192.0.2.6

+

+; a7 for SERVFAIL

+

+; a8 for NODATA

+a8		A	192.0.2.8

+

+; a9 for all-per-second limit

+$GENERATE 101-180 all$.a9 A 192.0.2.8

diff -r -u bin/tests/system/rrl/ns3/hints-orig bin/tests/system/rrl/ns3/hints

--- bin/tests/system/rrl/ns3/hints-orig	2004-01-01 00:00:00.000000000 +0000

+++ bin/tests/system/rrl/ns3/hints	2004-01-01 00:00:00.000000000 +0000

@@ -0,0 +1,18 @@

+; Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")

+;

+; Permission to use, copy, modify, and/or distribute this software for any

+; purpose with or without fee is hereby granted, provided that the above

+; copyright notice and this permission notice appear in all copies.

+;

+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH

+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY

+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,

+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM

+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE

+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR

+; PERFORMANCE OF THIS SOFTWARE.

+

+

+

+.	0	NS	ns1.

+ns1.	0	A	10.53.0.1

diff -r -u bin/tests/system/rrl/ns3/named.conf-orig bin/tests/system/rrl/ns3/named.conf

--- bin/tests/system/rrl/ns3/named.conf-orig	2004-01-01 00:00:00.000000000 +0000

+++ bin/tests/system/rrl/ns3/named.conf	2004-01-01 00:00:00.000000000 +0000

@@ -0,0 +1,50 @@

+/*

+ * Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")

+ *

+ * Permission to use, copy, modify, and/or distribute this software for any

+ * purpose with or without fee is hereby granted, provided that the above

+ * copyright notice and this permission notice appear in all copies.

+ *

+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH

+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY

+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,

+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM

+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE

+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR

+ * PERFORMANCE OF THIS SOFTWARE.

+ */

+

+

+controls { /* empty */ };

+

+options {

+	query-source address 10.53.0.3;

+	notify-source 10.53.0.3;

+	transfer-source 10.53.0.3;

+	port 5300;

+	session-keyfile "session.key";

+	pid-file "named.pid";

+	listen-on { 10.53.0.3; };

+	listen-on-v6 { none; };

+	notify no;

+

+	// check that all of the options are parsed without limiting anything

+	rate-limit {

+	    responses-per-second 200;

+	    referrals-per-second 220;

+	    nodata-per-second 230;

+	    nxdomains-per-second 240;

+	    errors-per-second 250;

+	    all-per-second 700;

+	    ipv4-prefix-length 24;

+	    ipv6-prefix-length 64;

+	    qps-scale 10;

+	    window 1;

+	    max-table-size 1000;

+	};

+

+};

+

+zone "." { type hint; file "hints"; };

+

+zone "tld3."{ type master; file "tld3.db"; };

diff -r -u bin/tests/system/rrl/ns3/tld3.db-orig bin/tests/system/rrl/ns3/tld3.db

--- bin/tests/system/rrl/ns3/tld3.db-orig	2004-01-01 00:00:00.000000000 +0000

+++ bin/tests/system/rrl/ns3/tld3.db	2004-01-01 00:00:00.000000000 +0000

@@ -0,0 +1,25 @@

+; Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")

+;

+; Permission to use, copy, modify, and/or distribute this software for any

+; purpose with or without fee is hereby granted, provided that the above

+; copyright notice and this permission notice appear in all copies.

+;

+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH

+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY

+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,

+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM

+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE

+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR

+; PERFORMANCE OF THIS SOFTWARE.

+

+

+

+; rate limit response from this zone

+

+$TTL	120

+@		SOA	tld3.  hostmaster.ns.tld3. ( 1 3600 1200 604800 60 )

+		NS	ns

+		NS	.

+ns		A	10.53.0.3

+

+*.a3		A	192.0.3.3

diff -r -u bin/tests/system/rrl/setup.sh-orig bin/tests/system/rrl/setup.sh

--- bin/tests/system/rrl/setup.sh-orig	2004-01-01 00:00:00.000000000 +0000

+++ bin/tests/system/rrl/setup.sh	2004-01-01 00:00:00.000000000 +0000

@@ -0,0 +1,21 @@

+#!/bin/sh

+#

+# Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")

+#

+# Permission to use, copy, modify, and/or distribute this software for any

+# purpose with or without fee is hereby granted, provided that the above

+# copyright notice and this permission notice appear in all copies.

+#

+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH

+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY

+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,

+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM

+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE

+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR

+# PERFORMANCE OF THIS SOFTWARE.

+

+

+SYSTEMTESTTOP=..

+. $SYSTEMTESTTOP/conf.sh

+. ./clean.sh

+

diff -r -u bin/tests/system/rrl/tests.sh-orig bin/tests/system/rrl/tests.sh

--- bin/tests/system/rrl/tests.sh-orig	2004-01-01 00:00:00.000000000 +0000

+++ bin/tests/system/rrl/tests.sh	2004-01-01 00:00:00.000000000 +0000

@@ -0,0 +1,258 @@

+# Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")

+#

+# Permission to use, copy, modify, and/or distribute this software for any

+# purpose with or without fee is hereby granted, provided that the above

+# copyright notice and this permission notice appear in all copies.

+#