authorStuart Henderson <sthen@cvs.openbsd.org>2013-02-18 10:18:40 +0000
committerStuart Henderson <sthen@cvs.openbsd.org>2013-02-18 10:18:40 +0000
commitc9dd09ab32087f97dfd1228f81b4d06cda4cbc29 (patch)
treee7f3fe03d4ec991ae4e6c25ef17d93453da89839
parentb0c1602e0968a3f81c378c5c32d38eaa302845c5 (diff)
resolve conflicts
-rw-r--r--usr.sbin/nsd/Makefile.in99
-rw-r--r--usr.sbin/nsd/axfr.c9
-rw-r--r--usr.sbin/nsd/config.h.in3
-rw-r--r--usr.sbin/nsd/configparser.y43
-rw-r--r--usr.sbin/nsd/configure74
-rw-r--r--usr.sbin/nsd/configure.ac18
-rw-r--r--usr.sbin/nsd/dns.c24
-rw-r--r--usr.sbin/nsd/dns.h15
-rw-r--r--usr.sbin/nsd/nsd-checkconf.8.in2
-rw-r--r--usr.sbin/nsd/nsd-checkconf.c40
-rw-r--r--usr.sbin/nsd/nsd-notify.8.in2
-rw-r--r--usr.sbin/nsd/nsd-patch.8.in4
-rw-r--r--usr.sbin/nsd/nsd-xfer.8.in2
-rw-r--r--usr.sbin/nsd/nsd-xfer.c21
-rw-r--r--usr.sbin/nsd/nsd.8.in4
-rw-r--r--usr.sbin/nsd/nsd.c2
-rw-r--r--usr.sbin/nsd/nsd.conf.5.in43
-rw-r--r--usr.sbin/nsd/nsdc.8.in2
-rw-r--r--usr.sbin/nsd/nsec3.c2
-rw-r--r--usr.sbin/nsd/query.c23
-rw-r--r--usr.sbin/nsd/rdata.c18
-rw-r--r--usr.sbin/nsd/region-allocator.c2
-rw-r--r--usr.sbin/nsd/server.c55
-rw-r--r--usr.sbin/nsd/util.c15
-rw-r--r--usr.sbin/nsd/zonec.8.in4
-rw-r--r--usr.sbin/nsd/zonec.c73
-rw-r--r--usr.sbin/nsd/zonec.h1
-rw-r--r--usr.sbin/nsd/zparser.y38
28 files changed, 547 insertions, 91 deletions
diff --git a/usr.sbin/nsd/Makefile.in b/usr.sbin/nsd/Makefile.in
index d66bc40439d..a68cdfa8f79 100644
--- a/usr.sbin/nsd/Makefile.in
+++ b/usr.sbin/nsd/Makefile.in
@@ -82,6 +82,7 @@ ALL_OBJECTS = \
edns.o \
ipc.o \
iterated_hash.o \
+ lookup3.o \
namedb.o \
netio.o \
nsd-checkconf.o \
@@ -96,6 +97,7 @@ ALL_OBJECTS = \
rbtree.o \
rdata.o \
region-allocator.o \
+ rrl.o \
server.o \
tsig.o \
tsig-openssl.o \
@@ -122,6 +124,7 @@ NSD_OBJECTS = \
edns.o \
ipc.o \
iterated_hash.o \
+ lookup3.o \
namedb.o \
netio.o \
nsd.o \
@@ -131,6 +134,7 @@ NSD_OBJECTS = \
rbtree.o \
rdata.o \
region-allocator.o \
+ rrl.o \
server.o \
tsig.o \
tsig-openssl.o \
@@ -153,6 +157,7 @@ NSD_ZONEC_OBJECTS = \
dns.o \
edns.o \
iterated_hash.o \
+ lookup3.o \
namedb.o \
nsec3.o \
options.o \
@@ -161,6 +166,7 @@ NSD_ZONEC_OBJECTS = \
rbtree.o \
rdata.o \
region-allocator.o \
+ rrl.o \
tsig.o \
tsig-openssl.o \
util.o \
@@ -179,6 +185,7 @@ NSD_NOTIFY_OBJECTS = \
dns.o \
edns.o \
iterated_hash.o \
+ lookup3.o \
namedb.o \
nsd-notify.o \
nsec3.o \
@@ -188,6 +195,7 @@ NSD_NOTIFY_OBJECTS = \
rbtree.o \
rdata.o \
region-allocator.o \
+ rrl.o \
tsig.o \
tsig-openssl.o \
util.o
@@ -203,6 +211,7 @@ NSD_XFER_OBJECTS = \
dns.o \
edns.o \
iterated_hash.o \
+ lookup3.o \
namedb.o \
nsd-xfer.o \
nsec3.o \
@@ -212,6 +221,7 @@ NSD_XFER_OBJECTS = \
rbtree.o \
rdata.o \
region-allocator.o \
+ rrl.o \
tsig.o \
tsig-openssl.o \
util.o
@@ -227,6 +237,7 @@ NSD_CHECKCONF_OBJECTS = \
dns.o \
edns.o \
iterated_hash.o \
+ lookup3.o \
namedb.o \
nsd-checkconf.o \
nsec3.o \
@@ -236,6 +247,7 @@ NSD_CHECKCONF_OBJECTS = \
rbtree.o \
rdata.o \
region-allocator.o \
+ rrl.o \
tsig.o \
tsig-openssl.o \
util.o
@@ -253,6 +265,7 @@ NSD_PATCH_OBJECTS = \
dns.o \
edns.o \
iterated_hash.o \
+ lookup3.o \
namedb.o \
nsd-patch.o \
nsec3.o \
@@ -262,6 +275,7 @@ NSD_PATCH_OBJECTS = \
rbtree.o \
rdata.o \
region-allocator.o \
+ rrl.o \
tsig.o \
tsig-openssl.o \
util.o
@@ -281,6 +295,7 @@ CUTEST_OBJECTS = \
edns.o \
ipc.o \
iterated_hash.o \
+ lookup3.o \
namedb.o \
netio.o \
nsec3.o \
@@ -289,6 +304,7 @@ CUTEST_OBJECTS = \
rbtree.o \
rdata.o \
region-allocator.o \
+ rrl.o \
server.o \
tsig.o \
tsig-openssl.o \
@@ -304,6 +320,7 @@ CUTEST_OBJECTS = \
cutest_rbtree.o \
cutest_options.o \
cutest_region.o \
+ cutest_rrl.o \
cutest_util.o \
cutest.o
@@ -319,11 +336,11 @@ nsdc.sh: $(srcdir)/nsdc.sh.in config.h
nsd.conf.sample: $(srcdir)/nsd.conf.sample.in config.h
rm -f nsd.conf.sample
- $(EDIT) $(srcdir)/nsd.conf.sample.in > nsd.conf.sample
+ $(EDIT) $(srcdir)/nsd.conf.sample.in | awk '/RRLconfig'@ratelimit@'/ { while($$0 !~ /.*RRLend.*/) { getline; } getline; } {print} ' > nsd.conf.sample
nsd.conf.5: $(srcdir)/nsd.conf.5.in config.h
rm -f nsd.conf.5
- $(EDIT) $(srcdir)/nsd.conf.5.in > nsd.conf.5
+ $(EDIT) $(srcdir)/nsd.conf.5.in | awk '/rrlstart'@ratelimit@'/ { while($$0 !~ /.*rrlend.*/) { getline; } getline; } {print} ' > nsd.conf.5
nsd.8: $(srcdir)/nsd.8.in config.h
rm -f nsd.8
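Review bot: The awk filter in the `nsd.conf.sample` rule loops forever if the `RRLend` marker is ever missing from the input, because `getline` returns 0 at end of input and leaves `$$0` unchanged, so the `while` condition never becomes true; the `rrlend` loop in the `nsd.conf.5` rule has the same shape. The pipe also hides a failing `$(EDIT)`, since only awk's exit status reaches make, so a truncated file can be left in place with a fresh timestamp and treated as up to date. Suggest testing getline's return, e.g. `while($$0 !~ /.*RRLend.*/) { if (getline <= 0) exit 1; }`, and removing the partial output on failure with `|| { rm -f $@; exit 1; }` appended to each pipeline.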
@@ -491,6 +508,9 @@ cutest_run.o: $(srcdir)/tpkg/cutest/cutest_run.c
cutest_rbtree.o: $(srcdir)/tpkg/cutest/cutest_rbtree.c
$(COMPILE) -c $(srcdir)/tpkg/cutest/cutest_rbtree.c -o $@
+cutest_rrl.o: $(srcdir)/tpkg/cutest/cutest_rrl.c
+ $(COMPILE) -c $(srcdir)/tpkg/cutest/cutest_rrl.c -o $@
+
cutest_options.o: $(srcdir)/tpkg/cutest/cutest_options.c
$(COMPILE) -c $(srcdir)/tpkg/cutest/cutest_options.c -o $@
@@ -565,13 +585,15 @@ buffer.o: $(srcdir)/buffer.c config.h $(srcdir)/buffer.h $(srcdir)/region-alloca
configlexer.o: configlexer.c $(srcdir)/configyyrename.h config.h $(srcdir)/options.h \
$(srcdir)/region-allocator.h $(srcdir)/rbtree.h configparser.h
configparser.o: configparser.c config.h $(srcdir)/options.h $(srcdir)/region-allocator.h \
- $(srcdir)/rbtree.h $(srcdir)/util.h $(srcdir)/configyyrename.h
+ $(srcdir)/rbtree.h $(srcdir)/util.h $(srcdir)/rrl.h $(srcdir)/query.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/dns.h $(srcdir)/nsd.h \
+ $(srcdir)/edns.h $(srcdir)/packet.h $(srcdir)/tsig.h $(srcdir)/configyyrename.h
dbaccess.o: $(srcdir)/dbaccess.c config.h $(srcdir)/dns.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h \
$(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/rbtree.h $(srcdir)/options.h
dbcreate.o: $(srcdir)/dbcreate.c config.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h \
- $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/rbtree.h
-difffile.o: $(srcdir)/difffile.c config.h $(srcdir)/difffile.h $(srcdir)/rbtree.h $(srcdir)/region-allocator.h \
- $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/options.h $(srcdir)/packet.h $(srcdir)/rdata.h
+ $(srcdir)/region-allocator.h $(srcdir)/util.h config.h $(srcdir)/dns.h $(srcdir)/rbtree.h
+difffile.o: $(srcdir)/difffile.c config.h $(srcdir)/difffile.h $(srcdir)/rbtree.h \
+ $(srcdir)/region-allocator.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/options.h \
+ $(srcdir)/packet.h $(srcdir)/rdata.h $(srcdir)/nsec3.h
dname.o: $(srcdir)/dname.c config.h $(srcdir)/dns.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h \
$(srcdir)/util.h $(srcdir)/query.h $(srcdir)/namedb.h $(srcdir)/rbtree.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/packet.h $(srcdir)/tsig.h
dns.o: $(srcdir)/dns.c config.h $(srcdir)/dns.h $(srcdir)/zonec.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h \
@@ -581,41 +603,51 @@ ipc.o: $(srcdir)/ipc.c config.h $(srcdir)/ipc.h $(srcdir)/netio.h $(srcdir)/regi
$(srcdir)/xfrd-tcp.h $(srcdir)/xfrd.h $(srcdir)/rbtree.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/dns.h $(srcdir)/options.h $(srcdir)/tsig.h $(srcdir)/nsd.h \
$(srcdir)/edns.h $(srcdir)/xfrd-notify.h
iterated_hash.o: $(srcdir)/iterated_hash.c config.h $(srcdir)/iterated_hash.h
+lookup3.o: $(srcdir)/lookup3.c config.h $(srcdir)/lookup3.h
namedb.o: $(srcdir)/namedb.c config.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h \
$(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/rbtree.h
netio.o: $(srcdir)/netio.c config.h $(srcdir)/netio.h $(srcdir)/region-allocator.h $(srcdir)/util.h
nsd.o: $(srcdir)/nsd.c config.h $(srcdir)/nsd.h $(srcdir)/dns.h $(srcdir)/edns.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h \
- $(srcdir)/util.h $(srcdir)/options.h $(srcdir)/rbtree.h $(srcdir)/tsig.h $(srcdir)/dname.h
+ $(srcdir)/util.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/rbtree.h $(srcdir)/options.h $(srcdir)/tsig.h
nsd-checkconf.o: $(srcdir)/nsd-checkconf.c config.h $(srcdir)/tsig.h $(srcdir)/buffer.h \
- $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/dname.h $(srcdir)/options.h $(srcdir)/rbtree.h
+ $(srcdir)/region-allocator.h $(srcdir)/util.h config.h $(srcdir)/dname.h $(srcdir)/options.h $(srcdir)/rbtree.h $(srcdir)/rrl.h \
+ $(srcdir)/query.h $(srcdir)/namedb.h $(srcdir)/dns.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/packet.h
nsd-notify.o: $(srcdir)/nsd-notify.c config.h $(srcdir)/tsig.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h \
- $(srcdir)/util.h $(srcdir)/dname.h $(srcdir)/query.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/dns.h $(srcdir)/rbtree.h \
- $(srcdir)/region-allocator.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/buffer.h $(srcdir)/packet.h $(srcdir)/tsig.h
-nsd-patch.o: $(srcdir)/nsd-patch.c config.h $(srcdir)/options.h $(srcdir)/region-allocator.h $(srcdir)/rbtree.h \
- $(srcdir)/difffile.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/util.h $(srcdir)/dns.h
+ $(srcdir)/util.h config.h $(srcdir)/dname.h $(srcdir)/query.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/dns.h $(srcdir)/rbtree.h \
+ $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/buffer.h $(srcdir)/packet.h $(srcdir)/tsig.h
+nsd-patch.o: $(srcdir)/nsd-patch.c config.h $(srcdir)/options.h $(srcdir)/region-allocator.h \
+ $(srcdir)/rbtree.h $(srcdir)/difffile.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/util.h $(srcdir)/dns.h
nsd-xfer.o: $(srcdir)/nsd-xfer.c config.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h \
- $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/packet.h $(srcdir)/namedb.h $(srcdir)/rbtree.h $(srcdir)/query.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/tsig.h \
- $(srcdir)/rdata.h $(srcdir)/tsig-openssl.h $(srcdir)/zonec.h
-nsec3.o: $(srcdir)/nsec3.c config.h $(srcdir)/nsec3.h $(srcdir)/iterated_hash.h $(srcdir)/namedb.h $(srcdir)/dname.h \
- $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/rbtree.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/answer.h \
- $(srcdir)/packet.h $(srcdir)/query.h $(srcdir)/tsig.h
-options.o: $(srcdir)/options.c config.h $(srcdir)/options.h $(srcdir)/region-allocator.h $(srcdir)/rbtree.h \
- $(srcdir)/query.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/packet.h \
- $(srcdir)/tsig.h $(srcdir)/difffile.h $(srcdir)/configyyrename.h configparser.h
+ $(srcdir)/util.h config.h $(srcdir)/dns.h $(srcdir)/packet.h $(srcdir)/namedb.h $(srcdir)/rbtree.h $(srcdir)/query.h $(srcdir)/nsd.h $(srcdir)/edns.h \
+ $(srcdir)/tsig.h $(srcdir)/tsig-openssl.h
+nsec3.o: $(srcdir)/nsec3.c config.h $(srcdir)/nsec3.h $(srcdir)/iterated_hash.h $(srcdir)/namedb.h \
+ $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/rbtree.h $(srcdir)/nsd.h $(srcdir)/edns.h \
+ $(srcdir)/answer.h $(srcdir)/packet.h $(srcdir)/query.h $(srcdir)/tsig.h
+options.o: $(srcdir)/options.c config.h $(srcdir)/options.h $(srcdir)/region-allocator.h \
+ $(srcdir)/rbtree.h $(srcdir)/query.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/nsd.h $(srcdir)/edns.h \
+ $(srcdir)/packet.h $(srcdir)/tsig.h $(srcdir)/rrl.h $(srcdir)/configyyrename.h
packet.o: $(srcdir)/packet.c config.h $(srcdir)/packet.h $(srcdir)/dns.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h \
- $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/rbtree.h $(srcdir)/query.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/tsig.h $(srcdir)/rdata.h
+ $(srcdir)/region-allocator.h $(srcdir)/util.h config.h $(srcdir)/rbtree.h $(srcdir)/query.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/tsig.h \
+ $(srcdir)/rdata.h
query.o: $(srcdir)/query.c config.h $(srcdir)/answer.h $(srcdir)/dns.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h \
$(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/rbtree.h $(srcdir)/packet.h $(srcdir)/query.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/tsig.h \
- $(srcdir)/axfr.h $(srcdir)/options.h $(srcdir)/nsec3.h
+ $(srcdir)/axfr.h $(srcdir)/options.h $(srcdir)/nsec3.h config.h
rbtree.o: $(srcdir)/rbtree.c config.h $(srcdir)/rbtree.h $(srcdir)/region-allocator.h
rdata.o: $(srcdir)/rdata.c config.h $(srcdir)/rdata.h $(srcdir)/dns.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h \
$(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/rbtree.h $(srcdir)/zonec.h
region-allocator.o: $(srcdir)/region-allocator.c config.h $(srcdir)/region-allocator.h $(srcdir)/util.h
+rrl.o: $(srcdir)/rrl.c config.h $(srcdir)/rrl.h $(srcdir)/query.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h \
+ $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/rbtree.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/packet.h $(srcdir)/tsig.h \
+ $(srcdir)/lookup3.h $(srcdir)/options.h
+rrl-orig.o: $(srcdir)/rrl-orig.c config.h $(srcdir)/rrl.h $(srcdir)/query.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h \
+ $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/rbtree.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/packet.h $(srcdir)/tsig.h \
+ $(srcdir)/lookup3.h $(srcdir)/options.h
server.o: $(srcdir)/server.c config.h $(srcdir)/axfr.h $(srcdir)/nsd.h $(srcdir)/dns.h $(srcdir)/edns.h $(srcdir)/buffer.h \
$(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/query.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/rbtree.h $(srcdir)/packet.h \
- $(srcdir)/tsig.h $(srcdir)/netio.h $(srcdir)/xfrd.h $(srcdir)/options.h $(srcdir)/xfrd-tcp.h $(srcdir)/difffile.h $(srcdir)/nsec3.h $(srcdir)/ipc.h
+ $(srcdir)/tsig.h $(srcdir)/netio.h $(srcdir)/xfrd.h $(srcdir)/options.h $(srcdir)/xfrd-tcp.h $(srcdir)/difffile.h $(srcdir)/nsec3.h config.h \
+ $(srcdir)/ipc.h $(srcdir)/lookup3.h $(srcdir)/rrl.h
tsig.o: $(srcdir)/tsig.c config.h $(srcdir)/tsig.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/dname.h \
- $(srcdir)/tsig-openssl.h $(srcdir)/dns.h $(srcdir)/packet.h $(srcdir)/namedb.h $(srcdir)/rbtree.h $(srcdir)/query.h $(srcdir)/nsd.h $(srcdir)/edns.h
+ $(srcdir)/tsig-openssl.h $(srcdir)/dns.h $(srcdir)/packet.h $(srcdir)/namedb.h $(srcdir)/rbtree.h
tsig-openssl.o: $(srcdir)/tsig-openssl.c config.h $(srcdir)/tsig-openssl.h $(srcdir)/region-allocator.h \
$(srcdir)/tsig.h $(srcdir)/buffer.h $(srcdir)/util.h $(srcdir)/dname.h
util.o: $(srcdir)/util.c config.h $(srcdir)/util.h $(srcdir)/region-allocator.h $(srcdir)/dname.h $(srcdir)/buffer.h \
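Review bot: The `rrl-orig.o` dependency rule references `$(srcdir)/rrl-orig.c`, which appears in none of the object lists above and is not in this commit's diffstat, so the rule is dead in this tree and looks like a leftover from an upstream working copy; it is harmless to make but misleading to a reader and should be dropped. Several rewritten rules also now list `config.h` twice (for example `dbcreate.o` and `nsd-checkconf.o`), which is presumably generated noise rather than intent.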
@@ -635,7 +667,7 @@ xfrd-tcp.o: $(srcdir)/xfrd-tcp.c config.h $(srcdir)/xfrd-tcp.h $(srcdir)/xfrd.h
zlexer.o: zlexer.c config.h $(srcdir)/zonec.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h \
$(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/rbtree.h zparser.h
zonec.o: $(srcdir)/zonec.c config.h $(srcdir)/zonec.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h \
- $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/rbtree.h $(srcdir)/rdata.h zparser.h $(srcdir)/options.h \
+ $(srcdir)/region-allocator.h $(srcdir)/util.h config.h $(srcdir)/dns.h $(srcdir)/rbtree.h $(srcdir)/rdata.h $(srcdir)/options.h \
$(srcdir)/nsec3.h
zparser.o: zparser.c config.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h \
$(srcdir)/namedb.h $(srcdir)/dns.h $(srcdir)/rbtree.h $(srcdir)/zonec.h
@@ -656,20 +688,23 @@ strlcpy.o: $(srcdir)/compat/strlcpy.c config.h
strptime.o: $(srcdir)/compat/strptime.c
cutest.o: $(srcdir)/tpkg/cutest/cutest.c $(srcdir)/tpkg/cutest/cutest.h
cutest_dname.o: $(srcdir)/tpkg/cutest/cutest_dname.c config.h $(srcdir)/tpkg/cutest/cutest.h \
- $(srcdir)/region-allocator.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h
+ $(srcdir)/region-allocator.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h config.h
cutest_dns.o: $(srcdir)/tpkg/cutest/cutest_dns.c config.h $(srcdir)/tpkg/cutest/cutest.h \
$(srcdir)/region-allocator.h $(srcdir)/dns.h
cutest_iterated_hash.o: $(srcdir)/tpkg/cutest/cutest_iterated_hash.c config.h \
- $(srcdir)/tpkg/cutest/cutest.h $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/iterated_hash.h $(srcdir)/dname.h \
- $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h
+ $(srcdir)/tpkg/cutest/cutest.h $(srcdir)/region-allocator.h $(srcdir)/util.h config.h $(srcdir)/iterated_hash.h \
+ $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h
cutest_options.o: $(srcdir)/tpkg/cutest/cutest_options.c config.h \
- $(srcdir)/tpkg/cutest/cutest.h $(srcdir)/region-allocator.h $(srcdir)/options.h $(srcdir)/region-allocator.h \
- $(srcdir)/rbtree.h $(srcdir)/util.h
+ $(srcdir)/tpkg/cutest/cutest.h $(srcdir)/region-allocator.h $(srcdir)/options.h config.h \
+ $(srcdir)/region-allocator.h $(srcdir)/rbtree.h $(srcdir)/util.h
cutest_rbtree.o: $(srcdir)/tpkg/cutest/cutest_rbtree.c config.h \
$(srcdir)/tpkg/cutest/cutest.h $(srcdir)/region-allocator.h $(srcdir)/rbtree.h $(srcdir)/region-allocator.h
cutest_region.o: $(srcdir)/tpkg/cutest/cutest_region.c config.h \
- $(srcdir)/tpkg/cutest/cutest.h $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/rbtree.h \
+ $(srcdir)/tpkg/cutest/cutest.h $(srcdir)/region-allocator.h $(srcdir)/util.h config.h $(srcdir)/rbtree.h \
$(srcdir)/region-allocator.h
+cutest_rrl.o: $(srcdir)/tpkg/cutest/cutest_rrl.c config.h $(srcdir)/tpkg/cutest/cutest.h \
+ $(srcdir)/rrl.h $(srcdir)/query.h $(srcdir)/namedb.h $(srcdir)/dname.h $(srcdir)/buffer.h $(srcdir)/region-allocator.h $(srcdir)/util.h \
+ config.h $(srcdir)/dns.h $(srcdir)/rbtree.h $(srcdir)/nsd.h $(srcdir)/edns.h $(srcdir)/packet.h $(srcdir)/tsig.h
cutest_run.o: $(srcdir)/tpkg/cutest/cutest_run.c config.h $(srcdir)/tpkg/cutest/cutest.h
cutest_util.o: $(srcdir)/tpkg/cutest/cutest_util.c config.h $(srcdir)/tpkg/cutest/cutest.h \
- $(srcdir)/region-allocator.h $(srcdir)/util.h
+ $(srcdir)/region-allocator.h $(srcdir)/util.h config.h
diff --git a/usr.sbin/nsd/axfr.c b/usr.sbin/nsd/axfr.c
index b921a45197e..0657fda84a7 100644
--- a/usr.sbin/nsd/axfr.c
+++ b/usr.sbin/nsd/axfr.c
@@ -60,8 +60,7 @@ query_axfr(struct nsd *nsd, struct query *query)
return QUERY_PROCESSED;
}
- query->axfr_current_domain
- = (domain_type *) rbtree_first(nsd->db->domains->names_to_domains);
+ query->axfr_current_domain = query->domain;
query->axfr_current_rrset = NULL;
query->axfr_current_rr = 0;
if(query->tsig.status == TSIG_OK) {
@@ -93,7 +92,7 @@ query_axfr(struct nsd *nsd, struct query *query)
/* Add zone RRs until answer is full. */
assert(query->axfr_current_domain);
- while ((rbnode_t *) query->axfr_current_domain != RBTREE_NULL) {
+ do {
if (!query->axfr_current_rrset) {
query->axfr_current_rrset = domain_find_any_rrset(
query->axfr_current_domain,
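Review bot: The `do {` that replaces the old `while` now dereferences `query->axfr_current_domain` on the first pass before any runtime check, and the `assert` above it is compiled out when configure defines `NDEBUG` (the default when `--enable-checking` is not given, per configure.ac in this same diff). The function is re-entered across packets of one transfer with state saved in the query, and I cannot see from this hunk every path that stores that state, so if `axfr_current_domain` can ever be `RBTREE_NULL` on re-entry this becomes a NULL dereference reachable by an AXFR client. A runtime check that logs and returns before the loop, rather than only an `assert`, would close that. `query_axfr` starts and ends outside this hunk.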
@@ -123,6 +122,10 @@ query_axfr(struct nsd *nsd, struct query *query)
query->axfr_current_domain
= (domain_type *) rbtree_next((rbnode_t *) query->axfr_current_domain);
}
+ while ((rbnode_t *) query->axfr_current_domain != RBTREE_NULL
+ && dname_is_subdomain(
+ domain_dname(query->axfr_current_domain),
+ domain_dname(query->axfr_zone->apex)));
/* Add terminating SOA RR. */
assert(query->axfr_zone->soa_rrset->rr_count == 1);
diff --git a/usr.sbin/nsd/config.h.in b/usr.sbin/nsd/config.h.in
index a9e30685cea..32990903134 100644
--- a/usr.sbin/nsd/config.h.in
+++ b/usr.sbin/nsd/config.h.in
@@ -344,6 +344,9 @@
/* Pathname to the NSD pidfile */
#undef PIDFILE
+/* Define this to enable rate limiting. */
+#undef RATELIMIT
+
/* Define as the return type of signal handlers (`int' or `void'). */
#undef RETSIGTYPE
diff --git a/usr.sbin/nsd/configparser.y b/usr.sbin/nsd/configparser.y
index a5c3cd3270e..68e0193756a 100644
--- a/usr.sbin/nsd/configparser.y
+++ b/usr.sbin/nsd/configparser.y
@@ -18,6 +18,7 @@
#include "options.h"
#include "util.h"
+#include "rrl.h"
#include "configyyrename.h"
int c_lex(void);
void c_error(const char *message);
@@ -58,6 +59,7 @@ static int server_settings_seen = 0;
%token VAR_ALGORITHM VAR_SECRET
%token VAR_AXFR VAR_UDP
%token VAR_VERBOSITY VAR_HIDE_VERSION
+%token VAR_RRL_SIZE VAR_RRL_RATELIMIT VAR_RRL_WHITELIST_RATELIMIT VAR_RRL_WHITELIST
%%
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -81,7 +83,8 @@ content_server: server_ip_address | server_debug_mode | server_ip4_only |
server_username | server_zonesdir |
server_difffile | server_xfrdfile | server_xfrd_reload_timeout |
server_tcp_query_count | server_tcp_timeout | server_ipv4_edns_size |
- server_ipv6_edns_size | server_verbosity | server_hide_version;
+ server_ipv6_edns_size | server_verbosity | server_hide_version |
+ server_rrl_size | server_rrl_ratelimit | server_rrl_whitelist_ratelimit;
server_ip_address: VAR_IP_ADDRESS STRING
{
OUTYY(("P(server_ip_address:%s)\n", $2));
@@ -163,7 +166,7 @@ server_nsid: VAR_NSID STRING
OUTYY(("P(server_nsid:%s)\n", $2));
- if (strlen($2) % 2 != 0) {
+ if (strlen($2) % 2 != 0) {
yyerror("the NSID must be a hex string of an even length.");
} else {
nsid_len = strlen($2) / 2;
@@ -294,6 +297,32 @@ server_ipv6_edns_size: VAR_IPV6_EDNS_SIZE STRING
cfg_parser->opt->ipv6_edns_size = atoi($2);
}
;
+server_rrl_size: VAR_RRL_SIZE STRING
+ {
+ OUTYY(("P(server_rrl_size:%s)\n", $2));
+#ifdef RATELIMIT
+ if(atoi($2) <= 0)
+ yyerror("number greater than zero expected");
+ cfg_parser->opt->rrl_size = atoi($2);
+#endif
+ }
+ ;
+server_rrl_ratelimit: VAR_RRL_RATELIMIT STRING
+ {
+ OUTYY(("P(server_rrl_ratelimit:%s)\n", $2));
+#ifdef RATELIMIT
+ cfg_parser->opt->rrl_ratelimit = atoi($2);
+#endif
+ }
+ ;
+server_rrl_whitelist_ratelimit: VAR_RRL_WHITELIST_RATELIMIT STRING
+ {
+ OUTYY(("P(server_rrl_whitelist_ratelimit:%s)\n", $2));
+#ifdef RATELIMIT
+ cfg_parser->opt->rrl_whitelist_ratelimit = atoi($2);
+#endif
+ }
+ ;
/* zone: declaration */
zonestart: VAR_ZONE
@@ -321,7 +350,7 @@ zonestart: VAR_ZONE
contents_zone: contents_zone content_zone | content_zone;
content_zone: zone_name | zone_zonefile | zone_allow_notify |
zone_request_xfr | zone_notify | zone_notify_retry | zone_provide_xfr |
- zone_outgoing_interface | zone_allow_axfr_fallback;
+ zone_outgoing_interface | zone_allow_axfr_fallback | zone_rrl_whitelist;
zone_name: VAR_NAME STRING
{
OUTYY(("P(zone_name:%s)\n", $2));
@@ -446,6 +475,14 @@ zone_allow_axfr_fallback: VAR_ALLOW_AXFR_FALLBACK STRING
else cfg_parser->current_zone->allow_axfr_fallback = (strcmp($2, "yes")==0);
}
;
+zone_rrl_whitelist: VAR_RRL_WHITELIST STRING
+ {
+ OUTYY(("P(zone_rrl_whitelist:%s)\n", $2));
+#ifdef RATELIMIT
+ cfg_parser->current_zone->rrl_whitelist |= rrlstr2type($2);
+#endif
+ }
+ ;
/* key: declaration */
keystart: VAR_KEY
diff --git a/usr.sbin/nsd/configure b/usr.sbin/nsd/configure
index 7a2dceb34d4..f8dc9f98729 100644
--- a/usr.sbin/nsd/configure
+++ b/usr.sbin/nsd/configure
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.68 for NSD 3.2.14.
+# Generated by GNU Autoconf 2.68 for NSD 3.2.15.
#
# Report bugs to <nsd-bugs@nlnetlabs.nl>.
#
@@ -560,8 +560,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='NSD'
PACKAGE_TARNAME='nsd'
-PACKAGE_VERSION='3.2.14'
-PACKAGE_STRING='NSD 3.2.14'
+PACKAGE_VERSION='3.2.15'
+PACKAGE_STRING='NSD 3.2.15'
PACKAGE_BUGREPORT='nsd-bugs@nlnetlabs.nl'
PACKAGE_URL=''
@@ -604,6 +604,7 @@ ac_includes_default="\
ac_subst_vars='LTLIBOBJS
zonestatsfile
HAVE_SSL
+ratelimit
LIBOBJS
YFLAGS
YACC
@@ -698,6 +699,7 @@ enable_root_server
enable_ipv6
enable_bind8_stats
enable_checking
+enable_ratelimit
with_ssl
enable_nsec3
enable_full_prehash
@@ -1258,7 +1260,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures NSD 3.2.14 to adapt to many kinds of systems.
+\`configure' configures NSD 3.2.15 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1319,7 +1321,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of NSD 3.2.14:";;
+ short | recursive ) echo "Configuration of NSD 3.2.15:";;
esac
cat <<\_ACEOF
@@ -1332,6 +1334,7 @@ Optional Features:
--disable-ipv6 Disables IPv6 support
--enable-bind8-stats Enables BIND8 like NSTATS & XSTATS
--enable-checking Enable internal runtime checks
+ --enable-ratelimit Enable rate limiting
--disable-nsec3 Disable NSEC3 support
--disable-full-prehash Disables NSEC3 full prehashing
--disable-minimal-responses
@@ -1447,7 +1450,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-NSD configure 3.2.14
+NSD configure 3.2.15
generated by GNU Autoconf 2.68
Copyright (C) 2010 Free Software Foundation, Inc.
@@ -1927,7 +1930,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by NSD $as_me 3.2.14, which was
+It was created by NSD $as_me 3.2.15, which was
generated by GNU Autoconf 2.68. Invocation command line was
$ $0 $@
@@ -6815,7 +6818,7 @@ _ACEOF
fi
done
-for ac_func in tzset alarm chroot dup2 endpwent gethostname memset memcpy socket strcasecmp strchr strdup strerror strncasecmp strtol writev getaddrinfo getnameinfo freeaddrinfo gai_strerror sigaction sigprocmask strptime setusercontext initgroups setresuid setreuid setresgid setregid getpwnam
+for ac_func in tzset alarm chroot dup2 endpwent gethostname memset memcpy socket strcasecmp strchr strdup strerror strncasecmp strtol writev getaddrinfo getnameinfo freeaddrinfo gai_strerror sigaction sigprocmask strptime setusercontext initgroups setresuid setreuid setresgid setregid getpwnam mmap
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -7301,6 +7304,37 @@ $as_echo "no" >&6; }
fi
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC supports -Wdeclaration-after-statement" >&5
+$as_echo_n "checking whether $CC supports -Wdeclaration-after-statement... " >&6; }
+cache=`echo Wdeclaration-after-statement | sed 'y%.=/+-%___p_%'`
+if eval \${cv_prog_cc_flag_$cache+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+
+echo 'void f(){}' >conftest.c
+if test -z "`$CC -Wdeclaration-after-statement -c conftest.c 2>&1`"; then
+eval "cv_prog_cc_flag_$cache=yes"
+else
+eval "cv_prog_cc_flag_$cache=no"
+fi
+rm -f conftest*
+
+fi
+
+if eval "test \"`echo '$cv_prog_cc_flag_'$cache`\" = yes"; then
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+:
+ CFLAGS="$CFLAGS -Wdeclaration-after-statement"
+else
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+:
+
+fi
+
;;
no|*)
@@ -7309,6 +7343,26 @@ $as_echo "#define NDEBUG /**/" >>confdefs.h
;;
esac
+# Check whether --enable-ratelimit was given.
+if test "${enable_ratelimit+set}" = set; then :
+ enableval=$enable_ratelimit;
+fi
+
+case "$enable_ratelimit" in
+ yes)
+
+cat >>confdefs.h <<_ACEOF
+#define RATELIMIT /**/
+_ACEOF
+
+ ratelimit="xx"
+ ;;
+ no|*)
+ ratelimit=""
+ ;;
+esac
+
+
# we need SSL for TSIG (and maybe also for NSEC3).
@@ -8162,7 +8216,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by NSD $as_me 3.2.14, which was
+This file was extended by NSD $as_me 3.2.15, which was
generated by GNU Autoconf 2.68. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -8224,7 +8278,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-NSD config.status 3.2.14
+NSD config.status 3.2.15
configured by $0, generated by GNU Autoconf 2.68,
with options \\"\$ac_cs_config\\"
diff --git a/usr.sbin/nsd/configure.ac b/usr.sbin/nsd/configure.ac
index d03e0753bc1..7ebf963bccc 100644
--- a/usr.sbin/nsd/configure.ac
+++ b/usr.sbin/nsd/configure.ac
@@ -4,7 +4,7 @@ dnl
sinclude(acx_nlnetlabs.m4)
-AC_INIT(NSD,3.2.14,nsd-bugs@nlnetlabs.nl)
+AC_INIT(NSD,3.2.15,nsd-bugs@nlnetlabs.nl)
AC_CONFIG_HEADER([config.h])
AC_AIX
@@ -474,7 +474,7 @@ AC_TYPE_SIGNAL
AC_FUNC_FSEEKO
AC_SYS_LARGEFILE
AC_CHECK_FUNCS([arc4random arc4random_uniform])
-AC_CHECK_FUNCS([tzset alarm chroot dup2 endpwent gethostname memset memcpy socket strcasecmp strchr strdup strerror strncasecmp strtol writev getaddrinfo getnameinfo freeaddrinfo gai_strerror sigaction sigprocmask strptime setusercontext initgroups setresuid setreuid setresgid setregid getpwnam])
+AC_CHECK_FUNCS([tzset alarm chroot dup2 endpwent gethostname memset memcpy socket strcasecmp strchr strdup strerror strncasecmp strtol writev getaddrinfo getnameinfo freeaddrinfo gai_strerror sigaction sigprocmask strptime setusercontext initgroups setresuid setreuid setresgid setregid getpwnam mmap])
# check if setreuid en setregid fail, on MacOSX10.4(darwin8).
if echo $build_os | grep darwin8 > /dev/null; then
@@ -592,12 +592,26 @@ case "$enable_checking" in
CHECK_COMPILER_FLAG(W, [ CFLAGS="$CFLAGS -W" ])
CHECK_COMPILER_FLAG(Wall, [ CFLAGS="$CFLAGS -Wall" ])
CHECK_COMPILER_FLAG(Wextra, [ CFLAGS="$CFLAGS -Wextra" ])
+ CHECK_COMPILER_FLAG(Wdeclaration-after-statement, [ CFLAGS="$CFLAGS -Wdeclaration-after-statement" ])
;;
no|*)
AC_DEFINE([NDEBUG], [], [Undefine this to enable internal runtime checks.])
;;
esac
+AC_ARG_ENABLE(ratelimit, AC_HELP_STRING([--enable-ratelimit], [Enable rate limiting]))
+case "$enable_ratelimit" in
+ yes)
+ AC_DEFINE_UNQUOTED([RATELIMIT], [], [Define this to enable rate limiting.])
+ dnl causes awk to not match the exclusion start marker.
+ ratelimit="xx"
+ ;;
+ no|*)
+ ratelimit=""
+ ;;
+esac
+AC_SUBST(ratelimit)
+
# we need SSL for TSIG (and maybe also for NSEC3).
CHECK_SSL
diff --git a/usr.sbin/nsd/dns.c b/usr.sbin/nsd/dns.c
index f0f05823309..85ac6e78401 100644
--- a/usr.sbin/nsd/dns.c
+++ b/usr.sbin/nsd/dns.c
@@ -402,6 +402,30 @@ static rrtype_descriptor_type rrtype_descriptors[(RRTYPE_DESCRIPTORS_LENGTH+1)]
RDATA_ZF_TEXT, RDATA_ZF_TEXT, RDATA_ZF_TEXT, RDATA_ZF_TEXT,
RDATA_ZF_TEXT, RDATA_ZF_TEXT, RDATA_ZF_TEXT, RDATA_ZF_TEXT,
RDATA_ZF_TEXT, RDATA_ZF_TEXT, RDATA_ZF_TEXT, RDATA_ZF_TEXT } },
+ /* 100 */
+ { 100, NULL, T_UTYPE, 1, 1, { RDATA_WF_BINARY }, { RDATA_ZF_UNKNOWN } },
+ /* 101 */
+ { 101, NULL, T_UTYPE, 1, 1, { RDATA_WF_BINARY }, { RDATA_ZF_UNKNOWN } },
+ /* 102 */
+ { 102, NULL, T_UTYPE, 1, 1, { RDATA_WF_BINARY }, { RDATA_ZF_UNKNOWN } },
+ /* 103 */
+ { 103, NULL, T_UTYPE, 1, 1, { RDATA_WF_BINARY }, { RDATA_ZF_UNKNOWN } },
+ /* 104 */
+ { TYPE_NID, "NID", T_NID, 2, 2,
+ { RDATA_WF_SHORT, RDATA_WF_ILNP64 },
+ { RDATA_ZF_SHORT, RDATA_ZF_ILNP64 } },
+ /* 105 */
+ { TYPE_L32, "L32", T_L32, 2, 2,
+ { RDATA_WF_SHORT, RDATA_WF_A },
+ { RDATA_ZF_SHORT, RDATA_ZF_A } },
+ /* 106 */
+ { TYPE_L64, "L64", T_L64, 2, 2,
+ { RDATA_WF_SHORT, RDATA_WF_ILNP64 },
+ { RDATA_ZF_SHORT, RDATA_ZF_ILNP64 } },
+ /* 107 */
+ { TYPE_LP, "LP", T_LP, 2, 2,
+ { RDATA_WF_SHORT, RDATA_WF_UNCOMPRESSED_DNAME },
+ { RDATA_ZF_SHORT, RDATA_ZF_DNAME } },
/* 32769 */
{ TYPE_DLV, "DLV", T_DLV, 4, 4,
{ RDATA_WF_SHORT, RDATA_WF_BYTE, RDATA_WF_BYTE, RDATA_WF_BINARY },
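Review bot: The four entries for types 100–103 carry no comment saying why they exist; since `rrtype_descriptors` is indexed by type and `RRTYPE_DESCRIPTORS_LENGTH` moves to `TYPE_LP + 1` in dns.h, the table must stay dense, and a reader could otherwise take them for types NSD implements. Suggest one comment above them: `/* 100-103: not implemented as named types; placeholders so the type-indexed table stays dense up to TYPE_LP */`. The `NULL` name also means `rrtype_descriptor_by_name` cannot match them, which is presumably intended.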
diff --git a/usr.sbin/nsd/dns.h b/usr.sbin/nsd/dns.h
index f4cd1f8334a..ba526d8f994 100644
--- a/usr.sbin/nsd/dns.h
+++ b/usr.sbin/nsd/dns.h
@@ -139,6 +139,11 @@ typedef enum nsd_rc nsd_rc_type;
#define TYPE_SPF 99 /* RFC 4408 */
+#define TYPE_NID 104 /* RFC 6742 */
+#define TYPE_L32 105 /* RFC 6742 */
+#define TYPE_L64 106 /* RFC 6742 */
+#define TYPE_LP 107 /* RFC 6742 */
+
#define TYPE_TSIG 250
#define TYPE_IXFR 251
#define TYPE_AXFR 252
@@ -152,7 +157,7 @@ typedef enum nsd_rc nsd_rc_type;
#define MAXLABELLEN 63
#define MAXDOMAINLEN 255
-#define MAXRDATALEN 64 /* This is more than enough, think multiple TXT. */
+#define MAXRDATALEN 64 /* This is more than enough, think multiple TXT. */
#define MAX_RDLENGTH 65535
/* Maximum size of a single RR. */
@@ -180,7 +185,8 @@ enum rdata_wireformat
RDATA_WF_BINARY, /* Binary data (unknown length). */
RDATA_WF_BINARYWITHLENGTH, /* Binary data preceded by 1 byte length */
RDATA_WF_APL, /* APL data. */
- RDATA_WF_IPSECGATEWAY /* IPSECKEY gateway ip4, ip6 or dname. */
+ RDATA_WF_IPSECGATEWAY, /* IPSECKEY gateway ip4, ip6 or dname. */
+ RDATA_WF_ILNP64 /* 64-bit uncompressed IPv6 address. */
};
typedef enum rdata_wireformat rdata_wireformat_type;
@@ -214,6 +220,7 @@ enum rdata_zoneformat
RDATA_ZF_NXT, /* NXT type bitmap. */
RDATA_ZF_NSEC, /* NSEC type bitmap. */
RDATA_ZF_LOC, /* Location data. */
+ RDATA_ZF_ILNP64, /* 64-bit uncompressed IPv6 address. */
RDATA_ZF_UNKNOWN /* Unknown data. */
};
typedef enum rdata_zoneformat rdata_zoneformat_type;
@@ -234,9 +241,9 @@ typedef struct rrtype_descriptor rrtype_descriptor_type;
* Indexed by type. The special type "0" can be used to get a
* descriptor for unknown types (with one binary rdata).
*
- * spf + 1
+ * lp + 1
*/
-#define RRTYPE_DESCRIPTORS_LENGTH (TYPE_SPF + 1)
+#define RRTYPE_DESCRIPTORS_LENGTH (TYPE_LP + 1)
rrtype_descriptor_type *rrtype_descriptor_by_name(const char *name);
rrtype_descriptor_type *rrtype_descriptor_by_type(uint16_t type);
diff --git a/usr.sbin/nsd/nsd-checkconf.8.in b/usr.sbin/nsd/nsd-checkconf.8.in
index ef7ff02c18e..5d18060c54b 100644
--- a/usr.sbin/nsd/nsd-checkconf.8.in
+++ b/usr.sbin/nsd/nsd-checkconf.8.in
@@ -1,4 +1,4 @@
-.TH "nsd\-checkconf" "8" "Nov 1, 2012" "NLnet Labs" "nsd 3.2.14"
+.TH "nsd\-checkconf" "8" "Feb 4, 2013" "NLnet Labs" "nsd 3.2.15"
.\" Copyright (c) 2001\-2011, NLnet Labs. All rights reserved.
.\" See LICENSE for the license.
.SH "NAME"
diff --git a/usr.sbin/nsd/nsd-checkconf.c b/usr.sbin/nsd/nsd-checkconf.c
index cf5a7cde9bf..1ebc3b24937 100644
--- a/usr.sbin/nsd/nsd-checkconf.c
+++ b/usr.sbin/nsd/nsd-checkconf.c
@@ -6,7 +6,7 @@
* See LICENSE for the license.
*
*/
-#include <config.h>
+#include "config.h"
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
@@ -16,6 +16,7 @@
#include "options.h"
#include "util.h"
#include "dname.h"
+#include "rrl.h"
extern char *optarg;
extern int optind;
@@ -45,6 +46,12 @@ extern int optind;
printf("%s\n", zone->NAME?"yes":"no"); \
}
+#define ZONE_GET_RRL(NAME, VAR, PATTERN) \
+ if (strcasecmp(#NAME, (VAR)) == 0) { \
+ zone_print_rrl_whitelist("", PATTERN->NAME); \
+ return; \
+ }
+
#define SERV_GET_BIN(NAME, VAR) \
if (strcasecmp(#NAME, (VAR)) == 0) { \
printf("%s\n", opt->NAME?"yes":"no"); \
@@ -71,6 +78,21 @@ extern int optind;
return; \
}
+#ifdef RATELIMIT
+static void zone_print_rrl_whitelist(const char* s, uint16_t w)
+{
+ int i;
+ if(w==rrl_type_all) {
+ printf("%sall\n", s);
+ return;
+ }
+ for(i=0x01; i <= 0x80; i<<=1) {
+ if( (w&i) )
+ printf("%s%s\n", s, rrltype2str(i));
+ }
+}
+#endif /* RATELIMIT */
+
static char buf[BUFSIZ];
static char *
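Review bot: zone_print_rrl_whitelist takes a uint16_t mask but the loop at `for(i=0x01; i <= 0x80; i<<=1)` inspects only the low eight bits, while nsd.conf.5.in in this commit lists nine classification types (nxdomain, error, referral, any, rrsig, wildcard, nodata, dnskey, positive); if the ninth one lives at 0x100 it is never printed, and an empty mask prints nothing at all. Looping over the full width, `for(i=0x01; i <= 0x8000; i<<=1)`, removes the dependency on how many types rrl.h defines, provided rrltype2str tolerates bits it does not know. Printing an explicit marker for `w==0` would also make the per-zone output distinguishable from no output at all.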
@@ -248,6 +270,9 @@ config_print_zone(nsd_options_t* opt, const char* k, int s, const char *o, const
ZONE_GET_BIN(notify_retry, o);
ZONE_GET_OUTGOING(outgoing_interface, o);
ZONE_GET_BIN(allow_axfr_fallback, o);
+#ifdef RATELIMIT
+ ZONE_GET_RRL(rrl_whitelist, o, zone);
+#endif
printf("Zone option not handled: %s %s\n", z, o);
exit(1);
}
@@ -287,6 +312,11 @@ config_print_zone(nsd_options_t* opt, const char* k, int s, const char *o, const
SERV_GET_INT(statistics, o);
SERV_GET_INT(xfrd_reload_timeout, o);
SERV_GET_INT(verbosity, o);
+#ifdef RATELIMIT
+ SERV_GET_INT(rrl_size, o);
+ SERV_GET_INT(rrl_ratelimit, o);
+ SERV_GET_INT(rrl_whitelist_ratelimit, o);
+#endif
if(strcasecmp(o, "zones") == 0) {
RBTREE_FOR(zone, zone_options_t*, opt->zone_options)
@@ -334,6 +364,11 @@ config_test_print_server(nsd_options_t* opt)
print_string_var("xfrdfile:", opt->xfrdfile);
printf("\txfrd_reload_timeout: %d\n", opt->xfrd_reload_timeout);
printf("\tverbosity: %d\n", opt->verbosity);
+#ifdef RATELIMIT
+ printf("\trrl-size: %d\n", (int)opt->rrl_size);
+ printf("\trrl-ratelimit: %d\n", (int)opt->rrl_ratelimit);
+ printf("\trrl-whitelist-ratelimit: %d\n", (int)opt->rrl_whitelist_ratelimit);
+#endif
for(ip = opt->ip_addresses; ip; ip=ip->next)
{
@@ -351,6 +386,9 @@ config_test_print_server(nsd_options_t* opt)
printf("\nzone:\n");
print_string_var("name:", zone->name);
print_string_var("zonefile:", zone->zonefile);
+#ifdef RATELIMIT
+ zone_print_rrl_whitelist("\trrl-whitelist: ", zone->rrl_whitelist);
+#endif
print_acl("allow-notify:", zone->allow_notify);
print_acl("request-xfr:", zone->request_xfr);
printf("\tnotify-retry: %d\n", zone->notify_retry);
diff --git a/usr.sbin/nsd/nsd-notify.8.in b/usr.sbin/nsd/nsd-notify.8.in
index 6106f3e841d..1ca8298eca4 100644
--- a/usr.sbin/nsd/nsd-notify.8.in
+++ b/usr.sbin/nsd/nsd-notify.8.in
@@ -1,4 +1,4 @@
-.TH "nsd\-notify" "8" "Nov 1, 2012" "NLnet Labs" "nsd 3.2.14"
+.TH "nsd\-notify" "8" "Feb 4, 2013" "NLnet Labs" "nsd 3.2.15"
.\" Copyright (c) 2001\-2011, NLnet Labs. All rights reserved.
.\" See LICENSE for the license.
.SH "NAME"
diff --git a/usr.sbin/nsd/nsd-patch.8.in b/usr.sbin/nsd/nsd-patch.8.in
index 77c4af9ab68..7044deada67 100644
--- a/usr.sbin/nsd/nsd-patch.8.in
+++ b/usr.sbin/nsd/nsd-patch.8.in
@@ -1,10 +1,10 @@
-.TH "nsd\-patch" "8" "Nov 1, 2012" "NLnet Labs" "nsd 3.2.14"
+.TH "nsd\-patch" "8" "Feb 4, 2013" "NLnet Labs" "nsd 3.2.15"
.\" Copyright (c) 2001\-2011, NLnet Labs. All rights reserved.
.\" See LICENSE for the license.
.SH "NAME"
.LP
.B nsd\-patch
-\- NSD zone patcher version 3.2.14.
+\- NSD zone patcher version 3.2.15.
.SH "SYNOPSIS"
.B nsd\-patch
.RB [ \-c
diff --git a/usr.sbin/nsd/nsd-xfer.8.in b/usr.sbin/nsd/nsd-xfer.8.in
index 938ee7f0cb7..c65964d36c6 100644
--- a/usr.sbin/nsd/nsd-xfer.8.in
+++ b/usr.sbin/nsd/nsd-xfer.8.in
@@ -1,4 +1,4 @@
-.TH "nsd\-xfer" "8" "Nov 1, 2012" "NLnet Labs" "nsd 3.2.14"
+.TH "nsd\-xfer" "8" "Feb 4, 2013" "NLnet Labs" "nsd 3.2.15"
.\" Copyright (c) 2001\-2011, NLnet Labs. All rights reserved.
.\" See LICENSE for the license.
.SH "NAME"
diff --git a/usr.sbin/nsd/nsd-xfer.c b/usr.sbin/nsd/nsd-xfer.c
index 551ae816da1..1d91993b10a 100644
--- a/usr.sbin/nsd/nsd-xfer.c
+++ b/usr.sbin/nsd/nsd-xfer.c
@@ -168,6 +168,27 @@ connection, including optional source port.\n"
/*
+ * Find an HMAC algorithm based on its id.
+ */
+static tsig_algorithm_type *
+tsig_get_algorithm_by_id(uint8_t alg)
+{
+ if (alg == TSIG_HMAC_MD5)
+ return tsig_get_algorithm_by_name("hmac-md5");
+#ifdef HAVE_EVP_SHA1
+ if (alg == TSIG_HMAC_SHA1)
+ return tsig_get_algorithm_by_name("hmac-sha1");
+#endif /* HAVE_EVP_SHA1 */
+#ifdef HAVE_EVP_SHA256
+ if (alg == TSIG_HMAC_SHA256)
+ return tsig_get_algorithm_by_name("hmac-sha256");
+#endif /* HAVE_EVP_SHA256 */
+
+ return NULL;
+}
+
+
+/*
* Signal handler for timeouts (SIGALRM). This function is called when
* the alarm() value that was set counts down to zero. This indicates
* that we haven't received a response from the server.
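Review bot: tsig_get_algorithm_by_id is added as a static function with no caller in this hunk or anywhere else in the visible diff; if nothing in nsd-xfer.c uses it, the compiler will warn about an unused static function and the mapping is dead code. Its header comment could also say what the id is, presumably a TSIG_HMAC_* value, e.g. `/* Map a TSIG_HMAC_* algorithm id to its tsig_algorithm_type, or NULL when this build lacks the digest. */`. The surrounding file continues outside the hunk.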
diff --git a/usr.sbin/nsd/nsd.8.in b/usr.sbin/nsd/nsd.8.in
index 144af781ffa..6fb4d5fadd9 100644
--- a/usr.sbin/nsd/nsd.8.in
+++ b/usr.sbin/nsd/nsd.8.in
@@ -1,10 +1,10 @@
-.TH "NSD" "8" "Nov 1, 2012" "NLnet Labs" "NSD 3.2.14"
+.TH "NSD" "8" "Feb 4, 2013" "NLnet Labs" "NSD 3.2.15"
.\" Copyright (c) 2001\-2011, NLnet Labs. All rights reserved.
.\" See LICENSE for the license.
.SH "NAME"
.LP
.B nsd
-\- Name Server Daemon (NSD) version 3.2.14.
+\- Name Server Daemon (NSD) version 3.2.15.
.SH "SYNOPSIS"
.LP
.B nsd
diff --git a/usr.sbin/nsd/nsd.c b/usr.sbin/nsd/nsd.c
index 8599c01db3c..6414dc43f49 100644
--- a/usr.sbin/nsd/nsd.c
+++ b/usr.sbin/nsd/nsd.c
@@ -465,7 +465,7 @@ main(int argc, char *argv[])
struct sigaction action;
FILE* dbfd;
#ifdef HAVE_GETPWNAM
- struct passwd *pwd;
+ struct passwd *pwd = NULL;
#endif /* HAVE_GETPWNAM */
/* For initialising the address info structures */
diff --git a/usr.sbin/nsd/nsd.conf.5.in b/usr.sbin/nsd/nsd.conf.5.in
index 92c778f54a9..662d04613aa 100644
--- a/usr.sbin/nsd/nsd.conf.5.in
+++ b/usr.sbin/nsd/nsd.conf.5.in
@@ -1,4 +1,4 @@
-.TH "nsd.conf" "5" "Nov 1, 2012" "NLnet Labs" "nsd 3.2.14"
+.TH "nsd.conf" "5" "Feb 4, 2013" "NLnet Labs" "nsd 3.2.15"
.\" Copyright (c) 2001\-2011, NLnet Labs. All rights reserved.
.\" See LICENSE for the license.
.SH "NAME"
@@ -185,7 +185,7 @@ If not present no statistics are dumped. Statistics are produced
every number seconds. Same as commandline option
.BR \-s .
.TP
-.B zone-stats-file:\fR <filename>
+.B zone\-stats\-file:\fR <filename>
If per zone statistics is enabled, file to dump the statistics.
.TP
.B chroot:\fR <directory>
@@ -235,6 +235,25 @@ zone transfers. 2 lists soft warnings that are encountered.
.B hide\-version:\fR <yes or no>
Prevent NSD from replying with the version string on CHAOS class
queries.
+.\" rrlstart
+.TP
+.B rrl\-size:\fR <numbuckets>
+This option gives the size of the hashtable. Default 1000000. More buckets
+use more memory, and reduce the chance of hash collisions.
+.TP
+.B rrl\-ratelimit:\fR <qps>
+The max qps allowed (from one query source). Default 200 qps. If set to 0
+then it is disabled (unlimited rate), also set the whilelist\-ratelimit
+to 0 to disable ratelimit processing. If you set verbosity to 2 the
+blocked and unblocked subnets are logged. Blocked queries are blocked
+and some receive TCP fallback replies.
+.TP
+.B rrl\-whitelist\-ratelimit:\fR <qps>
+The max qps for query sorts for a source, which have been
+whitelisted. Default 2000 qps. With the rrl\-whitelist option you can set
+specific queries to receive this qps limit instead of the normal limit.
+With the value 0 the rate is unlimited.
+.\" rrlend
.SS "Zone Options"
.LP
For every zone the options need to be specified in one
@@ -284,12 +303,12 @@ made to the master server.
If the UDP option is given, the secondary will use UDP to transmit the IXFR
requests. You should deploy TSIG when allowing UDP transport, to authenticate
notifies and zone transfers. Otherwise, NSD is more vulnerable for
-Kaminsky-style attacks. If the UDP option is left out then IXFR will be
+Kaminsky\-style attacks. If the UDP option is left out then IXFR will be
transmitted using TCP.
.RE
.TP
.B allow\-axfr\-fallback:\fR <yes or no>
-This option should be accompanied by request-xfr. It (dis)allows NSD (as secondary)
+This option should be accompanied by request\-xfr. It (dis)allows NSD (as secondary)
to fallback to AXFR if the primary name server does not support IXFR. Default is yes.
.TP
.B notify:\fR <ip\-address> <key\-name | NOKEY>
@@ -328,6 +347,18 @@ The ip\-address is a plain IP address (IPv4 or IPv6).
A port number can be added using a suffix of @number, for example
1.2.3.4@5300.
.RE
+\" rrlstart
+.TP
+.B rrl\-whitelist:\fR <rrltype>
+This option causes queries of this rrltype to be whitelisted, for this
+zone. They receive the whitelist\-ratelimit. You can give multiple lines,
+each enables a new rrltype to be whitelisted for the zone. Default has
+none whitelisted. The rrltype is the query classification that the NSD RRL
+employs to make different types not interfere with one another. The types
+are logged in the loglines when a subnet is blocked (in verbosity 2).
+The RRL classification types are: nxdomain, error, referral, any, rrsig,
+wildcard, nodata, dnskey, positive, all.
+.\" rrlend
.SS "Key Declarations"
The
.B key:
@@ -509,8 +540,8 @@ default
configuration file
.SH "SEE ALSO"
.LP
-nsd(8), nsdc(8), nsd\-checkconf(8), nsd-notify(8),
-nsd-patch(8), nsd-xfer(8), nsd\-zonec(8)
+nsd(8), nsdc(8), nsd\-checkconf(8), nsd\-notify(8),
+nsd\-patch(8), nsd\-xfer(8), nsd\-zonec(8)
.SH "AUTHORS"
.LP
.B NSD
diff --git a/usr.sbin/nsd/nsdc.8.in b/usr.sbin/nsd/nsdc.8.in
index ac17ad66492..57e047a3210 100644
--- a/usr.sbin/nsd/nsdc.8.in
+++ b/usr.sbin/nsd/nsdc.8.in
@@ -1,4 +1,4 @@
-.TH "NSDC" "8" "Nov 1, 2012" "NLnet Labs" "NSDC 3.2.14"
+.TH "NSDC" "8" "Feb 4, 2013" "NLnet Labs" "NSDC 3.2.15"
.\" Copyright (c) 2001\-2011, NLnet Labs. All rights reserved.
.\" See LICENSE for the license.
.SH "NAME"
diff --git a/usr.sbin/nsd/nsec3.c b/usr.sbin/nsd/nsec3.c
index 4a08bff5181..e3654517bf2 100644
--- a/usr.sbin/nsd/nsec3.c
+++ b/usr.sbin/nsd/nsec3.c
@@ -435,7 +435,7 @@ prehash_zone_incremental(struct namedb *db, struct zone *zone)
node = rbtree_next(node);
continue;
}
- if (!walk->nsec3_cover) {
+ if (walk->nsec3_cover != NULL) {
node = rbtree_next(node);
continue;
}
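Review bot: The rewritten test at `if (walk->nsec3_cover != NULL)` inverts the old `if (!walk->nsec3_cover)`, so the loop now skips domains that already have a cover instead of those that lack one; that is a behaviour change, not a cleanup, and nothing in the hunk says which reading is intended. A one-line comment would make the intent checkable, e.g. `/* already prehashed in an earlier pass; nothing to do */`. prehash_zone_incremental starts before this hunk, so I cannot see how walk is selected.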
diff --git a/usr.sbin/nsd/query.c b/usr.sbin/nsd/query.c
index 5c26d32d7f3..4d0d3c02dbb 100644
--- a/usr.sbin/nsd/query.c
+++ b/usr.sbin/nsd/query.c
@@ -225,6 +225,10 @@ query_reset(query_type *q, size_t maxlen, int is_tcp)
q->axfr_current_domain = NULL;
q->axfr_current_rrset = NULL;
q->axfr_current_rr = 0;
+
+#ifdef RATELIMIT
+ q->wildcard_domain = NULL;
+#endif
}
/* get a temporary domain number (or 0=failure) */
@@ -359,8 +363,9 @@ process_tsig(struct query* q)
return NSD_RC_FORMAT;
if(q->tsig.status == TSIG_OK) {
if(!tsig_from_query(&q->tsig)) {
- log_msg(LOG_ERR, "query tsig unknown key/algorithm");
- return NSD_RC_REFUSE;
+ log_msg(LOG_ERR, "query: bad tsig (%s)",
+ tsig_error(q->tsig.error_code));
+ return NSD_RC_NOTAUTH;
}
buffer_set_limit(q->packet, q->tsig.position);
ARCOUNT_SET(q->packet, ARCOUNT(q->packet) - 1);
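Review bot: The `log_msg(LOG_ERR, "query: bad tsig (%s)", ...)` line fires for every query whose TSIG fails key or algorithm lookup, and such a query can come from any unauthenticated source, so a burst of forged TSIG records turns into an unbounded LOG_ERR stream; the signature-failure log in the next hunk has the same property. Gating both on the global `verbosity` counter defined in util.c, `if(verbosity >= 2) log_msg(...)`, or moving them under DEBUG like the success message below, keeps the diagnostic without the flood. Returning NSD_RC_NOTAUTH rather than REFUSE matches the BADKEY/BADSIG handling in RFC 2845, so that part of the change is right. process_tsig begins before this hunk.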
@@ -369,7 +374,7 @@ process_tsig(struct query* q)
if(!tsig_verify(&q->tsig)) {
log_msg(LOG_ERR, "query: bad tsig signature for key %s",
dname_to_string(q->tsig.key->name, NULL));
- return NSD_RC_REFUSE;
+ return NSD_RC_NOTAUTH;
}
DEBUG(DEBUG_XFRD,1, (LOG_INFO, "query good tsig signature for %s",
dname_to_string(q->tsig.key->name, NULL)));
@@ -416,14 +421,13 @@ answer_notify(struct nsd* nsd, struct query *query)
uint32_t acl_send = htonl(acl_num);
uint32_t acl_xfr;
size_t pos;
+ assert(why);
/* Find priority candidate for request XFR. -1 if no match */
acl_num_xfr = acl_check_incoming(
zone_opt->request_xfr, query, NULL);
-
acl_xfr = htonl(acl_num_xfr);
- assert(why);
DEBUG(DEBUG_XFRD,1, (LOG_INFO, "got notify %s passed acl %s %s",
dname_to_string(query->qname, NULL),
why->ip_address_spec,
@@ -863,10 +867,8 @@ answer_nodata(struct query *query, answer_type *answer, domain_type *original)
static void
answer_nxdomain(query_type *query, answer_type *answer)
{
- if (query->cname_count == 0) {
- RCODE_SET(query->packet, RCODE_NXDOMAIN);
- answer_soa(query, answer);
- }
+ RCODE_SET(query->packet, RCODE_NXDOMAIN);
+ answer_soa(query, answer);
}
@@ -1039,6 +1041,9 @@ answer_authoritative(struct nsd *nsd,
} else if (domain_wildcard_child(closest_encloser)) {
/* Generate the domain from the wildcard. */
domain_type *wildcard_child = domain_wildcard_child(closest_encloser);
+#ifdef RATELIMIT
+ q->wildcard_domain = wildcard_child;
+#endif
match = (domain_type *) region_alloc(q->region,
sizeof(domain_type));
diff --git a/usr.sbin/nsd/rdata.c b/usr.sbin/nsd/rdata.c
index 15c03cb7ade..806a081f01f 100644
--- a/usr.sbin/nsd/rdata.c
+++ b/usr.sbin/nsd/rdata.c
@@ -222,6 +222,20 @@ rdata_aaaa_to_string(buffer_type *output, rdata_atom_type rdata,
}
static int
+rdata_ilnp64_to_string(buffer_type *output, rdata_atom_type rdata,
+ rr_type* ATTR_UNUSED(rr))
+{
+ uint8_t* data = rdata_atom_data(rdata);
+ uint16_t a1 = read_uint16(data);
+ uint16_t a2 = read_uint16(data+2);
+ uint16_t a3 = read_uint16(data+4);
+ uint16_t a4 = read_uint16(data+6);
+
+ buffer_printf(output, "%.4x:%.4x:%.4x:%.4x", a1, a2, a3, a4);
+ return 1;
+}
+
+static int
rdata_rrtype_to_string(buffer_type *output, rdata_atom_type rdata,
rr_type* ATTR_UNUSED(rr))
{
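Review bot: rdata_ilnp64_to_string reads eight bytes from the atom at `uint8_t* data = rdata_atom_data(rdata);` without stating that the atom is guaranteed to hold exactly IP6ADDRLEN/2 bytes; that guarantee only comes from the RDATA_WF_ILNP64 case added later in this file and from zparser_conv_ilnp64 in zonec.c. A comment such as `/* RDATA_WF_ILNP64 atoms are fixed at IP6ADDRLEN/2 bytes (see rdata_wireformat_to_rdata_atoms) */` would record that, and the neighbouring a/aaaa formatters show whether this file prefers an assert for fixed-size atoms.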
@@ -578,6 +592,7 @@ static rdata_to_string_type rdata_to_string_table[RDATA_ZF_UNKNOWN + 1] = {
rdata_nxt_to_string,
rdata_nsec_to_string,
rdata_loc_to_string,
+ rdata_ilnp64_to_string,
rdata_unknown_to_string
};
@@ -653,6 +668,9 @@ rdata_wireformat_to_rdata_atoms(region_type *region,
case RDATA_WF_AAAA:
length = IP6ADDRLEN;
break;
+ case RDATA_WF_ILNP64:
+ length = IP6ADDRLEN/2;
+ break;
case RDATA_WF_BINARY:
/* Remaining RDATA is binary. */
length = end - buffer_position(packet);
diff --git a/usr.sbin/nsd/region-allocator.c b/usr.sbin/nsd/region-allocator.c
index 698d5137ada..a5fbf41dc61 100644
--- a/usr.sbin/nsd/region-allocator.c
+++ b/usr.sbin/nsd/region-allocator.c
@@ -442,7 +442,7 @@ region_log_stats(region_type *region)
{
char buf[10240], *str=buf;
int strl = sizeof(buf);
- int len=0;
+ int len;
len=snprintf(str, strl, "%lu objects (%lu small/%lu large), %lu bytes allocated (%lu wasted) in %lu chunks, %lu cleanups, %lu in recyclebin",
(unsigned long) (region->small_objects + region->large_objects),
(unsigned long) region->small_objects,
diff --git a/usr.sbin/nsd/server.c b/usr.sbin/nsd/server.c
index aa0c659cb98..6ac7ee9b51c 100644
--- a/usr.sbin/nsd/server.c
+++ b/usr.sbin/nsd/server.c
@@ -34,6 +34,8 @@
#define SHUT_WR 1
#endif
+#include <openssl/rand.h>
+
#include "axfr.h"
#include "namedb.h"
#include "netio.h"
@@ -42,6 +44,8 @@
#include "difffile.h"
#include "nsec3.h"
#include "ipc.h"
+#include "lookup3.h"
+#include "rrl.h"
/*
* Data for the UDP handlers.
@@ -87,17 +91,17 @@ struct tcp_handler_data
* data, including this structure. This region is destroyed
* when the connection is closed.
*/
- region_type *region;
+ region_type* region;
/*
* The global nsd structure.
*/
- struct nsd *nsd;
+ struct nsd* nsd;
/*
* The current query data for this TCP connection.
*/
- query_type *query;
+ query_type* query;
/*
* These fields are used to enable the TCP accept handlers
@@ -112,7 +116,7 @@ struct tcp_handler_data
* AXFR, if we're done processing, or if we should discard the
* query and connection.
*/
- query_state_type query_state;
+ query_state_type query_state;
/*
* The bytes_transmitted field is used to remember the number
@@ -120,7 +124,7 @@ struct tcp_handler_data
* packet. The count includes the two additional bytes used
* to specify the packet length on a TCP connection.
*/
- size_t bytes_transmitted;
+ size_t bytes_transmitted;
/*
* The number of queries handled by this specific TCP connection.
@@ -525,6 +529,23 @@ server_init(struct nsd *nsd)
int
server_prepare(struct nsd *nsd)
{
+#ifdef RATELIMIT
+ /* set secret modifier for hashing (udb ptr buckets and rate limits) */
+#ifdef HAVE_ARC4RANDOM
+ srandom(arc4random());
+ hash_set_raninit(arc4random());
+#else
+ uint32_t v = getpid() ^ time(NULL);
+ srandom((unsigned long)v);
+ if(RAND_status() && RAND_bytes((unsigned char*)&v, sizeof(v)) > 0)
+ hash_set_raninit(v);
+ else hash_set_raninit(random());
+#endif
+ rrl_mmap_init(nsd->child_count, nsd->options->rrl_size,
+ nsd->options->rrl_ratelimit,
+ nsd->options->rrl_whitelist_ratelimit);
+#endif /* RATELIMIT */
+
/* Open the database... */
if ((nsd->db = namedb_open(nsd->dbfile, nsd->options, nsd->child_count)) == NULL) {
log_msg(LOG_ERR, "unable to open the database %s: %s",
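Review bot: On builds without arc4random, the hash secret at `uint32_t v = getpid() ^ time(NULL);` stays predictable when RAND_bytes is unavailable or fails, because `hash_set_raninit(random())` then draws from a generator seeded with that same pid/time value; the comment above calls this a secret for the rate-limit buckets, and a guessable secret weakens the collision resistance it is meant to provide. The fallback path should at least say so, e.g. `log_msg(LOG_WARNING, "rrl: no OpenSSL RNG available, hash seed derived from pid and time");`, so an operator can tell which path was taken. `#include <openssl/rand.h>` is added unconditionally in the first hunk of this file although RAND_status/RAND_bytes are only referenced inside `#ifdef RATELIMIT`; wrapping the include the same way keeps non-RRL builds free of that header. server_prepare continues outside the hunk.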
@@ -591,7 +612,7 @@ close_all_sockets(struct nsd_socket sockets[], size_t n)
* Does not return.
*
*/
-static void
+void
server_shutdown(struct nsd *nsd)
{
size_t i;
@@ -751,7 +772,7 @@ server_reload(struct nsd *nsd, region_type* server_region, netio_type* netio,
log_msg(LOG_ERR, "unable to reload the database: %s", strerror(errno));
exit(1);
}
-#ifndef FULL_PREHASH
+#if defined(NSEC3) && !defined(FULL_PREHASH)
prehash(nsd->db, 0);
#endif
}
@@ -968,6 +989,10 @@ server_main(struct nsd *nsd)
pid_t xfrd_pid = -1;
sig_atomic_t mode;
+#ifdef RATELIMIT
+ rrl_init((nsd->this_child - nsd->children)/sizeof(nsd->children[0]));
+#endif
+
/* Ensure we are the main process */
assert(nsd->server_kind == NSD_SERVER_MAIN);
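Review bot: The child index passed at `rrl_init((nsd->this_child - nsd->children)/sizeof(nsd->children[0]));` looks wrong: if this_child and children point at the same element type, the pointer subtraction already yields an element count, and dividing it again by the element size collapses every realistic child number to 0. The intended expression is probably `rrl_init(nsd->this_child - nsd->children);`, and whether this_child is even set in the main server process at this point is something the hunk does not show. server_main continues outside the hunk.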
@@ -1372,6 +1397,20 @@ server_child(struct nsd *nsd)
server_shutdown(nsd);
}
+static query_state_type
+server_process_query_udp(struct nsd *nsd, struct query *query)
+{
+#ifdef RATELIMIT
+ if(query_process(query, nsd) != QUERY_DISCARDED) {
+ if(rrl_process_query(query))
+ return rrl_slip(query);
+ else return QUERY_PROCESSED;
+ }
+ return QUERY_DISCARDED;
+#else
+ return query_process(query, nsd);
+#endif
+}
static void
handle_udp(netio_type *ATTR_UNUSED(netio),
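Review bot: In the non-RATELIMIT branch, `return query_process(query, nsd);` bypasses server_process_query, which the old call site in the next hunk used; if that wrapper does anything beyond calling query_process (its body is not visible here), the UDP path now skips it. Under RATELIMIT the function also folds every non-discarded result of query_process into QUERY_PROCESSED, so a state such as QUERY_IN_AXFR would be lost on this path; a comment stating that a UDP query can never be in that state would justify the simplification. A blank line between the closing brace and `static void` at the end of the hunk would match the rest of the file.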
@@ -1416,7 +1455,7 @@ handle_udp(netio_type *ATTR_UNUSED(netio),
buffer_flip(q->packet);
/* Process and answer the query... */
- if (server_process_query(data->nsd, q) != QUERY_DISCARDED) {
+ if (server_process_query_udp(data->nsd, q) != QUERY_DISCARDED) {
#ifdef BIND8_STATS
if (RCODE(q->packet) == RCODE_OK && !AA(q->packet)) {
STATUP(data->nsd, nona);
diff --git a/usr.sbin/nsd/util.c b/usr.sbin/nsd/util.c
index e15bd4c899b..73c8fe6233e 100644
--- a/usr.sbin/nsd/util.c
+++ b/usr.sbin/nsd/util.c
@@ -26,6 +26,7 @@
#include "dname.h"
#include "namedb.h"
#include "rdata.h"
+#include "zonec.h"
#ifdef USE_MMAP_ALLOC
#include <sys/mman.h>
@@ -43,6 +44,8 @@ unsigned nsd_debug_facilities = 0xffff;
int nsd_debug_level = 0;
#endif
+#define MSB_32 0x80000000
+
int verbosity = 0;
static const char *global_ident = NULL;
@@ -477,10 +480,22 @@ strtottl(const char *nptr, const char **endptr)
break;
default:
seconds += i;
+ /**
+ * According to RFC2308, Section 8, the MSB
+ * (sign bit) should be set to zero.
+ * If we encounter a value larger than 2^31 -1,
+ * we fall back to the default TTL.
+ */
+ if ((seconds & MSB_32)) {
+ seconds = DEFAULT_TTL;
+ }
return seconds;
}
}
seconds += i;
+ if ((seconds & MSB_32)) {
+ seconds = DEFAULT_TTL;
+ }
return seconds;
}
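Review bot: Both new checks, `if ((seconds & MSB_32)) { seconds = DEFAULT_TTL; }`, silently replace an out-of-range TTL with the default and give the zone author no diagnostic, so an extra digit goes unnoticed; a `log_msg(LOG_WARNING, ...)` before the substitution would be the usual pattern, and the duplicated test could sit once after the loop rather than inside the default case and again after it. RFC 2308 §8, which the comment cites, says values with the sign bit set are to be treated as zero, so the comment should say why DEFAULT_TTL is chosen here instead (zone-file parsing rather than received data, presumably). The check also inspects only bit 31: if repeated unit suffixes push the running sum past 2^32 it wraps and can come back with the bit clear, which I infer from the arithmetic but cannot confirm from the hunk. Pulling DEFAULT_TTL in via `#include "zonec.h"` in the first hunk makes util.c depend on the zone-compiler header; moving the constant to a shared header avoids that. strtottl begins before this hunk.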
diff --git a/usr.sbin/nsd/zonec.8.in b/usr.sbin/nsd/zonec.8.in
index 9aee4d614cd..af7684fe204 100644
--- a/usr.sbin/nsd/zonec.8.in
+++ b/usr.sbin/nsd/zonec.8.in
@@ -1,10 +1,10 @@
-.TH "nsd\-zonec" "8" "Nov 1, 2012" "NLnet Labs" "nsd 3.2.14"
+.TH "nsd\-zonec" "8" "Feb 4, 2013" "NLnet Labs" "nsd 3.2.15"
.\" Copyright (c) 2001\-2011, NLnet Labs. All rights reserved.
.\" See LICENSE for the license.
.SH "NAME"
.LP
.B nsd\-zonec
-\- NSD zone compiler version 3.2.14.
+\- NSD zone compiler version 3.2.15.
.SH "SYNOPSIS"
.LP
.B nsd\-zonec
diff --git a/usr.sbin/nsd/zonec.c b/usr.sbin/nsd/zonec.c
index deadcdf2c98..0cf67e3a40b 100644
--- a/usr.sbin/nsd/zonec.c
+++ b/usr.sbin/nsd/zonec.c
@@ -40,6 +40,9 @@
#include "options.h"
#include "nsec3.h"
+#define ILNP_MAXDIGITS 4
+#define ILNP_NUMGROUPS 4
+
const dname_type *error_dname;
domain_type *error_domain;
@@ -383,6 +386,76 @@ zparser_conv_aaaa(region_type *region, const char *text)
}
uint16_t *
+zparser_conv_ilnp64(region_type *region, const char *text)
+{
+ uint16_t *r = NULL;
+ int ngroups, num;
+ unsigned long hex;
+ const char *ch;
+ int c;
+ char digits[ILNP_MAXDIGITS+1];
+ unsigned int ui[ILNP_NUMGROUPS];
+ uint16_t a[ILNP_NUMGROUPS];
+
+ ngroups = 1; /* Always at least one group */
+ num = 0;
+ for (ch = text; *ch != '\0'; ch++) {
+ if (*ch == ':') {
+ if (num <= 0) {
+ zc_error_prev_line("ilnp64: empty group of "
+ "digits is not allowed");
+ return NULL;
+ }
+ digits[num] = '\0';
+ hex = (unsigned long) strtol(digits, NULL, 16);
+ num = 0;
+ ui[ngroups - 1] = hex;
+ if (ngroups >= ILNP_NUMGROUPS) {
+ zc_error_prev_line("ilnp64: more than %d groups "
+ "of digits", ILNP_NUMGROUPS);
+ return NULL;
+ }
+ ngroups++;
+ } else {
+ /* Our grammar is stricter than the one accepted by
+ * strtol. */
+ c = (int) *ch;
+ if (!isxdigit(c)) {
+ zc_error_prev_line("ilnp64: invalid "
+ "(non-hexadecimal) character %c", c);
+ return NULL;
+ }
+ if (num >= ILNP_MAXDIGITS) {
+ zc_error_prev_line("ilnp64: more than %d digits "
+ "in a group", ILNP_MAXDIGITS);
+ return NULL;
+ }
+ digits[num++] = *ch;
+ }
+ }
+ if (num <= 0) {
+ zc_error_prev_line("ilnp64: empty group of digits is not "
+ "allowed");
+ return NULL;
+ }
+ digits[num] = '\0';
+ hex = (unsigned long) strtol(digits, NULL, 16);
+ ui[ngroups - 1] = hex;
+ if (ngroups < 4) {
+ zc_error_prev_line("ilnp64: less than %d groups of digits",
+ ILNP_NUMGROUPS);
+ return NULL;
+ }
+
+ a[0] = htons(ui[0]);
+ a[1] = htons(ui[1]);
+ a[2] = htons(ui[2]);
+ a[3] = htons(ui[3]);
+ r = alloc_rdata_init(region, a, sizeof(a));
+ return r;
+}
+
+uint16_t *
zparser_conv_text(region_type *region, const char *text, size_t len)
{
uint16_t *r = NULL;
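Review bot: `c = (int) *ch;` feeds a possibly negative plain char to isxdigit, which is undefined for values other than EOF and unsigned char, so a high-bit byte in a zone file trips undefined behaviour before the error message is reached; `c = (unsigned char) *ch;` fixes it. The final group-count test uses a literal, `if (ngroups < 4)`, while its own error message and the earlier test use ILNP_NUMGROUPS; `if (ngroups < ILNP_NUMGROUPS)` keeps them together. Printing the offending byte with `%c` copies it raw into the log; `0x%02x` would be safer for non-printable input.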
diff --git a/usr.sbin/nsd/zonec.h b/usr.sbin/nsd/zonec.h
index 697cb417389..0ac0fd62ad5 100644
--- a/usr.sbin/nsd/zonec.h
+++ b/usr.sbin/nsd/zonec.h
@@ -91,6 +91,7 @@ uint16_t *zparser_conv_long(region_type *region, const char *text);
uint16_t *zparser_conv_byte(region_type *region, const char *text);
uint16_t *zparser_conv_a(region_type *region, const char *text);
uint16_t *zparser_conv_aaaa(region_type *region, const char *text);
+uint16_t *zparser_conv_ilnp64(region_type *region, const char *text);
uint16_t *zparser_conv_text(region_type *region, const char *text, size_t len);
uint16_t *zparser_conv_dns_name(region_type *region, const uint8_t* name, size_t len);
uint16_t *zparser_conv_b32(region_type *region, const char *b32);
diff --git a/usr.sbin/nsd/zparser.y b/usr.sbin/nsd/zparser.y
index 21c7f6854ae..5e95a74bb8f 100644
--- a/usr.sbin/nsd/zparser.y
+++ b/usr.sbin/nsd/zparser.y
@@ -67,6 +67,7 @@ nsec3_add_params(const char* hash_algo_str, const char* flag_str,
%token <type> T_OPT T_APL T_UINFO T_UID T_GID T_UNSPEC T_TKEY T_TSIG T_IXFR
%token <type> T_AXFR T_MAILB T_MAILA T_DS T_DLV T_SSHFP T_RRSIG T_NSEC T_DNSKEY
%token <type> T_SPF T_NSEC3 T_IPSECKEY T_DHCID T_NSEC3PARAM T_TLSA
+%token <type> T_NID T_L32 T_L64 T_LP
/* other tokens */
%token DOLLAR_TTL DOLLAR_ORIGIN NL SP
@@ -594,6 +595,14 @@ type_and_rdata:
| T_DNSKEY sp rdata_unknown { $$ = $1; parse_unknown_rdata($1, $3); }
| T_TLSA sp rdata_tlsa
| T_TLSA sp rdata_unknown { $$ = $1; parse_unknown_rdata($1, $3); }
+ | T_NID sp rdata_nid
+ | T_NID sp rdata_unknown { $$ = $1; parse_unknown_rdata($1, $3); }
+ | T_L32 sp rdata_l32
+ | T_L32 sp rdata_unknown { $$ = $1; parse_unknown_rdata($1, $3); }
+ | T_L64 sp rdata_l64
+ | T_L64 sp rdata_unknown { $$ = $1; parse_unknown_rdata($1, $3); }
+ | T_LP sp rdata_lp
+ | T_LP sp rdata_unknown { $$ = $1; parse_unknown_rdata($1, $3); }
| T_UTYPE sp rdata_unknown { $$ = $1; parse_unknown_rdata($1, $3); }
| STR error NL
{
@@ -946,6 +955,35 @@ rdata_ipseckey: rdata_ipsec_base sp str_sp_seq trail
| rdata_ipsec_base trail
;
+/* RFC 6742 */
+rdata_nid: STR sp dotted_str trail
+ {
+ zadd_rdata_wireformat(zparser_conv_short(parser->region, $1.str)); /* preference */
+ zadd_rdata_wireformat(zparser_conv_ilnp64(parser->region, $3.str)); /* NodeID */
+ }
+ ;
+
+rdata_l32: STR sp dotted_str trail
+ {
+ zadd_rdata_wireformat(zparser_conv_short(parser->region, $1.str)); /* preference */
+ zadd_rdata_wireformat(zparser_conv_a(parser->region, $3.str)); /* Locator32 */
+ }
+ ;
+
+rdata_l64: STR sp dotted_str trail
+ {
+ zadd_rdata_wireformat(zparser_conv_short(parser->region, $1.str)); /* preference */
+ zadd_rdata_wireformat(zparser_conv_ilnp64(parser->region, $3.str)); /* Locator64 */
+ }
+ ;
+
+rdata_lp: STR sp dname trail
+ {
+ zadd_rdata_wireformat(zparser_conv_short(parser->region, $1.str)); /* preference */
+ zadd_rdata_domain($3); /* FQDN */
+ }
+ ;
+
rdata_unknown: URR sp STR sp str_sp_seq trail
{
/* $2 is the number of octects, currently ignored */