Change-Id: I77615a328dce98e39964c567b55cf7c4dca331e2

refs #2136

refs #2136

Doesn't guarantee waking up of the Idle threads
and blocks when used in dt_start().
Caller should either activate existing threads or
use dt_start() instead.

refs #1441

Replaced with _SC_PAGESIZE, fixes OpenBSD build.

fixes #1441

This reverts commit c185f2f4.

Jenkins fails on all platforms with it.

refs #2136

refs #2136

refs #2136

refs #2136

New classes:
* ANY (for ANY qtype)
* DNSSEC (for qtype = DNSSEC-related record)

Now logging when netblock enters/leaves rate limiting.
Calculated by the previous window when dt>0 and number of
available tokens is zero.

Buckets under a slow-start phase cannot reset on subsequent collisions,
this is to avoid potential collision attack when two precalculated
packets hit the same bucket regularly.
This could happen in a legitimate traffic as well (less probably),
if it does, the clients won't get completely denied, but will share
the remaining rate until the slow-start phases out (1 time window).

refs #2136

fixes #2361 @30m

fixes #2363 @15m

Now works when enabled in configuration.
No smoothing to precision better than 1s yet.
SLIP also implemented.

refs #2136

refs #2136

As response packet is temporary at the moment,
copy flags/markers from the response to the query
when parsing.

refs #2136

refs #2136

refs #2136

RRL could be updated from any answering thread
and due to the natural collisions, even one bucket.
As every query also updates the bucket, it would be inefficient
to sync all threads using RCU. For this reason N muteces
are allocated and appropriate mutex is calculated from the
id of the bucket (currently last digit).

refs #2136

Basic classes (evaluated in following order):
* NORMAL - positive answer
* ERROR - rcode is not NXDOMAIN nor NOERROR
* NXDOMAIN - rcode is NXDOMAIN
* EMPTY - response doesn't contain any answers
* LARGE - packet size exceeded threshold (currently 1k)
* WILDCARD - answering from a wildcard

Reason behind not selectively classifying popular types like
DNSKEY, RRSIG or ANY is that any type could be exploited,
depending on the contents of the zone.

refs #2136

When a collision occurs (bucket is same, but addresses differ),
bucket enters a slow-start mode.
This means it is given less tokens for two seconds in a row,
then leaves the slow-start mode.
Reason for this is penalize collisions, but still allow
legitimate clients to connect.
In usual mode of operations collisions on the same bucket shouldn't
happen in a regular fashion, therefore not triggering slow-start
mode often.

Based on memo and implementation notes from
Vixie and Schryver.
http://ss.vix.su/~vixie/isc-tn-2012-1.txt

Basically a token bucket algorithm, no interpolation
yet. Classification of responses based on:
<address prefix, resp.class, name, seed>

address prefix = /24 for IPv4, /56 for IPv6
resp.class = based on rcode,question and ancount
name = either qname or answer
seed = secret to harden collision prediction

No SLIP yet.