wrong rate limiter queue. [RT #40350]

4180.	[bug]		Error responses in pipelined queries could
			cause a crash in client.c. [RT #40289]

                        [RT #40333]

4152.   [func]          Implement DNS COOKIE option.  This replaces the
                        experimental SIT option of BIND 9.10.  The following
                        named.conf directives are available: send-cookie,
                        cookie-secret, cookie-algorithm, nocookie-udp-size
                        and require-server-cookie.  The following dig options
                        are available: +[no]cookie[=value] and +[no]badcookie.
                        [RT #39928]

4174.	[bug]		"dnssec-coverage -r" didn't handle time unit
			suffixes correctly. [RT #38444]

                        key. [RT #40188]

                        [RT #40265]

4171.	[bug]		Fixed incorrect class checks in TSIG RR
			implementation. [RT #40287]

4170.	[security]	An incorrect boundary check in the OPENPGPKEY
			rdatatype could trigger an assertion failure.
			[RT #40286]

4169.	[test]		Added a 'wire_test -d' option to read input as
			raw binary data, for use as a fuzzing harness.
			[RT #40312]

4168.	[security]	A buffer accounting error could trigger an
			assertion failure when parsing certain malformed
			DNSSEC keys. (CVE-2015-5722) [RT #40212]

Squashed commit of the following:

commit 73f0bba7d8d4763763ff88731c739ac646714ac8
Author: Mukund Sivaraman <muks@isc.org>
Date:   Mon Jul 13 05:40:35 2015 +0530

    Update rndc usage output

    This is based on a patch sent by Tony Finch.

Squashed commit of the following:

commit 77f12b02cf4e81f13e10db3cfac90e9de0b53928
Author: Mukund Sivaraman <muks@isc.org>
Date:   Mon Jul 13 05:28:13 2015 +0530

    Some tweaks

commit 9c521020b03c2fe7293ec4c970225fff479efd40
Author: Tony Finch <dot@dotat.at>
Date:   Thu Jul 9 15:36:15 2015 +0100

    rndc addzone error reporting improvements

    Clearer error messages from rndc addzone and modzone when the view is not
    known or when allow-new-zones is off.

    Also, remove a spurious newline from the delzone response.

                        result in an assertion failure. (CVE-2015-5477)
                        [RT #40046]

                        [RT #40033]

4163.   [bug]           Address compiler warnings. [RT #40024]

4161.	[test]		Add JSON test for traffic size stats; also test
			for consistency between "rndc stats" and the XML
			and JSON statistics channel contents. [RT #38700]

3938.	[func]		Added quotas to be used in recursive resolvers
			that are under high query load for names in zones
			whose authoritative servers are nonresponsive or
			are experiencing a denial of service attack.

			- "fetches-per-server" limits the number of
			  simultaneous queries that can be sent to any
			  single authoritative server.  The configured
			  value is a starting point; it is automatically
			  adjusted downward if the server is partially or
			  completely non-responsive. The algorithm used to
			  adjust the quota can be configured via the
			  "fetch-quota-params" option.
			- "fetches-per-zone" limits the number of
			  simultaneous queries that can be sent for names
			  within a single domain.  (Note: Unlike
			  "fetches-per-server", this value is not
			  self-tuning.)
			- New stats counters have been added to count
			  queries spilled due to these quotas.

			See the ARM for details of these options. [RT #37125]

4156.	[func]		Added statistics counters to track the sizes
			of incoming queries and outgoing responses in
			histogram buckets, as specified in RSSAC002.
			[RT #39049]

                        response when there is a malformed EDNS option.
                        [RT #39647]

4153.   [bug]           Dig should zero non significant +subnet bits.  Check
                        that non significant ECS bits are zero on receipt.
                        [RT #39647]

                        experimental SIT option of BIND 9.10.  The following
                        named.conf directives are avaliable: send-cookie,
                        cookie-secret, cookie-algorithm and nocookie-udp-size.
                        The following dig options are available:
                        +[no]cookie[=value] and +[no]badcookie.  [RT #39928]

                        minimal fix.  [RT #39667]

                        was returning referrals rather than nodata responses
                        when the AAAA records were filtered.  [RT #39843]