RRL wildcard special-case strips only a single label
The following was received by the Security Officer:
I think I've found a bug in the request-rate limiting logic. The issue
is that the RRL logic for wildcard domains strips exactly 1 label from
the domain.
The idea is that a million unique queries with one src addr for
*.example.com should be treated as a million identical queries for
example.com (triggering the RRL).
However, *.example.com will match any.number.of.labels.example.com, so
stripping a single label is insufficient. An attacker who can spoof
their source IP is able to send a million queries of
x.$UNIQUE.example.com, the RRL strips the x, and sees a million unique
queries still.
Is there a flag somewhere that limits wildcards to matching a single
label? If not, this seems like a security issue because it opens any
authoritative name server with a wildcard record to be hijacked for
reflection attacks.
I've verified the bug exists with the latest development version of bind
available on isc.org (9.19.2).
For reproducing, I've included a query.c file that will run 100 queries
against a nameserver. Read the source code or compile it and run it
without arguments for details on using it.
But if you have a local bind server serving a *.example.com record, you
can reproduce the behavior by running:
# the $ means "make this label always unique"
./query $.example.com
which will hang after hitting the RRL limit, and then running
./query x.$.example.com
which will finish all 100 queries without issue.
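To make the reporter's point concrete, here is an added illustration (not BIND's own code and not the attached query.c): the flawed bucket-key derivation that drops exactly one label, beside a corrected one that collapses every name under the wildcard owner to the owner itself, counted over constructed query names standing in for "x.$.example.com" and "$.example.com".

```c
#include <stdio.h>
#include <string.h>

/* Flawed RRL bucket key (the behaviour described in the report): drop
 * exactly the leftmost label, so "x.UNIQUE.example.com" still yields a
 * distinct key for every UNIQUE value. */
const char *key_strip_one_label(const char *qname)
{
    const char *dot = strchr(qname, '.');
    return dot ? dot + 1 : qname;
}

/* Corrected key: any name under the wildcard owner (i.e. anything that
 * *.example.com would match) collapses to the owner, however many labels
 * lie below it. Names outside the wildcard keep their own key. */
const char *key_collapse_to_owner(const char *qname, const char *owner)
{
    size_t q = strlen(qname), o = strlen(owner);
    if (q > o && qname[q - o - 1] == '.' && strcmp(qname + q - o, owner) == 0)
        return owner;
    return qname;
}

/* Count distinct keys among n names; O(n^2) compare is fine here. */
static int count_buckets(const char *names[], int n, const char *owner, int collapse)
{
    const char *keys[16];
    int distinct = 0;
    for (int i = 0; i < n && i < 16; i++) {
        keys[i] = collapse ? key_collapse_to_owner(names[i], owner)
                           : key_strip_one_label(names[i]);
        int seen = 0;
        for (int j = 0; j < i; j++)
            if (strcmp(keys[i], keys[j]) == 0) { seen = 1; break; }
        if (!seen) distinct++;
    }
    return distinct;
}

/* Constructed sample names (not captured traffic). */
const char *MULTI[] = { "x.a1.example.com", "x.b2.example.com",
                        "x.c3.example.com", "x.d4.example.com" };
const char *SINGLE[] = { "a1.example.com", "b2.example.com", "c3.example.com" };

int buckets_strip_one(const char *names[], int n) { return count_buckets(names, n, NULL, 0); }
int buckets_collapse(const char *names[], int n, const char *o) { return count_buckets(names, n, o, 1); }

int main(void)
{
    printf("x.$.example.com: strip-one=%d buckets, collapse=%d bucket\n",
           buckets_strip_one(MULTI, 4), buckets_collapse(MULTI, 4, "example.com"));
    printf("$.example.com:   strip-one=%d bucket\n", buckets_strip_one(SINGLE, 3));
    return 0;
}
```

The single-label case lands in one bucket under both schemes, which is why the first ./query run above hits the limit; only the collapsing key also puts the two-label names into one bucket.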