ratelimit-below-domain logs the wrong FROM address

[anxstj]

Describe the bug

If ratelimit-below-domain: in-addr.arpa 2 is configured then unbound will log the following:

notice: ratelimit exceeded 8.in-addr.arpa. 2 query 4.4.8.8.in-addr.arpa. IN PTR from 192.82.134.30

It seems that the from address is referring to the server that sent the last reply and not to the client that was doing the request.

To reproduce
Steps to reproduce the behavior:

1. Set the ratelimit

server:
  ratelimit-below-domain: in-addr.arpa 2

2. systemctl restart unbound
3. Query unbound:

for x in 8.8.8.8 8.8.4.4 1.1.1.1; do dig @127.0.0.1 -x $x; done

4. Read the unbound log

info: 127.0.0.1 8.8.8.8.in-addr.arpa. PTR IN
info: generate keytag query _ta-4f66. NULL IN
info: 127.0.0.1 4.4.8.8.in-addr.arpa. PTR IN
notice: ratelimit exceeded 8.in-addr.arpa. 2 query 4.4.8.8.in-addr.arpa. IN PTR from 192.82.134.30
info: 127.0.0.1 1.1.1.1.in-addr.arpa. PTR IN

Expected behavior
I would expect that the IP address of the client that is doing the request is logged. In this case:

notice: ratelimit exceeded 8.in-addr.arpa. 2 query 4.4.8.8.in-addr.arpa. IN PTR from 127.0.0.1

System:

• Unbound version: unbound 1.20.0
• OS: Debian sid
• unbound -V output:

Version 1.20.0

Configure line: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --runstatedir=/run --disable-maintainer-mode --disable-dependency-tracking --with-pythonmodule --with-pyunbound --enable-subnet --enable-dnstap --enable-systemd --enable-cachedb --with-libhiredis --with-libnghttp2 --with-chroot-dir= --with-dnstap-socket-path=/run/dnstap.sock --disable-rpath --with-pidfile=/run/unbound.pid --with-libevent --enable-tfo-client --with-rootkey-file=/usr/share/dns/root.key --enable-tfo-server
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.2.2 4 Jun 2024
Linked modules: dns64 python cachedb subnetcache respip validator iterator
TCP Fastopen feature available

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues

[gthess]

Thanks!
It seems the wrong value was printed indeed. Now it will print the first client's address if any.
I say first because maybe more than one are waiting for an answer.