New classes:
* ANY (for ANY qtype)
* DNSSEC (for qtype = DNSSEC-related record)

Now logging when netblock enters/leaves rate limiting.
Calculated by the previous window when dt>0 and number of
available tokens is zero.

Buckets under a slow-start phase cannot reset on subsequent collisions,
this is to avoid potential collision attack when two precalculated
packets hit the same bucket regularly.
This could happen in a legitimate traffic as well (less probably),
if it does, the clients won't get completely denied, but will share
the remaining rate until the slow-start phases out (1 time window).

refs #2136