diff --git a/CHANGES b/CHANGES
index cf610e3a33..71ac50a978 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5076. [bug] "require-server-cookie" was not effective if
+ "rate-limit" was configured. [GL #617]
+
 5075. [bug] Refresh nameservers from cache when sending final query in qname minimization. [GL #16]
diff --git a/bin/tests/system/cookie/ns8/example.db b/bin/tests/system/cookie/ns8/example.db
new file mode 100644
index 0000000000..0693de0629
--- /dev/null
+++ b/bin/tests/system/cookie/ns8/example.db
@@ -0,0 +1,11 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 3600 SOA . . 0 0 0 0 0
+@ 3600 NS .
diff --git a/bin/tests/system/cookie/ns8/named.conf.in b/bin/tests/system/cookie/ns8/named.conf.in
new file mode 100644
index 0000000000..36bc29d2f3
--- /dev/null
+++ b/bin/tests/system/cookie/ns8/named.conf.in
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.8;
+ notify-source 10.53.0.8;
+ transfer-source 10.53.0.8;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.8; };
+ listen-on-v6 { none; };
+ dnssec-validation yes;
+ rate-limit {};
+ require-server-cookie yes;
+};
+
+zone "example" {
+ type master;
+ file "example.db";
+};
diff --git a/bin/tests/system/cookie/setup.sh b/bin/tests/system/cookie/setup.sh
index fa6de38c00..7929f09545 100644
--- a/bin/tests/system/cookie/setup.sh
+++ b/bin/tests/system/cookie/setup.sh
@@ -20,3 +20,4 @@ copy_setports ns4/named.conf.in ns4/named.conf
 copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns6/named.conf.in ns6/named.conf
 copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
diff --git a/bin/tests/system/cookie/tests.sh b/bin/tests/system/cookie/tests.sh
index 816f6a312b..7708a59ce8 100755
--- a/bin/tests/system/cookie/tests.sh
+++ b/bin/tests/system/cookie/tests.sh
@@ -169,6 +169,17 @@ if [ $linecount != 2 ]; then ret=1; fi
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
+n=`expr $n + 1`
+echo_i "checking require-server-cookie yes with rate-limit ($n)"
+ret=0
+$DIG $DIGOPTS +qr +cookie +nobadcookie soa example @10.53.0.8 > dig.out.test$n
+grep "flags: qr[^;]* ad[ ;]" dig.out.test$n > /dev/null && ret=1
+grep BADCOOKIE dig.out.test$n > /dev/null || ret=1
+linecount=`getcookie dig.out.test$n | wc -l`
+if [ $linecount != 2 ]; then ret=1; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 #
 # Test shared cookie-secret support.
 #
diff --git a/lib/ns/query.c b/lib/ns/query.c
index a61936afd8..937da5d68e 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5237,6 +5237,19 @@ ns__query_start(query_ctx_t *qctx) {
 qctx->need_wildcardproof = false;
 qctx->rpz = false;
+ /*
+ * If we require a server cookie then send back BADCOOKIE
+ * before we have done too much work.
+ */
+ if (!TCP(qctx->client) && qctx->client->view->requireservercookie &&
+ WANTCOOKIE(qctx->client) && !HAVECOOKIE(qctx->client))
+ {
+ qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AA;
+ qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AD;
+ qctx->client->message->rcode = dns_rcode_badcookie;
+ return (query_done(qctx));
+ }
+
 if (qctx->client->view->checknames &&
 !dns_rdata_checkowner(qctx->client->query.qname,
 qctx->client->message->rdclass,
@@ -6276,14 +6289,6 @@ query_checkrrl(query_ctx_t *qctx, isc_result_t result) {
 return (DNS_R_DROP);
 }
 }
- } else if (!TCP(qctx->client) &&
- qctx->client->view->requireservercookie &&
- WANTCOOKIE(qctx->client) && !HAVECOOKIE(qctx->client))
- {
- qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AA;
- qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AD;
- qctx->client->message->rcode = dns_rcode_badcookie;
- return (DNS_R_DROP);
 }
 return (ISC_R_SUCCESS);
diff --git a/util/copyrights b/util/copyrights
index 6f4b833408..ee92136688 100644
--- a/util/copyrights
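Review bot: The new `grep "flags: qr[^;]* ad[ ;]"` check only asserts that AD is clear, while the query.c hunk in this commit clears both AA and AD before setting the BADCOOKIE rcode; ns8 is configured as master for "example", so a BADCOOKIE reply that still carried AA would pass this test unnoticed. A parallel line `grep "flags: qr[^;]* aa[ ;]" dig.out.test$n > /dev/null && ret=1` after the ad check would pin that half of the fix. The ad pattern appears to be copied from the earlier require-server-cookie checks, which is fine once the aa case is covered as well.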
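Review bot: The early return added at the top of ns__query_start fires before query_checkrrl can run, so BADCOOKIE replies to cookie-less UDP queries are now exempt from rate-limit altogether, whereas the removed block in the second query.c hunk sat in query_checkrrl after the RRL branch (which is why it was never reached once rate-limit was configured). That is presumably acceptable, since the reply is produced before any lookup and should be no larger than the query, but the comment only says `before we have done too much work`, so the RRL interaction deserves an explicit sentence such as ` * This runs ahead of query_checkrrl on purpose: a BADCOOKIE reply is sent before any lookup, so exempting it from RRL adds no amplification.`. The return value also changes from DNS_R_DROP at the old site to `return (query_done(qctx));` here; that reads as consistent with the other early exits in ns__query_start, but the function continues past the end of the hunk, so confirm query_done is how this path is meant to terminate.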
+++ b/util/copyrights
@@ -824,6 +824,8 @@
 ./bin/tests/system/cookie/ns6/root.hint ZONE 2017,2018
 ./bin/tests/system/cookie/ns7/named.conf.in CONF-C 2018
 ./bin/tests/system/cookie/ns7/root.db ZONE 2018
+./bin/tests/system/cookie/ns8/example.db ZONE 2018
+./bin/tests/system/cookie/ns8/named.conf.in CONF-C 2018
 ./bin/tests/system/cookie/setup.sh SH 2018
 ./bin/tests/system/cookie/tests.sh SH 2014,2015,2016,2017,2018
 ./bin/tests/system/coverage/01-ksk-inactive/README X 2013,2018