From: Brian Conry Date: Wed, 30 Oct 2019 19:16:04 +0000 (-0500) Subject: arm: Add an explanation on the effect of 'require-server-cookie yes;' X-Git-Tag: v9.15.6~41^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c6f91f8bd0edb9be84995cda9392ee475c5cd925;p=thirdparty%2Fbind9.git arm: Add an explanation on the effect of 'require-server-cookie yes;' --- diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index c6f6ec18356..dc7c11e2db8 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -6015,7 +6015,11 @@ options { Set this to yes to test that DNS COOKIE clients correctly handle BADCOOKIE or if you are getting a lot of forged DNS requests with DNS COOKIES - present. + present. Setting this to yes will + result in reduced amplification effect in a reflection + attack, as the BADCOOKIE response will be smaller than + a full response, while also requiring a legitimate client + to follow up with a second query with the new, valid, cookie.
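Review bot: In the added sentence of the doc/arm/Bv9ARM-book.xml hunk, "while also requiring a legitimate client to follow up with a second query" joins the cost to the benefit, so the extra query reads as a second advantage rather than the trade-off. Suggest splitting it into two sentences: one for the reduced amplification (the BADCOOKIE response is smaller than a full response) and one stating that the price is a second query from legitimate clients. The text also does not say where "the new, valid, cookie" comes from; if it is carried in the BADCOOKIE response, say so, and drop the comma after "valid". It would also help to state which requests receive BADCOOKIE, since the surrounding context only mentions requests "with DNS COOKIES present".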