arm: Add an explanation on the effect of 'require-server-cookie yes;'
authorBrian Conry <bconry@isc.org>
Wed, 30 Oct 2019 19:16:04 +0000 (14:16 -0500)
committerOndřej Surý <ondrej@sury.org>
Thu, 31 Oct 2019 14:09:05 +0000 (09:09 -0500)
(cherry picked from commit c6f91f8bd0edb9be84995cda9392ee475c5cd925)

doc/arm/Bv9ARM-book.xml

index 7b5e0ddf1595996e5e323c8af87acf79f3c3fcda..13c26355c3ea4cee61c22ba1da5aa4747daefabc 100644 (file)
@@ -6046,7 +6046,11 @@ options {
                  Set this to <userinput>yes</userinput> to test that DNS
                  COOKIE clients correctly handle BADCOOKIE or if you are
                  getting a lot of forged DNS requests with DNS COOKIES
-                 present.
+                 present. Setting this to <userinput>yes</userinput> will
+                 result in reduced amplification effect in a reflection
+                 attack, as the BADCOOKIE response will be smaller than
+                 a full response, while also requiring a legitimate client
+                 to follow up with a second query with the new, valid, cookie.
                </para>
              </listitem>
            </varlistentry>