arm: Add an explanation on the effect of 'require-server-cookie yes;'

2019-10-30 14:16:04 -05:00
parent c5453ea328
commit c6f91f8bd0
1 changed files with 5 additions and 1 deletions
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -6015,7 +6015,11 @@ options {
 		  Set this to <userinput>yes</userinput> to test that DNS
 		  COOKIE clients correctly handle BADCOOKIE or if you are
 		  getting a lot of forged DNS requests with DNS COOKIES
-		  present.
+		  present. Setting this to <userinput>yes</userinput> will
+		  result in reduced amplification effect in a reflection
+		  attack, as the BADCOOKIE response will be smaller than
+		  a full response, while also requiring a legitimate client
+		  to follow up with a second query with the new, valid, cookie.
 		</para>
 	      </listitem>
 	    </varlistentry>