diff --git a/CHANGES b/CHANGES
index 12199574b3..731c5efdd4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+3643. [doc] Clarify RRL "slip" documentation.
+
3642. [func] Allow externally generated DNSKEY to be imported
into the DNSKEY management framework. A new tool
dnssec-importkey is used to do this. [RT #34698]
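Review bot: The new 3643 entry has no ticket reference, while the 3642 entry directly below it ends with [RT #34698]; if this change has a ticket, add it in the same form. The summary also understates the change: the documentation hunk adds a note on forged responses and on setting slip to 1, so the entry should mention that a trade-off note was added, not only that the wording was clarified.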
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 5667929122..52f562775b 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -9818,13 +9818,30 @@ example.com CNAME rpz-tcp-only.
amplification, of "slipped" responses make them unattractive
for reflection DoS attacks.
slip must be between 0 and 10.
- A value of 0 does not "slip";
- no truncated responses are sent due to rate limiting.
+ A value of 0 does not "slip":
+ no truncated responses are sent due to rate limiting,
+ all responses are dropped.
+ A value of 1 causes every response to slip;
+ values between 2 and 10 cause every n'th response to slip.
Some error responses including REFUSED and SERVFAIL
cannot be replaced with truncated responses and are instead
leaked at the slip rate.
+
+ (NOTE: Dropped responses from an authoritative server may
+ reduce the difficulty of a third party successfully forging
+ a response to a recursive resolver. The best security
+ against forged responses is for authoritative operators
+ to sign their zones using DNSSEC and for resolver operators
+ to validate the responses. When this is not an option,
+ operators who are more concerned with response integrity
+ than with flood mitigation may consider setting
+ slip to 1, causing all rate-limited
+ responses to be truncated rather than dropped. This reduces
+ the effectiveness of rate-limiting against reflection attacks.)
+
+
When the approximate query per second rate exceeds
the qps-scale value,
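Review bot: The added line "values between 2 and 10 cause every n'th response to slip" never says that n is the configured slip value, and "every response" should read "every rate-limited response" to match the NOTE's "all rate-limited responses". The new statement that with a value of 0 "all responses are dropped" also conflicts with the unchanged sentence that REFUSED and SERVFAIL "are instead leaked at the slip rate", which leaves their handling at slip 0 undefined; say explicitly what happens to them in that case. The NOTE asserts that dropped responses reduce the difficulty of forging a response without giving the reason, so add a clause explaining it. The two consecutive blank lines added after the NOTE can be reduced to one.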