clarify slip doc

3643.	[doc]		Clarify RRL "slip" documentation.

CHANGES

@@ -1,3 +1,5 @@
+3643.	[doc]		Clarify RRL "slip" documentation.
+
 3642.	[func]		Allow externally generated DNSKEY to be imported
 			into the DNSKEY management framework.  A new tool
 			dnssec-importkey is used to do this. [RT #34698]

doc/arm/Bv9ARM-book.xml

@@ -9818,13 +9818,30 @@ example.com                 CNAME   rpz-tcp-only.
 	    amplification, of "slipped" responses make them unattractive
 	    for reflection DoS attacks.
 	    <command>slip</command> must be between 0 and 10.
-	    A value of 0 does not "slip";
+	    A value of 0 does not "slip":
-	    no truncated responses are sent due to rate limiting.
+	    no truncated responses are sent due to rate limiting,
+	    all responses are dropped.
+	    A value of 1 causes every response to slip;
+	    values between 2 and 10 cause every n'th response to slip.
 	    Some error responses including REFUSED and SERVFAIL
 	    cannot be replaced with truncated responses and are instead
 	    leaked at the <command>slip</command> rate.
 	  </para>
 
+	  <para>
+	    (NOTE: Dropped responses from an authoritative server may
+	    reduce the difficulty of a third party successfully forging
+	    a response to a recursive resolver. The best security
+	    against forged responses is for authoritative operators
+	    to sign their zones using DNSSEC and for resolver operators
+	    to validate the responses. When this is not an option,
+	    operators who are more concerned with response integrity
+	    than with flood mitigation may consider setting
+	    <command>slip</command> to 1, causing all rate-limited
+	    responses to be truncated rather than dropped.  This reduces
+	    the effectiveness of rate-limiting against reflection attacks.)
+	  </para>
+
 	  <para>
 	    When the approximate query per second rate exceeds
 	    the <command>qps-scale</command> value,