From d8abf4f5b6e36f2feea608b509371f492aadc678 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 24 Oct 2019 12:41:28 +1100
Subject: [PATCH 1/6] arm: add default values for require-server-cookie and send-cookie options
---
doc/arm/Bv9ARM-book.xml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 048a415339..32fd0991f1 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -6009,6 +6009,7 @@ options {
 response to a UDP request from a cookie aware client. BADCOOKIE is sent if there is a bad or no existent server cookie.
+ The default is no.
@@ -6057,6 +6058,7 @@ options {
 do not send a correct COOKIE option may be limited to receiving smaller responses via the nocookie-udp-size option.
+ The default is yes.
From 1ea6aadf6fe2c5047431546ea424f964e03ea121 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 24 Oct 2019 12:58:19 +1100
Subject: [PATCH 2/6] arm: document resolver-nonbackoff-tries and resolver-retry-interval
---
doc/arm/Bv9ARM-book.xml | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 32fd0991f1..3051411d74 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -8802,6 +8802,26 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
+
+ resolver-nonbackoff-tries
+
+
+ Specifies how many retries occur before exponential
+ backoff kicks in. The default is 3.
+
+
+
+
+
+ resolver-retry-interval
+
+
+ The base retry interval in milliseconds.
+ The default is 800.
+
+
+
+
 sig-validity-interval
From c5453ea3283d4326116955a24cc0cd18397a5ebb Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Fri, 25 Oct 2019 10:06:56 +1100
Subject: [PATCH 3/6] arm: add why when to set 'require-server-cookie yes;'
---
doc/arm/Bv9ARM-book.xml | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 3051411d74..c6f6ec1835 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -6011,6 +6011,12 @@ options {
 server cookie. The default is no.
+
+ Set this to yes to test that DNS
+ COOKIE clients correctly handle BADCOOKIE or if you are
+ getting a lot of forged DNS requests with DNS COOKIES
+ present.
+
From c6f91f8bd0edb9be84995cda9392ee475c5cd925 Mon Sep 17 00:00:00 2001
From: Brian Conry
Date: Wed, 30 Oct 2019 14:16:04 -0500
Subject: [PATCH 4/6] arm: Add an explanation on the effect of 'require-server-cookie yes;'
---
doc/arm/Bv9ARM-book.xml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index c6f6ec1835..dc7c11e2db 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -6015,7 +6015,11 @@ options {
 Set this to yes to test that DNS COOKIE clients correctly handle BADCOOKIE or if you are getting a lot of forged DNS requests with DNS COOKIES
- present.
+ present. Setting this to yes will
+ result in reduced amplification effect in a reflection
+ attack, as the BADCOOKIE response will be smaller than
+ a full response, while also requiring a legitimate client
+ to follow up with a second query with the new, valid, cookie.
From f7eea400a8f1ae8b7112c0a79bf29a681cb1adc8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Wed, 30 Oct 2019 14:22:41 -0500
Subject: [PATCH 5/6] arm: Fix the default for the lock-file command, it's 'none'
---
doc/arm/Bv9ARM-book.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index dc7c11e2db..e9d4e280c9 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -4790,7 +4790,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 the first time; if unsuccessful, the server will will terminate, under the assumption that another server is already running. If not specified, the default is
- /var/run/named/named.lock.
+ none.
 Specifying lock-file none disables the
From e0618174b6b84e8c82b9d50ff1ffa89d3277e3c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Wed, 30 Oct 2019 14:38:17 -0500
Subject: [PATCH 6/6] arm: add more text describing interaction between automatic-interface-scan and interface-interval
---
doc/arm/Bv9ARM-book.xml | 29 ++++++++++++++++++-----------
1 file changed, 18 insertions(+), 11 deletions(-)
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index e9d4e280c9..6be700c820 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -5441,15 +5441,21 @@ options {
 automatic-interface-scan
- If yes and supported by the OS,
- automatically rescan network interfaces when the interface
- addresses are added or removed. The default is
- yes.
+ If yes and supported by the operating
+ system, automatically rescan network interfaces when the
+ interface addresses are added or removed. The default is
+ yes. This configuration option does
+ not affect time based interface-interval
+ option, and it is recommended to set the time based
+ interface-interval to 0 when the operator
+ confirms that automatic interface scanning is supported by the
+ operating system.
- Currently the OS needs to support routing sockets for
- automatic-interface-scan to be
- supported.
+ The automatic-interface-scan implementation
+ uses routing sockets for the network interface discovery,
+ and therefore the operating system has to support the routing
+ sockets for this feature to work.
@@ -8443,10 +8449,11 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 minutes. The default is 60 minutes. The maximum value is 28 days (40320 minutes). If set to 0, interface scanning will only occur when
- the configuration file is loaded. After the scan, the
- server will
- begin listening for queries on any newly discovered
- interfaces (provided they are allowed by the
+ the configuration file is loaded, or when
+ automatic-interface-scan is enabled
+ and supported by the operating system. After the scan, the
+ server will begin listening for queries on any newly
+ discovered interfaces (provided they are allowed by the
 listen-on configuration), and will stop listening on interfaces that have gone away. For convenience, TTL-style time unit suffixes may be