diff --git a/doc/guide/ddns.xml b/doc/guide/ddns.xml
index 5ebaf365f9..7c5994e834 100644
--- a/doc/guide/ddns.xml
+++ b/doc/guide/ddns.xml
@@ -168,14 +168,15 @@
- When the DHCP-DDNS server is configured to listen at an address
- other than the loopback address (127.0.0.1 or ::1), it is possible
- for a malicious attacker to send bogus NameChangeRequests to it
- and change entries in the DNS. For this reason, addresses other
- than the IPv4 or IPv6 loopback addresses should only be used
- for testing purposes. A future version of Kea will implement
+ It is possible for a malicious attacker to send bogus
+ NameChangeRequests to the DHCP-DDNS server. Addresses
+ other than the IPv4 or IPv6 loopback addresses (127.0.0.1
+ or ::1) should only be used for testing purposes, but
+ note that local users may still communicate with the
+ DHCP-DDNS server. A future version of Kea will implement
authentication to guard against such attacks.
+
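Review bot: The added first sentence drops the consequence the removed text stated ("and change entries in the DNS"), so the paragraph no longer tells the reader why bogus NameChangeRequests matter. Please keep that clause. The caveat "but note that local users may still communicate with the DHCP-DDNS server" is also attached to the sentence about non-loopback addresses, although the point it makes is about loopback. Consider splitting it into its own sentence that says binding to 127.0.0.1 or ::1 still lets any local user on the host send NameChangeRequests. The closing sentence promises authentication "to guard against such attacks"; with the local-user case now in scope, it would help to say whether that covers local senders too. The lone added blank line at the end of the hunk looks unintentional.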