access-control: Is the default DENY or REFUSE?

Anders Andersson pipatron at
Sat Apr 1 23:21:04 UTC 2017

I'm reading the documentation in preparing to configure unbound for
the first time, and I'm trying to understand a small and non-essential
detail in the unbound.conf(5) man-page

The section for access-control has two seemingly conflicting statements:

1. "The most specific netblock match is used, if none match deny is used."
2. "By default only localhost is allowed, the rest is refused."

If the most specific netblock matches (first sentence), and there is a
catch-all for REFUSE (second sentence), I can't see how the "if none
match" can ever apply.

I acknowledge the chance that this is an oversight in the
documentation, but since my knowledge of domain name servers are
minuscule, I'm currently under the assumption that there's something
I'm missing here. The question is: What am I missing?

More information about the Unbound-users mailing list