Maintained by: NLnet Labs

access-control: Is the default DENY or REFUSE?

Anders Andersson
Sun Apr 2 01:21:04 CEST 2017


I'm reading the documentation in preparing to configure unbound for
the first time, and I'm trying to understand a small and non-essential
detail in the unbound.conf(5) man-page
(https://unbound.nlnetlabs.nl/documentation/unbound.conf.html):

The section for access-control has two seemingly conflicting statements:

1. "The most specific netblock match is used, if none match deny is used."
2. "By default only localhost is allowed, the rest is refused."

If the most specific netblock matches (first sentence), and there is a
catch-all for REFUSE (second sentence), I can't see how the "if none
match" can ever apply.

I acknowledge the chance that this is an oversight in the
documentation, but since my knowledge of domain name servers is
minuscule, I'm currently under the assumption that there's something
I'm missing here. The question is: What am I missing?
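The two man-page rules quoted above (most specific netblock wins; deny when nothing matches), modelled in Python as an added illustration that is not part of the original post or of Unbound's code. The ACL lists are constructed sample values; writing the documented default (localhost allowed, everything else refused) as explicit entries is an assumption about form, not a statement about how Unbound implements it.

```python
import ipaddress

# Man page: "if none match deny is used"
DEFAULT_ACTION = "deny"

# Constructed: the documented default written out as explicit entries
# (assumption for illustration; not taken from Unbound's source).
DEFAULT_STYLE_ACL = [
    ("127.0.0.0/8", "allow"),
    ("::1", "allow"),
    ("0.0.0.0/0", "refuse"),   # catch-all: every IPv4 client matches something
    ("::0/0", "refuse"),       # catch-all: every IPv6 client matches something
]

# Constructed: an ACL with no catch-all, so the deny fallback is reachable.
LAN_ACL = [
    ("10.0.0.0/8", "refuse"),
    ("10.1.2.0/24", "allow"),  # more specific than 10.0.0.0/8, so it wins
]


def lookup(acl, client_ip):
    """Return the action for client_ip: longest-prefix match, else DEFAULT_ACTION."""
    ip = ipaddress.ip_address(client_ip)
    best_net, best_action = None, DEFAULT_ACTION
    for net_str, action in acl:
        net = ipaddress.ip_network(net_str, strict=False)
        if ip.version != net.version or ip not in net:
            continue
        # "The most specific netblock match is used": prefer the longer prefix.
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_action = net, action
    return best_action


def fallback_reachable(acl, version):
    """True unless the ACL holds a /0 for this IP version (then nothing can be unmatched)."""
    return not any(
        ipaddress.ip_network(n, strict=False).prefixlen == 0
        and ipaddress.ip_network(n, strict=False).version == version
        for n, _ in acl
    )


if __name__ == "__main__":
    for acl_name, acl in (("default-style", DEFAULT_STYLE_ACL), ("lan", LAN_ACL)):
        for client in ("127.0.0.1", "10.1.2.3", "10.9.9.9", "192.0.2.1", "2001:db8::1"):
            print(f"{acl_name:14} {client:12} -> {lookup(acl, client)}")
        print(f"{acl_name:14} deny fallback reachable for IPv4: {fallback_reachable(acl, 4)}")
```

With the catch-all entries present, `fallback_reachable` is False for both address families, which is the situation the question describes; drop the `/0` lines and an address such as 192.0.2.1 falls through to the deny default.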