I'm reading the documentation in preparing to configure unbound for the first time, and I'm trying to understand a small and non-essential detail in the unbound.conf(5) man-page (https://unbound.nlnetlabs.nl/documentation/unbound.conf.html): The section for access-control has two seemingly conflicting statements: 1. "The most specific netblock match is used, if none match deny is used." 2. "By default only localhost is allowed, the rest is refused." If the most specific netblock matches (first sentence), and there is a catch-all for REFUSE (second sentence), I can't see how the "if none match" can ever apply. I acknowledge the chance that this is an oversight in the documentation, but since my knowledge of domain name servers are minuscule, I'm currently under the assumption that there's something I'm missing here. The question is: What am I missing?