fix: doc: Expand blackhole description

Clarify the behavior of negated addresses within the `blackhole` statement to prevent common configuration misunderstandings. Closes #5733 Merge branch '5733-expand-blackhole-description' into 'main' See merge request isc-projects/bind9!11541
2026-06-11 12:20:00 -04:00 · 2026-03-12 12:08:34 +11:00 · 2026-03-12 12:08:34 +11:00 · 98267f4a7a
commit 98267f4a7a
parent 7c82cb0f14 2b23c7011e
1 changed files with 12 additions and 0 deletions
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@ -3069,6 +3069,18 @@ for details on how to specify IP address lists.
   from or or cannot use to resolve a query. Queries from these addresses are not
   responded to. The default is ``none``.

+   When configuring this list, note that BIND evaluates Access Control Lists
+   sequentially (first match wins). A common misconception is that the directive
+   ``!address;`` blocks everything except that address. In reality, it only
+   explicitly exempts ``address`` from the blackhole; all other IP addresses
+   reach the end of the list without matching, meaning they are also not
+   blackholed.
+
+   To successfully blackhole all traffic *except* specific addresses, you must
+   explicitly catch the remaining traffic with ``any;`` at the end of the list.
+   For example: ``!address; any;``
+
+
 .. namedconf:statement:: no-case-compress
   :tags: server
   :short: Specifies a list of addresses that require case-insensitive compression in responses.