[9.18] fix: doc: Expand blackhole description

Clarify the behavior of negated addresses within the `blackhole` statement to prevent common configuration misunderstandings. Closes #5733 Backport of MR !11541 Merge branch 'backport-5733-expand-blackhole-description-9.18' into 'bind-9.18' See merge request isc-projects/bind9!11671
2026-06-11 10:29:59 -04:00 · 2026-03-12 13:11:50 +11:00 · 2026-03-12 13:11:50 +11:00 · fc29c6a9d7
commit fc29c6a9d7
parent 994cf44836 78beb3a71a
1 changed files with 11 additions and 0 deletions
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@ -3149,6 +3149,17 @@ for details on how to specify IP address lists.
   from or use to resolve a query. Queries from these addresses are not
   responded to. The default is ``none``.

+   When configuring this list, note that BIND evaluates Access Control Lists
+   sequentially (first match wins). A common misconception is that the directive
+   ``!address;`` blocks everything except that address. In reality, it only
+   explicitly exempts ``address`` from the blackhole; all other IP addresses
+   reach the end of the list without matching, meaning they are also not
+   blackholed.
+
+   To successfully blackhole all traffic *except* specific addresses, you must
+   explicitly catch the remaining traffic with ``any;`` at the end of the list.
+   For example: ``!address; any;``
+
 .. namedconf:statement:: keep-response-order
   :tags: server
   :short: Defines an :any:`address_match_list` of addresses which do not accept reordered answers within a single TCP stream.