diff --git a/doc/Changelog b/doc/Changelog
index 639220737..d866aa580 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -7,6 +7,8 @@
 	- Fix #705: ub_ctx_set_fwd() return value mishandled on windows.
 	- testbound selftest also works in non-debug mode.
 	- Fix minor error in unbound.conf.5.in
+	- Fix unbound.conf(5) access-control description for precedence
+	  and default.
 
 31 August 2015: Wouter
 	- changed windows setup compression to be more transparent.
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 205b48c22..25c88fdd6 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -373,6 +373,7 @@ a daemon. Default is yes.
 The netblock is given as an IP4 or IP6 address with /size appended for a 
 classless network block. The action can be \fIdeny\fR, \fIrefuse\fR, 
 \fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR.
+The most specific netblock match is used, if none match \fIdeny\fR is used.
 .IP
 The action \fIdeny\fR stops queries from hosts from that netblock.
 .IP