diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 749a3bb4bc..733496d797 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -9645,6 +9645,14 @@ deny-answer-aliases { "example.net"; };
 	    than that is a configuration error.
 	  </para>
 
+	  <para>
+	    Rules encoded in response policy zones are processed after
+	    <link linkend="access_control">Access Control Lists
+	    (ACLs)</link>.  All queries from clients which are not
+	    permitted access to the resolver will be answered with a
+	    status code of REFUSED, regardless of configured RPZ rules.
+	  </para>
+
 	  <para>
 	    Five policy triggers can be encoded in RPZ records.
 	    <variablelist>