From 33bddbb5d18e17e909142c9a01d893da963697a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Mon, 12 Aug 2019 09:46:12 +0200 Subject: [PATCH] Clarify relationship between ACLs and RPZ In the ARM section about RPZ, add text explicitly stating that ACLs take precedence over RPZ to prevent users from expecting RPZ actions to be applied to queries coming from clients which are not permitted access to the resolver by ACLs. --- doc/arm/Bv9ARM-book.xml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 749a3bb4bc..733496d797 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -9645,6 +9645,14 @@ deny-answer-aliases { "example.net"; }; than that is a configuration error. + + Rules encoded in response policy zones are processed after + Access Control Lists + (ACLs). All queries from clients which are not + permitted access to the resolver will be answered with a + status code of REFUSED, regardless of configured RPZ rules. + + Five policy triggers can be encoded in RPZ records.
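Review bot: the new paragraph in the hunk says "Access Control Lists (ACLs)" without naming which options it means, so a reader of the RPZ section cannot tell which ACL (for example allow-query or allow-recursion) decides whether a client is "permitted access to the resolver"; consider naming the relevant options or linking to the ACL section rather than the generic term. The sentence "All queries from clients which are not permitted access to the resolver will be answered with a status code of REFUSED, regardless of configured RPZ rules" would also be clearer if it stated the consequence directly: RPZ never sees such queries, so no RPZ action (including logging of policy hits) is triggered for them. Minor style point: "clients which are not permitted" reads better as "clients that are not permitted".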