address_match_list = 1*address_match_element
address_match_element = [ "!" ] (ip_address / ip_prefix / acl_name / address_match_list) ";"
Address match lists are lists of elements. Following the grammar above, an element can be any of the following: an IP address (IPv4 or IPv6); an IP prefix, written in "/" notation; the name of an address match list previously defined with the acl statement; or a nested address match list, enclosed in braces.
The ACLs any, none, localhost, and localnets are predefined; see the acl statement.
You can negate elements with a leading exclamation point (!).
When a given IP address or prefix is compared to an address match list, the list is traversed in order and the first match (regardless of negation) is used. The interpretation of a match depends on whether the list is being used for access control or as a topology.
When used as an access control list, a nonnegated match allows access and a negated match denies access. If there is no match, access is denied. The clauses allow-query, allow-transfer, and allow-update all use address match lists like this. Similarly, the listen-on clause can use negation to define local addresses that should not be used to accept nameserver connections.
When used with the topology clause, a nonnegated match returns a distance based on its position in the list (the closer the match is to the start of the list, the shorter the distance is between it and the server). A negated match is assigned the maximum distance from the server. If there is no match, the address gets a distance that is farther than any nonnegated list element and closer than any negated element.
Because of the first-match aspect of the algorithm, an element that defines a subset of another element in the list must come before the broader element, regardless of whether either is negated. For example, in 1.2.3/24; ! 1.2.3.13; the ! 1.2.3.13 element is completely useless, because any lookup for 1.2.3.13 matches the 1.2.3/24 element first and the negation is never reached. Writing ! 1.2.3.13; 1.2.3/24; instead fixes the problem: 1.2.3.13 is blocked by the negation, and all other 1.2.3.* hosts fall through to the prefix. Addresses outside 1.2.3/24 match nothing and are therefore denied by the implicit deny at the end of every access control list.
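The following Python evaluator is an added example, not code from BIND or from this manual. It parses the address_match_list grammar above (addresses, prefixes including shortened ones such as 1.2.3/24, acl names, negation, nested lists in braces) and applies the first-match rule under both the access-control and the topology readings, so the ordering mistake in the paragraph above can be checked directly. Assumptions: the localhost and localnets ACLs are stand-ins with constructed addresses (a real server derives them from its interfaces); topology distances are reported as position numbers with no match one past the end and a negated match as infinity; and a negated match inside a nested list or named ACL is treated as no match for the enclosing element, which mirrors BIND's implementation but is not stated on this page.

```python
"""Toy evaluator for BIND-style address match lists (added example)."""
import ipaddress
import math

# Stand-ins for the predefined ACLs. localhost and localnets are normally
# derived from the server's interfaces; the addresses here are constructed
# for this example only (assumption).
PREDEFINED_ACLS = {
    "any": "0.0.0.0/0; ::/0;",
    "none": "",
    "localhost": "127.0.0.1; ::1;",
    "localnets": "192.0.2.0/24;",
}


def _to_network(atom):
    """Turn an ip_address or ip_prefix atom into an ip_network.

    BIND accepts shortened IPv4 prefixes such as 1.2.3/24; pad them to
    four octets before handing them to the ipaddress module.
    """
    if "/" in atom:
        ip, plen = atom.split("/", 1)
        if ":" not in ip:
            ip = ".".join((ip.split(".") + ["0", "0", "0", "0"])[:4])
        return ipaddress.ip_network(f"{ip}/{plen}", strict=False)
    return ipaddress.ip_network(atom)  # bare address: a /32 or /128


def _tokenize(text):
    for ch in "{};!":
        text = text.replace(ch, f" {ch} ")
    return text.split()


def parse(text):
    """Parse address_match_list text into a list of (negated, target) pairs.

    target is an ip_network, an acl_name string, or a nested parsed list.
    """
    tokens = _tokenize(text)
    elements, pos = _parse_list(tokens, 0)
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return elements


def _parse_list(tokens, pos):
    elements = []
    while pos < len(tokens) and tokens[pos] != "}":
        negated = False
        if tokens[pos] == "!":  # leading "!" negates the element
            negated, pos = True, pos + 1
        if pos >= len(tokens):
            raise ValueError("element expected after '!'")
        if tokens[pos] == "{":  # nested address_match_list
            target, pos = _parse_list(tokens, pos + 1)
            if pos >= len(tokens) or tokens[pos] != "}":
                raise ValueError("unterminated nested list")
            pos += 1
        else:
            atom, pos = tokens[pos], pos + 1
            is_addr = ":" in atom or atom[0].isdigit()
            target = _to_network(atom) if is_addr else atom  # else acl_name
        if pos >= len(tokens) or tokens[pos] != ";":
            raise ValueError("expected ';' after element")
        pos += 1
        elements.append((negated, target))
    return elements, pos


def first_match(addr, elements, acls=None):
    """Walk the list in order; return (index, negated) of the first element
    that matches addr, or None when nothing matches."""
    acls = {**PREDEFINED_ACLS, **(acls or {})}
    for index, (negated, target) in enumerate(elements):
        if isinstance(target, str):
            target = parse(acls[target])  # acl_name -> its own list
        if isinstance(target, list):
            inner = first_match(addr, target, acls)
            # A negated match inside a nested list counts as no match here,
            # so double negation never becomes a surprise positive match
            # (assumption: mirrors BIND's implementation, not this page).
            hit = inner is not None and not inner[1]
        else:
            hit = addr in target  # False when IP versions differ
        if hit:
            return index, negated
    return None


def allow(addr, text, acls=None):
    """Access-control reading: a nonnegated first match allows, a negated
    first match denies, and no match at all denies."""
    hit = first_match(ipaddress.ip_address(addr), parse(text), acls)
    return hit is not None and not hit[1]


def topology_distance(addr, text, acls=None):
    """Topology reading: a nonnegated match at position i has distance i+1,
    no match is one step farther than any element, a negated match is
    farthest of all (reported as infinity here; an assumption)."""
    elements = parse(text)
    hit = first_match(ipaddress.ip_address(addr), elements, acls)
    if hit is None:
        return len(elements) + 1
    index, negated = hit
    return math.inf if negated else index + 1


if __name__ == "__main__":
    broken = "1.2.3/24; ! 1.2.3.13;"  # negation is dead: /24 matches first
    fixed = "! 1.2.3.13; 1.2.3/24;"   # subset before superset
    for lst in (broken, fixed):
        verdicts = {ip: allow(ip, lst) for ip in ("1.2.3.13", "1.2.3.7", "9.9.9.9")}
        print(lst, "->", verdicts)
```

Running the block shows that the first list allows 1.2.3.13 while the second denies it, and that 9.9.9.9 is denied by both because nothing matches. The same parse() output can be fed to topology_distance() to see the nonnegated, unmatched and negated cases ranked in that order.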