diff --git a/doc/Changelog b/doc/Changelog
index 63afbc727..cbcd18795 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+23 March 2018: Ralph
+	- Fix unbound-control get_option aggressive-nsec
+
 21 March 2018: Ralph
 	- Do not use cached NSEC records to generate negative answers for
 	  domains under DNSSEC Negative Trust Anchors.
diff --git a/util/config_file.c b/util/config_file.c
index b215234c7..c2cbe8121 100644
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -890,7 +890,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_YNO(opt, "val-clean-additional", val_clean_additional)
 	else O_DEC(opt, "val-log-level", val_log_level)
 	else O_YNO(opt, "val-permissive-mode", val_permissive_mode)
-	else O_YNO(opt, "aggressive-nsec:", aggressive_nsec)
+	else O_YNO(opt, "aggressive-nsec", aggressive_nsec)
 	else O_YNO(opt, "ignore-cd-flag", ignore_cd)
 	else O_YNO(opt, "serve-expired", serve_expired)
 	else O_STR(opt, "val-nsec3-keysize-iterations",val_nsec3_key_iterations)