diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in
index e5b716c61..3ddadfa95 100644
--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
@@ -1,13 +1,15 @@
-[Service]
-Type=notify
-NotifyAccess=main
-ExecStart=/home/vagrant/unbound_systemd/unbound
-ExecReload=/bin/kill -HUP $MAINPID
+[Unit]
+Description=Validating, recursive, and caching DNS resolver
+Documentation=man:unbound(8)
 
 [Install]
 WantedBy=multi-user.target
 
-[Unit]
+[Service]
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/home/vagrant/unbound_systemd/unbound
+NotifyAccess=main
+Type=notify
 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
diff --git a/doc/Changelog b/doc/Changelog
index f495c7b66..fa4899420 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -2,6 +2,7 @@
 	- Fix #1238: segmentation fault when adding through the remote
 	  interface a per-view local zone to a view with no previous
 	  (configured) local zones.
+	- Fix #1229: Systemd service sandboxing, options in wrong sections.
 
 21 March 2017: Ralph
 	- Merge EDNS Client subnet implementation from feature branch into main