diff --git a/doc/Changelog b/doc/Changelog index 97ed5e698..a52568c26 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,6 +1,9 @@ 5 February 2018: Wouter - Fix #3451: dnstap not building when you have a separate build dir. And removed protoc warning, set dnstap.proto syntax to proto2. + - auth-zone provides a way to configure RFC7706 from unbound.conf, + eg. with auth-zone: name: "." for-downstream: no for-upstream: yes + fallback-enabled: yes and masters or a zonefile with data. 2 February 2018: Wouter - Fix unfreed locks in log and arc4random at exit of unbound. diff --git a/doc/example.conf.in b/doc/example.conf.in index 4f7a9f95a..6cfb76601 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -814,11 +814,12 @@ remote-control: # upstream (which saves a lookup to the upstream). The first example # has a copy of the root for local usage. The second serves example.org # authoritatively. zonefile: reads from file (and writes to it if you also -# download it), master: fetches with AXFR, url: fetches zonefile over http. +# download it), master: fetches with AXFR and IXFR # auth-zone: # name: "." # for-downstream: no # for-upstream: yes +# fallback-enabled: yes # master: b.root-servers.net # master: c.root-servers.net # master: e.root-servers.net @@ -830,7 +831,6 @@ remote-control: # for-downstream: yes # for-upstream: yes # zonefile: "example.org.zone" -# url: "http://www.example.com/example.org.zone" # Views # Create named views. Name must be unique. Map views to requests using diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index 2fd48f96d..228be3c6a 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in 
@@ -1439,6 +1439,56 @@ Default is no. .TP .B forward\-ssl\-upstream: \fI Alternate syntax for \fBforward\-tls\-upstream\fR. +.SS "Authority Zone Options" +.LP +Authority zones are configured with \fBauth\-zone:\fR, and each one must +have a \fBname:\fR. There can be multiple ones, by listing multiple auth\-zone clauses, each with a different name, pertaining to that part of the namespace. +The authority zone with the name closest to the name looked up is used. +Authority zones are processed after \fBlocal\-zones\fR and before +cache (\fBfor\-downstream:\fR \fIyes\fR), and when used in this manner +make unbound respond like an authority server. Authority zones are also +processed after cache, just before going to the network to fetch +information for recursion (\fBfor\-upstream:\fR \fIyes\fR), and when used +in this manner provide a local copy of an authority server that speeds up +lookups of that data. +.LP +Authority zones can be read from zonefile. And can be kept updated via +AXFR and IXFR. After update the zonefile is rewritten. The update mechanism +uses the SOA timer values and performs SOA UDP queries to detect zone changes. +.TP +.B name: \fI +Name of the authority zone. +.TP +.B master: \fI +Where to download a copy of the zone from, with AXFR and IXFR. Multiple +masters can be specified. They are all tried if one fails. +.TP +.B fallback\-enabled: \fI +Default no. If enabled, unbound falls back to querying the internet as +a resolver for this zone when lookups fail. For example for DNSSEC +validation failures. +.TP +.B for\-downstream: \fI +Default yes. If enabled, unbound serves authority responses to +downstream clients for this zone. This option makes unbound behave, for +the queries with names in this zone, like one of the authority servers for +that zone. Turn it off if you want unbound to provide recursion for the +zone but have a local copy of zone data. 
If for\-downstream is no and +for\-upstream is yes, then unbound will DNSSEC validate the contents of the +zone before serving the zone contents to clients and store validation +results in the cache. +.TP +.B for\-upstream: \fI +Default yes. If enabled, unbound fetches data from this data collection +for answering recursion queries. Instead of sending queries over the internet +to the authority servers for this zone, it'll fetch the data directly from +the zone data. Turn it on when you want unbound to provide recursion for +downstream clients, and use the zone data as a local copy to speed up lookups. +.TP +.B zonefile: \fI +The filename where the zone is stored. If not given then no zonefile is used. +If the file does not exist or is empty, unbound will attempt to fetch zone +data (eg. from the master servers). .SS "View Options" .LP There may be multiple
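Review bot: the 5 February 2018 changelog entry does not mention that the `url:` option is removed from the example configuration (the doc/example.conf.in hunks drop "url: fetches zonefile over http." and the `url: "http://www.example.com/example.org.zone"` line); since that is a user-visible change to how zone data can be obtained, add a line to the entry stating that url: is gone and that a zone is now populated from a zonefile or via AXFR/IXFR from masters. The inline example in the entry also runs several options onto one line; list them one per line as they would appear in unbound.conf so the entry can be copied directly.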
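Review bot: in the @@ -814 hunk of doc/example.conf.in the rewritten comment "master: fetches with AXFR and IXFR" loses the sentence-ending period the replaced line had, and the added `fallback-enabled: yes` for the root example appears without any comment while the man page in the same patch says the default is no; add a one-line comment beside it (fall back to querying the internet when the local copy cannot answer) so the example explains why it flips a default.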
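Review bot: the for\-downstream description in the doc/unbound.conf.5.in hunk only says that validation happens "If for\-downstream is no and for\-upstream is yes", leaving implicit what happens in the authority-server mode (for\-downstream: yes); state explicitly whether zone contents received via AXFR/IXFR or read from the zonefile are DNSSEC validated before being served to clients in that mode, because an operator choosing it needs to know whether the transferred data is trusted as received. Two sentences in the same hunk are fragments and should be joined: "Authority zones can be read from zonefile. And can be kept updated via AXFR and IXFR." and, under fallback\-enabled, "when lookups fail. For example for DNSSEC validation failures." (e.g. "when lookups fail, for example on DNSSEC validation failures."); "eg." in the zonefile text should be "e.g.".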