diff --git a/doc/Changelog b/doc/Changelog index d227a3fe0..8a2e490f1 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,8 @@ +2 January 2008: Wouter + - fixup typo in requirements. + - document that 'refused' is a better choice than 'drop' for + the access control list, as refused will stop retries. + 7 December 2007: Wouter - unbound-host has a -d option to show what happens. This can help with debugging (why do I get this answer). diff --git a/doc/unbound.conf.5 b/doc/unbound.conf.5 index badee38bd..daf0d2391 100644 --- a/doc/unbound.conf.5 +++ b/doc/unbound.conf.5 @@ -168,6 +168,9 @@ Deny stops queries from hosts from that netblock. Refuse stops queries too, but sends a DNS rcode REFUSED error message back. Allow gives access to clients from that netblock. By default only localhost is allowed, the rest is refused. +The default is refused, because that is protocol-friendly. The DNS protocol +is not designed to handle dropped packets due to policy, and dropping may +result in (possibly excessive) retried queries. .It \fBchroot:\fR If given a chroot is done to the given directory. The default is "/etc/unbound". If you give "" no chroot is performed.
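Review bot: In the Changelog hunk, the entry says 'refused' is a better choice than 'drop', but the access-control action documented in unbound.conf.5 is named "deny" ("Deny stops queries from hosts from that netblock"), not "drop"; suggest "document that 'refuse' is a better choice than 'deny' for the access control list, as refuse will stop retries." so the entry matches the option names an operator will actually grep for.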
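Review bot: In the unbound.conf.5 hunk, the added sentences talk about "dropped packets" without naming the action that causes the drop, even though "Deny" is defined only two lines earlier; suggest opening with "The deny action silently drops the query, and the DNS protocol is not designed to handle dropped packets due to policy, ..." so the reader connects the retry cost to the deny keyword. The opening "The default is refused, because that is protocol-friendly." also restates the preceding "the rest is refused" and reads better folded into it, e.g. "By default only localhost is allowed, the rest is refused, because refusing is protocol-friendly."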