diff --git a/doc/Changelog b/doc/Changelog
index a640c50f0..602ae39c3 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,6 +1,8 @@
 7 January 2018: Wouter
 	- On FreeBSD warn if systcl settings do not allow server TCP FASTOPEN,
 	  and server tcp fastopen is enabled at compile time.
+	- Document interaction between the tls-upstream option in the server
+	  section and forward-tls-upstream option in the forward-zone sections.
 
 12 December 2018: Wouter
 	- Fix for crash in dns64 module if response is null.
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 0acce72ac..c18616273 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -440,6 +440,8 @@ TCP wireformat.  The other server must support this (see
 \fBtls\-service\-key\fR).
 If you enable this, also configure a tls\-cert\-bundle or use tls\-win\-cert to
 load CA certs, otherwise the connections cannot be authenticated.
+This option enables TLS for all of them, but if you do not set this you can
+configure TLS specifically for some forward zones with forward\-tls\-upstream.  And also with stub\-tls\-upstream.
 .TP
 .B ssl\-upstream: \fI<yes or no>
 Alternate syntax for \fBtls\-upstream\fR.  If both are present in the config