diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5
index 88cfb1aea7..bb45140d53 100644
--- a/bin/named/named.conf.5
+++ b/bin/named/named.conf.5
@@ -451,6 +451,7 @@ options {
 	stacksize ( default | unlimited | \fIsizeval\fR );
 	startup\-notify\-rate \fIinteger\fR;
 	statistics\-file \fIquoted_string\fR;
+	synth\-from\-dnssec \fIboolean\fR;
 	tcp\-advertised\-timeout \fIinteger\fR;
 	tcp\-clients \fIinteger\fR;
 	tcp\-idle\-timeout \fIinteger\fR;
@@ -801,6 +802,7 @@ view \fIstring\fR [ \fIclass\fR ] {
 	sig\-signing\-type \fIinteger\fR;
 	sig\-validity\-interval \fIinteger\fR [ \fIinteger\fR ];
 	sortlist { \fIaddress_match_element\fR; \&.\&.\&. };
+	synth\-from\-dnssec \fIboolean\fR;
 	transfer\-format ( many\-answers | one\-answer );
 	transfer\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ] [
 	    dscp \fIinteger\fR ];
diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html
index 7e4c44b5e8..2a20bfe78d 100644
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@@ -428,6 +428,7 @@ options
 	stacksize ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
 	startup-notify-rate <em class="replaceable"><code>integer</code></em>;<br>
 	statistics-file <em class="replaceable"><code>quoted_string</code></em>;<br>
+	synth-from-dnssec <em class="replaceable"><code>boolean</code></em>;<br>
 	tcp-advertised-timeout <em class="replaceable"><code>integer</code></em>;<br>
 	tcp-clients <em class="replaceable"><code>integer</code></em>;<br>
 	tcp-idle-timeout <em class="replaceable"><code>integer</code></em>;<br>
@@ -766,6 +767,7 @@ view
 	sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
 	sig-validity-interval <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
 	sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	synth-from-dnssec <em class="replaceable"><code>boolean</code></em>;<br>
 	transfer-format ( many-answers | one-answer );<br>
 	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
 	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index c9fd498861..b3eb8278c3 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -229,7 +229,7 @@
         <p>
           Changes that result from incoming incremental zone transfers are
           also
-          journalled in a similar way.
+          journaled in a similar way.
         </p>
 
         <p>
@@ -987,7 +987,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
 
         <p>
           Any <code class="filename">keyset</code> files corresponding to
-          secure subzones should be present.  The zone signer will
+          secure sub-zones should be present.  The zone signer will
           generate <code class="literal">NSEC</code>, <code class="literal">NSEC3</code>
           and <code class="literal">RRSIG</code> records for the zone, as
           well as <code class="literal">DS</code> for the child zones if
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 5045452ead..fb21d8b070 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -5032,6 +5032,37 @@ options {
                   next time <span class="command"><strong>named</strong></span> is started.
                 </p>
               </dd>
+<dt><span class="term"><span class="command"><strong>synth-from-dnssec</strong></span></span></dt>
+<dd>
+                <p>
+                  Synthesize answers from cached NSEC, NSEC3 and
+                  other RRsets that have been proved to be correct
+                  using DNSSEC.  The default is <span class="command"><strong>yes</strong></span>.
+                </p>
+                <p>
+                  Note:
+                  </p>
+<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+                      <p>
+                        DNSSEC validation must be enabled for this
+                        option to be effective.
+                      </p>
+                    </li>
+<li class="listitem">
+                      <p>
+                        This initial implementation only covers
+                        NXDOMAIN synthesis from NSEC records.
+                        Synthesis of NODATA and wildcard responses
+                        is also planned, as is synthesis from NSEC3
+                        records.  All of these will be controlled
+                        by <span class="command"><strong>synth-from-dnssec</strong></span>.
+                      </p>
+                    </li>
+</ul></div>
+<p>
+                </p>
+              </dd>
 </dl></div>
 
         </div>
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 511404d9bd..7fd456230a 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -442,6 +442,21 @@
 	  "[ECS <em class="replaceable"><code>address/source/scope</code></em>]".
 	</p>
       </li>
+<li class="listitem">
+	<p>
+	  <span class="command"><strong>named</strong></span> will now synthesize responses
+	  from cached DNSSEC-verified records.  This will reduce
+	  query loads on authoritative servers for signed domains:
+	  if existing cached records can be used to determine
+	  the answer then no query needs to be sent.
+	</p>
+	<p>
+	  This behavior is controlled by the new
+	  <code class="filename">named.conf</code> option
+	  <span class="command"><strong>synth-from-dnssec</strong></span>.  It is enabled by
+	  default.
+	</p>
+      </li>
 </ul></div>
   </div>
 
diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html
index 05fb06d8ec..6ba590326c 100644
--- a/doc/arm/man.named.conf.html
+++ b/doc/arm/man.named.conf.html
@@ -446,6 +446,7 @@ options
 	stacksize ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
 	startup-notify-rate <em class="replaceable"><code>integer</code></em>;<br>
 	statistics-file <em class="replaceable"><code>quoted_string</code></em>;<br>
+	synth-from-dnssec <em class="replaceable"><code>boolean</code></em>;<br>
 	tcp-advertised-timeout <em class="replaceable"><code>integer</code></em>;<br>
 	tcp-clients <em class="replaceable"><code>integer</code></em>;<br>
 	tcp-idle-timeout <em class="replaceable"><code>integer</code></em>;<br>
@@ -784,6 +785,7 @@ view
 	sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
 	sig-validity-interval <em class="replaceable"><code>integer</code></em> [<span class="optional"> <em class="replaceable"><code>integer</code></em> </span>];<br>
 	sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	synth-from-dnssec <em class="replaceable"><code>boolean</code></em>;<br>
 	transfer-format ( many-answers | one-answer );<br>
 	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>] [<span class="optional"><br>
 	    dscp <em class="replaceable"><code>integer</code></em> </span>];<br>
diff --git a/doc/arm/notes.html b/doc/arm/notes.html
index a0d76bab54..586336edbd 100644
--- a/doc/arm/notes.html
+++ b/doc/arm/notes.html
@@ -403,6 +403,21 @@
 	  "[ECS <em class="replaceable"><code>address/source/scope</code></em>]".
 	</p>
       </li>
+<li class="listitem">
+	<p>
+	  <span class="command"><strong>named</strong></span> will now synthesize responses
+	  from cached DNSSEC-verified records.  This will reduce
+	  query loads on authoritative servers for signed domains:
+	  if existing cached records can be used to determine
+	  the answer then no query needs to be sent.
+	</p>
+	<p>
+	  This behavior is controlled by the new
+	  <code class="filename">named.conf</code> option
+	  <span class="command"><strong>synth-from-dnssec</strong></span>.  It is enabled by
+	  default.
+	</p>
+      </li>
 </ul></div>
   </div>
 
diff --git a/doc/misc/options b/doc/misc/options
index dfd5386680..7c29d94cb3 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -174,9 +174,9 @@ options {
         fetches-per-server <integer> [ ( drop | fail ) ];
         fetches-per-zone <integer> [ ( drop | fail ) ];
         files ( default | unlimited | <sizeval> );
-        filter-aaaa { <address_match_element>; ... };
-        filter-aaaa-on-v4 ( break-dnssec | <boolean> );
-        filter-aaaa-on-v6 ( break-dnssec | <boolean> );
+        filter-aaaa { <address_match_element>; ... }; // not configured
+        filter-aaaa-on-v4 ( break-dnssec | <boolean> ); // not configured
+        filter-aaaa-on-v6 ( break-dnssec | <boolean> ); // not configured
         flush-zones-on-shutdown <boolean>;
         forward ( first | only );
         forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
@@ -188,8 +188,8 @@ options {
         fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
         fstrm-set-output-queue-size <integer>; // not configured
         fstrm-set-reopen-interval <integer>; // not configured
-        geoip-directory ( <quoted_string> | none );
-        geoip-use-ecs <boolean>;
+        geoip-directory ( <quoted_string> | none ); // not configured
+        geoip-use-ecs <boolean>; // not configured
         glue-cache <boolean>;
         has-old-clients <boolean>; // obsolete
         heartbeat-interval <integer>;
@@ -208,7 +208,7 @@ options {
         listen-on-v6 [ port <integer> ] [ dscp
             <integer> ] {
             <address_match_element>; ... }; // may occur multiple times
-        lmdb-mapsize <sizeval>;
+        lmdb-mapsize <sizeval>; // non-operational
         lock-file ( <quoted_string> | none );
         maintain-ixfr-base <boolean>; // obsolete
         managed-keys-directory <quoted_string>;
@@ -516,9 +516,9 @@ view <string> [ <class> ] {
         fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
         fetches-per-server <integer> [ ( drop | fail ) ];
         fetches-per-zone <integer> [ ( drop | fail ) ];
-        filter-aaaa { <address_match_element>; ... };
-        filter-aaaa-on-v4 ( break-dnssec | <boolean> );
-        filter-aaaa-on-v6 ( break-dnssec | <boolean> );
+        filter-aaaa { <address_match_element>; ... }; // not configured
+        filter-aaaa-on-v4 ( break-dnssec | <boolean> ); // not configured
+        filter-aaaa-on-v6 ( break-dnssec | <boolean> ); // not configured
         forward ( first | only );
         forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
             | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
@@ -531,7 +531,7 @@ view <string> [ <class> ] {
         }; // may occur multiple times
         key-directory <quoted_string>;
         lame-ttl <ttlval>;
-        lmdb-mapsize <sizeval>;
+        lmdb-mapsize <sizeval>; // non-operational
         maintain-ixfr-base <boolean>; // obsolete
         managed-keys { <string> <string>
             <integer> <integer> <integer>