diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
index 672bc78b4e..f8f223eb3c 100644
--- a/bin/named/named.conf.docbook
+++ b/bin/named/named.conf.docbook
@@ -13,7 +13,7 @@
 
 <refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
   <info>
-    <date>2019-05-10</date>
+    <date>2019-06-28</date>
   </info>
   <refentryinfo>
     <corpname>ISC</corpname>
@@ -158,9 +158,10 @@ logging {
   <refsection><info><title>MANAGED-KEYS</title></info>
   <para>Deprecated - see DNSSEC-KEYS.</para>
     <literallayout class="normal">
-managed-keys { <replaceable>string</replaceable> ( static-key |
-    initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
-    <replaceable>quoted_string</replaceable>; ... };
+managed-keys { <replaceable>string</replaceable> ( static-key
+    | initial-key ) <replaceable>integer</replaceable>
+    <replaceable>integer</replaceable> <replaceable>integer</replaceable>
+    <replaceable>quoted_string</replaceable>; ... }; deprecated
 </literallayout>
   </refsection>
 
@@ -220,7 +221,6 @@ options {
 	check-spf ( warn | ignore );
 	check-srv-cname ( fail | warn | ignore );
 	check-wildcard <replaceable>boolean</replaceable>;
-	cleaning-interval <replaceable>integer</replaceable>;
 	clients-per-query <replaceable>integer</replaceable>;
 	cookie-algorithm ( aes | sha1 | sha256 );
 	cookie-secret <replaceable>string</replaceable>;
@@ -253,8 +253,9 @@ options {
 	dnssec-accept-expired <replaceable>boolean</replaceable>;
 	dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
 	dnssec-loadkeys-interval <replaceable>integer</replaceable>;
-	dnssec-lookaside ( <replaceable>string</replaceable> trust-anchor
-	    <replaceable>string</replaceable> | auto | no );
+	dnssec-lookaside ( <replaceable>string</replaceable>
+	    trust-anchor <replaceable>string</replaceable> |
+	    auto | no ); deprecated
 	dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
 	dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
 	dnssec-update-mode ( maintain | no-resign );
@@ -534,7 +535,7 @@ statistics-channels {
     <literallayout class="normal">
 trusted-keys { <replaceable>string</replaceable> <replaceable>integer</replaceable>
     <replaceable>integer</replaceable> <replaceable>integer</replaceable>
-    <replaceable>quoted_string</replaceable>; ... };, deprecated
+    <replaceable>quoted_string</replaceable>; ... }; deprecated
 </literallayout>
   </refsection>
 
@@ -579,7 +580,6 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 	check-spf ( warn | ignore );
 	check-srv-cname ( fail | warn | ignore );
 	check-wildcard <replaceable>boolean</replaceable>;
-	cleaning-interval <replaceable>integer</replaceable>;
 	clients-per-query <replaceable>integer</replaceable>;
 	deny-answer-addresses { <replaceable>address_match_element</replaceable>; ... } [
 	    except-from { <replaceable>string</replaceable>; ... } ];
@@ -614,8 +614,9 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 	    initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable>
 	    <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... };
 	dnssec-loadkeys-interval <replaceable>integer</replaceable>;
-	dnssec-lookaside ( <replaceable>string</replaceable> trust-anchor
-	    <replaceable>string</replaceable> | auto | no );
+	dnssec-lookaside ( <replaceable>string</replaceable>
+	    trust-anchor <replaceable>string</replaceable> |
+	    auto | no ); deprecated
 	dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
 	dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
 	dnssec-update-mode ( maintain | no-resign );
@@ -650,9 +651,11 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 	key-directory <replaceable>quoted_string</replaceable>;
 	lame-ttl <replaceable>ttlval</replaceable>;
 	lmdb-mapsize <replaceable>sizeval</replaceable>;
-	managed-keys { <replaceable>string</replaceable> ( static-key |
-	    initial-key ) <replaceable>integer</replaceable> <replaceable>integer</replaceable>
-	    <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... };, deprecated
+	managed-keys { <replaceable>string</replaceable> (
+	    static-key | initial-key
+	    ) <replaceable>integer</replaceable> <replaceable>integer</replaceable>
+	    <replaceable>integer</replaceable>
+	    <replaceable>quoted_string</replaceable>; ... }; deprecated
 	masterfile-format ( map | raw | text );
 	masterfile-style ( full | relative );
 	match-clients { <replaceable>address_match_element</replaceable>; ... };
@@ -805,7 +808,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 	trusted-keys { <replaceable>string</replaceable>
 	    <replaceable>integer</replaceable> <replaceable>integer</replaceable>
 	    <replaceable>integer</replaceable>
-	    <replaceable>quoted_string</replaceable>; ... };, deprecated
+	    <replaceable>quoted_string</replaceable>; ... }; deprecated
 	try-tcp-refresh <replaceable>boolean</replaceable>;
 	update-check-ksk <replaceable>boolean</replaceable>;
 	use-alt-transfer-source <replaceable>boolean</replaceable>;
diff --git a/bin/tests/system/checkconf/deprecated.conf b/bin/tests/system/checkconf/deprecated.conf
index d4f30a0b0c..f080af4087 100644
--- a/bin/tests/system/checkconf/deprecated.conf
+++ b/bin/tests/system/checkconf/deprecated.conf
@@ -11,6 +11,7 @@
 
 options {
 	dnssec-validation yes;
+	dnssec-lookaside . trust-anchor dlv.example.com;
 };
 
 trusted-keys {
diff --git a/bin/tests/system/checkconf/dnssec.3 b/bin/tests/system/checkconf/dnssec.3
index a48d9c97a1..56c4a52fe6 100644
--- a/bin/tests/system/checkconf/dnssec.3
+++ b/bin/tests/system/checkconf/dnssec.3
@@ -24,7 +24,6 @@ view view3 {
 
 view view4 {
 	match-clients { none; };
-	dnssec-lookaside no;
 };
 
 view view5 {
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
index d627d2a844..b6136d6f3b 100644
--- a/bin/tests/system/checkconf/good.conf
+++ b/bin/tests/system/checkconf/good.conf
@@ -107,7 +107,6 @@ view "second" {
 			1.2.3.4;
 		};
 	};
-	dnssec-lookaside "." trust-anchor "example.org.";
 	dnssec-validation auto;
 	zone-statistics full;
 };
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index bd6576e9ad..d41247a903 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -130,6 +130,7 @@ n=`expr $n + 1`
 echo_i "checking named-checkconf deprecate warnings ($n)"
 ret=0
 $CHECKCONF deprecated.conf > checkconf.out$n.1 2>&1
+grep "option 'dnssec-lookaside' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
 grep "option 'managed-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
 grep "option 'trusted-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -401,10 +402,12 @@ if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
-echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' does not generate a warning ($n)"
+echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' generates only a deprecate warning ($n)"
 ret=0
 $CHECKCONF good-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1
-[ -s checkconf.out$n ] && ret=1
+lines=$(wc -l < checkconf.out$n)
+if [ $lines != 1 ]; then ret=1; fi
+grep "option 'dnssec-lookaside' is deprecated" < checkconf.out$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
 status=`expr $status + $ret`
 
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index cd75915bd0..e0fc511712 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -5103,6 +5103,9 @@ options {
 		<userinput>no</userinput>, then dnssec-lookaside
 		is not used.
 	      </para>
+	      <para>
+		This option is deprecated and its use is discouraged.
+	      </para>
 	      <para>
 		NOTE: The ISC-provided DLV service at
 		<literal>dlv.isc.org</literal>, has been shut down.
diff --git a/doc/arm/managed-keys.grammar.xml b/doc/arm/managed-keys.grammar.xml
index d1aaee3c37..beb0f96725 100644
--- a/doc/arm/managed-keys.grammar.xml
+++ b/doc/arm/managed-keys.grammar.xml
@@ -12,7 +12,8 @@
 <!-- Generated by doc/misc/docbook-options.pl -->
 
 <programlisting>
-<command>managed-keys</command> { <replaceable>string</replaceable> ( static-key |
-    <command>initial-key</command> ) <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
-    <replaceable>quoted_string</replaceable>; ... };
+<command>managed-keys</command> { <replaceable>string</replaceable> ( static-key
+    | initial-key ) <replaceable>integer</replaceable>
+    <replaceable>integer</replaceable> <replaceable>integer</replaceable>
+    <replaceable>quoted_string</replaceable>; ... }; deprecated
 </programlisting>
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 6f0deec264..a1ce3fcad5 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -195,7 +195,7 @@
     <itemizedlist>
       <listitem>
 	<para>
-	  The <command>dnssec-enable</command> option has been deprecated and
+	  The <command>dnssec-enable</command> option has been obsoleted and
 	  no longer has any effect. DNSSEC responses are always enabled
 	  if signatures and other DNSSEC data are present. [GL #866]
 	</para>
@@ -206,6 +206,12 @@
 	  removed.  [GL !1731]
 	</para>
       </listitem>
+      <listitem>
+	<para>
+	  The <command>dnssec-lookaside</command> option has been deprecated.
+	  The feature still works, but it is discouraged to use it. [GL #7]
+	</para>
+      </listitem>
     </itemizedlist>
   </section>
 
diff --git a/doc/arm/options.grammar.xml b/doc/arm/options.grammar.xml
index 850bde3d5c..ed399c07dd 100644
--- a/doc/arm/options.grammar.xml
+++ b/doc/arm/options.grammar.xml
@@ -57,7 +57,6 @@
 	<command>check-spf</command> ( warn | ignore );
 	<command>check-srv-cname</command> ( fail | warn | ignore );
 	<command>check-wildcard</command> <replaceable>boolean</replaceable>;
-	<command>cleaning-interval</command> <replaceable>integer</replaceable>;
 	<command>clients-per-query</command> <replaceable>integer</replaceable>;
 	<command>cookie-algorithm</command> ( aes | sha1 | sha256 );
 	<command>cookie-secret</command> <replaceable>string</replaceable>;
@@ -90,8 +89,9 @@
 	<command>dnssec-accept-expired</command> <replaceable>boolean</replaceable>;
 	<command>dnssec-dnskey-kskonly</command> <replaceable>boolean</replaceable>;
 	<command>dnssec-loadkeys-interval</command> <replaceable>integer</replaceable>;
-	<command>dnssec-lookaside</command> ( <replaceable>string</replaceable> trust-anchor
-	    <replaceable>string</replaceable> | auto | no );
+	<command>dnssec-lookaside</command> ( <replaceable>string</replaceable>
+	    <command>trust-anchor</command> <replaceable>string</replaceable> |
+	    <command>auto</command> | no ); deprecated
 	<command>dnssec-must-be-secure</command> <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
 	<command>dnssec-secure-to-insecure</command> <replaceable>boolean</replaceable>;
 	<command>dnssec-update-mode</command> ( maintain | no-resign );
diff --git a/doc/arm/trusted-keys.grammar.xml b/doc/arm/trusted-keys.grammar.xml
index 2a0b6e9454..82a502dff0 100644
--- a/doc/arm/trusted-keys.grammar.xml
+++ b/doc/arm/trusted-keys.grammar.xml
@@ -14,5 +14,5 @@
 <programlisting>
 <command>trusted-keys</command> { <replaceable>string</replaceable> <replaceable>integer</replaceable>
     <replaceable>integer</replaceable> <replaceable>integer</replaceable>
-    <replaceable>quoted_string</replaceable>; ... };, deprecated
+    <replaceable>quoted_string</replaceable>; ... }; deprecated
 </programlisting>
diff --git a/doc/misc/docbook-grammars.pl b/doc/misc/docbook-grammars.pl
index 7d36da8fe3..98236beec9 100644
--- a/doc/misc/docbook-grammars.pl
+++ b/doc/misc/docbook-grammars.pl
@@ -67,7 +67,7 @@ while (<FH>) {
 
 	s{ // not configured}{};
 	s{ // non-operational}{};
-	s{ // may occur multiple times}{};
+	s{ // may occur multiple times,*}{};
 	s{<([a-z0-9_-]+)>}{<replaceable>$1</replaceable>}g;
 	s{^(\s*)([a-z0-9_-]+)\b}{$1<command>$2</command>};
 	s{[[]}{[}g;
diff --git a/doc/misc/docbook-options.pl b/doc/misc/docbook-options.pl
index e67213136d..92f3c78bd4 100644
--- a/doc/misc/docbook-options.pl
+++ b/doc/misc/docbook-options.pl
@@ -128,7 +128,7 @@ while (<FH>) {
 
 	s{ // not configured}{};
 	s{ // non-operational}{};
-	s{ (// )*may occur multiple times}{};
+	s{ (// )*may occur multiple times,*}{};
 	s{<([a-z0-9_-]+)>}{<replaceable>$1</replaceable>}g;
 	s{ // deprecated,*}{// deprecated};
 	s{[[]}{[}g;
diff --git a/doc/misc/docbook-zoneopt.pl b/doc/misc/docbook-zoneopt.pl
index 2adf2b10f9..0a1354bba2 100644
--- a/doc/misc/docbook-zoneopt.pl
+++ b/doc/misc/docbook-zoneopt.pl
@@ -51,7 +51,7 @@ while (<FH>) {
 	}
 
 	s{ // not configured}{};
-	s{ // may occur multiple times}{};
+	s{ // may occur multiple times,*}{};
 	s{<([a-z0-9_-]+)>}{<replaceable>$1</replaceable>}g;
 	s{^(\s*)([a-z0-9_-]+)\b}{$1<command>$2</command>};
 	s{[[]}{[}g;
diff --git a/doc/misc/options b/doc/misc/options
index eef44aa0fb..d697fe543e 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -146,8 +146,9 @@ options {
         dnssec-dnskey-kskonly <boolean>;
         dnssec-enable <boolean>; // obsolete
         dnssec-loadkeys-interval <integer>;
-        dnssec-lookaside ( <string> trust-anchor
-            <string> | auto | no ); // may occur multiple times
+        dnssec-lookaside ( <string>
+            trust-anchor <string> |
+            auto | no ); // may occur multiple times, deprecated
         dnssec-must-be-secure <string> <boolean>; // may occur multiple times
         dnssec-secure-to-insecure <boolean>;
         dnssec-update-mode ( maintain | no-resign );
@@ -192,7 +193,7 @@ options {
         fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
         fstrm-set-output-queue-size <integer>; // not configured
         fstrm-set-reopen-interval <ttlval>; // not configured
-        geoip-directory ( <quoted_string> | none ); // not configured
+        geoip-directory ( <quoted_string> | none );
         geoip-use-ecs <boolean>; // obsolete
         glue-cache <boolean>;
         has-old-clients <boolean>; // ancient
@@ -213,7 +214,7 @@ options {
         listen-on-v6 [ port <integer> ] [ dscp
             <integer> ] {
             <address_match_element>; ... }; // may occur multiple times
-        lmdb-mapsize <sizeval>; // non-operational
+        lmdb-mapsize <sizeval>;
         lock-file ( <quoted_string> | none );
         maintain-ixfr-base <boolean>; // ancient
         managed-keys-directory <quoted_string>;
@@ -524,8 +525,9 @@ view <string> [ <class> ] {
             initial-key ) <integer> <integer>
             <integer> <quoted_string>; ... }; // may occur multiple times
         dnssec-loadkeys-interval <integer>;
-        dnssec-lookaside ( <string> trust-anchor
-            <string> | auto | no ); // may occur multiple times
+        dnssec-lookaside ( <string>
+            trust-anchor <string> |
+            auto | no ); // may occur multiple times, deprecated
         dnssec-must-be-secure <string> <boolean>; // may occur multiple times
         dnssec-secure-to-insecure <boolean>;
         dnssec-update-mode ( maintain | no-resign );
@@ -563,7 +565,7 @@ view <string> [ <class> ] {
         }; // may occur multiple times
         key-directory <quoted_string>;
         lame-ttl <ttlval>;
-        lmdb-mapsize <sizeval>; // non-operational
+        lmdb-mapsize <sizeval>;
         maintain-ixfr-base <boolean>; // ancient
         managed-keys { <string> (
             static-key | initial-key
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 61c8857fe6..f5afd1fecf 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1879,7 +1879,8 @@ view_clauses[] = {
 #endif
 	{ "dnssec-accept-expired", &cfg_type_boolean, 0 },
 	{ "dnssec-enable", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "dnssec-lookaside", &cfg_type_lookaside, CFG_CLAUSEFLAG_MULTI },
+	{ "dnssec-lookaside", &cfg_type_lookaside,
+	  CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_DEPRECATED },
 	{ "dnssec-must-be-secure",  &cfg_type_mustbesecure,
 	  CFG_CLAUSEFLAG_MULTI },
 	{ "dnssec-validation", &cfg_type_boolorauto, 0 },