diff --git a/CHANGES b/CHANGES
index 5873831054..aac6b48b55 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+5563.	[cleanup]	Clean up the number of clause flags [GL #1086].
+
 5562.	[placeholder]
 
 5561.	[bug]		KASP incorrectly set signature validity to the value
diff --git a/bin/named/named.conf.rst b/bin/named/named.conf.rst
index bf4ba2d059..9fbe08b0ba 100644
--- a/bin/named/named.conf.rst
+++ b/bin/named/named.conf.rst
@@ -165,7 +165,7 @@ OPTIONS
   	    * ) ] [ dscp integer ];
   	answer-cookie boolean;
   	attach-cache string;
-  	auth-nxdomain boolean; // default changed
+  	auth-nxdomain boolean;
   	auto-dnssec ( allow | maintain | off );
   	automatic-interface-scan boolean;
   	avoid-v4-udp-ports { portrange; ... };
@@ -519,7 +519,10 @@ TLS
 
   tls string {
   	cert-file quoted_string;
+  	ciphers string; // experimental
+  	dh-param quoted_string; // experimental
   	key-file quoted_string;
+  	protocols sslprotos; // experimental
   };
 
 TRUST-ANCHORS
@@ -568,7 +571,7 @@ VIEW
   	alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer |
   	    * ) ] [ dscp integer ];
   	attach-cache string;
-  	auth-nxdomain boolean; // default changed
+  	auth-nxdomain boolean;
   	auto-dnssec ( allow | maintain | off );
   	cache-file quoted_string;
   	catalog-zones { zone string [ default-masters [ port integer ]
diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in
index 6927fc9b62..9798295f4a 100644
--- a/doc/man/named.conf.5in
+++ b/doc/man/named.conf.5in
@@ -228,7 +228,7 @@ options {
           * ) ] [ dscp integer ];
       answer\-cookie boolean;
       attach\-cache string;
-      auth\-nxdomain boolean; // default changed
+      auth\-nxdomain boolean;
       auto\-dnssec ( allow | maintain | off );
       automatic\-interface\-scan boolean;
       avoid\-v4\-udp\-ports { portrange; ... };
@@ -602,7 +602,10 @@ statistics\-channels {
 .ft C
 tls string {
       cert\-file quoted_string;
+      ciphers string; // experimental
+      dh\-param quoted_string; // experimental
       key\-file quoted_string;
+      protocols sslprotos; // experimental
 };
 .ft P
 .fi
@@ -663,7 +666,7 @@ view string [ class ] {
       alt\-transfer\-source\-v6 ( ipv6_address | * ) [ port ( integer |
           * ) ] [ dscp integer ];
       attach\-cache string;
-      auth\-nxdomain boolean; // default changed
+      auth\-nxdomain boolean;
       auto\-dnssec ( allow | maintain | off );
       cache\-file quoted_string;
       catalog\-zones { zone string [ default\-masters [ port integer ]
diff --git a/doc/misc/options b/doc/misc/options
index eac0be785a..6d7bcc798f 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -63,8 +63,6 @@ logging {
         }; // may occur multiple times
 };
 
-lwres { <unspecified-text> }; // obsolete, may occur multiple times
-
 managed-keys { <string> ( static-key
     | initial-key | static-ds |
     initial-ds ) <integer> <integer>
@@ -76,10 +74,6 @@ masters <string> [ port <integer> ] [ dscp
     <integer> ] ) [ key <string> ]; ... }; // may occur multiple times
 
 options {
-        acache-cleaning-interval <integer>; // obsolete
-        acache-enable <boolean>; // obsolete
-        additional-from-auth <boolean>; // obsolete
-        additional-from-cache <boolean>; // obsolete
         allow-new-zones <boolean>;
         allow-notify { <address_match_element>; ... };
         allow-query { <address_match_element>; ... };
@@ -91,7 +85,6 @@ options {
         allow-transfer { <address_match_element>; ... };
         allow-update { <address_match_element>; ... };
         allow-update-forwarding { <address_match_element>; ... };
-        allow-v6-synthesis { <address_match_element>; ... }; // obsolete
         also-notify [ port <integer> ] [ dscp <integer> ] { ( <primaries> |
             <ipv4_address> [ port <integer> ] | <ipv6_address> [ port
             <integer> ] ) [ key <string> ]; ... };
@@ -101,7 +94,7 @@ options {
             * ) ] [ dscp <integer> ];
         answer-cookie <boolean>;
         attach-cache <string>;
-        auth-nxdomain <boolean>; // default changed
+        auth-nxdomain <boolean>;
         auto-dnssec ( allow | maintain | off );
         automatic-interface-scan <boolean>;
         avoid-v4-udp-ports { <portrange>; ... };
@@ -125,13 +118,11 @@ options {
         check-spf ( warn | ignore );
         check-srv-cname ( fail | warn | ignore );
         check-wildcard <boolean>;
-        cleaning-interval <integer>; // obsolete
         clients-per-query <integer>;
         cookie-algorithm ( aes | siphash24 );
         cookie-secret <string>; // may occur multiple times
         coresize ( default | unlimited | <sizeval> );
         datasize ( default | unlimited | <sizeval> );
-        deallocate-on-exit <boolean>; // ancient
         deny-answer-addresses { <address_match_element>; ... } [
             except-from { <string>; ... } ];
         deny-answer-aliases { <string>; ... } [ except-from { <string>; ...
@@ -158,11 +149,7 @@ options {
         dnsrps-options { <unspecified-text> };
         dnssec-accept-expired <boolean>;
         dnssec-dnskey-kskonly <boolean>;
-        dnssec-enable <boolean>; // obsolete
         dnssec-loadkeys-interval <integer>;
-        dnssec-lookaside ( <string>
-            trust-anchor <string> |
-            auto | no ); // obsolete, may occur multiple times
         dnssec-must-be-secure <string> <boolean>; // may occur multiple times
         dnssec-policy <string>;
         dnssec-secure-to-insecure <boolean>;
@@ -185,8 +172,6 @@ options {
         empty-contact <string>;
         empty-server <string>;
         empty-zones-enable <boolean>;
-        fake-iquery <boolean>; // ancient
-        fetch-glue <boolean>; // ancient
         fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
         fetches-per-server <integer> [ ( drop | fail ) ];
         fetches-per-zone <integer> [ ( drop | fail ) ];
@@ -206,12 +191,8 @@ options {
         fstrm-set-output-queue-size <integer>;
         fstrm-set-reopen-interval <duration>;
         geoip-directory ( <quoted_string> | none );
-        geoip-use-ecs <boolean>; // obsolete
         glue-cache <boolean>; // deprecated
-        has-old-clients <boolean>; // ancient
         heartbeat-interval <integer>;
-        host-statistics <boolean>; // ancient
-        host-statistics-max <integer>; // ancient
         hostname ( <quoted_string> | none );
         inline-signing <boolean>;
         interface-interval <duration>;
@@ -231,16 +212,13 @@ options {
             <address_match_element>; ... }; // may occur multiple times
         lmdb-mapsize <sizeval>;
         lock-file ( <quoted_string> | none );
-        maintain-ixfr-base <boolean>; // ancient
         managed-keys-directory <quoted_string>;
         masterfile-format ( map | raw | text );
         masterfile-style ( full | relative );
         match-mapped-addresses <boolean>;
-        max-acache-size ( unlimited | <sizeval> ); // obsolete
         max-cache-size ( default | unlimited | <sizeval> | <percentage> );
         max-cache-ttl <duration>;
         max-clients-per-query <integer>;
-        max-ixfr-log-size ( default | unlimited | <sizeval> ); // ancient
         max-ixfr-ratio ( unlimited | <percentage> );
         max-journal-size ( default | unlimited | <sizeval> );
         max-ncache-ttl <duration>;
@@ -264,16 +242,12 @@ options {
         min-ncache-ttl <duration>;
         min-refresh-time <integer>;
         min-retry-time <integer>;
-        min-roots <integer>; // ancient
         minimal-any <boolean>;
         minimal-responses ( no-auth | no-auth-recursive | <boolean> );
         multi-master <boolean>;
-        multiple-cnames <boolean>; // ancient
-        named-xfer <quoted_string>; // ancient
         new-zones-directory <quoted_string>;
         no-case-compress { <address_match_element>; ... };
         nocookie-udp-size <integer>;
-        nosit-udp-size <integer>; // obsolete
         notify ( explicit | master-only | primary-only | <boolean> );
         notify-delay <integer>;
         notify-rate <integer>;
@@ -299,8 +273,6 @@ options {
             <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ]
             port ( <integer> | * ) ) ) [ dscp <integer> ];
         querylog <boolean>;
-        queryport-pool-ports <integer>; // obsolete
-        queryport-pool-updateinterval <integer>; // obsolete
         random-device ( <quoted_string> | none );
         rate-limit {
                 all-per-second <integer>;
@@ -325,7 +297,6 @@ options {
         request-expire <boolean>;
         request-ixfr <boolean>;
         request-nsid <boolean>;
-        request-sit <boolean>; // obsolete
         require-server-cookie <boolean>;
         reserved-sockets <integer>;
         resolver-nonbackoff-tries <integer>;
@@ -346,14 +317,12 @@ options {
             [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [
             dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text>
             } ];
-        rfc2308-type1 <boolean>; // ancient
         root-delegation-only [ exclude { <string>; ... } ];
         root-key-sentinel <boolean>;
         rrset-order { [ class <string> ] [ type <string> ] [ name
             <quoted_string> ] <string> <string>; ... };
         secroots-file <quoted_string>;
         send-cookie <boolean>;
-        serial-queries <integer>; // ancient
         serial-query-rate <integer>;
         serial-update-method ( date | increment | unixtime );
         server-id ( <quoted_string> | none | hostname );
@@ -365,7 +334,6 @@ options {
         sig-signing-signatures <integer>;
         sig-signing-type <integer>;
         sig-validity-interval <integer> [ <integer> ];
-        sit-secret <string>; // obsolete
         sortlist { <address_match_element>; ... };
         stacksize ( default | unlimited | <sizeval> );
         stale-answer-enable <boolean>;
@@ -374,8 +342,7 @@ options {
         stale-refresh-time <duration>;
         startup-notify-rate <integer>;
         statistics-file <quoted_string>;
-        statistics-interval <integer>; // ancient
-        suppress-initial-notify <boolean>; // not yet implemented
+        suppress-initial-notify <boolean>; // obsolete
         synth-from-dnssec <boolean>;
         tcp-advertised-timeout <integer>;
         tcp-clients <integer>;
@@ -388,7 +355,6 @@ options {
         tkey-gssapi-credential <quoted_string>;
         tkey-gssapi-keytab <quoted_string>;
         tls-port <integer>;
-        topology { <address_match_element>; ... }; // ancient
         transfer-format ( many-answers | one-answer );
         transfer-message-size <integer>;
         transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
@@ -398,14 +364,10 @@ options {
         transfers-in <integer>;
         transfers-out <integer>;
         transfers-per-ns <integer>;
-        treat-cr-as-space <boolean>; // ancient
         trust-anchor-telemetry <boolean>; // experimental
         try-tcp-refresh <boolean>;
         update-check-ksk <boolean>;
         use-alt-transfer-source <boolean>;
-        use-id-pool <boolean>; // ancient
-        use-ixfr <boolean>; // obsolete
-        use-queryport-pool <boolean>; // obsolete
         use-v4-udp-ports { <portrange>; ... };
         use-v6-udp-ports { <portrange>; ... };
         v6-bias <integer>;
@@ -446,9 +408,7 @@ server <netprefix> {
         request-expire <boolean>;
         request-ixfr <boolean>;
         request-nsid <boolean>;
-        request-sit <boolean>; // obsolete
         send-cookie <boolean>;
-        support-ixfr <boolean>; // obsolete
         tcp-keepalive <boolean>;
         tcp-only <boolean>;
         transfer-format ( many-answers | one-answer );
@@ -468,10 +428,10 @@ statistics-channels {
 
 tls <string> {
         cert-file <quoted_string>;
-        ciphers <string>; // not implemented
-        dh-param <quoted_string>; // not implemented
+        ciphers <string>; // experimental
+        dh-param <quoted_string>; // experimental
         key-file <quoted_string>;
-        protocols <sslprotos>; // not implemented
+        protocols <sslprotos>; // experimental
 }; // may occur multiple times
 
 trust-anchors { <string> ( static-key |
@@ -484,10 +444,6 @@ trusted-keys { <string> <integer>
     <quoted_string>; ... }; // may occur multiple times, deprecated
 
 view <string> [ <class> ] {
-        acache-cleaning-interval <integer>; // obsolete
-        acache-enable <boolean>; // obsolete
-        additional-from-auth <boolean>; // obsolete
-        additional-from-cache <boolean>; // obsolete
         allow-new-zones <boolean>;
         allow-notify { <address_match_element>; ... };
         allow-query { <address_match_element>; ... };
@@ -499,7 +455,6 @@ view <string> [ <class> ] {
         allow-transfer { <address_match_element>; ... };
         allow-update { <address_match_element>; ... };
         allow-update-forwarding { <address_match_element>; ... };
-        allow-v6-synthesis { <address_match_element>; ... }; // obsolete
         also-notify [ port <integer> ] [ dscp <integer> ] { ( <primaries> |
             <ipv4_address> [ port <integer> ] | <ipv6_address> [ port
             <integer> ] ) [ key <string> ]; ... };
@@ -508,7 +463,7 @@ view <string> [ <class> ] {
         alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
             * ) ] [ dscp <integer> ];
         attach-cache <string>;
-        auth-nxdomain <boolean>; // default changed
+        auth-nxdomain <boolean>;
         auto-dnssec ( allow | maintain | off );
         cache-file <quoted_string>;
         catalog-zones { zone <string> [ default-masters [ port <integer> ]
@@ -527,7 +482,6 @@ view <string> [ <class> ] {
         check-spf ( warn | ignore );
         check-srv-cname ( fail | warn | ignore );
         check-wildcard <boolean>;
-        cleaning-interval <integer>; // obsolete
         clients-per-query <integer>;
         deny-answer-addresses { <address_match_element>; ... } [
             except-from { <string>; ... } ];
@@ -558,11 +512,7 @@ view <string> [ <class> ] {
         dnsrps-options { <unspecified-text> };
         dnssec-accept-expired <boolean>;
         dnssec-dnskey-kskonly <boolean>;
-        dnssec-enable <boolean>; // obsolete
         dnssec-loadkeys-interval <integer>;
-        dnssec-lookaside ( <string>
-            trust-anchor <string> |
-            auto | no ); // obsolete, may occur multiple times
         dnssec-must-be-secure <string> <boolean>; // may occur multiple times
         dnssec-policy <string>;
         dnssec-secure-to-insecure <boolean>;
@@ -580,7 +530,6 @@ view <string> [ <class> ] {
         empty-contact <string>;
         empty-server <string>;
         empty-zones-enable <boolean>;
-        fetch-glue <boolean>; // ancient
         fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
         fetches-per-server <integer> [ ( drop | fail ) ];
         fetches-per-zone <integer> [ ( drop | fail ) ];
@@ -604,7 +553,6 @@ view <string> [ <class> ] {
         key-directory <quoted_string>;
         lame-ttl <duration>;
         lmdb-mapsize <sizeval>;
-        maintain-ixfr-base <boolean>; // ancient
         managed-keys { <string> (
             static-key | initial-key
             | static-ds | initial-ds
@@ -616,11 +564,9 @@ view <string> [ <class> ] {
         match-clients { <address_match_element>; ... };
         match-destinations { <address_match_element>; ... };
         match-recursive-only <boolean>;
-        max-acache-size ( unlimited | <sizeval> ); // obsolete
         max-cache-size ( default | unlimited | <sizeval> | <percentage> );
         max-cache-ttl <duration>;
         max-clients-per-query <integer>;
-        max-ixfr-log-size ( default | unlimited | <sizeval> ); // ancient
         max-ixfr-ratio ( unlimited | <percentage> );
         max-journal-size ( default | unlimited | <sizeval> );
         max-ncache-ttl <duration>;
@@ -641,14 +587,12 @@ view <string> [ <class> ] {
         min-ncache-ttl <duration>;
         min-refresh-time <integer>;
         min-retry-time <integer>;
-        min-roots <integer>; // ancient
         minimal-any <boolean>;
         minimal-responses ( no-auth | no-auth-recursive | <boolean> );
         multi-master <boolean>;
         new-zones-directory <quoted_string>;
         no-case-compress { <address_match_element>; ... };
         nocookie-udp-size <integer>;
-        nosit-udp-size <integer>; // obsolete
         notify ( explicit | master-only | primary-only | <boolean> );
         notify-delay <integer>;
         notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
@@ -672,8 +616,6 @@ view <string> [ <class> ] {
         query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port (
             <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ]
             port ( <integer> | * ) ) ) [ dscp <integer> ];
-        queryport-pool-ports <integer>; // obsolete
-        queryport-pool-updateinterval <integer>; // obsolete
         rate-limit {
                 all-per-second <integer>;
                 errors-per-second <integer>;
@@ -695,7 +637,6 @@ view <string> [ <class> ] {
         request-expire <boolean>;
         request-ixfr <boolean>;
         request-nsid <boolean>;
-        request-sit <boolean>; // obsolete
         require-server-cookie <boolean>;
         resolver-nonbackoff-tries <integer>;
         resolver-query-timeout <integer>;
@@ -715,7 +656,6 @@ view <string> [ <class> ] {
             [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [
             dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text>
             } ];
-        rfc2308-type1 <boolean>; // ancient
         root-delegation-only [ exclude { <string>; ... } ];
         root-key-sentinel <boolean>;
         rrset-order { [ class <string> ] [ type <string> ] [ name
@@ -746,9 +686,7 @@ view <string> [ <class> ] {
                 request-expire <boolean>;
                 request-ixfr <boolean>;
                 request-nsid <boolean>;
-                request-sit <boolean>; // obsolete
                 send-cookie <boolean>;
-                support-ixfr <boolean>; // obsolete
                 tcp-keepalive <boolean>;
                 tcp-only <boolean>;
                 transfer-format ( many-answers | one-answer );
@@ -768,9 +706,8 @@ view <string> [ <class> ] {
         stale-answer-ttl <duration>;
         stale-cache-enable <boolean>;
         stale-refresh-time <duration>;
-        suppress-initial-notify <boolean>; // not yet implemented
+        suppress-initial-notify <boolean>; // obsolete
         synth-from-dnssec <boolean>;
-        topology { <address_match_element>; ... }; // ancient
         transfer-format ( many-answers | one-answer );
         transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
             dscp <integer> ];
@@ -788,7 +725,6 @@ view <string> [ <class> ] {
         try-tcp-refresh <boolean>;
         update-check-ksk <boolean>;
         use-alt-transfer-source <boolean>;
-        use-queryport-pool <boolean>; // obsolete
         v6-bias <integer>;
         validate-except { <string>; ... };
         zero-no-soa-ttl <boolean>;
@@ -836,20 +772,15 @@ view <string> [ <class> ] {
                     dscp <integer> ]; ... };
                 in-view <string>;
                 inline-signing <boolean>;
-                ixfr-base <quoted_string>; // ancient
                 ixfr-from-differences <boolean>;
-                ixfr-tmp-file <quoted_string>; // ancient
                 journal <quoted_string>;
                 key-directory <quoted_string>;
-                maintain-ixfr-base <boolean>; // ancient
                 masterfile-format ( map | raw | text );
                 masterfile-style ( full | relative );
                 masters [ port <integer> ] [ dscp <integer> ] { (
                     <primaries> | <ipv4_address> [ port <integer> ] |
                     <ipv6_address> [ port <integer> ] ) [ key <string> ];
                     ... };
-                max-ixfr-log-size ( default | unlimited |
-                    <sizeval> ); // ancient
                 max-ixfr-ratio ( unlimited | <percentage> );
                 max-journal-size ( default | unlimited | <sizeval> );
                 max-records <integer>;
@@ -875,8 +806,6 @@ view <string> [ <class> ] {
                     <primaries> | <ipv4_address> [ port <integer> ] |
                     <ipv6_address> [ port <integer> ] ) [ key <string> ];
                     ... };
-                pubkey <integer> <integer> <integer>
-                    <quoted_string>; // ancient
                 request-expire <boolean>;
                 request-ixfr <boolean>;
                 serial-update-method ( date | increment | unixtime );
@@ -947,18 +876,14 @@ zone <string> [ <class> ] {
             | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
         in-view <string>;
         inline-signing <boolean>;
-        ixfr-base <quoted_string>; // ancient
         ixfr-from-differences <boolean>;
-        ixfr-tmp-file <quoted_string>; // ancient
         journal <quoted_string>;
         key-directory <quoted_string>;
-        maintain-ixfr-base <boolean>; // ancient
         masterfile-format ( map | raw | text );
         masterfile-style ( full | relative );
         masters [ port <integer> ] [ dscp <integer> ] { ( <primaries> |
             <ipv4_address> [ port <integer> ] | <ipv6_address> [ port
             <integer> ] ) [ key <string> ]; ... };
-        max-ixfr-log-size ( default | unlimited | <sizeval> ); // ancient
         max-ixfr-ratio ( unlimited | <percentage> );
         max-journal-size ( default | unlimited | <sizeval> );
         max-records <integer>;
@@ -983,7 +908,6 @@ zone <string> [ <class> ] {
         primaries [ port <integer> ] [ dscp <integer> ] { ( <primaries> |
             <ipv4_address> [ port <integer> ] | <ipv6_address> [ port
             <integer> ] ) [ key <string> ]; ... };
-        pubkey <integer> <integer> <integer> <quoted_string>; // ancient
         request-expire <boolean>;
         request-ixfr <boolean>;
         serial-update-method ( date | increment | unixtime );
diff --git a/doc/misc/options.active b/doc/misc/options.active
index b418af3c39..6d158267bf 100644
--- a/doc/misc/options.active
+++ b/doc/misc/options.active
@@ -93,7 +93,7 @@ options {
             * ) ] [ dscp <integer> ];
         answer-cookie <boolean>;
         attach-cache <string>;
-        auth-nxdomain <boolean>; // default changed
+        auth-nxdomain <boolean>;
         auto-dnssec ( allow | maintain | off );
         automatic-interface-scan <boolean>;
         avoid-v4-udp-ports { <portrange>; ... };
@@ -422,10 +422,10 @@ statistics-channels {
 
 tls <string> {
         cert-file <quoted_string>;
-        ciphers <string>; // not implemented
-        dh-param <quoted_string>; // not implemented
+        ciphers <string>; // experimental
+        dh-param <quoted_string>; // experimental
         key-file <quoted_string>;
-        protocols <sslprotos>; // not implemented
+        protocols <sslprotos>; // experimental
 }; // may occur multiple times
 
 trust-anchors { <string> ( static-key |
@@ -457,7 +457,7 @@ view <string> [ <class> ] {
         alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
             * ) ] [ dscp <integer> ];
         attach-cache <string>;
-        auth-nxdomain <boolean>; // default changed
+        auth-nxdomain <boolean>;
         auto-dnssec ( allow | maintain | off );
         cache-file <quoted_string>;
         catalog-zones { zone <string> [ default-masters [ port <integer> ]
diff --git a/doc/misc/options.grammar.rst b/doc/misc/options.grammar.rst
index 9dba4f965a..867256d25a 100644
--- a/doc/misc/options.grammar.rst
+++ b/doc/misc/options.grammar.rst
@@ -21,7 +21,7 @@
   	    * ) ] [ dscp <integer> ];
   	answer-cookie <boolean>;
   	attach-cache <string>;
-  	auth-nxdomain <boolean>; // default changed
+  	auth-nxdomain <boolean>;
   	auto-dnssec ( allow | maintain | off );
   	automatic-interface-scan <boolean>;
   	avoid-v4-udp-ports { <portrange>; ... };