diff --git a/doc/example.conf.in b/doc/example.conf.in
index 5396029..cbb51ec 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -1,9 +1,10 @@
-#
-# Example configuration file.
-#
-# See unbound.conf(5) man page, version 1.7.2.
-#
-# this is a comment.
+##############################################################################
+# MEMORY CONTROL EXAMPLE
+# In the example config settings below memory usage is reduced. Some ser-
+# vice levels are lower, notable very large data and a high TCP load are
+# no longer supported ... are exceptional for the DNS.
+# (http://unbound.net/documentation/unbound.conf.html)
+##############################################################################

 #Use this to include other text into the file.
 #include: "otherfile.conf"
@@ -12,9 +13,71 @@
 server:
 	# whitespace is not necessary, but looks cleaner.

-	# verbosity number, 0 is least verbose. 1 is default.
+	# verbosity 1 is default
 	verbosity: 1

+	# Self jail Unbound with user "unbound" to /var/lib/unbound
+	# The script /etc/init.d/unbound will setup the location
+	username: "unbound"
+	directory: "/var/lib/unbound"
+	chroot: "/var/lib/unbound"
+
+	# The pid file is created before privleges drop so no concern
+	pidfile: "/var/run/unbound.pid"
+
+	# no threads and no memory slabs for threads
+	num-threads: 1
+	msg-cache-slabs: 1
+	rrset-cache-slabs: 1
+	infra-cache-slabs: 1
+	key-cache-slabs: 1
+
+	# don't be picky about interfaces but consider your firewall
+	interface: 0.0.0.0
+	interface: ::0
+	access-control: 0.0.0.0/0 allow
+	access-control: ::0/0 allow
+
+	# this limits TCP service but uses less buffers
+	outgoing-num-tcp: 1
+	incoming-num-tcp: 1
+
+	# use somewhat higher port numbers versus possible NAT issue
+	outgoing-port-permit: "10240-65335"
+
+	# uses less memory but less performance
+	outgoing-range: 60
+	num-queries-per-thread: 30
+
+	# exclude large responses
+	msg-buffer-size: 8192
+
+	# tiny memory cache
+	infra-cache-numhosts: 200
+	msg-cache-size: 100k
+	rrset-cache-size: 100k
+	key-cache-size: 100k
+	neg-cache-size: 10k
+
+	# gentle on recursion
+	target-fetch-policy: "2 1 0 0 0 0"
+	harden-large-queries: yes
+	harden-short-bufsize: yes
+
+	# DNSSEC enable by removing comments on "module-config:" and "auto-trust-
+	# -anchor-file:" The init script will copy root key to /var/lib/unbound.
+	# See package documentation for crontab entry to copy RFC5011 results back.
+	#module-config: "validator iterator"
+	#auto-trust-anchor-file: "/var/lib/unbound/root.key"
+
+	# DNSSEC needs real time to validate signatures. If your device does not
+	# have power off clock (reboot), then you may need this work around.
+	#domain-insecure: "pool.ntp.org"
+
+##############################################################################
+# Resume Stock example.conf.in
+##############################################################################
+
 	# print statistics to the log (for every thread) every N seconds.
 	# Set to "" or 0 to disable. Default is disabled.
 	# statistics-interval: 0
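Review bot: The added `access-control: 0.0.0.0/0 allow` and `access-control: ::0/0 allow` lines, together with listening on `0.0.0.0` and `::0`, make this example an open recursive resolver for every client that can reach the host, and the only safeguard is the comment's reminder to consider the firewall. Example files tend to be deployed unchanged, so the default should be restrictive: `access-control: 127.0.0.0/8 allow`, `access-control: ::1 allow`, and a commented `#access-control: <LAN-PREFIX> allow` for the operator to fill in. Separately, `outgoing-port-permit: "10240-65335"` looks like a typo for 65535, and DNSSEC validation is left commented out; if both are deliberate, a short comment on each should say so. The `server:` clause continues past the end of this hunk.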