diff --git a/doc/example.conf.in b/doc/example.conf.in
index be83bda..7317b23 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -15,6 +15,76 @@ server:
 	# verbosity number, 0 is least verbose. 1 is default.
 	verbosity: 1

+	############################################################################
+	# MEMORY CONTROL EXAMPLE
+	# In the example config settings below memory usage is reduced. Some ser-
+	# vice levels are lower, notable very large data and a high TCP load are
+	# no longer supported ... are exceptional for the DNS.
+	# (http://unbound.net/documentation/unbound.conf.html)
+	############################################################################
+
+	# Self jail Unbound with user "unbound" to /var/lib/unbound
+	# The script /etc/init.d/unbound will setup the location
+	username: "unbound"
+	directory: "/var/lib/unbound"
+	chroot: "/var/lib/unbound"
+
+	# The pid file is created before privleges drop so no concern
+	pidfile: "/var/run/unbound.pid"
+
+	# no threads and no memory slabs for threads
+	num-threads: 1
+	msg-cache-slabs: 1
+	rrset-cache-slabs: 1
+	infra-cache-slabs: 1
+	key-cache-slabs: 1
+
+	# don't be picky about interfaces but consider your firewall
+	interface: 0.0.0.0
+	interface: ::0
+	access-control: 0.0.0.0/0 allow
+	access-control: ::0/0 allow
+
+	# this limits TCP service but uses less buffers
+	outgoing-num-tcp: 1
+	incoming-num-tcp: 1
+
+	# use somewhat higher port numbers versus possible NAT issue
+	outgoing-port-permit: "10240-65335"
+
+	# uses less memory but less performance
+	outgoing-range: 60
+	num-queries-per-thread: 30
+
+	# exclude large responses
+	msg-buffer-size: 8192
+
+	# tiny memory cache
+	infra-cache-numhosts: 200
+	msg-cache-size: 100k
+	rrset-cache-size: 100k
+	key-cache-size: 100k
+	neg-cache-size: 10k
+
+	# gentle on recursion
+	target-fetch-policy: "2 1 0 0 0 0"
+	harden-large-queries: yes
+	harden-short-bufsize: yes
+
+	# DNSSEC enable by removing comments on "module-config:" and "auto-trust-
+	# -anchor-file:" The init script will copy root key to /var/lib/unbound.
+	# See package documentation for crontab entry to copy RFC5011 results back.
+	#module-config: "validator iterator"
+	#auto-trust-anchor-file: "/var/lib/unbound/root.key"
+
+	# DNSSEC needs real time to validate signatures. If your device does not
+	# have power off clock (reboot), then you may need this work around.
+	#domain-insecure: "pool.ntp.org"
+
+	############################################################################
+	# Resume Stock example.conf.in
+	############################################################################
+
 	# print statistics to the log (for every thread) every N seconds.
 	# Set to "" or 0 to disable. Default is disabled.
 	# statistics-interval: 0