diff --git a/config/dnscrypt-proxy.toml b/config/dnscrypt-proxy.toml
index 68e492c..533d6db 100644
--- a/config/dnscrypt-proxy.toml
+++ b/config/dnscrypt-proxy.toml
@@ -223,6 +223,14 @@ dnscrypt_ephemeral_keys = true
 # tls_cipher_suite = [52392, 49199]
 
 
+## Log TLS key material to a file, for debugging purposes only.
+## This file will contain the TLS master key, which can be used to decrypt
+## all TLS traffic to/from DoH servers.
+## Never ever enable except for debugging purposes with a tool such as mitmproxy.
+
+# tls_key_log_file = '/tmp/keylog.txt'
+
+
 ## Bootstrap resolvers
 ##
 ## These are normal, non-encrypted DNS resolvers, that will be only used