diff --git a/kdc/kdc.8 b/kdc/kdc.8
index 58197fd20..d5633a2f8 100644
--- a/kdc/kdc.8
+++ b/kdc/kdc.8
@@ -11,10 +11,16 @@ Kerberos 5 server
 .Nm
 .Op Fl c Ar file
 .Op Fl -config-file= Ns Ar file
-.Op Fl p
-.Op Fl -no-require-preauth
+.Op Fl p | Fl -no-require-preauth
+.Op Fl -max-request= Ns Ar size
+.Op Fl H | Fl -enable-http
+.Op Fl K | Fl -no-kaserver
 .Op Fl r Ar realm
 .Op Fl -v4-realm= Ns Ar realm
+.Oo Fl P Ar string \*(Ba Xo
+.Fl -ports= Ns Ar string Oc
+.Xc
+.Op Fl -addresses= Ns Ar list of addresses
 
 .Sh DESCRIPTION
 .Nm
@@ -31,13 +37,30 @@ Specifies the location of the config file, the default is
 This is the only value that can't be specified in the config file.
 .It Fl p
 .It Fl -no-require-preauth
-Turn off the requirement for pre-autentication in the initial
-AS-REQ. The use of pre-authentication makes it more difficult to do
-offline password attacks. You might want to turn it off if you have
-clients that doesn't do pre-authentication. Since the version 4
-protocol doesn't support any pre-authentication, so serving version 4
-clients is just about the same as not requiring pre-athentication. The
-default is to require pre-authentication.
+Turn off the requirement for pre-autentication in the initial AS-REQ
+for all principals. The use of pre-authentication makes it more
+difficult to do offline password attacks. You might want to turn it
+off if you have clients that doesn't do pre-authentication. Since the
+version 4 protocol doesn't support any pre-authentication, so serving
+version 4 clients is just about the same as not requiring
+pre-athentication. The default is to require
+pre-authentication. Adding the require-preauth per principal is a more
+flexible way of handling this.
+.It Xo
+.Fl -max-request= Ns Ar size
+.Xc
+Gives an upper limit on the size of the requests that the kdc is
+willing to handle.
+.It Xo
+.Fl H Ns ,
+.Fl -enable-http
+.Xc
+Makes the kdc listen on port 80 and handle requests encapsulated in HTTP.
+.It Xo
+.Fl K Ns ,
+.Fl -no-kaserver
+.Xc
+Disables kaserver emulation (in case it's compiled in).
 .It Fl r Ar realm
 .It Fl -v4-realm= Ns Ar realm
 What realm this server should act as when dealing with version 4
@@ -47,6 +70,18 @@ explicitly specified. The default is whatever is returned by
 .Fn krb_get_lrealm .
 This option is only availabe if the KDC has been compiled with version
 4 support.
+.It Xo
+.Fl P Ar string Ns ,
+.Fl -ports= Ns Ar string
+.Xc
+Specifies the set of ports the KDC should listen on.  It is given as a
+white-space separated list of services or port numbers.
+.It Xo
+.Fl -addresses= Ns Ar list of addresses
+.Xc
+The list of addresses to listen for requests on.  By default, the kdc
+will listen on all the locally configured addresses.  If only a subset
+is desired, or the automatic detection fails, this option might be used.
 .El
 .Pp
 All activities , are logged to one or more destinations, see