diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2
index 2b4a442..a65bd43 100644
--- a/roles/unbound/templates/recursive.conf.j2
+++ b/roles/unbound/templates/recursive.conf.j2
@@ -30,3 +30,27 @@ server:
 num-threads: {{ ansible_processor_vcpus }}
 private-address: 10.0.0.0/8
+
+ # XXX
+ # We've been having issues with bogus DNSSEC responses, and unintended
+ # blacklisting of nameservers because of that.
+ # The following is intended as a stopgap solution.
+ #
+ # unbound had issues with auro.re's DS records, apparently;
+ # it kept receiving an error, which subsequently caused a blacklisting
+ # of relevant servers and an inability to resolve auro.re and its
+ # subdomains.
+ #
+ # auro.re does not have DNSSEC anyway, so we can treat it as insecure.
+ domain-insecure: "auro.re"
+
+
+ # The host cache TTL affects blacklisting of supposedly bogus hosts.
+ # The default was 900 (15 minutes).
+ infra-host-ttl: 60
+
+ harden-dnssec-stripped: no
+ disable-dnssec-lame-check: yes
+
+
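Review bot: The two settings at the end of the hunk, `harden-dnssec-stripped: no` and `disable-dnssec-lame-check: yes`, weaken DNSSEC validation for every zone this resolver serves, not just for auro.re, and the comment block only justifies the auro.re problem. With harden-dnssec-stripped off, a trust-anchored zone whose DNSSEC records are missing or fail to validate is treated as insecure rather than bogus, so an on-path attacker who strips signatures can get unsigned answers accepted — this undoes the downgrade protection that validation exists to provide, while the `domain-insecure: "auro.re"` line already covers the stated failure. I would drop those two lines and keep domain-insecure plus the lower infra-host-ttl; if they are truly needed as a stopgap, the comment above them should say so explicitly, e.g. `# TODO: revert — this disables DNSSEC stripping protection for ALL zones, not only auro.re` with a date or ticket, so the "XXX" does not outlive the incident. The `server:` stanza this hunk belongs to starts outside the hunk.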