diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index be601da..6a0b66b 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -49,3 +49,5 @@ dns_host_suffix_backup: 153
 backup_dns_servers:
   - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr)
 
+
+mtu: 1400
diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
index f0a35fe..dc642ae 100644
--- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
+++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
@@ -5,8 +5,7 @@ max-lease-time 86400;
 
 # Option definitions common to all supported networks.
 
-# The MTU theoretically could go as high as 1496 (4-byte VLAN tag).
-option interface-mtu 1400;
+option interface-mtu {{ mtu }};
 option root-path "/";
 
 # The ddns-updates-style parameter controls whether or not the server will
diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2
index 0ba6f5b..62c93be 100644
--- a/roles/unbound/templates/recursive.conf.j2
+++ b/roles/unbound/templates/recursive.conf.j2
@@ -30,26 +30,19 @@ server:
 
     private-address: 10.0.0.0/8
 
-    # XXX
-    # We've been having issues with bogus DNSSEC responses, and unintended
-    # blacklisting of nameservers because of that.
-    # The following is intended as a stopgap solution.
-    #
-    # unbound had issues with auro.re's DS records, apparently;
-    # it kept receiving an error, which subsequently caused a blacklisting
-    # of relevant servers and an inability to resolve auro.re and its
-    # subdomains.
-    #
-    # auro.re does not have DNSSEC anyway, so we can treat it as insecure.
-    domain-insecure: "auro.re"
-
-
     # The host cache TTL affects blacklisting of supposedly bogus hosts.
     # The default was 900 (15 minutes).
     infra-host-ttl: 60
 
-    harden-dnssec-stripped: no
-    disable-dnssec-lame-check: yes
 
+    # The following is vital, we were having issues
+    # with DNSSEC that turned out to be due to UDP responses that were too
+    # large.
 
+    # EDNS reassembly buffer to advertise to UDP peers (the actual buffer
+    # is set with msg-buffer-size). 1472 can solve fragmentation (timeouts)
+    edns-buffer-size: {{ mtu }}
 
+    # Maximum UDP response size (not applied to TCP response).
+    # Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
+    max-udp-size: {{ mtu }}