diff --git a/etc/unbound/unbound.conf.d/.gitignore b/etc/unbound/unbound.conf.d/.gitignore
index 71f81f42..1f659d9c 100644
--- a/etc/unbound/unbound.conf.d/.gitignore
+++ b/etc/unbound/unbound.conf.d/.gitignore
@@ -1 +1,2 @@
 dot-trex.conf
+cache.conf
diff --git a/etc/unbound/unbound.conf.d/cache-size.conf b/etc/unbound/unbound.conf.d/cache-size.conf
new file mode 100644
index 00000000..a282f9c1
--- /dev/null
+++ b/etc/unbound/unbound.conf.d/cache-size.conf
@@ -0,0 +1,13 @@
+# This has potential to increase memory usage to 110m under heavy usage, but
+# I find that unlikely as almost everything is using so short TTLs
+# See also MEMORY CONTROL EXAMPLE in man unbound.conf
+
+server:
+ # bytes in message cache, defaults to 4m
+ msg-cache-size: 50m
+ # bytes in rrset cache, defaults to 4m
+ rrset-cache-size: 50m
+ # nxdomain cache, default 1m
+ neg-cache-size: 10m
+
+# vim: filetype=unbound.conf
diff --git a/etc/unbound/unbound.conf.d/cache.conf.SAMPLE b/etc/unbound/unbound.conf.d/cache.conf.SAMPLE
deleted file mode 100644
index d4ed51c1..00000000
--- a/etc/unbound/unbound.conf.d/cache.conf.SAMPLE
+++ /dev/null
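Review bot: Ignoring `cache.conf` while the same directives move into the tracked `cache-size.conf`, `expired-stale-serving-rfc8767.conf` and `min-ttl-hour.conf` means a host that still carries a local copy of the old sample as `cache.conf` will hand unbound two definitions of `cache-min-ttl`, `serve-expired` and the cache sizes, with the winner decided by include order; nothing in the commit removes or flags such a leftover. If `cache.conf` is not supposed to exist any more, dropping the ignore entry is safer, since a stale copy then shows up in `git status`; if it is meant as a local-override slot, say so in the ignore file, e.g. `# cache.conf: optional local overrides, intentionally untracked`. This is inferred from the file names only; the include line in unbound.conf is not in the diff.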
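Review bot: The comment on `neg-cache-size` describes it as the nxdomain cache, but in unbound this option sizes the aggressive negative cache of validated NSEC/NSEC3 records (RFC 8198) that is used to synthesise negative answers, so it only has an effect when DNSSEC validation is on; suggested wording `# aggressive negative cache (validated NSEC/NSEC3, RFC 8198), default 1m`. The 110m in the header is the sum of the three configured cache sizes; if I recall the MEMORY CONTROL EXAMPLE correctly, resident memory runs noticeably above the configured totals because of allocator overhead and the other caches, so the header should present 110m as the configured cache total rather than as a usage ceiling, e.g. `# 110m is the configured cache total; actual RSS will be higher (see MEMORY CONTROL EXAMPLE)`.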
@@ -1,50 +0,0 @@
-# Increasing caching
-
-# NOTE AT LEAST CACHE-MIN-TTL IF NOTHING ELSE!
-
-# This has potential to increase memory usage to 110m under heavy usage, but
-# I find that unlikely as almost everything is using so short TTLs
-# See also MEMORY CONTROL EXAMPLE in man unbound.conf
-
-server:
- # bytes in message cache, defaults to 4m
- msg-cache-size: 50m
- # bytes in rrset cache, defaults to 4m
- rrset-cache-size: 50m
- # nxdomain cache, default 1m
- neg-cache-size: 10m
- # Increases TTL of all queries to 900 seconds (5 minutes) if upstream has
- # a lower one. I have been using this since August 2019 without issues.
- # TODO FIXME
- #cache-min-ttl: 900
- # https://blog.apnic.net/2019/11/12/stop-using-ridiculously-low-dns-ttls/
- # dares setting the minimum cache to something between 40 minute and 60,
- # so how about 50 minutes? However it predates RFC 8767.
- # TODO FIXME
- #cache-min-ttl: 3000
- # Why not just make it hour directly, while that is considered as a
- # maximum reasonableish value?
- # TODO FIXME
- cache-min-ttl: 3600
- # Update cache for popular items before they expire. ~10 % traffic
- # increase according to `man unbound.conf`
- prefetch: yes
- # Fetch keys when DS is encountered, lower latency for a bit higher CPU use
- prefetch-key: yes
- # Allow expired results to be served if they are in cache. The cache will
- # get updated the next time.
- serve-expired: yes
- # Serve expired data up to one day (RFC 8767)
- serve-expired-ttl: 86400
- # If serving expired data to client, explicitly give it TTL 30 seconds
- serve-expired-reply-ttl: 30
- # Serve expired data to client if there is no answer in 1.8 seconds as per
- # common timeout 2 seconds according to the RFC 8767
- #serve-expired-client-timeout: 1800
- # However my /etc/resolv.conf timeout is 1 second since all my nameservers
- # are localhost, so let's wait 0.8 seconds instead.
- serve-expired-client-timeout: 800
- # DNSSEC errors for expired records
- ede-serve-expired: yes
-
-# vim: filetype=unbound.conf
diff --git a/etc/unbound/unbound.conf.d/expired-stale-serving-rfc8767.conf b/etc/unbound/unbound.conf.d/expired-stale-serving-rfc8767.conf
new file mode 100644
index 00000000..48df792f
--- /dev/null
+++ b/etc/unbound/unbound.conf.d/expired-stale-serving-rfc8767.conf
@@ -0,0 +1,23 @@
+server:
+ # Update cache for popular items before they expire. ~10 % traffic
+ # increase according to `man unbound.conf`
+ prefetch: yes
+ # Fetch keys when DS is encountered, lower latency for a bit higher CPU use
+ prefetch-key: yes
+ # Allow expired results to be served if they are in cache. The cache will
+ # get updated the next time.
+ serve-expired: yes
+ # Serve expired data up to one day (RFC 8767)
+ serve-expired-ttl: 86400
+ # If serving expired data to client, explicitly give it TTL 30 seconds
+ serve-expired-reply-ttl: 30
+ # Serve expired data to client if there is no answer in 1.8 seconds as per
+ # common timeout 2 seconds according to the RFC 8767
+ #serve-expired-client-timeout: 1800
+ # However my /etc/resolv.conf timeout is 1 second since all my nameservers
+ # are localhost, so let's wait 0.8 seconds instead.
+ serve-expired-client-timeout: 800
+ # Human readable DNSSEC errors for expired records
+ ede-serve-expired: yes
+
+# vim: filetype=unbound.conf
diff --git a/etc/unbound/unbound.conf.d/min-ttl-hour.conf b/etc/unbound/unbound.conf.d/min-ttl-hour.conf
new file mode 100644
index 00000000..559db07d
--- /dev/null
+++ b/etc/unbound/unbound.conf.d/min-ttl-hour.conf
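Review bot: `ede-serve-expired: yes` does nothing on its own; as far as I recall the unbound.conf man page, the Stale Answer code (EDE 3, RFC 8914) is only attached when `ede: yes` is also set, and none of the files in this commit set it, so unless it lives in another included file clients will never see the marker. I would add `ede: yes` directly above it, or a comment naming the file where it is set. The comment on that line also mislabels the feature, since EDE 3 marks a stale answer and is not a DNSSEC error; suggested `# Attach EDE 3 "Stale Answer" (RFC 8914) to expired replies; requires ede: yes`. Separately, `serve-expired-ttl: 86400` keeps answering with records the zone owner withdrew up to a day earlier, which is within the 1 to 3 days RFC 8767 suggests but is worth one line of comment because it lengthens how long a changed or removed record keeps resolving from this cache.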
@@ -0,0 +1,9 @@
+server:
+ # Increases TTL of all queries to 3600 seconds (1 hour) if upstream has
+ # a lower one. I have been using this since August 2019 without issues.
+ # https://blog.apnic.net/2019/11/12/stop-using-ridiculously-low-dns-ttls/
+ # dares setting the minimum cache to something between 40 minute and 60,
+ # however it predates RFC 8767.
+ cache-min-ttl: 3600
+
+# vim: filetype=unbound.conf
diff --git a/etc/unbound/unbound.conf.d/min-ttl.conf.sample b/etc/unbound/unbound.conf.d/min-ttl.conf.sample
new file mode 100644
index 00000000..d36e5e50
--- /dev/null
+++ b/etc/unbound/unbound.conf.d/min-ttl.conf.sample
@@ -0,0 +1,13 @@
+server:
+ # Increases TTL of all queries to 900 seconds (5 minutes) if upstream has
+ # a lower one. I have been using this since August 2019 without issues.
+ #cache-min-ttl: 900
+ # https://blog.apnic.net/2019/11/12/stop-using-ridiculously-low-dns-ttls/
+ # dares setting the minimum cache to something between 40 minute and 60,
+ # so how about 50 minutes? However it predates RFC 8767.
+ #cache-min-ttl: 3000
+ # Why not just make it hour directly, while that is considered as a
+ # maximum reasonableish value?
+ #cache-min-ttl: 3600
+
+# vim: filetype=unbound.conf
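Review bot: `cache-min-ttl: 3600` overrides every upstream TTL below an hour, including the short TTLs operators set deliberately for failover, rotation and ACME challenges, so a changed or removed record can keep resolving from this cache for up to an hour after the zone owner pulled it; the man page warns that high values can leave cached data out of step with the zone. Since `serve-expired` in `expired-stale-serving-rfc8767.conf` already addresses the availability argument the linked article makes, the comment here should state the trade-off rather than only the history, e.g. `# Trade-off: upstream TTLs under 1h are ignored, so record changes or removals can lag up to an hour here`. The first comment line says the TTL of "all queries" is increased; it is the cached RRset TTL that is raised, which is worth stating precisely.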
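Review bot: The comment on the first commented-out value says `900 seconds (5 minutes)`, but 900 seconds is 15 minutes; the slip existed in the deleted `cache.conf.SAMPLE` and has been carried over rather than corrected. Change it to `# Increases TTL of all queries to 900 seconds (15 minutes) if upstream has`. Since every value in this sample is commented out, a one-line header saying that the file is a template to copy and that `min-ttl-hour.conf` holds the active choice would spare the next reader the guesswork.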