diff --git a/etc/systemd/resolved.conf.d/00-defaults.conf b/etc/systemd/resolved.conf.d/00-defaults.conf
index 91bc1fb8..a47ec07f 100644
--- a/etc/systemd/resolved.conf.d/00-defaults.conf
+++ b/etc/systemd/resolved.conf.d/00-defaults.conf
@@ -1,5 +1,5 @@
 [Resolve]
-# Breaks everything, https://github.com/systemd/systemd/issues?q=dnssec%3Dallow-downgrade+is%3Aissue+is%3Aopen
+# https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
 #DNSSEC=allow-downgrade
 DNSSEC=no
 DNSOverTLS=opportunistic
diff --git a/etc/systemd/resolved.conf.d/unbound.conf b/etc/systemd/resolved.conf.d/unbound.conf
index 225842eb..ca839719 100644
--- a/etc/systemd/resolved.conf.d/unbound.conf
+++ b/etc/systemd/resolved.conf.d/unbound.conf
@@ -3,7 +3,7 @@
 DNS=127.0.0.1
 DNS=::1
 Domains=~.
-# Done better by Unbound
+# Done better by Unbound, no failed-auxiliary (https://github.com/systemd/systemd/issues/9867)
 DNSSEC=no
 # Not needed on localhost
 DNSOverTLS=no