diff --git a/hosts/common/net/dns.nix b/hosts/common/net/dns.nix
index cbabbc441..6c5d8ab94 100644
--- a/hosts/common/net/dns.nix
+++ b/hosts/common/net/dns.nix
@@ -53,7 +53,7 @@ lib.mkMerge [
 # if you enable this, make sure to persist the stateful data.
 # alternatively, use services.unbound.settings.trust-anchor = ... (or trusted-keys-file)
 services.unbound.enableRootTrustAnchor = false;
- services.unbound.settings.server.cache-max-negative-ttl = 60;
+ # services.unbound.settings.server.cache-max-negative-ttl = 60; #< intended to limit damage during networking flakes, but instead this seems to cause unbound to cache error responses it *wouldn't* otherwise cache
 # services.unbound.settings.server.use-caps-for-id = true; #< TODO: randomizes casing to avoid spoofing
 services.unbound.settings.server.prefetch = true; # prefetch RRs which are about to expire from the cache, to keep them primed
 })
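Review bot: Commenting out `cache-max-negative-ttl` on the added line does not switch negative caching off; it falls back to unbound's default cap, which unbound.conf documents as 3600 seconds for NXDOMAIN/NODATA answers, and the new trailing comment does not mention that. The stated reason is itself hedged ("seems to cause"), so a later reader cannot tell whether the behaviour was confirmed or on which unbound version it was seen. A wrong or forged negative answer can now stay cached for up to an hour, which carries more weight here because the surrounding lines keep `enableRootTrustAnchor = false` and leave `use-caps-for-id` as a TODO; whether a trust anchor is configured elsewhere is not visible in this hunk. I would extend the comment with something like `# unset => unbound default (3600s) applies to NXDOMAIN/NODATA; re-test before re-enabling`. The enclosing `lib.mkMerge` block starts and ends outside the hunk.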