diff --git a/modules/dns/authoritative.nix b/modules/dns/authoritative.nix
index 0eeb93c..b0cbb8b 100644
--- a/modules/dns/authoritative.nix
+++ b/modules/dns/authoritative.nix
@@ -9,7 +9,12 @@ in
   # this module, so primary and secondary authenticate transfers with the same key.
   clan.core.vars.generators.dns-tsig = {
     share = true;
-    files."tsig.conf".secret = true;
+    files."tsig.conf" = {
+      secret = true;
+      # knotd drops to the "knot" user, so the included key must be readable by it.
+      owner = "knot";
+      group = "knot";
+    };
     runtimeInputs = [ pkgs.knot-dns ];
     script = ''
       keymgr -t cnx_xfr hmac-sha256 > "$out"/tsig.conf
@@ -19,6 +24,10 @@ in
   networking.firewall.allowedTCPPorts = [ 53 ];
   networking.firewall.allowedUDPPorts = [ 53 ];
 
+  # knot binds 0.0.0.0@53 and ::@53, so free port 53 by disabling the
+  # systemd-resolved stub listener. Resolution still works via nss-resolve.
+  services.resolved.extraConfig = "DNSStubListener=no";
+
   services.knot = {
     enable = true;
     # Including the key via keyFiles keeps the secret out of the Nix store.
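Review bot: The new `files."tsig.conf"` attrset pins `owner` and `group` but not the file mode, so how tightly the TSIG key is permissioned on disk depends on whatever default the vars generator applies, which this hunk does not show. If the generator's `files` entries accept a mode setting, pin it explicitly next to `owner`/`group`, e.g. `mode = "0400";`, and otherwise record the inherited default in the comment so a reviewer can check it. Because `share = true` deploys the same secret to primary and secondary, a group- or world-readable key on either host undermines transfer authentication for both. The `runtimeInputs`/`script` attributes and the generator's closing brace continue past the end of the hunk.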
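Review bot: Turning off the stub listener alone can leave `/etc/resolv.conf` pointing at `127.0.0.53` (on NixOS the resolved module typically links it to the stub file), so anything that bypasses NSS, such as statically linked tools, containers or `dig` without an explicit server, loses resolution even though `getaddrinfo` still works via nss-resolve as the comment promises. Consider pointing the system resolv.conf at resolved's non-stub file, e.g. `environment.etc."resolv.conf".source = "/run/systemd/resolve/resolv.conf";`, and confirm `services.resolved.enable` is set elsewhere, since `extraConfig` has no effect otherwise. It would also help to state in the comment that knot serves authoritative answers only and does not recurse, since the firewall lines above expose port 53 on all addresses; the `services.knot` attrset continues past the hunk.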