diff --git a/machines/ns1/configuration.nix b/machines/ns1/configuration.nix
index a304ceb..82b2a5d 100644
--- a/machines/ns1/configuration.nix
+++ b/machines/ns1/configuration.nix
@@ -65,15 +65,17 @@ in
 # ns1 = primary (master): loads each zone from its file and serves it to ns2.
 # zonefile-load = difference-no-serial lets us edit records without touching the
- # SOA serial; Knot diffs the file, assigns a date-based serial, signs the zone,
- # then notifies ns2 and lets it pull the signed zone via AXFR/IXFR.
+ # SOA serial; Knot diffs the file, assigns a unixtime serial, signs the zone,
+ # then notifies ns2 and lets it pull the signed zone via AXFR/IXFR. unixtime is
+ # strictly monotonic per reload, so two zone versions can never share a serial
+ # (the failure mode dateserial's 2-digit daily counter allowed after a journal reset).
 services.knot.settings.zone = map (d: {
 domain = d;
 file = ../../modules/dns/zones + "/${d}.zone";
 "zonefile-load" = "difference-no-serial";
 "zonefile-sync" = "-1";
 "journal-content" = "all"; # required by difference-no-serial; holds the live signed zone
- "serial-policy" = "dateserial";
+ "serial-policy" = "unixtime";
 "dnssec-signing" = true;
 "dnssec-policy" = "cnx";
 notify = [ "ns2" ];