diff --git a/machines/ns1/configuration.nix b/machines/ns1/configuration.nix
index 07441c8..37cec57 100644
--- a/machines/ns1/configuration.nix
+++ b/machines/ns1/configuration.nix
@@ -10,13 +10,29 @@ in
   time.timeZone = "Etc/GMT-1"; # UTC+1 (fixed offset, no DST)
   services.timesyncd.enable = true;
 
-  # ns1 = primary (master): holds each master zone file, notifies ns2 and
-  # allows it to pull the zone via AXFR/IXFR.
+  # Automatic DNSSEC signing policy (primary only). ECDSA P-256/SHA-256 with
+  # Knot's default key management: the ZSK auto-rolls and the KSK is kept stable,
+  # so the DS at the registrar only changes on a manual KSK rollover.
+  services.knot.settings.policy = [
+    {
+      id = "cnx";
+      algorithm = "ecdsap256sha256";
+    }
+  ];
+
+  # ns1 = primary (master): loads each zone from its file and serves it to ns2.
+  # zonefile-load = difference-no-serial lets us edit records without touching the
+  # SOA serial; Knot diffs the file, assigns a date-based serial, signs the zone,
+  # then notifies ns2 and lets it pull the signed zone via AXFR/IXFR.
   services.knot.settings.zone = map (d: {
     domain = d;
     file = ../../modules/dns/zones + "/${d}.zone";
-    "zonefile-load" = "whole";
+    "zonefile-load" = "difference-no-serial";
     "zonefile-sync" = "-1";
+    "journal-content" = "all"; # required by difference-no-serial; holds the live signed zone
+    "serial-policy" = "dateserial";
+    "dnssec-signing" = true;
+    "dnssec-policy" = "cnx";
     notify = [ "ns2" ];
     acl = [ "acl_ns2" ];
   }) domains;
diff --git a/modules/dns/zones/buildfor.life.zone b/modules/dns/zones/buildfor.life.zone
index 1434919..efefc55 100644
--- a/modules/dns/zones/buildfor.life.zone
+++ b/modules/dns/zones/buildfor.life.zone
@@ -2,7 +2,7 @@ $ORIGIN buildfor.life.
 
 $TTL 3600
 @ IN SOA ns1.cnx.network. hostmaster.cnx.network. (
-    2026061401 ; serial (bump on every edit: YYYYMMDDnn)
+    2026061401 ; serial (ignored: Knot auto-assigns a dateserial on signing)
     3600 ; refresh
     900 ; retry
     604800 ; expire
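Review bot: Turning on `dnssec-signing` together with `zonefile-sync = "-1"` and `journal-content = "all"` makes Knot's on-host state, the journal holding the signed zone and the KASP database holding the keys, the only copy of what is actually served, and the hunk does not say whether that state directory on ns1 is persistent or backed up. If the KASP DB is lost, Knot would generate a fresh KSK and the DS at the registrar would stop matching, so validating resolvers would fail these zones until the DS is replaced; if the journal is lost, the dateserial restarts from today's base and can fall behind the serial ns2 already holds, so ns2 may ignore the next NOTIFY. The comment also leaves out the one-time step the change depends on: publishing the KSK's DS at the registrar, before which the zones are signed but still treated as insecure. Suggest extending the policy comment with `# Keys live in Knot's KASP DB on ns1: keep that state persistent and backed up (losing it forces a DS update at the registrar), and publish the DS once the first signing has completed.`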
diff --git a/modules/dns/zones/cnx.email.zone b/modules/dns/zones/cnx.email.zone
index 8dcc236..01dfe9f 100644
--- a/modules/dns/zones/cnx.email.zone
+++ b/modules/dns/zones/cnx.email.zone
@@ -2,7 +2,7 @@ $ORIGIN cnx.email.
 
 $TTL 3600
 @ IN SOA ns1.cnx.network. hostmaster.cnx.network. (
-    2026061401 ; serial (bump on every edit: YYYYMMDDnn)
+    2026061401 ; serial (ignored: Knot auto-assigns a dateserial on signing)
     3600 ; refresh
     900 ; retry
     604800 ; expire
diff --git a/modules/dns/zones/cnx.network.zone b/modules/dns/zones/cnx.network.zone
index cd4754a..5912b6a 100644
--- a/modules/dns/zones/cnx.network.zone
+++ b/modules/dns/zones/cnx.network.zone
@@ -2,7 +2,7 @@ $ORIGIN cnx.network.
 
 $TTL 3600
 @ IN SOA ns1.cnx.network. hostmaster.cnx.network. (
-    2026061402 ; serial (bump on every edit: YYYYMMDDnn)
+    2026061402 ; serial (ignored: Knot auto-assigns a dateserial on signing)
     3600 ; refresh
     900 ; retry
     604800 ; expire
@@ -14,9 +14,9 @@ $TTL 3600
 
 ; ---- Glue for the nameservers ----
 ns1 IN A 46.224.170.206
-ns1 IN AAAA fd06:1bad:ece2:92ad:ba99:939d:766d:8974
+ns1 IN AAAA 2a01:4f8:c014:b5c5::1
 ns2 IN A 157.180.70.82
-ns2 IN AAAA fd06:1bad:ece2:92ad:ba99:9323:61be:a09e
+ns2 IN AAAA 2a01:4f9:c014:6d87::1
 
 ; ---- control (ZeroTier controller) ----
 control IN AAAA fd06:1bad:ece2:92ad:ba99:9306:1bad:ece2
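Review bot: The new public AAAA glue for ns1 and ns2 only helps resolvers if the same addresses are also registered as glue at the parent for cnx.network; in-zone glue is not authoritative for the delegation, and the hunk does not say whether the registrar side was updated to match. The Knot `remote` and `acl_ns2` definitions that ns1 uses to notify ns2 and authorise AXFR/IXFR are outside this diff; if they still reference the old ULA addresses, transfers keep running over ZeroTier while the published records point at the public interface, which is fine if intended but deserves a comment so the two are not drifted apart by accident. Suggest adding `; must match the glue registered at the parent for cnx.network` above the ns1/ns2 records.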