diff --git a/hosts/skydick/default.nix b/hosts/skydick/default.nix index 594a843..9745885 100644 --- a/hosts/skydick/default.nix +++ b/hosts/skydick/default.nix @@ -102,16 +102,9 @@ # resolver that has no analytics-blocking. Fallback handled below. nameservers = [ "10.0.0.1" ]; - # Prefer IPv4 for outbound connections — IPv6 goes through wg-outbound - # on 10.0.0.1 which masquerades with ULA (not globally routable). - # `enableIPv6 = false` alone doesn't stop the kernel from processing - # router advertisements on bond40g — the gateway's radvd was leaking - # an IPv6 link-DNS (fd99:23eb:1682::1) into systemd-resolved, which - # then took precedence for AAAA queries and broke clean NXDOMAIN. - # Sysctl accept_ra=0 (in boot.kernel.sysctl) handles kernel-level RA - # acceptance; the networkd override below covers networkd's userspace - # RA processing. - enableIPv6 = false; + # IPv6 is enabled for SLAAC on bond40g. Keep DNS pinned to 10.0.0.1: + # RA/DHCPv6-provided DNS is disabled in the networkd link config below. + enableIPv6 = true; firewall = { enable = true; @@ -119,10 +112,21 @@ }; }; - # systemd-networkd: explicitly refuse RA on bond40g. The kernel-level - # sysctl above gates the kernel; this gates networkd's userspace - # processing, which is what was caching the link-DNS in resolved. - systemd.network.networks."40-bond40g".networkConfig.IPv6AcceptRA = false; + # systemd-networkd: accept RA on bond40g for SLAAC, but keep DNS/search + # domains and the default route under the explicit IPv4 config above. + systemd.network.networks."40-bond40g" = { + networkConfig = { + IPv6AcceptRA = true; + IPv6PrivacyExtensions = false; + }; + ipv6AcceptRAConfig = { + Token = "::d1c0"; + UseDNS = false; + UseGateway = false; + UseDomains = false; + DHCPv6Client = false; + }; + }; # DNS routed through the network's mosdns at 10.0.0.1 so this host inherits # CN-aware split routing and analytics blocking. AliDNS is the first 
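Review bot: The new comment above `enableIPv6 = true;` drops the rationale the removed comment carried — IPv6 egress being ULA-only through wg-outbound and AAAA answers breaking clean NXDOMAIN — without saying what changed, so a later reader cannot tell whether that limitation still applies. As far as this diff shows, the networkd block further down sets `UseGateway = false`, so the host gets SLAAC addresses on bond40g but no IPv6 default route; if that is the intent, record it here, e.g. `# No IPv6 default route is installed (UseGateway = false in the networkd config below): off-link IPv6 is intentionally unreachable and clients fall back to IPv4.` If the gateway now advertises a globally routable prefix instead, that is the fact this comment should state. The `networking` attrset this hunk sits in starts before the hunk.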
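Review bot: `UseGateway = false;` in `ipv6AcceptRAConfig` only suppresses the default route derived from the RA router lifetime; Route Information Options (RFC 4191) carried in the same RAs are still installed because `UseRoutePrefix` defaults to true in systemd.network(5), so the gateway — or any host able to send RAs on bond40g — can still steer IPv6 prefixes through itself, contrary to the comment's claim that routing stays under the explicit IPv4 config. Add `UseRoutePrefix = false;` next to `UseGateway = false;`, and consider `RouterAllowList = "<gateway link-local address>";` so only the expected radvd source is honored at all. With the kernel `accept_ra` sysctls removed in this commit, networkd is now the only thing gating RA on this link, which makes that allow-list worth having. `Token = "::d1c0";` together with `IPv6PrivacyExtensions = false;` yields a fixed, predictable interface identifier across prefixes — reasonable for a server, but worth a one-line comment such as `# Fixed IID: stable, predictable address is intentional for this host.`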
@@ -177,13 +181,6 @@ }; boot.kernel.sysctl = { - # IPv6 RA suppression — see networking.enableIPv6 = false. Without - # these, the gateway's radvd kept seeding fd99:23eb:1682::1 as a - # link-DNS on bond40g, breaking clean NXDOMAIN for AAAA queries. - "net.ipv6.conf.all.accept_ra" = 0; - "net.ipv6.conf.default.accept_ra" = 0; - "net.ipv6.conf.bond40g.accept_ra" = 0; - # Network buffers for high-throughput storage "net.core.rmem_max" = 134217728; "net.core.wmem_max" = 134217728;