diff --git a/hosts/skydick/default.nix b/hosts/skydick/default.nix
index 324c62e..d419557 100644
--- a/hosts/skydick/default.nix
+++ b/hosts/skydick/default.nix
@@ -102,7 +102,9 @@
 # router advertisements on bond0 — the gateway's radvd was leaking
 # an IPv6 link-DNS (fd99:23eb:1682::1) into systemd-resolved, which
 # then took precedence for AAAA queries and broke clean NXDOMAIN.
-# Explicitly drop RAs on bond0.
+# Sysctl accept_ra=0 (in boot.kernel.sysctl) handles kernel-level RA
+# acceptance; the networkd override below covers networkd's userspace
+# RA processing.
 enableIPv6 = false;
 firewall = {
@@ -111,6 +113,11 @@
 };
 };
+# systemd-networkd: explicitly refuse RA on bond0. The kernel-level
+# sysctl above gates the kernel; this gates networkd's userspace
+# processing, which is what was caching the link-DNS in resolved.
+systemd.network.networks."40-bond0".networkConfig.IPv6AcceptRA = false;
+
 # DNS routed through the network's mosdns at 10.0.0.1 so this host inherits
 # CN-aware split routing and analytics blocking. AliDNS is the first
 # fallback (close, clean, no GFW games), Cloudflare second.
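Review bot: The new `systemd.network.networks."40-bond0".networkConfig.IPv6AcceptRA = false;` line only takes effect if `40-bond0` is exactly the unit name networkd already uses for bond0; nothing in the hunk pins that, so a typo or a renamed generated unit would leave the RA-delivered DNS path this change is closing open, with no error at evaluation time (the enclosing attribute set starts and ends outside the hunk). Consider anchoring the override with `systemd.network.networks."40-bond0".matchConfig.Name = "bond0";` beside it, or recording in the comment how the name was confirmed, e.g. `# verified with: networkctl status bond0` after the switch. Both the rewritten comment in the first hunk and the new one cite an `accept_ra=0` entry "in boot.kernel.sysctl" that is not visible in this diff; if that sysctl is not set (or not set for bond0 specifically), the comments overstate the kernel-side protection, so a cross-reference to the exact option would keep the two layers of the mitigation auditable.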