diff --git a/dnf/bootstrap-dnf-centos-stream.conf b/dnf/bootstrap-dnf-centos-stream.conf index 737fc2e..948e731 100644 --- a/dnf/bootstrap-dnf-centos-stream.conf +++ b/dnf/bootstrap-dnf-centos-stream.conf @@ -10,6 +10,8 @@ repo_gpgcheck=1 plugins=1 installonly_limit=3 color=never +deltarpm=False +zchunk=False reposdir=/var/empty diff --git a/dnf/bootstrap-dnf-fedora.conf b/dnf/bootstrap-dnf-fedora.conf index 1f60090..8478827 100644 --- a/dnf/bootstrap-dnf-fedora.conf +++ b/dnf/bootstrap-dnf-fedora.conf @@ -9,6 +9,8 @@ gpgcheck=1 plugins=1 installonly_limit=3 color=never +deltarpm=False +zchunk=False reposdir=/var/empty diff --git a/scripts/prepare-chroot-base b/scripts/prepare-chroot-base index e827e62..51be2a2 100755 --- a/scripts/prepare-chroot-base +++ b/scripts/prepare-chroot-base @@ -52,7 +52,9 @@ else fi DNF=dnf -DNF_OPTS+=(--releasever "$DIST_VER" --installroot="${INSTALL_DIR}" "--downloaddir=$DOWNLOAD_DIR" --downloadonly) +# Delta RPMs and zchunk are unnecessary attack surface +DNF_SEC_OPTS=(--setopt=deltarpm=False --setopt=deltarpm_percentage=0 --setopt=zchunk=0) +DNF_OPTS+=(--releasever "$DIST_VER" --installroot="${INSTALL_DIR}" "--downloaddir=$DOWNLOAD_DIR" --downloadonly "${DNF_SEC_OPTS[@]}") # Ensure INSTALL_DIR exists mkdir -p "$INSTALL_DIR" @@ -61,8 +63,6 @@ if ! [ -f "${INSTALL_DIR}/tmp/.prepared_base" ]; then echo "INFO: Initializing RPM database..." # We want signature checks. RPM_OPTS=('--define=_pkgverify_level all' '--define=_pkgverify_flags 0x0') - # Delta RPMs and zchunk are unnecessary attack surface - DNF_OPTS+=(--setopt=deltarpm=False --setopt=deltarpm_percentage=0 --setopt=zchunk=0) if [ "$(getenforce || :)" = Enforcing ]; then dbpath=$(rpm --eval '%{_dbpath}') mkdir -p "${INSTALL_DIR}${dbpath}" diff --git a/scripts/prepare-chroot-builder b/scripts/prepare-chroot-builder index edac266..31dc532 100755 --- a/scripts/prepare-chroot-builder +++ b/scripts/prepare-chroot-builder 
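Review bot: The two keys added after `color=never` disable delta RPMs and zchunk but omit `deltarpm_percentage=0`, which both scripts in this commit pass alongside them as `--setopt=deltarpm_percentage=0`. Adding `deltarpm_percentage=0` after `deltarpm=False` would keep the bootstrap configuration and the command-line options in agreement, so an audit of the hardening finds the same three settings in every place. The identical hunk in dnf/bootstrap-dnf-fedora.conf has the same gap. A comment line above the new keys, `# Delta RPMs and zchunk are unnecessary attack surface`, would record why they are set, as the script already does.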
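Review bot: The comment above `DNF_SEC_OPTS` in scripts/prepare-chroot-base does not say why the options moved, which is the security-relevant part of this hunk. They were previously appended only inside `if ! [ -f "${INSTALL_DIR}/tmp/.prepared_base" ]`, so a run against an already-prepared root presumably invoked dnf without them. I would extend the comment to `# Delta RPMs and zchunk are unnecessary attack surface; set unconditionally so runs that skip the .prepared_base initialisation are covered too`. As a style point, the array spells the value `zchunk=0` while the conf files and prepare-chroot-builder use `zchunk=False`; one spelling throughout makes the setting easier to grep for. The initial definition of `DNF_OPTS` and the later dnf invocations are outside the hunk.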
@@ -117,6 +117,8 @@ fi cp "${PLUGIN_DIR}/repos/builder-local.repo" "$INSTALL_DIR/etc/yum.repos.d/" sed -i -e "s#ROOT#$PWD#" "$INSTALL_DIR"/etc/yum.repos.d/*-local.repo +chroot "$INSTALL_DIR" dnf config-manager --setopt=deltarpm=False --setopt=zchunk=False --setopt=deltarpm_percentage=0 --save + if [ -n "$USE_QUBES_REPO_VERSION" ]; then cp "${PLUGIN_DIR}/repos/qubes-repo-${PACKAGE_SET}-${DIST_NAME}.repo" "$INSTALL_DIR/etc/yum.repos.d/"
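Review bot: The added `chroot "$INSTALL_DIR" dnf config-manager … --save` line has no failure handling. `config-manager` is a plugin command rather than part of core dnf, so it fails if the plugin package is not yet installed in the chroot at this point. Whether the script runs under `set -e` is not visible in the hunk; if it does not, a failure here leaves delta RPMs and zchunk enabled inside the chroot with no indication. I would make the hardening fail closed by appending `|| { echo "ERROR: could not disable deltarpm/zchunk in chroot" >&2; exit 1; }`. The line also needs the comment used in prepare-chroot-base, `# Delta RPMs and zchunk are unnecessary attack surface`, so the intent is clear to someone reading this script on its own.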