diff --git a/docs/content/usage/cli/Obtain-a-Certificate.md b/docs/content/usage/cli/Obtain-a-Certificate.md index c92f4ecf0..c7f25dfc0 100644 --- a/docs/content/usage/cli/Obtain-a-Certificate.md +++ b/docs/content/usage/cli/Obtain-a-Certificate.md @@ -58,6 +58,21 @@ GANDI_API_KEY=xxx \ lego --email "you@example.com" --dns gandi --domains "example.org" --domains "*.example.org" run ``` +{{% notice title="For a zone that has multiple SOAs" icon="info-circle" %}} + +This can often be found where your DNS provider has a zone entry for an internal network (i.e. a corporate network, or home LAN) as well as the public internet. +In this case, point lego at an external authoritative server for the zone using the additional parameter `--dns.resolvers`. + +```bash +GANDI_API_KEY=xxx \ +lego --email "you@example.com" --dns gandi --dns.resolvers 9.9.9.9:53 --domains "example.org" --domains "*.example.org" run + +``` + +[More information about resolvers.]({{% ref "options#dns-resolvers-and-challenge-verification" %}}) + +{{% /notice %}} + ## Using a custom certificate signing request (CSR) diff --git a/docs/data/zz_cli_help.toml b/docs/data/zz_cli_help.toml index b6eec239b..638a596ae 100644 --- a/docs/data/zz_cli_help.toml +++ b/docs/data/zz_cli_help.toml @@ -99,6 +99,7 @@ OPTIONS: --always-deactivate-authorizations value Force the authorizations to be relinquished even if the certificate request was successful. --renew-hook value Define a hook. The hook is executed only when the certificates are effectively renewed. --no-random-sleep Do not add a random sleep before the renewal. We do not recommend using this flag if you are doing your renewals in an automated way. (default: false) + --force-cert-domains Check and ensure that the cert's domain list matches those passed in the domains argument. (default: false) --help, -h show help """
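Review bot: In the notice added to Obtain-a-Certificate.md, the prose tells the reader to point lego at "an external authoritative server for the zone", but the example passes `--dns.resolvers 9.9.9.9:53`, which is a public recursive resolver and not an authoritative server for example.org. Either reword the sentence to describe an external resolver that sees the public view of the zone, or use a clearly marked placeholder for the zone's own public nameserver in the example. Smaller points in the same hunk: "i.e." introduces examples here and should be "e.g."; the title "a zone that has multiple SOAs" would read more clearly as a zone with separate internal and public views, which is what the body describes; and the empty added line before the closing fence of the bash block can be dropped.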
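Review bot: In the zz_cli_help.toml hunk, the description added for `--force-cert-domains` does not say what lego does when the certificate's domain list differs from the requested one: "Check and ensure" could mean the run fails or that a certificate is requested with the new list. Since the flag sits next to `--renew-hook` and `--no-random-sleep`, which are used in automated renewals, state the resulting action explicitly and refer to the option as `--domains` rather than "the domains argument". This help-text line is also unrelated to the resolver notice in the first hunk, and no prose documentation for the flag appears in the visible changes, so consider moving it to its own change with a short usage note.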