docs: add note about --dns.resolvers (#2364)

Co-authored-by: Fernandez Ludovic <ldez@users.noreply.github.com>
2026-03-14 14:35:48 +01:00 · 2024-11-29 09:06:30 -05:00 · 2024-11-29 09:06:30 -05:00 · c2f179f144
commit c2f179f144
parent 8e5448ccd7
2 changed files with 16 additions and 0 deletions
--- a/docs/content/usage/cli/Obtain-a-Certificate.md
+++ b/docs/content/usage/cli/Obtain-a-Certificate.md
@ -58,6 +58,21 @@ GANDI_API_KEY=xxx \
 lego --email "you@example.com" --dns gandi --domains "example.org" --domains "*.example.org" run
 ```

+{{% notice title="For a zone that has multiple SOAs" icon="info-circle" %}}
+
+This can often be found where your DNS provider has a zone entry for an internal network (i.e. a corporate network, or home LAN) as well as the public internet.
+In this case, point lego at an external authoritative server for the zone using the additional parameter `--dns.resolvers`.
+
+```bash
+GANDI_API_KEY=xxx \
+lego --email "you@example.com" --dns gandi --dns.resolvers 9.9.9.9:53 --domains "example.org" --domains "*.example.org" run
+
+```
+
+[More information about resolvers.]({{% ref "options#dns-resolvers-and-challenge-verification" %}})
+
+{{% /notice %}}
+

 ## Using a custom certificate signing request (CSR)

--- a/docs/data/zz_cli_help.toml
+++ b/docs/data/zz_cli_help.toml
@ -99,6 +99,7 @@ OPTIONS:
   --always-deactivate-authorizations value  Force the authorizations to be relinquished even if the certificate request was successful.
   --renew-hook value                        Define a hook. The hook is executed only when the certificates are effectively renewed.
   --no-random-sleep                         Do not add a random sleep before the renewal. We do not recommend using this flag if you are doing your renewals in an automated way. (default: false)
+   --force-cert-domains                      Check and ensure that the cert's domain list matches those passed in the domains argument. (default: false)
   --help, -h                                show help
 """