Today I Learned

Caddy ACME DNS-01 fails with split-horizon DNS

If you run a local DNS resolver with custom entries (split-horizon DNS), Caddy’s DNS-01 ACME challenges can fail silently. Caddy queries your local resolver to verify the _acme-challenge TXT record, but your local resolver returns a different answer than public DNS — so the challenge never validates.

Fix it with tls_resolvers in the global options block to force Caddy to use public DNS for challenge verification:

{
  acme_dns cloudflare {env.CF_API_TOKEN}
  tls_resolvers 1.1.1.1 9.9.9.9
}

This only affects the resolvers Caddy queries for its ACME DNS propagation checks, not name resolution during normal Caddy operation.
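To see the mismatch for yourself before changing the config, the following added diagnostic (my own script, not from the original post and not part of Caddy) performs the same TXT lookup that Caddy's propagation check does against the local resolver and a public one, then classifies the divergence. The resolver addresses and example.com are assumptions; it needs dig on the path.

```bash
#!/bin/sh
# Added diagnostic, not from the original post and not part of Caddy.
# It reproduces the lookup Caddy's DNS-01 propagation check performs:
# resolve _acme-challenge.<domain> TXT via the resolver Caddy would use
# (here, the local split-horizon resolver) and via a public resolver,
# then explain any divergence. Resolver addresses and the domain are
# assumptions; requires dig.

# Sorted TXT answers from one resolver, one per line (empty on NXDOMAIN
# or timeout, which is what a split-horizon override returns when the
# local zone has no _acme-challenge entry).
query_txt() {
  resolver="$1"; name="$2"
  dig +short +time=3 +tries=1 @"$resolver" "$name" TXT 2>/dev/null | sort
}

# Pure classification of the two views, so it can be checked offline.
# Prints: match | absent | missing-locally | missing-publicly | differ
classify_views() {
  local_view="$1"; public_view="$2"
  if [ -z "$local_view" ] && [ -z "$public_view" ]; then
    echo absent             # nobody has the record: client has not published it
  elif [ "$local_view" = "$public_view" ]; then
    echo match
  elif [ -z "$local_view" ]; then
    echo missing-locally    # local zone overrides the domain, no TXT entry
  elif [ -z "$public_view" ]; then
    echo missing-publicly   # record not propagated yet, or wrong zone edited
  else
    echo differ             # stale cache or a different challenge value
  fi
}

# check_split_horizon <domain> [local_resolver] [public_resolver]
# Exit 0 when both views agree, 1 otherwise (i.e. whether DNS-01
# validation could succeed with Caddy pointed at the local resolver).
check_split_horizon() {
  name="_acme-challenge.$1"
  local_res="${2:-127.0.0.1}"; public_res="${3:-1.1.1.1}"
  lv=$(query_txt "$local_res" "$name")
  pv=$(query_txt "$public_res" "$name")
  verdict=$(classify_views "$lv" "$pv")
  echo "$name: $verdict"
  echo "  $local_res  -> ${lv:-<no answer>}"
  echo "  $public_res -> ${pv:-<no answer>}"
  [ "$verdict" = match ]
}

# Example invocation (network required):
#   check_split_horizon example.com 127.0.0.1 1.1.1.1
```

Run it while an ACME order is pending (the TXT record only exists during the challenge); a verdict of missing-locally is the split-horizon case this post describes, and differ usually means the local resolver is serving a cached or overridden answer.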