From 31f70ca14abb26bb9ba7de916b7b76692992d0ab Mon Sep 17 00:00:00 2001
From: Monviech
Date: Sat, 4 Oct 2025 20:03:16 +0000
Subject: [PATCH] Skip setting BindHost for DNS Challenge
---
 caddyconfig/httpcaddyfile/tlsapp.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go
index dc1d30213..464794cd3 100644
--- caddyconfig/httpcaddyfile/tlsapp.go
+++ caddyconfig/httpcaddyfile/tlsapp.go
@@ -612,7 +612,7 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
 // This avoids binding the automation policy to the wildcard socket, which is unexpected behavior when a more selective socket is specified via default_bind
 // In BSD it is valid to bind to the wildcard socket even though a more selective socket is already open (still unexpected behavior by the caller though)
 // In Linux the same call will error with EADDRINUSE whenever the listener for the automation policy is opened
- if (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.BindHost == "") {
+ if (acmeIssuer.Challenges == nil || (acmeIssuer.Challenges.DNS == nil && acmeIssuer.Challenges.BindHost == "")) {
 if defBinds, ok := globalDefaultBind.([]ConfigValue); ok && len(defBinds) > 0 {
 if abp, ok := defBinds[0].Value.(addressesWithProtocols); ok && len(abp.addresses) > 0 {
 if acmeIssuer.Challenges == nil {
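Review bot: The new `acmeIssuer.Challenges.DNS == nil` term on the changed `if` line makes every issuer with a DNS challenge configured skip the default_bind inheritance, but the three comment lines above it still describe only the wildcard-socket problem and give no reason for the exception. If an HTTP or TLS-ALPN solver can still open a listener for such an issuer (not visible in this hunk), that listener would fall back to the wildcard address, which is the exposure this block exists to prevent, so the assumption should be stated and covered by a test that combines `default_bind` with a DNS challenge. I would add a comment such as `// With a DNS challenge configured no challenge listener is expected, so BindHost is left unset`. The outer parentheses are also not gofmt style: `if acmeIssuer.Challenges == nil || (acmeIssuer.Challenges.DNS == nil && acmeIssuer.Challenges.BindHost == "") {`. The body of fillInGlobalACMEDefaults starts and ends outside the hunk.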