diff --git a/config/dns-issuers.yaml b/config/dns-issuers.yaml
new file mode 100644
--- /dev/null
+++ b/config/dns-issuers.yaml
@@ -0,0 +1,35 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-dns-staging
+  namespace: pomerium
+spec:
+  acme:
+    email: drewp@bigasterisk.com
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-dns-staging
+    solvers:
+    - dns01:
+        digitalocean:
+          tokenSecretRef:
+            name: digitalocean-dns
+            key: access-token
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-dns-prod
+  namespace: pomerium
+spec:
+  acme:
+    email: drewp@bigasterisk.com
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-dns-prod
+    solvers:
+    - dns01:
+        digitalocean:
+          tokenSecretRef:
+            name: digitalocean-dns
+            key: access-token
\ No newline at end of file
diff --git a/upstream/kustomization.yaml b/upstream/kustomization.yaml
--- a/upstream/kustomization.yaml
+++ b/upstream/kustomization.yaml
@@ -13,3 +13,16 @@ patchesStrategicMerge:
 #       - op: add
 #         path: /spec/template/spec/containers/0/args/-
 #         value: "--debug"
+
+  # fix for a digitalocean/dns issue https://github.com/cert-manager/cert-manager/issues/2485#issuecomment-1167314615
+  - target:
+      kind: Deployment
+      name: cert-manager
+      namespace: cert-manager
+    patch: |-
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
+        value: "--dns01-recursive-nameservers-only"
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
+        value: "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53"
\ No newline at end of file