diff --git a/modules/caddytls/acmemanager.go b/modules/caddytls/acmemanager.go
index 8e601832..df735459 100644
--- a/modules/caddytls/acmemanager.go
+++ b/modules/caddytls/acmemanager.go
@@ -111,7 +111,11 @@ func (m *ACMEManagerMaker) Provision(ctx caddy.Context) error {
 		if err != nil {
 			return fmt.Errorf("loading DNS provider module: %v", err)
 		}
-		m.Challenges.DNS = val.(challenge.Provider)
+		prov, err := val.(DNSProviderMaker).NewDNSProvider()
+		if err != nil {
+			return fmt.Errorf("making DNS provider: %v", err)
+		}
+		m.Challenges.DNS = prov
 	}
 
 	// policy-specific storage implementation
@@ -238,5 +242,11 @@ func onDemandAskRequest(ask string, name string) error {
 	return nil
 }
 
+// DNSProviderMaker is a type that can create a new DNS provider.
+// Modules in the tls.dns namespace should implement this interface.
+type DNSProviderMaker interface {
+	NewDNSProvider() (challenge.Provider, error)
+}
+
 // Interface guard
 var _ ManagerMaker = (*ACMEManagerMaker)(nil)