diff --git a/changelog.d/5-internal/smallstep-accomp-target-resolving b/changelog.d/5-internal/smallstep-accomp-target-resolving
new file mode 100644
index 00000000000..3d8f4fa8b4e
--- /dev/null
+++ b/changelog.d/5-internal/smallstep-accomp-target-resolving
@@ -0,0 +1,4 @@
+Ensure that targets of the smallstep nginx proxy are resolved at runtime via the
+configured DNS server. This has two benefits: The target gets adjusted when it's
+changed at the DNS server. And, nginx doesn't fail to start when the target
+doesn't exist yet.
diff --git a/charts/smallstep-accomp/templates/server-block-configmap.yaml b/charts/smallstep-accomp/templates/server-block-configmap.yaml
index 366dad7e92e..a6765595d31 100644
--- a/charts/smallstep-accomp/templates/server-block-configmap.yaml
+++ b/charts/smallstep-accomp/templates/server-block-configmap.yaml
@@ -17,12 +17,16 @@ data:
 {{- range .Values.upstreams.proxiedHosts }}
 location /proxyCrl/{{ . }} {
+ # This indirection is required to make the resolver check the domain.
+ # Otherwise, broken upstreams lead to broken deployments.
+ set $backend "{{ . }}";
+
 proxy_redirect off;
 proxy_set_header X-Forwarded-Host $http_host;
- proxy_set_header Host {{ . }};
+ proxy_set_header Host $backend;
 proxy_hide_header Content-Type;
 add_header Content-Type application/pkix-crl;
- proxy_pass "https://{{ . }}/crl";
+ proxy_pass "https://$backend/crl";
 }
 {{- end }}
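Review bot: A variable in `proxy_pass` is only resolved at request time if a `resolver` directive is in scope for this location; none is visible in this hunk (the enclosing `data:` block and any server-level directives are outside it), and without one nginx starts cleanly but answers every request to `/proxyCrl/<host>` with a 502 ("no resolver defined"), which would silently defeat the stated goal. If the resolver is set in the surrounding server block, the added comment should point at it, and it is worth noting that the resolver's `valid=` parameter, when set, overrides the DNS TTL, so record changes propagate at that interval rather than the one the changelog implies. Per nginx's documented behavior, a variable in `proxy_pass` combined with an explicit URI part (`/crl`) makes nginx send that URI as-is, dropping any request suffix and query string that the static form used to carry over — harmless for a fixed CRL endpoint, but state it so nobody later relies on `/proxyCrl/<host>/extra` forwarding. The wording "make the resolver check the domain" also misdescribes the mechanism; I would replace the two comment lines with `# A variable here makes nginx resolve the upstream per request via the configured 'resolver'` and `# instead of once at startup, so a missing or changed DNS record no longer breaks startup.`. Unchanged by this commit but worth a follow-up: the upstream is reached over HTTPS with nginx's default `proxy_ssl_verify off`, so a DNS-steered `$backend` is not authenticated by TLS — acceptable only because CRLs are CA-signed, and that reasoning deserves a comment.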