Ok @Idez
I really had to ask around on this one and I guess my big question at the end of the day is why traefik is trying to query SOA records rather than just query the name servers directly to ask for the NS records and subsequent TXT records.
I'm running pfSense. I need to do a split DNS so traefik.xxxx.com is resolved to a LAN IP address from within the LAN -- and external to the LAN it is resolved to the WAN address.
In doing this split DNS -- I'm using the pfSense Unbound resolver and the Host Override functionality. Unfortunately when using a Host Override, any subsequent query such as an nslookup, when performed from a client within the LAN, is always going to resolve to the LAN IP address EVEN IF A SPECIFIC RESOLVER IS SPECIFIED (i.e. nslookup domain.com 1.1.1.1). With a Host Override the resolver is ignored.
So the workaround is don't enter the domain name as a host override, but that breaks a lot of LAN functionality.
Certainly there is a recommended workaround for this case, since pfSense isn't all that esoteric and neither is running a split DNS. Other ACME clients I've used in the past such as acme.sh and certbot don't seem to have this issue running a Host Override setup, so I suspect they must be querying Cloudflare differently. I suppose I could continue to use acme.sh or certbot for certificate management, however this diminishes some of the advantages of using Traefik.
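For readers wondering what the SOA queries in this post are for: before a DNS-01 challenge, lego (the ACME library Traefik uses) has to find the zone apex that owns `_acme-challenge.<host>`, because that apex is what it hands to the provider API when it creates the TXT record. It does this by stripping one label at a time and asking for a SOA record; the first name whose answer section carries a SOA is the apex. The block below is an added example, not code from the post or from Traefik/lego: a pure-Python model of that walk run against a constructed in-memory resolver that imitates a LAN host override for `traefik.xxxx.com`. The domain, addresses and nameserver names are placeholders, and the way the override answers non-A queries (NOERROR with an empty answer section) is a modelling assumption, not a statement about Unbound's exact behaviour.

```python
"""Model of lego-style zone discovery (SOA walk) under split DNS.

Added example; not from the original post or the Traefik/lego projects.
The resolver is an in-memory table so the whole thing runs offline.
"""
from __future__ import annotations

from dataclasses import dataclass

NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"


@dataclass(frozen=True)
class Reply:
    rcode: str
    answers: tuple[tuple[str, str, str], ...] = ()  # (owner, rtype, rdata)


class TableResolver:
    """Constructed stand-in for a recursive resolver such as Unbound.

    Names in `override` model a host override: they answer only for A
    records and return NOERROR with an empty answer section for any other
    type (modelling assumption). Other names come from `public`; anything
    missing there is NXDOMAIN. Every query is logged for inspection.
    """

    def __init__(self, public: dict, override: dict) -> None:
        self.public = public      # {name: {rtype: [rdata, ...]}}
        self.override = override  # {name: lan_ip}
        self.queries: list[tuple[str, str]] = []

    def query(self, name: str, rtype: str) -> Reply:
        self.queries.append((name, rtype))
        if name in self.override:
            if rtype == "A":
                return Reply(NOERROR, ((name, "A", self.override[name]),))
            return Reply(NOERROR)  # NODATA: name exists, type does not
        rrsets = self.public.get(name)
        if rrsets is None:
            return Reply(NXDOMAIN)
        rdatas = rrsets.get(rtype, [])
        return Reply(NOERROR, tuple((name, rtype, r) for r in rdatas))


def find_zone_by_fqdn(fqdn: str, resolver: TableResolver) -> str:
    """Return the zone apex (with trailing dot) that owns `fqdn`.

    Strips labels from the left and queries SOA for each candidate. NXDOMAIN
    and NODATA both mean "not an apex, keep walking"; a SOA in the answer
    section means we found it. The bare TLD is never tried, since that SOA
    belongs to the registry, not to a zone the ACME client can edit.
    """
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels) - 1):
        name = ".".join(labels[i:]) + "."
        reply = resolver.query(name, "SOA")
        if reply.rcode == NXDOMAIN:
            continue
        if reply.rcode != NOERROR:
            raise LookupError(f"unexpected rcode {reply.rcode} for {name}")
        for owner, rtype, _rdata in reply.answers:
            if rtype == "SOA":
                return owner
    raise LookupError(f"no SOA found above {fqdn}")


# Constructed data: a public zone for the post's placeholder domain xxxx.com,
# a WAN address in the 203.0.113.0/24 documentation range, and a LAN host
# override pointing traefik.xxxx.com at an RFC 1918 address.
PUBLIC = {
    "xxxx.com.": {
        "SOA": ["ns1.dns.invalid. hostmaster.xxxx.com. 1 3600 600 86400 300"],
        "NS": ["ns1.dns.invalid.", "ns2.dns.invalid."],
    },
    "traefik.xxxx.com.": {"A": ["203.0.113.10"]},
}
OVERRIDE = {"traefik.xxxx.com.": "192.168.1.10"}


def demo() -> tuple[str, list[tuple[str, str]]]:
    """Walk from the challenge name and return (apex, queries issued)."""
    resolver = TableResolver(PUBLIC, OVERRIDE)
    zone = find_zone_by_fqdn("_acme-challenge.traefik.xxxx.com.", resolver)
    return zone, resolver.queries


if __name__ == "__main__":
    apex, log = demo()
    print("zone apex:", apex)
    for q in log:
        print("queried:", *q)
```

Two points worth taking from the model. First, the walk asks for SOA rather than NS because a SOA in the answer section is the one unambiguous marker of a zone apex; NS records at intermediate names can be delegations that give no guidance about which provider zone to write the TXT record into. Second, the lookups go to whatever resolver the client is configured with, so on a LAN where Unbound answers for the hostname, that is what lego sees; Traefik exposes lego's resolver list as `certificatesResolvers.<name>.acme.dnsChallenge.resolvers` (for example `1.1.1.1:53`) to direct these lookups at specific nameservers, which is the setting to inspect when the SOA walk behaves differently on the LAN than from outside.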