diff --git a/nix-system-configs/modules/system/traefik.nix b/nix-system-configs/modules/system/traefik.nix
index b86ce8d..40933e0 100644
--- a/nix-system-configs/modules/system/traefik.nix
+++ b/nix-system-configs/modules/system/traefik.nix
@@ -636,6 +636,20 @@ in {
           ${pkgs.util-linux}/bin/logger -s "DDNS Updater: No record_name arg provided; using record_name env: '$record_name'"
         fi
 
+        # If a zone id was passed as second argument, use it (wrapper now passes it)
+        if [ -n "$2" ]; then
+          zone_identifier="$2"
+          ${pkgs.util-linux}/bin/logger -s "DDNS Updater: Using zone_identifier from arg: '$zone_identifier'"
+        else
+          ${pkgs.util-linux}/bin/logger -s "DDNS Updater: No zone_identifier arg provided; using zone_identifier env: '$zone_identifier'"
+        fi
+
+        # Fail fast if we still don't have a zone identifier
+        if [ -z "$zone_identifier" ]; then
+          ${pkgs.util-linux}/bin/logger -s "DDNS Updater: zone_identifier is empty — cannot proceed (invalid zone)."
+          exit 2
+        fi
+
         ###########################################
         ## Check and set the proper auth header
         ###########################################
@@ -753,7 +767,7 @@ in {
             export record_name="$r.${domain}"
           fi
           # Invoke the single-run script explicitly with the system's bash via env to avoid /bin/bash shebang issues
-          ${pkgs.bash}/bin/bash /etc/cloudflare-ddns/update-single.sh "$record_name" || true
+          ${pkgs.bash}/bin/bash /etc/cloudflare-ddns/update-single.sh "$record_name" "$zone_identifier" || true
         done
 
       '';