diff --git a/terraform/do/dns.tf b/terraform/do/dns.tf
index 07baf39..8289922 100644
--- a/terraform/do/dns.tf
+++ b/terraform/do/dns.tf
@@ -91,11 +91,17 @@ resource "digitalocean_record" "apex" {
 # dns.ct.uvlava.com -> the forge droplet, which runs the dns-updater container
 # behind Caddy (services/dns-updater). Region-mobile nodes POST /nic/update here
 # to repoint their own A record via the DO API.
+#
+# These three records use var.forge_public_ip (a literal string) rather than
+# digitalocean_droplet.forge.ipv4_address — the forge droplet is currently NOT
+# in this state, so a resource reference would drag a duplicate forge create
+# into any targeted apply. The literal matches the live forge IP and lets these
+# records be applied in isolation (-target) without touching the store tier.
 resource "digitalocean_record" "ct_dns" {
   domain = digitalocean_domain.uvlava.name
   type   = "A"
   name   = "dns.ct"
-  value  = digitalocean_droplet.forge.ipv4_address
+  value  = var.forge_public_ip
   ttl    = 300
 }
 
@@ -111,7 +117,7 @@ resource "digitalocean_record" "ct_live" {
   domain = digitalocean_domain.uvlava.name
   type   = "A"
   name   = "live.ct"
-  value  = digitalocean_droplet.forge.ipv4_address
+  value  = var.forge_public_ip
   ttl    = 60
 
   lifecycle {