diff --git a/data/data/aws/main.tf b/data/data/aws/main.tf index 5ce4f01e3f9..14161edd4ba 100644 --- a/data/data/aws/main.tf +++ b/data/data/aws/main.tf @@ -1,6 +1,8 @@ locals { private_zone_id = "${aws_route53_zone.int.zone_id}" + cluster_domain = "${var.cluster_name}.${var.base_domain}" + tags = "${merge(map( "openshiftClusterID", "${var.cluster_id}" ), var.aws_extra_tags)}" @@ -92,7 +94,7 @@ resource "aws_route53_record" "etcd_a_nodes" { type = "A" ttl = "60" zone_id = "${local.private_zone_id}" - name = "${var.cluster_name}-etcd-${count.index}" + name = "etcd-${count.index}.${local.cluster_domain}" records = ["${module.masters.ip_addresses[count.index]}"] } @@ -100,12 +102,12 @@ resource "aws_route53_record" "etcd_cluster" { type = "SRV" ttl = "60" zone_id = "${local.private_zone_id}" - name = "_etcd-server-ssl._tcp.${var.cluster_name}" + name = "_etcd-server-ssl._tcp" records = ["${formatlist("0 10 2380 %s", aws_route53_record.etcd_a_nodes.*.fqdn)}"] } resource "aws_route53_zone" "int" { - name = "${var.base_domain}" + name = "${local.cluster_domain}" force_destroy = true vpc { diff --git a/data/data/aws/route53/base.tf b/data/data/aws/route53/base.tf index d9f4d06dc07..b92e435baab 100644 --- a/data/data/aws/route53/base.tf +++ b/data/data/aws/route53/base.tf @@ -6,11 +6,13 @@ locals { public_zone_id = "${data.aws_route53_zone.base.zone_id}" zone_id = "${var.private_zone_id}" + + cluster_domain = "${var.cluster_name}.${var.base_domain}" } resource "aws_route53_record" "api_external" { zone_id = "${local.public_zone_id}" - name = "${var.cluster_name}-api.${var.base_domain}" + name = "api.${local.cluster_domain}" type = "A" alias { @@ -22,7 +24,7 @@ resource "aws_route53_record" "api_external" { resource "aws_route53_record" "api_internal" { zone_id = "${var.private_zone_id}" - name = "${var.cluster_name}-api.${var.base_domain}" + name = "api.${local.cluster_domain}" type = "A" alias { 
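Review bot: In the `etcd_cluster` hunk of data/data/aws/main.tf the SRV record name becomes the relative `_etcd-server-ssl._tcp`, while the `etcd_a_nodes` records in the same zone are written fully qualified as `etcd-${count.index}.${local.cluster_domain}`. The relative form only resolves to the intended name while the record sits in a zone named exactly after the cluster domain, which is presumably why it is paired with the `aws_route53_zone.int` rename in the same hunk. Writing it as `name = "_etcd-server-ssl._tcp.${local.cluster_domain}"` keeps the two records consistent and makes the etcd discovery name explicit for anyone auditing the zone. Both resource bodies start outside their hunks.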
diff --git a/data/data/aws/vpc/vpc.tf b/data/data/aws/vpc/vpc.tf index 4a44b92e75d..01b19e9d1fb 100644 --- a/data/data/aws/vpc/vpc.tf +++ b/data/data/aws/vpc/vpc.tf @@ -1,6 +1,8 @@ locals { new_private_cidr_range = "${cidrsubnet(data.aws_vpc.cluster_vpc.cidr_block,1,1)}" new_public_cidr_range = "${cidrsubnet(data.aws_vpc.cluster_vpc.cidr_block,1,0)}" + + cluster_domain = "${var.cluster_name}.${var.base_domain}" } resource "aws_vpc" "new_vpc" { @@ -9,7 +11,7 @@ resource "aws_vpc" "new_vpc" { enable_dns_support = true tags = "${merge(map( - "Name", "${var.cluster_name}.${var.base_domain}", + "Name", "${local.cluster_domain}", ), var.tags)}" } diff --git a/data/data/libvirt/main.tf b/data/data/libvirt/main.tf index 06bbac25313..869d151bef7 100644 --- a/data/data/libvirt/main.tf +++ b/data/data/libvirt/main.tf @@ -1,3 +1,7 @@ +locals { + cluster_domain = "${var.cluster_name}.${var.base_domain}" +} + provider "libvirt" { uri = "${var.libvirt_uri}" } @@ -36,7 +40,7 @@ resource "libvirt_network" "net" { mode = "nat" bridge = "${var.libvirt_network_if}" - domain = "${var.base_domain}" + domain = "${local.cluster_domain}" addresses = [ "${var.machine_cidr}", 
@@ -92,27 +96,27 @@ resource "libvirt_domain" "master" { data "libvirt_network_dns_host_template" "bootstrap" { count = "${var.bootstrap_dns ? 1 : 0}" ip = "${var.libvirt_bootstrap_ip}" - hostname = "${var.cluster_name}-api" + hostname = "api.${local.cluster_domain}" } data "libvirt_network_dns_host_template" "masters" { count = "${var.master_count}" ip = "${var.libvirt_master_ips[count.index]}" - hostname = "${var.cluster_name}-api" + hostname = "api.${local.cluster_domain}" } data "libvirt_network_dns_host_template" "etcds" { count = "${var.master_count}" ip = "${var.libvirt_master_ips[count.index]}" - hostname = "${var.cluster_name}-etcd-${count.index}" + hostname = "etcd-${count.index}.${local.cluster_domain}" } data "libvirt_network_dns_srv_template" "etcd_cluster" { count = "${var.master_count}" service = "etcd-server-ssl" protocol = "tcp" - domain = "${var.cluster_name}.${var.base_domain}" + domain = "${local.cluster_domain}" port = 2380 weight = 10 - target = "${var.cluster_name}-etcd-${count.index}.${var.base_domain}" + target = "etcd-${count.index}.${local.cluster_domain}" } diff --git a/data/data/openstack/main.tf b/data/data/openstack/main.tf index 55ae38e5e2d..0432e37fe50 100644 --- a/data/data/openstack/main.tf +++ b/data/data/openstack/main.tf @@ -1,3 +1,7 @@ +locals { + cluster_domain = "${var.cluster_name}.${var.base_domain}" +} + provider "openstack" { auth_url = "${var.openstack_credentials_auth_url}" cert = "${var.openstack_credentials_cert}" @@ -81,7 +85,7 @@ module "topology" { } resource "openstack_objectstorage_container_v1" "container" { - name = "${lower(var.cluster_name)}.${var.base_domain}" + name = "${local.cluster_domain}" metadata = "${merge(map( "Name", "${var.cluster_name}-ignition-master", diff --git a/data/data/openstack/service/main.tf b/data/data/openstack/service/main.tf index a7bb8db1880..bdfb650b9c6 100644 --- a/data/data/openstack/service/main.tf +++ b/data/data/openstack/service/main.tf 
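Review bot: The `openstack_objectstorage_container_v1.container` name in data/data/openstack/main.tf loses the `lower()` call that the removed line applied to `var.cluster_name`. DNS names compare case-insensitively, but object-storage container names generally do not. A cluster name with upper-case characters would therefore produce a differently named container than before; whether such names are rejected earlier is not visible here. Keeping the old behaviour is a one-line change, `name = "${lower(local.cluster_domain)}"`. The resource body continues past the end of the hunk.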
@@ -134,19 +134,19 @@ data "ignition_file" "corefile" { errors reload 10s -${length(var.lb_floating_ip) == 0 ? "" : " file /etc/coredns/db.${var.cluster_domain} ${var.cluster_name}-api.${var.cluster_domain} {\n }\n"} +${length(var.lb_floating_ip) == 0 ? "" : " file /etc/coredns/db.${var.cluster_domain} api.${var.cluster_domain} {\n }\n"} - file /etc/coredns/db.${var.cluster_domain} _etcd-server-ssl._tcp.${var.cluster_name}.${var.cluster_domain} { + file /etc/coredns/db.${var.cluster_domain} _etcd-server-ssl._tcp.${var.cluster_domain} { } -${replace(join("\n", formatlist(" file /etc/coredns/db.${var.cluster_domain} ${var.cluster_name}-etcd-%s.${var.cluster_domain} {\n upstream /etc/resolv.conf\n }\n", var.master_port_names)), "master-port-", "")} +${replace(join("\n", formatlist(" file /etc/coredns/db.${var.cluster_domain} etcd-%s.${var.cluster_domain} {\n upstream /etc/resolv.conf\n }\n", var.master_port_names)), "master-port-", "")} forward . /etc/resolv.conf { } } -${var.cluster_name}.${var.cluster_domain} { +${var.cluster_domain} { log errors reload 10s 
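Review bot: After this hunk `var.cluster_domain` must carry the full cluster domain, whereas the removed lines combined it with `var.cluster_name`, so it previously held the base domain. The variable keeps its name and the module call that sets it is not in the visible hunks. A caller still passing the base domain would make CoreDNS serve the `api.` and `etcd-N.` names, and the final server block, for the whole base domain rather than for this cluster. Please confirm the caller passes `local.cluster_domain` and update the variable's description, for example `description = "Cluster domain (cluster_name.base_domain) served by CoreDNS"`. The heredoc holding this Corefile starts and ends outside the hunk.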
@@ -168,7 +168,7 @@ data "ignition_file" "coredb" { content { content = < 0 { + parents = append(parents, domain[idx+1:]) + } + domain = domain[idx+1:] + } + + for _, p := range parents { + sZone, err := findPublicRoute53(client, p, logger) + if err != nil { + return "", err + } + if sZone != "" { + return sZone, nil + } + } + return "", nil +} + +// findPublicRoute53 finds a public route53 zone matching the dnsName. +// It returns "", when no public route53 zone could be found. +func findPublicRoute53(client *route53.Route53, dnsName string, logger logrus.FieldLogger) (string, error) { request := &route53.ListHostedZonesByNameInput{ - DNSName: aws.String(privateName), + DNSName: aws.String(dnsName), } for i := 0; true; i++ { - logger.Debugf("listing AWS hosted zones (page %d)", i) + logger.Debugf("listing AWS hosted zones %q (page %d)", dnsName, i) list, err := client.ListHostedZonesByName(request) if err != nil { return "", err } for _, zone := range list.HostedZones { - if *zone.Id == privateID { - continue - } - if *zone.Name != privateName { + if *zone.Name != dnsName { + // No name after this can match dnsName return "", nil } if zone.Config == nil || zone.Config.PrivateZone == nil { @@ -381,7 +407,6 @@ func getSharedHostedZone(client *route53.Route53, privateID string, logger logru break } - return "", nil } diff --git a/pkg/types/installconfig.go b/pkg/types/installconfig.go index 97ac99d0401..86c332f98d3 100644 --- a/pkg/types/installconfig.go +++ b/pkg/types/installconfig.go @@ -1,6 +1,8 @@ package types import ( + "fmt" + "github.com/openshift/installer/pkg/ipnet" "github.com/openshift/installer/pkg/types/aws" "github.com/openshift/installer/pkg/types/libvirt" 
@@ -64,6 +66,11 @@ type InstallConfig struct { PullSecret string `json:"pullSecret"` } +// ClusterDomain returns the DNS domain that all records for a cluster must belong to. +func (c *InstallConfig) ClusterDomain() string { + return fmt.Sprintf("%s.%s", c.ObjectMeta.Name, c.BaseDomain) +} + // Platform is the configuration for the specific platform upon which to perform // the installation. Only one of the platform configuration should be set. type Platform struct {
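Review bot: `ClusterDomain` joins `c.ObjectMeta.Name` and `c.BaseDomain` verbatim, so an empty name, an empty base domain or a base domain with a trailing dot produces a malformed domain. That value would then flow into every record built from it. The Terraform files in this commit derive the same value independently as `${var.cluster_name}.${var.base_domain}`, so the two derivations have to stay in step. If both fields are validated before this method is called, which is not visible in the hunk, record that in the doc comment, for example `// Name and BaseDomain are assumed to have passed install-config validation; no normalisation is done here.` Otherwise trim the trailing dot here with `strings.TrimSuffix(c.BaseDomain, ".")`.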