diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0566021..9e3de16 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,3 +8,7 @@
 
 * 1.0.2 -- 2023-03-24
   - create new submodules: ptr
+
+* 1.0.3 -- 2023-04-06
+  - add zone variable, calculate if missing from everything after first dot.  Need to use
+    zone if the zone is called {domain} but the name registered is {name}.{name}.{domain}
diff --git a/a/README.md b/a/README.md
index 36ed402..30e22d8 100644
--- a/a/README.md
+++ b/a/README.md
@@ -85,6 +85,7 @@ The record looks like:
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no |
 | <a name="input_ttl"></a> [ttl](#input\_ttl) | DNS RR Time To Live (ttl).  Default 900s (15m). | `number` | `900` | no |
 | <a name="input_values"></a> [values](#input\_values) | DNS value to set for the name.  May be a string or list of strings (like multiple IP addresses) | `any` | n/a | yes |
+| <a name="input_zone"></a> [zone](#input\_zone) | DNS Zone into which to create the record.  By default, it will extract this from the name after the first dot. | `string` | `null` | no |
 
 ## Outputs
 
diff --git a/a/main.tf b/a/main.tf
index 35f00ea..c3f1f5d 100644
--- a/a/main.tf
+++ b/a/main.tf
@@ -79,6 +79,36 @@ EXAMPLE> 900 IN TXT   "heritage=terraform,terraform/account_id=818199694861,terr
 * }
 * ```
 *
+* ## Using a Zone defined in another account
+* This requires the role `r-inf-terraform-route53` be created from the Terraform module `aws-vpc-setup/route53-association/terraform-role`
+* (generally in `common/apps/route53`.  It then uses an STS AssumeRole from Terraform.  You must have the approriate permissions
+* on the source account to assume this role.
+*
+* file: provider.route53.east_ma13_gov.tf
+* ```hcl
+* provider "aws" {
+*   alias  = "east_ma13_gov"
+*   region = var.region_map["east"]
+*   assume_role {
+*     role_arn     = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, "187944776148")
+*     session_name = var.os_username
+*   }
+* }
+* ```
+* 
+* file: dns.tf
+* ```hcl
+* module "db_cname" {
+*   providers = {
+*     aws = aws.east_ma13_gov
+*   }
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-dns//cname"
+* 
+*   zone   = var.vpc_domain_name
+*   name   = local.app_db_dns_name
+*   values = [module.db.db_instance_address]
+* }
+* ```
 */
 
 locals {
diff --git a/aaaa/README.md b/aaaa/README.md
index f09a051..800cc74 100644
--- a/aaaa/README.md
+++ b/aaaa/README.md
@@ -77,6 +77,7 @@ No modules.
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no |
 | <a name="input_ttl"></a> [ttl](#input\_ttl) | DNS RR Time To Live (ttl).  Default 900s (15m). | `number` | `900` | no |
 | <a name="input_values"></a> [values](#input\_values) | DNS value to set for the name.  May be a string or list of strings (like multiple IP addresses) | `any` | n/a | yes |
+| <a name="input_zone"></a> [zone](#input\_zone) | DNS Zone into which to create the record.  By default, it will extract this from the name after the first dot. | `string` | `null` | no |
 
 ## Outputs
 
diff --git a/aaaa/main.tf b/aaaa/main.tf
index baaca33..3037ea1 100644
--- a/aaaa/main.tf
+++ b/aaaa/main.tf
@@ -78,6 +78,37 @@ EXAMPLE> 900 IN TXT   "heritage=terraform,terraform/account_id=818199694861,terr
 *   values  = aws_dms_replication_instance.dev.replication_instance_private_ips
 * }
 * ```
+*
+* ## Using a Zone defined in another account
+* This requires the role `r-inf-terraform-route53` be created from the Terraform module `aws-vpc-setup/route53-association/terraform-role`
+* (generally in `common/apps/route53`.  It then uses an STS AssumeRole from Terraform.  You must have the approriate permissions
+* on the source account to assume this role.
+*
+* file: provider.route53.east_ma13_gov.tf
+* ```hcl
+* provider "aws" {
+*   alias  = "east_ma13_gov"
+*   region = var.region_map["east"]
+*   assume_role {
+*     role_arn     = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, "187944776148")
+*     session_name = var.os_username
+*   }
+* }
+* ```
+* 
+* file: dns.tf
+* ```hcl
+* module "db_cname" {
+*   providers = {
+*     aws = aws.east_ma13_gov
+*   }
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-dns//cname"
+* 
+*   zone   = var.vpc_domain_name
+*   name   = local.app_db_dns_name
+*   values = [module.db.db_instance_address]
+* }
+* ```
 */
 
 locals {
diff --git a/cname/README.md b/cname/README.md
index d90daf1..5039348 100644
--- a/cname/README.md
+++ b/cname/README.md
@@ -112,6 +112,7 @@ No modules.
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no |
 | <a name="input_ttl"></a> [ttl](#input\_ttl) | DNS RR Time To Live (ttl).  Default 900s (15m). | `number` | `900` | no |
 | <a name="input_values"></a> [values](#input\_values) | DNS value to set for the name.  May be a string or list of strings (like multiple IP addresses) | `any` | n/a | yes |
+| <a name="input_zone"></a> [zone](#input\_zone) | DNS Zone into which to create the record.  By default, it will extract this from the name after the first dot. | `string` | `null` | no |
 
 ## Outputs
 
@@ -122,3 +123,4 @@ No modules.
 | <a name="output_availability_zone_suffixes"></a> [availability\_zone\_suffixes](#output\_availability\_zone\_suffixes) | VPC Availability zone suffix list |
 | <a name="output_heritage_name"></a> [heritage\_name](#output\_heritage\_name) | DNS Name created for the heritage record, if enabled |
 | <a name="output_name"></a> [name](#output\_name) | DNS Name created (same as what was provided) |
+| <a name="output_timestamp"></a> [timestamp](#output\_timestamp) | Record creation Unix timestamp (from heritage records) |
diff --git a/cname/main.tf b/cname/main.tf
index 0b2b56e..4074586 100644
--- a/cname/main.tf
+++ b/cname/main.tf
@@ -80,6 +80,36 @@
 * }
 * ```
 *
+* ## Using a Zone defined in another account
+* This requires the role `r-inf-terraform-route53` be created from the Terraform module `aws-vpc-setup/route53-association/terraform-role`
+* (generally in `common/apps/route53`.  It then uses an STS AssumeRole from Terraform.  You must have the approriate permissions
+* on the source account to assume this role.
+*
+* file: provider.route53.east_ma13_gov.tf
+* ```hcl
+* provider "aws" {
+*   alias  = "east_ma13_gov"
+*   region = var.region_map["east"]
+*   assume_role {
+*     role_arn     = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, "187944776148")
+*     session_name = var.os_username
+*   }
+* }
+* ```
+* 
+* file: dns.tf
+* ```hcl
+* module "db_cname" {
+*   providers = {
+*     aws = aws.east_ma13_gov
+*   }
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-dns//cname"
+* 
+*   zone   = var.vpc_domain_name
+*   name   = local.app_db_dns_name
+*   values = [module.db.db_instance_address]
+* }
+* ```
 */
 
 locals {
diff --git a/common/version.tf b/common/version.tf
index 02c6357..1dfb710 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.0.2"
+  _module_version = "1.0.3"
 }
diff --git a/host/README.md b/host/README.md
index 5bbcaf3..71d627c 100644
--- a/host/README.md
+++ b/host/README.md
@@ -86,6 +86,7 @@ The record looks like:
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no |
 | <a name="input_ttl"></a> [ttl](#input\_ttl) | DNS RR Time To Live (ttl).  Default 900s (15m). | `number` | `900` | no |
 | <a name="input_values"></a> [values](#input\_values) | DNS value to set for the name.  May be a string or list of strings (like multiple IP addresses) | `any` | n/a | yes |
+| <a name="input_zone"></a> [zone](#input\_zone) | DNS Zone into which to create the record.  By default, it will extract this from the name after the first dot. | `string` | `null` | no |
 
 ## Outputs
 
@@ -96,3 +97,4 @@ The record looks like:
 | <a name="output_availability_zone_suffixes"></a> [availability\_zone\_suffixes](#output\_availability\_zone\_suffixes) | VPC Availability zone suffix list |
 | <a name="output_heritage_name"></a> [heritage\_name](#output\_heritage\_name) | DNS Name created for the heritage record, if enabled |
 | <a name="output_name"></a> [name](#output\_name) | DNS Name created (same as what was provided) |
+| <a name="output_timestamp"></a> [timestamp](#output\_timestamp) | Record creation Unix timestamp (from heritage records) |
diff --git a/host/main.tf b/host/main.tf
index a9bfc3f..116aead 100644
--- a/host/main.tf
+++ b/host/main.tf
@@ -78,6 +78,36 @@ EXAMPLE> 900 IN TXT   "heritage=terraform,terraform/account_id=818199694861,terr
 *   values  = aws_dms_replication_instance.dev.replication_instance_private_ips
 * }
 * ```
+* ## Using a Zone defined in another account
+* This requires the role `r-inf-terraform-route53` be created from the Terraform module `aws-vpc-setup/route53-association/terraform-role`
+* (generally in `common/apps/route53`.  It then uses an STS AssumeRole from Terraform.  You must have the approriate permissions
+* on the source account to assume this role.
+*
+* file: provider.route53.east_ma13_gov.tf
+* ```hcl
+* provider "aws" {
+*   alias  = "east_ma13_gov"
+*   region = var.region_map["east"]
+*   assume_role {
+*     role_arn     = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, "187944776148")
+*     session_name = var.os_username
+*   }
+* }
+* ```
+* 
+* file: dns.tf
+* ```hcl
+* module "db_cname" {
+*   providers = {
+*     aws = aws.east_ma13_gov
+*   }
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-dns//cname"
+* 
+*   zone   = var.vpc_domain_name
+*   name   = local.app_db_dns_name
+*   values = [module.db.db_instance_address]
+* }
+* ```
 */
 
 locals {
diff --git a/ptr/README.md b/ptr/README.md
index 60399d9..301fe14 100644
--- a/ptr/README.md
+++ b/ptr/README.md
@@ -78,6 +78,7 @@ The record looks like:
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no |
 | <a name="input_ttl"></a> [ttl](#input\_ttl) | DNS RR Time To Live (ttl).  Default 900s (15m). | `number` | `900` | no |
 | <a name="input_values"></a> [values](#input\_values) | DNS value to set for the name.  May be a string or list of strings (like multiple IP addresses) | `any` | n/a | yes |
+| <a name="input_zone"></a> [zone](#input\_zone) | DNS Zone into which to create the record.  By default, it will extract this from the name after the first dot. | `string` | `null` | no |
 
 ## Outputs
 
diff --git a/ptr/main.tf b/ptr/main.tf
index 314a580..9bce60e 100644
--- a/ptr/main.tf
+++ b/ptr/main.tf
@@ -74,6 +74,37 @@ EXAMPLE> 900 IN TXT   "heritage=terraform,terraform/account_id=818199694861,terr
 *   values  = aws_dms_replication_instance.dev.replication_instance_private_ips
 * }
 * ```
+*
+* ## Using a Zone defined in another account
+* This requires the role `r-inf-terraform-route53` be created from the Terraform module `aws-vpc-setup/route53-association/terraform-role`
+* (generally in `common/apps/route53`.  It then uses an STS AssumeRole from Terraform.  You must have the approriate permissions
+* on the source account to assume this role.
+*
+* file: provider.route53.east_ma13_gov.tf
+* ```hcl
+* provider "aws" {
+*   alias  = "east_ma13_gov"
+*   region = var.region_map["east"]
+*   assume_role {
+*     role_arn     = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, "187944776148")
+*     session_name = var.os_username
+*   }
+* }
+* ```
+* 
+* file: dns.tf
+* ```hcl
+* module "db_cname" {
+*   providers = {
+*     aws = aws.east_ma13_gov
+*   }
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-dns//cname"
+* 
+*   zone   = var.vpc_domain_name
+*   name   = local.app_db_dns_name
+*   values = [module.db.db_instance_address]
+* }
+* ```
 */
 
 locals {