diff --git a/examples/full-cluster-tf-upgrade/1.29/dns-zone.tf.dmz b/examples/full-cluster-tf-upgrade/1.29/dns-zone.tf.dmz
new file mode 100644
index 0000000..5686d0c
--- /dev/null
+++ b/examples/full-cluster-tf-upgrade/1.29/dns-zone.tf.dmz
@@ -0,0 +1,179 @@
+locals {
+ vpc_domain_name = coalesce(var.domain, var.vpc_domain_name)
+ cluster_domain_name = format("%v.%v", var.cluster_name, local.vpc_domain_name)
+ cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name)
+}
+
+#---
+# dmz network prod
+#---
+provider "aws" {
+ alias = "route53_main_dmz_east"
+ profile = var.profile
+ region = var.region_map["east"]
+ assume_role {
+ role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main_dmz"].account_id)
+ session_name = var.os_username
+ }
+}
+
+provider "aws" {
+ alias = "route53_main_dmz_west"
+ profile = var.profile
+ region = var.region_map["west"]
+ assume_role {
+ role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main_dmz"].account_id)
+ session_name = var.os_username
+ }
+}
+
+#---
+# dummy vpc, so we can associate the zone to this account
+#---
+data "aws_vpc" "dummy_vpc" {
+ count = ! (var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
+ filter {
+ name = "tag:Name"
+ values = ["vpc0-dummy"]
+ }
+}
+
+resource "aws_route53_zone" "cluster_domain" {
+ name = local.cluster_domain_name
+ comment = local.cluster_domain_description
+ force_destroy = false
+
+ vpc {
+ vpc_id = ! (var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, null) : data.aws_vpc.eks_vpc.id
+ vpc_region = local.region
+ }
+
+ lifecycle {
+ ignore_changes = [vpc]
+ precondition {
+ condition = (var.shared_vpc_label == null || var.shared_vpc_label == "") || (! (var.shared_vpc_label == null || var.shared_vpc_label == "") && ! (var.domain == null || var.domain == ""))
+ error_message = "var.domain must be provided when shared VPCs are in use."
+ }
+ }
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.tags,
+ var.application_tags,
+ { "Name" = local.cluster_domain_name },
+ )
+}
+
+#---
+# need to also associate with network-prod account and this vpc
+#---
+module "route53_cluster_domain_east" {
+ count = local.region == "us-gov-east-1" && ! (var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
+ providers = {
+ aws.self = aws
+ aws.peer = aws.route53_main_dmz_east
+ }
+
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+ region = "us-gov-east-1"
+ vpc_id = data.aws_vpc.eks_vpc.id
+ zone_ids = [aws_route53_zone.cluster_domain.zone_id]
+
+ tags = merge(
+ local.common_tags,
+ var.application_tags,
+ )
+}
+
+module "route53_cluster_domain_west" {
+ count = local.region == "us-gov-west-1" && ! (var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
+ providers = {
+ aws.self = aws
+ aws.peer = aws.route53_main_dmz_west
+ }
+
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+ region = "us-gov-west-1"
+ vpc_id = data.aws_vpc.eks_vpc.id
+ zone_ids = [aws_route53_zone.cluster_domain.zone_id]
+
+ tags = merge(
+ local.common_tags,
+ var.application_tags,
+ )
+}
+
+
+## # now we need to add the NS records for the new zone to the parent zone
+## data "aws_route53_zone" "parent" {
+## name = var.vpc_domain_name
+## private_zone = true
+## }
+##
+## resource "aws_route53_record" "cluster_domain" {
+## allow_overwrite = true
+## name = local.cluster_domain_name
+## type = "NS"
+## ttl = 900
+## zone_id = data.aws_route53_zone.parent.zone_id
+##
+## records = aws_route53_zone.cluster_domain.name_servers
+## }
+
+output "cluster_domain_name" {
+ description = "DNS Zone Name"
+ value = local.cluster_domain_name
+}
+
+output "cluster_domain_id" {
+ description = "DNS Zone ID"
+ value = aws_route53_zone.cluster_domain.zone_id
+}
+
+output "cluster_domain_ns" {
+ description = "DNS Zone Nameservers"
+ value = aws_route53_zone.cluster_domain.name_servers
+}
+
+#---
+# associate to main do2-govcloud vpc1-services east and west for inbound resolution
+# and to vpc7-endpoints in network prod
+#---
+
+#---
+# dmz network prod
+#---
+module "route53_main_east" {
+ providers = {
+ aws.self = aws
+ aws.peer = aws.route53_main_dmz_east
+ }
+
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+ region = "us-gov-east-1"
+ vpc_id = var.route53_endpoints["route53_main_dmz"]["us-gov-east-1"]
+ zone_ids = [aws_route53_zone.cluster_domain.zone_id]
+
+ tags = merge(
+ local.common_tags,
+ var.application_tags,
+ )
+}
+
+module "route53_main_west" {
+ providers = {
+ aws.self = aws
+ aws.peer = aws.route53_main_dmz_west
+ }
+
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+ region = "us-gov-west-1"
+ vpc_id = var.route53_endpoints["route53_main_dmz"]["us-gov-west-1"]
+ zone_ids = [aws_route53_zone.cluster_domain.zone_id]
+
+ tags = merge(
+ local.common_tags,
+ var.application_tags,
+ )
+}