diff --git a/config/config-network.yaml b/config/config-network.yaml
index 3d25ace68..75f79ac24 100644
--- a/config/config-network.yaml
+++ b/config/config-network.yaml
@@ -20,7 +20,7 @@ metadata:
 labels:
 serving.knative.dev/release: devel
 annotations:
- knative.dev/example-checksum: "eaf5fb3f"
+ knative.dev/example-checksum: "14cd8fa3"
 data:
 _example: |
 ################################
@@ -108,3 +108,14 @@ data:
 # rolloutDuration contains the minimal duration in seconds over which the
 # Configuration traffic targets are rolled out to the newest revision.
 rolloutDuration: "0"
+
+ # autocreateClusterDomainClaims controls whether ClusterDomainClaims should
+ # be automatically created (and deleted) as needed when DomainMappings are
+ # reconciled.
+ #
+ # If this is "false", the cluster administrator is responsible for creating
+ # ClusterDomainClaims and delegating them to namespaces via their
+ # spec.Namespace field. This is useful for multitenant environments
+ # which need to control which namespace can use a particular domain name in
+ # a domain mapping.
+ autocreateClusterDomainClaims: "true"
diff --git a/pkg/network.go b/pkg/network.go
index 86217cc98..e88fae04d 100644
--- a/pkg/network.go
+++ b/pkg/network.go
@@ -116,6 +116,10 @@ const (
 // constructing the Knative Route's tag names.
 DefaultTagTemplate = "{{.Tag}}-{{.Name}}"
+ // AutocreateClusterDomainClaimsKey is the key for the
+ // AutocreateClusterDomainClaims property.
+ AutocreateClusterDomainClaimsKey = "autocreateClusterDomainClaims"
+
 // AutoTLSKey is the name of the configuration entry
 // that specifies enabling auto-TLS or not.
 AutoTLSKey = "autoTLS"
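Review bot: The shipped default `autocreateClusterDomainClaims: "true"` is the permissive setting, and the comment added in the `@@ -108,3 +108,14 @@` hunk never says what that means on a shared cluster. By the comment's own description claims are created as needed while DomainMappings are reconciled, so presumably any namespace allowed to create a DomainMapping obtains the claim for whichever domain name it asks for first; that is worth one more comment line, e.g. `# With "true", the first namespace to map a domain name gets its claim; use "false" where tenants must not claim each other's domain names.` The same default is hard-coded as `AutocreateClusterDomainClaims: true` in the `defaultConfig` hunk of pkg/network.go, and the field comment there should carry the same caveat. Separately, the comment spells the field `spec.Namespace`; in a manifest the administrator would presumably write `spec.namespace`.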
@@ -235,6 +239,13 @@ type Config struct {
 // RolloutDurationSecs specifies the default duration for the rollout.
 RolloutDurationSecs int
+
+ // AutocreateClusterDomainClaims specifies whether cluster-wide DomainClaims
+ // should be automatically created (and deleted) as needed when a
+ // DomainMapping is reconciled. If this is false, the
+ // cluster administrator is responsible for pre-creating ClusterDomainClaims
+ // and delegating them to namespaces via their spec.Namespace field.
+ AutocreateClusterDomainClaims bool
 }
 // HTTPProtocol indicates a type of HTTP endpoint behavior
@@ -254,12 +265,13 @@ const (
 func defaultConfig() *Config {
 return &Config{
- DefaultIngressClass: IstioIngressClassName,
- DefaultCertificateClass: CertManagerCertificateClassName,
- DomainTemplate: DefaultDomainTemplate,
- TagTemplate: DefaultTagTemplate,
- AutoTLS: false,
- HTTPProtocol: HTTPEnabled,
+ DefaultIngressClass: IstioIngressClassName,
+ DefaultCertificateClass: CertManagerCertificateClassName,
+ DomainTemplate: DefaultDomainTemplate,
+ TagTemplate: DefaultTagTemplate,
+ AutoTLS: false,
+ HTTPProtocol: HTTPEnabled,
+ AutocreateClusterDomainClaims: true,
 }
 }
@@ -280,6 +292,7 @@ func NewConfigFromMap(data map[string]string) (*Config, error) {
 cm.AsString(DomainTemplateKey, &nc.DomainTemplate),
 cm.AsString(TagTemplateKey, &nc.TagTemplate),
 cm.AsInt(RolloutDurationKey, &nc.RolloutDurationSecs),
+ cm.AsBool(AutocreateClusterDomainClaimsKey, &nc.AutocreateClusterDomainClaims),
 ); err != nil {
 return nil, err
 }
diff --git a/pkg/network_test.go b/pkg/network_test.go
index bf49b464e..38e2213ce 100644
--- a/pkg/network_test.go
+++ b/pkg/network_test.go
@@ -74,7 +74,7 @@ func TestConfiguration(t *testing.T) {
 return c
 }(),
 }, {
- name: "network configuration with non-default rolout duration",
+ name: "network configuration with non-default rollout duration",
 data: map[string]string{
 RolloutDurationKey: "211",
 },
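Review bot: The field comment added in the `@@ -235,6 +239,13 @@` hunk names the objects "cluster-wide DomainClaims" in its first line and "ClusterDomainClaims" three lines later; using the kind name both times keeps the doc searchable, e.g. `// AutocreateClusterDomainClaims specifies whether ClusterDomainClaims`. The comment also omits the default, which the `defaultConfig` hunk sets to `true`; a closing line such as `// Defaults to true.` would tell a reader of the struct that the permissive behaviour is what an empty ConfigMap yields. The Config struct begins above the hunk.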
@@ -95,6 +95,23 @@ func TestConfiguration(t *testing.T) {
 RolloutDurationKey: "-444",
 },
 wantErr: true,
+ }, {
+ name: "network configuration with non-default autocreateClusterDomainClaim value",
+ data: map[string]string{
+ AutocreateClusterDomainClaimsKey: "false",
+ },
+ wantErr: false,
+ wantConfig: func() *Config {
+ c := defaultConfig()
+ c.AutocreateClusterDomainClaims = false
+ return c
+ }(),
+ }, {
+ name: "network configuration with invalid autocreateClusterDomainClaim value",
+ data: map[string]string{
+ AutocreateClusterDomainClaimsKey: "salad",
+ },
+ wantErr: true,
 }, {
 name: "network configuration with non-Cert-Manager Certificate type",
 data: map[string]string{
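Review bot: Both new case names in this hunk spell the setting `autocreateClusterDomainClaim`, without the trailing `s` of the key under test, so a search for the key name misses them; `name: "network configuration with non-default autocreateClusterDomainClaims value",` and the same correction on the "invalid" case fix that. The cases cover "false" and an unparsable value only. Since this switch decides whether claims are handed out automatically, a case with an explicit "true" and one with a differently cased spelling such as "False" would pin which inputs `cm.AsBool` accepts, which is not visible from here. The TestConfiguration table starts and ends outside the hunk.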