diff --git a/cluster/config-defaults.yaml b/cluster/config-defaults.yaml
index f732b54732..1c35e6a75f 100644
--- a/cluster/config-defaults.yaml
+++ b/cluster/config-defaults.yaml
@@ -648,6 +648,11 @@ external_dns_excluded_domains: cluster.local
 # synchronization policy between Kubernetes and AWS Route53 (default: sync, options: sync, upsert-only, create-only)
 external_dns_policy: sync
 
+# eternal-dns version for controlling roll-out, can be "current" or "legacy"
+# current => v0.12.2-master-29
+# legacy => v0.9.0-master-26
+external_dns_version: "current"
+
 # select which cache to use for Cluster DNS: unbound or dnsmasq.
 dns_cache: "dnsmasq"
 
diff --git a/cluster/manifests/external-dns/01-rbac.yaml b/cluster/manifests/external-dns/01-rbac.yaml
index 10d562556a..f613891577 100644
--- a/cluster/manifests/external-dns/01-rbac.yaml
+++ b/cluster/manifests/external-dns/01-rbac.yaml
@@ -22,7 +22,11 @@ rules:
 - apiGroups: [""]
   resources: ["services", "endpoints", "pods", "nodes"]
   verbs: ["list"]
+{{- if eq .Cluster.ConfigItems.external_dns_version "current" }}
 - apiGroups: ["networking.k8s.io"]
+{{- else }}
+- apiGroups: ["extensions"]
+{{- end }}
   resources: ["ingresses"]
   verbs: ["list"]
 - apiGroups: ["zalando.org"]
diff --git a/cluster/manifests/external-dns/deployment.yaml b/cluster/manifests/external-dns/deployment.yaml
index 96981e68eb..8a564f8580 100644
--- a/cluster/manifests/external-dns/deployment.yaml
+++ b/cluster/manifests/external-dns/deployment.yaml
@@ -34,7 +34,11 @@ spec:
       serviceAccountName: external-dns
       containers:
       - name: external-dns
+        {{- if eq .Cluster.ConfigItems.external_dns_version "current" }}
         image: container-registry.zalando.net/teapot/external-dns:v0.12.2-master-29
+        {{- else }}
+        image: container-registry.zalando.net/teapot/external-dns:v0.9.0-master-26
+        {{- end }}
         args:
         - --source=service
         - --source=ingress