diff --git a/cluster/gce/config-common.sh b/cluster/gce/config-common.sh
index 094ea618830..fba173efca0 100644
--- a/cluster/gce/config-common.sh
+++ b/cluster/gce/config-common.sh
@@ -35,3 +35,9 @@ function get-master-size {
   fi
   echo "${suggested_master_size}"
 }
+
+if [[ "${FEDERATION:-}" == true ]]; then
+    NODE_SCOPES="${NODE_SCOPES:-compute-rw,monitoring,logging-write,storage-ro,https://www.googleapis.com/auth/ndev.clouddns.readwrite}"
+else
+    NODE_SCOPES="${NODE_SCOPES:-compute-rw,monitoring,logging-write,storage-ro}"
+fi
diff --git a/cluster/gce/config-test.sh b/cluster/gce/config-test.sh
index 4f7faa13042..04c0372e479 100755
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
@@ -57,7 +57,6 @@ MASTER_TAG="${INSTANCE_PREFIX}-master"
 NODE_TAG="${INSTANCE_PREFIX}-minion"
 CLUSTER_IP_RANGE="${CLUSTER_IP_RANGE:-10.180.0.0/14}"
 MASTER_IP_RANGE="${MASTER_IP_RANGE:-10.246.0.0/24}"
-NODE_SCOPES="${NODE_SCOPES:-compute-rw,monitoring,logging-write,storage-ro}"
 RUNTIME_CONFIG="${KUBE_RUNTIME_CONFIG:-}"
 TERMINATED_POD_GC_THRESHOLD=${TERMINATED_POD_GC_THRESHOLD:-100}
 
diff --git a/cluster/gke/config-common.sh b/cluster/gke/config-common.sh
index 3f6e7860802..9850542611a 100644
--- a/cluster/gke/config-common.sh
+++ b/cluster/gke/config-common.sh
@@ -28,9 +28,13 @@ FIREWALL_SSH="${FIREWALL_SSH:-${NETWORK}-allow-ssh}"
 GCLOUD="${GCLOUD:-gcloud}"
 CMD_GROUP="${CMD_GROUP:-}"
 GCLOUD_CONFIG_DIR="${GCLOUD_CONFIG_DIR:-${HOME}/.config/gcloud/kubernetes}"
-NODE_SCOPES="${NODE_SCOPES:-"compute-rw,storage-ro"}"
 MACHINE_TYPE="${MACHINE_TYPE:-n1-standard-2}"
 IMAGE_TYPE="${IMAGE_TYPE:-}"
+if [[ "${FEDERATION:-}" == true ]]; then
+    NODE_SCOPES="${NODE_SCOPES:-compute-rw,storage-ro,https://www.googleapis.com/auth/ndev.clouddns.readwrite}"
+else
+    NODE_SCOPES="${NODE_SCOPES:-compute-rw,storage-ro}"
+fi
 
 # WARNING: any new vars added here must correspond to options that can be
 # passed to `gcloud {CMD_GROUP} container clusters create`, or they will