diff --git a/metropolis/node/BUILD.bazel b/metropolis/node/BUILD.bazel
index 2a7d296..f0f650f 100644
--- a/metropolis/node/BUILD.bazel
+++ b/metropolis/node/BUILD.bazel
@@ -12,6 +12,7 @@
         "net_ips.go",
         "net_protocols.go",
         "ports.go",
+        "validation.go",
     ],
     importpath = "source.monogon.dev/metropolis/node",
     visibility = [
@@ -144,7 +145,10 @@
 
 go_test(
     name = "node_test",
-    srcs = ["labels_test.go"],
+    srcs = [
+        "labels_test.go",
+        "validation_test.go",
+    ],
     embed = [":node"],
     deps = ["@io_k8s_apimachinery//pkg/util/validation"],
 )
diff --git a/metropolis/node/core/curator/impl_leader_test.go b/metropolis/node/core/curator/impl_leader_test.go
index bbdf936..6550a30 100644
--- a/metropolis/node/core/curator/impl_leader_test.go
+++ b/metropolis/node/core/curator/impl_leader_test.go
@@ -1735,6 +1735,7 @@
 		t.Run(fmt.Sprintf("case %d", i), func(t *testing.T) {
 			cl := fakeLeader(t, &fakeLeaderOption{
 				icc: &cpb.ClusterConfiguration{
+					ClusterDomain:         "cluster.test",
 					TpmMode:               te.mode,
 					StorageSecurityPolicy: cpb.ClusterConfiguration_STORAGE_SECURITY_POLICY_NEEDS_ENCRYPTION_AND_AUTHENTICATION,
 				},
diff --git a/metropolis/node/core/curator/state_cluster.go b/metropolis/node/core/curator/state_cluster.go
index 02e6891..d5b6001 100644
--- a/metropolis/node/core/curator/state_cluster.go
+++ b/metropolis/node/core/curator/state_cluster.go
@@ -9,7 +9,9 @@
 	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/proto"
 
+	common "source.monogon.dev/metropolis/node"
 	"source.monogon.dev/metropolis/node/core/rpc"
+
 	cpb "source.monogon.dev/metropolis/proto/common"
 )
 
@@ -20,6 +22,7 @@
 // Cluster is the cluster's configuration, as (un)marshaled to/from
 // common.ClusterConfiguration.
 type Cluster struct {
+	ClusterDomain                       string
 	TPMMode                             cpb.ClusterConfiguration_TPMMode
 	StorageSecurityPolicy               cpb.ClusterConfiguration_StorageSecurityPolicy
 	NodeLabelsToSynchronizeToKubernetes []*cpb.ClusterConfiguration_KubernetesConfig_NodeLabelsToSynchronize
@@ -30,6 +33,7 @@
 // user.
 func DefaultClusterConfiguration() *Cluster {
 	return &Cluster{
+		ClusterDomain:                       "cluster.internal",
 		TPMMode:                             cpb.ClusterConfiguration_TPM_MODE_REQUIRED,
 		StorageSecurityPolicy:               cpb.ClusterConfiguration_STORAGE_SECURITY_POLICY_NEEDS_ENCRYPTION_AND_AUTHENTICATION,
 		NodeLabelsToSynchronizeToKubernetes: nil,
@@ -139,10 +143,19 @@
 	if err := proto.Unmarshal(data, &msg); err != nil {
 		return nil, fmt.Errorf("could not unmarshal proto: %w", err)
 	}
+	if msg.ClusterDomain == "" {
+		// Backward compatibility for clusters which did not have this field
+		// initially.
+		msg.ClusterDomain = "cluster.internal"
+	}
 	return clusterFromProto(&msg)
 }
 
 func clusterFromProto(cc *cpb.ClusterConfiguration) (*Cluster, error) {
+	if err := common.ValidateClusterDomain(cc.ClusterDomain); err != nil {
+		return nil, fmt.Errorf("invalid ClusterDomain: %w", err)
+	}
+
 	switch cc.TpmMode {
 	case cpb.ClusterConfiguration_TPM_MODE_REQUIRED:
 	case cpb.ClusterConfiguration_TPM_MODE_BEST_EFFORT:
@@ -161,6 +174,7 @@
 	}
 
 	c := &Cluster{
+		ClusterDomain:         cc.ClusterDomain,
 		TPMMode:               cc.TpmMode,
 		StorageSecurityPolicy: cc.StorageSecurityPolicy,
 	}
@@ -190,6 +204,7 @@
 	}
 
 	return &cpb.ClusterConfiguration{
+		ClusterDomain:         c.ClusterDomain,
 		TpmMode:               c.TPMMode,
 		StorageSecurityPolicy: c.StorageSecurityPolicy,
 		KubernetesConfig: &cpb.ClusterConfiguration_KubernetesConfig{
diff --git a/metropolis/node/validation.go b/metropolis/node/validation.go
new file mode 100644
index 0000000..cf6d520
--- /dev/null
+++ b/metropolis/node/validation.go
@@ -0,0 +1,61 @@
+package node
+
+import (
+	"errors"
+	"fmt"
+	"regexp"
+)
+
+const (
+	// domainNameMaxLength is the maximum length of a domain name supported by DNS
+	// when represented without a trailing dot.
+	domainNameMaxLength = 253
+
+	// clusterDomainMaxLength is the maximum length of a cluster domain. Limiting
+	// this to 80 allows for constructing subdomains of the cluster domain, where
+	// the subdomain part can have length up to 172. With the joining dot, this
+	// adds up to 253.
+	clusterDomainMaxLength = 80
+)
+
+var (
+	fmtDomainNameLabel       = `[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?`
+	reDomainName             = regexp.MustCompile(`^` + fmtDomainNameLabel + `(\.` + fmtDomainNameLabel + `)*$`)
+	reDomainNameEndsInNumber = regexp.MustCompile(`(^|\.)([0-9]+|0x[0-9a-f]*)$`)
+
+	errDomainNameTooLong      = fmt.Errorf("too long, must have length at most %d", domainNameMaxLength)
+	errDomainNameInvalid      = errors.New("must consist of labels separated by '.', where each label has between 1 and 63 lowercase letters, digits or '-', and must not start or end with '-'")
+	errDomainNameEndsInNumber = errors.New("must not end in a number")
+
+	errClusterDomainTooLong = fmt.Errorf("too long, must have length at most %d", clusterDomainMaxLength)
+)
+
+// validateDomainName returns an error if the passed string is not a valid
+// domain name, according to these rules: The name must be a valid DNS name
+// without a trailing dot. Labels must only consist of lowercase letters, digits
+// or '-', and must not start or end with '-'. Additionally, the name must not
+// end in a number, so that it won't be parsed as an IPv4 address.
+func validateDomainName(d string) error {
+	if len(d) > domainNameMaxLength {
+		return errDomainNameTooLong
+	}
+	// This implements RFC 1123 domain validation. Additionally, it does not allow
+	// uppercase, so that we don't need to implement case-insensitive matching.
+	if !reDomainName.MatchString(d) {
+		return errDomainNameInvalid
+	}
+	// This implements https://url.spec.whatwg.org/#ends-in-a-number-checker
+	if reDomainNameEndsInNumber.MatchString(d) {
+		return errDomainNameEndsInNumber
+	}
+	return nil
+}
+
+// ValidateClusterDomain returns an error if the passed string is not a valid
+// cluster domain.
+func ValidateClusterDomain(d string) error {
+	if len(d) > clusterDomainMaxLength {
+		return errClusterDomainTooLong
+	}
+	return validateDomainName(d)
+}
diff --git a/metropolis/node/validation_test.go b/metropolis/node/validation_test.go
new file mode 100644
index 0000000..1a9765e
--- /dev/null
+++ b/metropolis/node/validation_test.go
@@ -0,0 +1,49 @@
+package node
+
+import (
+	"errors"
+	"testing"
+
+	"k8s.io/apimachinery/pkg/util/validation"
+)
+
+func TestValidateDomainName(t *testing.T) {
+	for _, te := range []struct {
+		in   string
+		want error
+	}{
+		{"example.com", nil},
+		{"localhost", nil},
+		{"123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.1.example.com", nil},
+		{"123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.12.example.com", errDomainNameTooLong},
+		{"ex_ample.com", errDomainNameInvalid},
+		{"-.com", errDomainNameInvalid},
+		{"example-.com", errDomainNameInvalid},
+		{"-example.com", errDomainNameInvalid},
+		{"1-1.com", nil},
+		{"xn--h-0fa.com", nil},
+		{".", errDomainNameInvalid},
+		{"example..com", errDomainNameInvalid},
+		{"example.com.", errDomainNameInvalid},
+		{".example.com", errDomainNameInvalid},
+		{"0.example.com", nil},
+		{"01.example.com", nil},
+		{"012345678901234567890123456789012345678901234567890123456789012.example.com", nil},
+		{"0123456789012345678901234567890123456789012345678901234567890123.example.com", errDomainNameInvalid},
+		{"1.1.1.1", errDomainNameEndsInNumber},
+		{"example.123", errDomainNameEndsInNumber},
+		{"0123456789", errDomainNameEndsInNumber},
+		{"example.0x", errDomainNameEndsInNumber},
+		{"0x0123456789abcdef", errDomainNameEndsInNumber},
+		{"1.2.3.1a1", nil},
+	} {
+		if got := validateDomainName(te.in); !errors.Is(got, te.want) {
+			t.Errorf("%q: wanted %v, got %v", te.in, te.want, got)
+		}
+		if validateDomainName(te.in) == nil {
+			if errs := validation.IsDNS1123Subdomain(te.in); len(errs) > 0 {
+				t.Errorf("%q: is not a valid Kubernetes domain: %v", te.in, errs)
+			}
+		}
+	}
+}