diff --git a/README.md b/README.md
index c9690e62e..2650deccf 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@
 This repository contains the Knative Ingress and Certificate CRDs, as well as
 their conformance tests. These are our extension points to plugin different
 Ingress plugins (Ambassador, Contour, Gloo, Istio, Kong and Kourier), as well as
-different AutoTLS plugins (CertManager and Knative's own HTTP01 challenge
+different ExternalDomainTLS plugins (CertManager and Knative's own HTTP01 challenge
 solver).
 
 # Knative Ingress aka KIngress
diff --git a/pkg/apis/networking/metadata_validation.go b/pkg/apis/networking/metadata_validation.go
index 85f69717f..961dcce76 100644
--- a/pkg/apis/networking/metadata_validation.go
+++ b/pkg/apis/networking/metadata_validation.go
@@ -29,6 +29,7 @@ var (
 		IngressClassAnnotationKey,
 		CertificateClassAnnotationKey,
 		DisableAutoTLSAnnotationKey,
+		DisableExternalDomainTLSKey,
 		HTTPOptionAnnotationKey,
 
 		IngressClassAnnotationAltKey,
diff --git a/pkg/apis/networking/metadata_validation_test.go b/pkg/apis/networking/metadata_validation_test.go
index 07688f631..9954c3504 100644
--- a/pkg/apis/networking/metadata_validation_test.go
+++ b/pkg/apis/networking/metadata_validation_test.go
@@ -44,6 +44,11 @@ func TestValidateObjectMetadata(t *testing.T) {
 			DisableAutoTLSAnnotationKey:    "true",
 			DisableAutoTLSAnnotationAltKey: "true",
 		},
+	}, {
+		name: "valid disable external-domain-tls annotation key",
+		annotations: map[string]string{
+			DisableExternalDomainTLSKey: "true",
+		},
 	}, {
 		name: "valid certificate class annotation key",
 		annotations: map[string]string{
diff --git a/pkg/apis/networking/register.go b/pkg/apis/networking/register.go
index f7bdd81d7..26143a05d 100644
--- a/pkg/apis/networking/register.go
+++ b/pkg/apis/networking/register.go
@@ -70,11 +70,17 @@ const (
 
 	// DisableAutoTLSAnnotationKey is the annotation key attached to a Knative Service/DomainMapping
 	// to indicate that AutoTLS should not be enabled for it.
+	// Deprecated: use DisableExternalDomainTLSKey instead.
 	DisableAutoTLSAnnotationKey = PublicGroupName + "/disableAutoTLS"
 
 	// DisableAutoTLSAnnotationAltKey is an alternative casing to DisableAutoTLSAnnotationKey
+	// Deprecated: use DisableExternalDomainTLSKey instead.
 	DisableAutoTLSAnnotationAltKey = PublicGroupName + "/disable-auto-tls"
 
+	// DisableExternalDomainTLSKey is the annotation key attached to a Knative Service/DomainMapping
+	// to indicate that external-domain-tls should not be enabled for it.
+	DisableExternalDomainTLSKey = PublicGroupName + "/disable-external-domain-tls"
+
 	// HTTPOptionAnnotationKey is the annotation key attached to a Knative Service/DomainMapping
 	// to indicate the HTTP option of it.
 	HTTPOptionAnnotationKey = PublicGroupName + "/httpOption"
@@ -130,9 +136,21 @@ var (
 		CertificateClassAnnotationAltKey,
 	}
 
+	// Deprecated: use DisableExternalDomainTLSAnnotation instead.
 	DisableAutoTLSAnnotation = kmap.KeyPriority{
 		DisableAutoTLSAnnotationKey,
 		DisableAutoTLSAnnotationAltKey,
+
+		// backward compatibility
+		DisableExternalDomainTLSKey,
+	}
+
+	DisableExternalDomainTLSAnnotation = kmap.KeyPriority{
+		// backward compatibility
+		DisableAutoTLSAnnotationKey,
+		DisableAutoTLSAnnotationAltKey,
+
+		DisableExternalDomainTLSKey,
 	}
 
 	HTTPProtocolAnnotation = kmap.KeyPriority{
@@ -153,6 +171,11 @@ func GetHTTPProtocol(annotations map[string]string) (val string) {
 	return HTTPProtocolAnnotation.Value(annotations)
 }
 
+// Deprecated: use GetDisableExternalDomainTLS instead.
 func GetDisableAutoTLS(annotations map[string]string) (val string) {
 	return DisableAutoTLSAnnotation.Value(annotations)
 }
+
+func GetDisableExternalDomainTLS(annotations map[string]string) (val string) {
+	return DisableExternalDomainTLSAnnotation.Value(annotations)
+}