diff --git a/designateclient/shell.py b/designateclient/shell.py
index 85d854f..bd1de9a 100644
--- a/designateclient/shell.py
+++ b/designateclient/shell.py
@@ -165,6 +165,10 @@ class DesignateShell(App):
         parser.add_argument('--all-tenants', action='store_true',
                             help="Allows to list all domains from all tenants")
 
+        parser.add_argument('--edit-managed', action='store_true',
+                            help='Allows to edit records that are marked as '
+                            'managed')
+
         return parser
 
     def configure_logging(self):
@@ -232,6 +236,7 @@ class DesignateShell(App):
             insecure=self.options.insecure,
             cacert=self.options.os_cacert,
             all_tenants=self.options.all_tenants,
+            edit_managed=self.options.edit_managed
         )
 
     def run(self, argv):
diff --git a/designateclient/utils.py b/designateclient/utils.py
index dfba0a8..8703173 100644
--- a/designateclient/utils.py
+++ b/designateclient/utils.py
@@ -101,7 +101,7 @@ def get_columns(data):
 def get_session(auth_url, endpoint, domain_id, domain_name, project_id,
                 project_name, project_domain_name, project_domain_id, username,
                 user_id, password, user_domain_id, user_domain_name, token,
-                insecure, cacert, all_tenants):
+                insecure, cacert, all_tenants, edit_managed):
     session = ks_session.Session()
 
     # Build + Attach Authentication Plugin
@@ -140,6 +140,7 @@ def get_session(auth_url, endpoint, domain_id, domain_name, project_id,
     else:
         session.verify = cacert
     session.all_tenants = all_tenants
+    session.edit_managed = edit_managed
 
     return session
 
diff --git a/designateclient/v1/__init__.py b/designateclient/v1/__init__.py
index 74a0af9..3d389d8 100644
--- a/designateclient/v1/__init__.py
+++ b/designateclient/v1/__init__.py
@@ -32,7 +32,7 @@ class Client(object):
                  project_domain_id=None, auth_url=None, token=None,
                  endpoint_type='publicURL', region_name=None,
                  service_type='dns', insecure=False, session=None,
-                 cacert=None, all_tenants=False):
+                 cacert=None, all_tenants=False, edit_managed=False):
         """
         :param endpoint: Endpoint URL
         :param token: A token instead of username / password
@@ -64,6 +64,7 @@ class Client(object):
                 insecure=insecure,
                 cacert=cacert,
                 all_tenants=all_tenants,
+                edit_managed=edit_managed,
             )
 
         # Since we have to behave nicely like a legacy client/bindings we use
@@ -100,6 +101,8 @@ class Client(object):
         kw['headers'].setdefault('Content-Type', 'application/json')
         if self.session.session.all_tenants:
             kw['headers'].update({'X-Auth-All-Projects': 'true'})
+        if self.session.session.edit_managed:
+            kw['headers'].update({'X-Designate-Edit-Managed-Records': 'true'})
 
         # Trigger the request
         response = func(*args, **kw)