Commit a75cb1c

committed
edit
1 parent 819f7a8 commit a75cb1c

3 files changed

+19
-11
lines changed

articles/dns/dnssec-how-to.md

Lines changed: 4 additions & 2 deletions
@@ -10,9 +10,9 @@ ms.author: greglin
1010

1111
# How to sign your Azure Public DNS zone with DNSSEC (Preview)
1212

13-
This article shows you how to sign your DNS zone with Domain Name System Security Extensions (DNSSEC).
13+
This article shows you how to sign your DNS zone with [Domain Name System Security Extensions (DNSSEC)](dnssec.md).
1414

15-
Also see: [DNSSEC overview (Preview)](dnssec.md)
15+
To remove DNSSEC signing from a zone, see [How to unsign your Azure Public DNS zone](dnssec-unsign.md).
1616

1717
## Prerequisites
1818

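Review bot: the cross-link text added at line 15+ drops the "(Preview)" suffix that the target article's own title carries (`# How to unsign your Azure Public DNS zone (Preview)` in dnssec-unsign.md, changed in this same commit), while the heading at line 11 keeps it; use one form in both places, e.g. `[How to unsign your Azure Public DNS zone (Preview)](dnssec-unsign.md)`, or drop the suffix from both link texts. Replacing the "Also see" line is fine, since the overview is now linked inline at line 13+.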
@@ -53,6 +53,8 @@ To sign your zone with DNSSEC using the Azure portal:
5353
**Digest Type**: 2<br>
5454
**Digest**: 7A1C9811A965C46319D94D1D4BC6321762B632133F196F876C65802EC5089001
5555

56+
When you provide the DS record to your registrar, the registrar adds the DS record to the parent zone, such as the Top Level Domain (TLD) zone.
57+
5658
2. If you own the parent zone, you can add a DS record directly to the parent yourself. The following example shows how to add a DS record to the DNS zone **adatum.com** for the child zone **secure.adatum.com** when both zones are hosted using Azure Public DNS:
5759

5860
[ ![Screenshot of adding a DS record to the parent zone.](./media/dnssec-how-to/ds-add.png) ](./media/dnssec-how-to/ds-add.png#lightbox)
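Review bot: the sentence added at line 56+ says the registrar "adds the DS record to the parent zone"; when the parent is a TLD, the registrar submits the DS to the registry that operates that zone rather than editing it directly, so "the registrar submits the DS record to the operator of the parent zone (for example, the TLD registry), which publishes it" would be more accurate. It would also help to state here that the digest shown at line 55 must be published in the parent exactly as generated: a DS that does not match the zone's DNSKEY breaks the chain of trust, and validating resolvers then answer SERVFAIL for the zone, as the dnssec.md overview in this commit describes.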

articles/dns/dnssec-unsign.md

Lines changed: 7 additions & 3 deletions
@@ -10,7 +10,9 @@ ms.author: greglin
1010

1111
# How to unsign your Azure Public DNS zone (Preview)
1212

13-
This article shows you how to remove Domain Name System Security Extensions (DNSSEC) from your Azure Public DNS zone.
13+
This article shows you how to remove [Domain Name System Security Extensions (DNSSEC)](dnssec.md) from your Azure Public DNS zone.
14+
15+
To sign a zone with DNSSEC, see [How to sign your Azure Public DNS zone with DNSSEC](dnssec-how-to.md).
1416

1517
## Prerequisites
1618

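Review bot: lines 14+ and 15+ insert two consecutive blank lines before the new paragraph; Markdown needs only one, and the matching change in dnssec-how-to.md uses a single blank line, so drop one of them. The link text at line 15+ also omits "(Preview)" while the heading at line 11 keeps it; align it with whichever form the how-to article settles on.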
@@ -24,9 +26,11 @@ This article shows you how to remove Domain Name System Security Extensions (DNS
2426
2527
## [Azure portal](#tab/sign-portal)
2628

27-
To unsign your zone using the Azure portal:
29+
To unsign a zone using the Azure portal:
2830

29-
1.
31+
1. On the Azure portal Home page, search for and select **DNS zones**.
32+
2. Select your DNS zone, and then from the zone's **Overview** page, select **DNSSEC**. You can select **DNSSEC** from the menu at the top, or under **DNS Management**.
33+
3. If you have successfully removed the DS record at your registrar for this zone, you see that the DNSSEC status is **Signed but not delegated**. Do not proceed until you see this status.
3034

3135
## [Azure CLI](#tab/sign-cli)
3236

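Review bot: step 3 at line 33+ treats removal of the DS record at the registrar as something already done ("If you have successfully removed the DS record ..."), but the list never tells the reader to remove it; add that as an explicit first step, or state it in the Prerequisites section, so nobody reaches this point with the DS still published in the parent. Consider also saying why the "Do not proceed" warning matters and that the status may lag: the parent zone and cached DS records (DS TTL) take time to clear, and unsigning while the parent still publishes the DS leaves the zone failing validation (SERVFAIL) at validating resolvers until the **Signed but not delegated** status is reached.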
articles/dns/dnssec.md

Lines changed: 8 additions & 6 deletions
@@ -5,7 +5,7 @@ author: greg-lindsay
55
manager: KumuD
66
ms.service: azure-dns
77
ms.topic: article
8-
ms.date: 10/02/2024
8+
ms.date: 10/09/2024
99
ms.author: greglin
1010
---
1111

@@ -71,18 +71,20 @@ DNSSEC works to prevent DNS hijacking by performing validation on DNS responses.
7171

7272
If a DNS server is DNSSEC-aware, it can set the DNSSEC OK (DO) flag in a DNS query to a value of `1`. This value tells the responding DNS server to include DNSSEC-related resource records with the response. These DNSSEC records are Resource Record Signature (RRSIG) records that are used to validate that the DNS response is genuine.
7373

74-
A recursive DNS server performs DNSSEC validation on RRSIG records using a trust anchor (DNSKEY). The server uses a DNSKEY to decrypt digital signatures in RRSIG records (and other DNSSEC-related records), and then computes and compares hash values. If hash values are the same, it provides a reply to the DNS client with the DNS data that it requested, such as a host address (A) record. See the following diagram:
74+
A recursive (non-authoritative) DNS server performs DNSSEC validation on RRSIG records using a trust anchor (DNSKEY). The server uses a DNSKEY to decrypt digital signatures in RRSIG records (and other DNSSEC-related records), and then computes and compares hash values. If hash values are the same, it provides a reply to the DNS client with the DNS data that it requested, such as a host address (A) record. See the following diagram:
7575

7676
![A diagram showing how DNSSEC validation works.](media/dnssec/dnssec-validation.png)
7777

78-
If hash values aren't the same, the recursive DNS server replies with a SERVFAIL message. In this way, DNSSEC-capable resolving DNS servers with a valid trust anchor installed can protect against DNS hijacking. This protection doesn't require DNS client devices to be DNSSEC-aware.
78+
If hash values aren't the same, the recursive DNS server replies with a SERVFAIL message. In this way, DNSSEC-capable resolving DNS servers with a valid trust anchor installed can protect against DNS hijacking. This protection doesn't require DNS client devices to be DNSSEC-aware.
7979

80-
> [!NOTE]
81-
> DNSSEC validation is not performed by the default Azure-provided resolver.
80+
Windows 11 client devices are [nonvalidating security-aware stub resolvers](#dnssec-terminology).
8281

8382
### Trust anchors and DNSSEC validation
8483

85-
A recursive DNS server can have any number of trust anchors, or no trust anchors. Trust anchors can be added for a single DNS zone, or any parent zone. If a recursive DNS server has a root (.) trust anchor, then it can perform DNSSEC validation on any DNS zone.
84+
> [!NOTE]
85+
> DNSSEC validation is not performed by the default Azure-provided resolver. The information in this section is helpful if you are setting up your own recursive DNS servers for DNSSEC validation or troubleshooting validation issues.
86+
87+
Trust anchors operate based on the DNS namespace hierarchy. A recursive DNS server can have any number of trust anchors, or no trust anchors. Trust anchors can be added for a single child DNS zone, or any parent zone. If a recursive DNS server has a root (.) trust anchor, then it can perform DNSSEC validation on any DNS zone.
8688

8789
The DNSSEC validation process works with trust anchors as follows:
8890
- If a recursive DNS server doesn't have a DNSSEC trust anchor for a zone or the zone's parent hierarchical namespace, it will not perform DNSSEC validation on that zone.
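Review bot: line 74+ is being edited anyway, so correct its description of validation: a validator does not "decrypt" an RRSIG; it verifies the signature over the RRset with the public key in the zone's DNSKEY record, and that DNSKEY is in turn checked against the DS record in the parent zone, repeating up to a configured trust anchor. Suggested wording: "The server verifies the RRSIG signatures using the zone's DNSKEY public key and follows the chain of DS and DNSKEY records up to a trust anchor." The "hash values are the same" phrasing at lines 74+ and 78+ should then describe the signature verification succeeding or failing (the hash comparison applies only to the DS-to-DNSKEY step). Lines 78-/78+ show no visible difference, presumably trailing whitespace; if unintended, revert to keep the diff minimal. Line 80+ links to `#dnssec-terminology`; confirm that heading exists in dnssec.md and defines "nonvalidating security-aware stub resolver", since the point of line 78+ is that such a client depends entirely on the recursive resolver for protection.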
