add preview message to howtos

greg-lindsay · greg-lindsay · commit eb7742a0b4ed · 2024-10-09T16:25:36.000-07:00
diff --git a/articles/dns/dnssec-how-to.md b/articles/dns/dnssec-how-to.md
@@ -14,6 +14,10 @@ This article shows you how to sign your DNS zone with [Domain Name System Securi
 
 To remove DNSSEC signing from a zone, see [How to unsign your Azure Public DNS zone](dnssec-unsign.md).
 
+> [!NOTE]
+> DNSSEC zone signing is currently in PREVIEW.<br> 
+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+
 ## Prerequisites
 
 * The DNS zone must be hosted by Azure Public DNS. For more information, see [Manage DNS zones](/azure/dns/dns-operations-dnszones-portal).
diff --git a/articles/dns/dnssec-unsign.md b/articles/dns/dnssec-unsign.md
@@ -14,6 +14,10 @@ This article shows you how to remove [Domain Name System Security Extensions (DN
 
 To sign a zone with DNSSEC, see [How to sign your Azure Public DNS zone with DNSSEC](dnssec-how-to.md).
 
+> [!NOTE]
+> DNSSEC zone signing is currently in PREVIEW.<br> 
+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+
 ## Prerequisites
 
 * The DNS zone must be hosted by Azure Public DNS. For more information, see [Manage DNS zones](/azure/dns/dns-operations-dnszones-portal).
diff --git a/articles/dns/dnssec.md b/articles/dns/dnssec.md
@@ -92,6 +92,7 @@ The DNSSEC validation process works with trust anchors as follows:
     - If the DS record is found, the recursive DNS server performs DNSSEC validation. 
     - If the recursive DNS server determines that the parent zone doesn't have a DS record for the child zone, it assumes the child zone is insecure and doesn't perform DNSSEC validation.
   - If multiple recursive DNS servers are involved in a DNS response (including forwarders), each server must be able to perform DNSSEC validation on the response so that there is an unbroken chain of trust.
+  - Recursive servers that have DNSSEC validation disabled or aren't DNSSEC-aware don't perform validation.
 
 ## Chain of trust
 
@@ -109,7 +110,6 @@ Recursive DNS servers (also called resolving or caching DNS servers) maintain a
 - The trust anchor is a DNSKEY record, or DS record containing a [hash](/dotnet/standard/security/ensuring-data-integrity-with-hash-codes) of a DNSKEY record. The DNSKEY record is created on an authoritative server when a zone is signed, and removed from the zone if the zone is unsigned. 
 - Trust anchors must be manually installed on recursive DNS servers. 
 - If a trust anchor for a parent zone is present, a recursive server can validate all child zones in the hierarchical namespace. This includes forwarded queries. To support DNSSEC validation of all DNSSEC-signed DNS zones, you can install a trust anchor for the root (.) zone.
-- Recursive servers that have DNSSEC validation disabled or aren't DNSSEC-aware don't perform validation.
 
 ## DNSSEC-related resource records
 
