unsign finished

Author: greg-lindsay

articles/dns/dnssec-unsign.md

@@ -32,22 +32,60 @@ To unsign a zone using the Azure portal:
 2. Select your DNS zone, and then from the zone's **Overview** page, select **DNSSEC**. You can select **DNSSEC** from the menu at the top, or under **DNS Management**.
 3. If you have successfully removed the DS record at your registrar for this zone, you see that the DNSSEC status is **Signed but not delegated**. Do not proceed until you see this status.
 
+    ![Screenshot of confirming to disable DNSSEC.](./media/dnssec-how-to/ds-removed.png)
+
+4. Clear the **Enable DNSSEC** checkbox and select **OK** in the popup dialog box confirming that you wish to disable DNSSEC.
+
+    ![Screenshot of DNSSEC status.](./media/dnssec-how-to/disable-dnssec.png)
+
+5. In the **Disable DNSSEC** pane, type the name of your domain and then select **Disable**. 
+
+    ![Screenshot of the disable DNSSEC pane.](./media/dnssec-how-to/disable-pane.png)
+
+6. The domain is now successfully unsigned.
+
 ## [Azure CLI](#tab/sign-cli)
 
-Sign a zone using the Azure CLI:
+Unsign a DNSSEC-signed zone using the Azure CLI:
+
+1. To unsign a signed zone, issue the following commands. Replace the values for resource group and zone name with your resource group and zone name.
 
 ```azurepowershell-interactive
-commands here
+# Ensure you are logged in to your Azure account
+az login
+
+# Select the appropriate subscription
+az account set --subscription "your-subscription-id"
+
+# Disable DNSSEC for the DNS zone
+az network dns dnssec-config delete --resource-group "your-resource-group" --zone-name "adatum.com"
+
+# Verify the DNSSEC configuration has been removed
+az network dns dnssec-config show --resource-group "your-resource-group" --zone-name "adatum.com"
 ```
 
+2. Confirm that **(NotFound) DNSSEC is not enabled for DNS zone 'adatum.com'** is displayed after the last command. The zone is now unsigned.
+
 ## [PowerShell](#tab/sign-powershell)
 
-Sign a zone using PowerShell:
+1. Unsign and a zone and view the zone status using PowerShell:
 
 ```PowerShell
-commands here
+# Connect to your Azure account (if not already connected)
+Connect-AzAccount
+
+# Select the appropriate subscription
+Select-AzSubscription -SubscriptionId "your-subscription-id"
+
+# Disable DNSSEC for the DNS zone
+Remove-AzDnsDnssecConfig -ResourceGroupName "your-resource-group" -ZoneName "adatum.com"
+
+# View the DNSSEC configuration
+Get-AzDnsDnssecConfig -ResourceGroupName "your-resource-group" -ZoneName "adatum.com"
 ```
 
+2. Confirm that DNSSEC is not enabled for DNS zone 'adatum.com' is displayed after the last command. The zone is now unsigned.
+
 ## Next steps
 
 - Learn how to [sign a DNS zone with DNSSEC](dnssec-how-to.md).

articles/dns/dnssec.md

@@ -11,7 +11,7 @@ ms.author: greglin
 
 # DNSSEC overview (Preview)
 
-This article provides a overview of Domain Name System Security Extensions (DNSSEC) and includes an introduction to [DNSSEC terminology](#dnssec-terminology). Benefits of DNSSEC zone signing are described and examples are provided for viewing DNSSEC related resource records. When you are ready to sign your Azure public DNS zone, see the following how-to guides:
+This article provides an overview of Domain Name System Security Extensions (DNSSEC) and includes an introduction to [DNSSEC terminology](#dnssec-terminology). Benefits of DNSSEC zone signing are described and examples are provided for viewing DNSSEC related resource records. When you are ready to sign your Azure public DNS zone, see the following how-to guides:
 
 - [How to sign your Azure Public DNS zone with DNSSEC (Preview)](dnssec-how-to.md).
 - [How to unsign your Azure Public DNS zone (Preview)](dnssec-unsign.md)
@@ -99,7 +99,7 @@ The DNSSEC validation process works with trust anchors as follows:
 
 ### Authoritative servers  
 
-Authoritative DNS servers maintain a chain of trust through the use of delegation signer (DS) records. DS records are used to verify the authenticity of child zones zone in the DNS hierarchy. 
+Authoritative DNS servers maintain a chain of trust through the use of delegation signer (DS) records. DS records are used to verify the authenticity of child zones in the DNS hierarchy. 
  - In order for DNSSEC validation to occur on a signed zone, the parent of the signed zone must also be signed. The parent zone also must have a DS record for the child zone.
  - During the validation process, a zone's parent is queried for the DS record. If the DS record is not present, or the DS record data in the parent does not match the DNSKEY data in the child zone, the chain of trust is broken and validation fails.