The DNS zone must be hosted by Azure Public DNS. For more information, see Manage DNS zones.
You must have permission to delete a DS record from the parent DNS zone. Most top-level domains (.com, .net, .org) allow you to do this using your registrar.
Unsign a zone
Important
Removing DNSSEC from your DNS zone requires that you first remove the delegation signer (DS) record from the parent zone, and wait for the time-to-live (TTL) of the DS record to expire. After the DS record TTL has expired, you can safely unsign the zone.
On the Azure portal Home page, search for and select DNS zones.
Select your DNS zone, and then from the zone's Overview page, select DNSSEC. You can select DNSSEC from the menu at the top, or under DNS Management.
If you have successfully removed the DS record at your registrar for this zone, you see that the DNSSEC status is Signed but not delegated. Do not proceed until you see this status.
Clear the Enable DNSSEC checkbox and select OK in the popup dialog box confirming that you wish to disable DNSSEC.
In the Disable DNSSEC pane, type the name of your domain and then select Disable.
The zone is now unsigned.
Unsign a DNSSEC-signed zone using the Azure CLI:
To unsign a signed zone, issue the following commands. Replace the values for subscription ID, resource group, and zone name with your values.
Azure CLI
# Ensure you are logged in to your Azure account
az login
# Select the appropriate subscription
az account set --subscription "your-subscription-id"
# Disable DNSSEC for the DNS zone
az network dns dnssec-config delete --resource-group "your-resource-group" --zone-name "adatum.com"
# Verify the DNSSEC configuration has been removed
az network dns dnssec-config show --resource-group "your-resource-group" --zone-name "adatum.com"
Confirm that (NotFound) DNSSEC is not enabled for DNS zone 'adatum.com' is displayed after the last command. The zone is now unsigned.
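A pre-check for the ordering requirement in the Important note (DS record removed from the parent, then its TTL expired, then unsign), as an added example that is not part of the original article or of Azure's tooling. It reads the answer section printed by `dig DS <zone> +noall +answer`; the function names, their arguments, and the sample record are assumptions constructed for illustration.

```shell
# Added example: gate the unsign step on the DS record state in the parent zone.
# Input on stdin is the answer section of: dig DS <zone> +noall +answer

# Constructed sample answer (record values are made up for illustration).
SAMPLE_BEFORE='adatum.com. 3600 IN DS 12345 13 2 0000000000000000'

# Print the largest TTL among DS records for zone $1 found on stdin (0 if none).
ds_max_ttl() {
  awk -v zone="$1" '
    BEGIN { max = 0; z = tolower(zone); sub(/\.$/, "", z) }
    {
      name = tolower($1); sub(/\.$/, "", name)
      if (name == z && $3 == "IN" && $4 == "DS" && $2 + 0 > max) max = $2 + 0
    }
    END { print max }'
}

# Decide whether the zone can be unsigned yet.
#   $1 = zone name
#   $2 = TTL (seconds) the DS record carried before it was removed
#   $3 = seconds elapsed since the DS record was removed at the registrar
#   stdin = current dig answer for the DS query
# Prints DS_PRESENT <ttl>, WAIT <seconds>, or SAFE; returns 0 only for SAFE.
unsign_gate() {
  gate_live=$(ds_max_ttl "$1")
  if [ "$gate_live" -gt 0 ]; then
    # The parent still publishes a DS record: validators will expect signatures.
    echo "DS_PRESENT $gate_live"
    return 1
  fi
  gate_remaining=$(( $2 - $3 ))
  if [ "$gate_remaining" -gt 0 ]; then
    # DS is gone, but resolvers may still hold a cached copy.
    echo "WAIT $gate_remaining"
    return 1
  fi
  echo "SAFE"
}

# Demonstration on the constructed sample: the DS record is still published.
printf '%s\n' "$SAMPLE_BEFORE" | unsign_gate adatum.com 3600 0 || true
```

In practice, pipe the live `dig` output into `unsign_gate` and run `az network dns dnssec-config delete` only when it prints SAFE.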
Use the following commands to remove DNSSEC signing from your zone and view the zone status using PowerShell. Replace the values for subscription ID, resource group, and zone name with your values.
PowerShell
# Connect to your Azure account (if not already connected)
Connect-AzAccount
# Select the appropriate subscription
Select-AzSubscription -SubscriptionId "your-subscription-id"
# Disable DNSSEC for the DNS zone
Remove-AzDnsDnssecConfig -ResourceGroupName "your-resource-group" -ZoneName "adatum.com"
# View the DNSSEC configuration
Get-AzDnsDnssecConfig -ResourceGroupName "your-resource-group" -ZoneName "adatum.com"
Confirm that DNSSEC is not enabled for DNS zone 'adatum.com' is displayed after the last command. The zone is now unsigned.