diff --git a/app/controllers/domains_controller.rb b/app/controllers/domains_controller.rb
index 3918570..d8ef556 100644
--- a/app/controllers/domains_controller.rb
+++ b/app/controllers/domains_controller.rb
@@ -1,90 +1,101 @@
 class DomainsController < ApplicationController
   before_action :authenticate_user!
 
-  before_action :domain, only: [:show, :edit, :edit_dnssec, :update, :destroy]
-  before_action :group,  only: [:show, :edit, :edit_dnssec, :update, :destroy]
+  before_action :domain, only: [:show, :edit, :edit_dnssec, :update, :destroy, :full_destroy]
+  before_action :group,  only: [:show, :edit, :edit_dnssec, :update, :destroy, :full_destroy]
 
   helper_method :edit_group_scope
 
   # GET /domains
   def index
     @domains = show_domain_scope.includes(:group, :soa).all
   end
 
   # GET /domains/1
   def show
     @record = Record.new(domain_id: @domain.id)
   end
 
   # GET /domains/new
   def new
     @domain = Domain.new(new_domain_params)
   end
 
   # GET /domains/1/edit
   def edit
   end
 
   # GET /domains/1/edit_dnssec
   def edit_dnssec
   end
 
   # POST /domains
   def create
     @domain = Domain.new(domain_params)
 
     if @domain.save
       notify_domain(@domain, :create)
       redirect_to @domain, notice: "#{@domain.name} was successfully created."
     else
       render :new
     end
   end
 
   # PATCH/PUT /domains/1
   def update
     if @domain.update(domain_params)
       notify_domain(@domain, :update)
       redirect_to @domain, notice: "#{@domain.name} was successfully updated."
     else
       if domain_params[:dnssec] # DNSSEC form
         render :edit_dnssec
       else
         render :edit
       end
     end
   end
 
   # DELETE /domains/1
   def destroy
     if @domain.remove
       notify_domain(@domain, :destroy)
       redirect_to domains_url, notice: "#{@domain.name} is scheduled for removal."
     else
       redirect_to domains_url, alert: "#{@domain.name} cannot be deleted! (state '#{@domain.state}')"
     end
   end
 
+  # DELETE /domains/1/full_destroy
+  def full_destroy
+    if @domain.full_remove
+      notify_domain(@domain, :destroy)
+      redirect_to domains_url,
+                  notice: "#{@domain.name} is scheduled for full removal. DS records will be dropped from the parent zone before proceeding"
+    else
+      redirect_to domains_url, alert: "#{@domain.name} cannot be deleted! (state '#{@domain.state}')"
+    end
+  end
+
   private
 
   def group
     domain.group
   end
 
   def new_domain_params
     params.permit(:group_id)
   end
 
   def domain_params
     params.require(:domain).tap { |d|
       # Make sure group id is permitted (belongs to edit_group_scope)
       d[:group_id] = edit_group_scope.find_by_id(d[:group_id]).try(:id)
     }.permit(:name, :type, :master, :group_id,
              :dnssec, :dnssec_parent, :dnssec_parent_authority, :dnssec_policy_id)
   end
 
   def notify_domain(*args)
     notification.notify_domain(current_user, *args) if WebDNS.settings[:notifications]
   end
 
 end
diff --git a/app/helpers/domains_helper.rb b/app/helpers/domains_helper.rb
index 0bcde66..1beaeaa 100644
--- a/app/helpers/domains_helper.rb
+++ b/app/helpers/domains_helper.rb
@@ -1,39 +1,43 @@
 module DomainsHelper
 
   # Human names for domain states
   def human_state(state)
     human = case state.to_sym
             when :initial then 'Initial'
             when :pending_install then 'Becoming public'
             when :pending_signing then 'Signing zone'
             when :wait_for_ready then 'Waiting for KSK to become ready'
             when :pending_ds then 'Publishing DS records'
             when :pending_ds_rollover then 'Performing KSK rollover'
             when :pending_ds_removal then 'Removing DS records'
             when :pending_plain then 'Removing dnssec'
             when :pending_remove then 'Preparing removal'
             when :operational then 'Operational'
             when :destroy then 'Ready to be destroyed'
             else
               state
             end
 
     prog = Domain.dnssec_progress(state)
     return human if prog.nil?
 
     "#{human} (#{prog})"
   end
 
   # Most of the time the parent zone will be easily computed
   def guess_parent_zone(name)
     name.split('.', 2).last || ''
   end
 
   def dnssec_policy_human(policy)
     info = policy.info.map { |name, value|
       [name, seconds_to_human(value)].join(': ')
     }
 
     "#{policy.name}: (#{info.join(' | ')})"
   end
+
+  def link_to_full_destroy(*args, &block)
+    link_to(abbr_glyph(:trash, 'Drop DS records and remove the zone'), *args, &block)
+  end
 end
diff --git a/app/views/domains/index.html.erb b/app/views/domains/index.html.erb
index 793872b..a95799f 100644
--- a/app/views/domains/index.html.erb
+++ b/app/views/domains/index.html.erb
@@ -1,54 +1,56 @@
 <% if current_user.memberships.empty? %>
   <div class="jumbotron">
     <h2>Wellcome to WebDNS!</h2>
     <p>
       In order to manage domains you have to be a member of a group.
     </p>
     <p>
       You can either contact an admin to create a new group for you, or ask another user for an invite to an existing group.
     </p>
   </div>
 <% end %>
 
 <div class="datatable-wrapper">
   <table id="domains" class="table table-striped">
     <thead>
       <tr>
         <th>Domain</th>
         <th>Serial</th>
         <th>Group</th>
         <th>State</th>
         <th>Slave</th>
         <th>DNSSEC</th>
         <th class="no-order-and-search">Controls</th>
       </tr>
     </thead>
 
     <tbody>
       <% @domains.group_by(&:group).each do |group, domains| %>
         <% domains.each do |domain| %>
           <tr class="group-<%= group.id =%>">
             <td><%= link_to domain.name, domain %></td>
             <td><%= domain.serial %></td>
             <td><%= link_to group.name, group_path(group) %></td>
             <td><%= human_state(domain.state) %></td>
             <td><%= domain.slave? ? domain.master : '-' %></td>
             <td><%= domain.dnssec? ? 'secure' : '-' %></td>
             <td>
               <%= link_to_edit edit_domain_path(domain) %>
               <%= link_to_destroy domain, method: :delete, data: { confirm: 'Are you sure?' } if domain.can_remove? %>
+              <%= link_to_full_destroy full_destroy_domain_path(domain),
+              method: :delete, data: { confirm: 'Are you sure?' } if domain.can_remove? && domain.dnssec? %>
             </td>
           </tr>
         <% end %>
       <% end %>
     </tbody>
   </table>
 </div>
 
 <p>
   <% if current_user.memberships.any? %>
     <%= link_to 'Add Domain', new_domain_path, class: 'btn btn-primary' %>
   <% else %>
     <%= link_to 'Add Domain', new_domain_path, class: 'btn btn-primary disabled' %>
   <% end %>
 </p>
diff --git a/config/routes.rb b/config/routes.rb
index faeaa80..14044dc 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -1,62 +1,63 @@
 Rails.application.routes.draw do
   # Override devise user removal
   devise_scope :users do
     delete :users, to: redirect('/')
   end
   devise_for :users
   get '/auth/saml', to: 'auth#saml'
 
   root to: redirect('/domains')
 
   resources :groups, only: [:show] do
     get :search_member,
         to: 'groups#search_member', on: :member
     post :members,
          to: 'groups#create_member', as: :create_member, on: :member
     delete 'member/:user_id',
            to: 'groups#destroy_member', as: :destroy_member, on: :member
   end
 
   resources :domains do
     get :edit_dnssec, to: 'domains#edit_dnssec', on: :member
+    delete :full_destroy, to: 'domains#full_destroy', on: :member
 
     resources :records, except: [:index, :show] do
       # Reuse records#update instead of introducing new controller actions
       #
       # rubocop:disable Style/AlignHash
       put :disable, to: 'records#update', on: :member,
           defaults: { record: { disabled: true } }
       put :enable,  to: 'records#update', on: :member,
           defaults: { record: { disabled: false } }
 
       put :editable, to: 'records#editable', on: :collection
       post :valid, to: 'records#valid', on: :collection
       post :bulk, to: 'records#bulk', on: :collection
       # rubocop:enable Style/AlignHash
     end
   end
 
   get '/records/search', to: 'records#search'
 
   # Admin
   namespace :admin do
     root to: redirect('/admin/groups')
 
     resources :groups, except: [:show]
     resources :jobs, only: [:index, :destroy] do
       put :done, to: 'jobs#update', on: :member,
           defaults: { job: { status: 1 } }
       put :pending,  to: 'jobs#update', on: :member,
           defaults: { job: { status: 0 } }
     end
     resources :users, only: [:destroy] do
       get :orphans, to: 'users#orphans', on: :collection
       put :update_groups, to: 'users#update_groups', on: :collection
     end
   end
 
   # Private
   put 'private/replace_ds', to: 'private#replace_ds'
   put 'private/trigger_event', to: 'private#trigger_event'
 end