Another clarification: The <secDNS:update> <secDNS:rem> takes a keyTag -- it should be pointed out that multiple DS records might have the same keyTag (perhaps they're for the same DNSKEY, just using a different digest algorithm, or perhaps they're for different DNSKEYs with the same keyTag) and that the <secDNS:rem> element removes ALL matching DS records.
-- Sam

dnsop resources:
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
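The keyTag behaviour described in the message above, as an added example that is not part of the original post: it computes key tags (RFC 4034 Appendix B) and DS digests for constructed keys, then models a remove-by-keyTag the way the message describes it. The function names, the sample keys and the `example.com` owner name are assumptions made for illustration.

```python
import hashlib
import struct

def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B (algorithms other than 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags: int, alg: int, pubkey: bytes) -> bytes:
    return struct.pack("!HBB", flags, 3, alg) + pubkey  # protocol field is always 3

def make_ds(owner: str, rdata: bytes, digest_type: int) -> tuple:
    """DS as (keyTag, alg, digestType, digest); digest = H(owner | DNSKEY RDATA)."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return (key_tag(rdata), rdata[3], digest_type,
            h(wire_name(owner) + rdata).hexdigest().upper())

def rem_by_key_tag(ds_set: list, tag: int) -> list:
    """Model of <secDNS:rem> with a keyTag: every DS carrying that tag is dropped."""
    return [ds for ds in ds_set if ds[0] != tag]

# Constructed sample keys (not real key material).
PUB_A = bytes(range(1, 65))
# Swapping two aligned 16-bit words leaves the key tag checksum unchanged,
# so KEY_B is a different DNSKEY that shares KEY_A's keyTag.
PUB_B = PUB_A[2:4] + PUB_A[0:2] + PUB_A[4:]
KEY_A = dnskey_rdata(257, 8, PUB_A)
KEY_B = dnskey_rdata(257, 8, PUB_B)
KEY_C = dnskey_rdata(257, 8, bytes(range(100, 164)))

def demo(owner: str = "example.com"):
    ds_set = [make_ds(owner, KEY_A, 1),   # same DNSKEY, SHA-1 digest
              make_ds(owner, KEY_A, 2),   # same DNSKEY, SHA-256 digest
              make_ds(owner, KEY_B, 2),   # different DNSKEY, same keyTag
              make_ds(owner, KEY_C, 2)]   # unrelated DNSKEY
    return ds_set, rem_by_key_tag(ds_set, key_tag(KEY_A))

if __name__ == "__main__":
    before, after = demo()
    for ds in before:
        print("before:", ds[:3], ds[3][:16] + "...")
    print("after rem keyTag", key_tag(KEY_A), "->", [ds[:3] for ds in after])
```

A client that wants to retire only one of the three matching records has to notice the shared keyTag before sending the remove, since the keyTag alone cannot single it out.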
