Mode A dynamic secure zones require that the update requester provide SIG RRs that will authenticate the after update state of all RR sets that are changed by the update and are non-empty after the update. These SIG RRs appear in the request as RRs to be added and the request must delete any previous data SIG RRs that are invalidated by the request.
In Mode B dynamic secure zones, all zone data is authenticated by zone key SIG RRs. In this case, data signatures need not be included with the update. A resolver can determine which mode an updatable secure zone is using by examining the signatory field bits of the zone KEY RR (see section 3.2).