Changes

Security/DNSSEC-TLS

749 bytes added, 22:40, 28 June 2011
== DNSSEC Chains ==
The process of verifying a DNSSEC chain is discussed in general [[Security/DNSSEC-TLS/Background#Verifying a DNSSEC Chain|here]].
The format of a serialized DNSSEC chain sent in this protocol consists first of a series of the following:
* A DS (and corresponding RRSIG) record for a zone to enter, in wire format.
* The DNSKEY (and corresponding RRSIG) records for that zone, in wire format. The DS must correspond to one of the keys.
Each zone entered must be directly inner to the previous zone. The root zone may be omitted, because the client is assumed to already hold the DNSSEC keys for the root. The final entry is a TLSA (and corresponding RRSIG) record, again in wire format. It is possible to optimize away some fields of these records, but at the moment this is not being done.

For reference, another proposal for the serialization of a DNSSEC chain is [http://tools.ietf.org/html/draft-agl-dane-serializechain-00 here]. Note that that proposal does not follow the wire format of DNS records exactly. Consequently, preexisting code cannot be used to serialize, parse, or validate the chain. Additionally, more flexibility means more opportunities for insecure verifier behavior. That proposal is not currently being used in this project.
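As an added example (not code from this wiki page or from the project it describes), the following Python checks the structure described above: a plain concatenation of RFC 1035 wire-format records, DS and DNSKEY RRsets each with an RRSIG, zones nested inward from the omitted root, a final TLSA RRset, and a DS whose key tag matches one of the zone's keys. It assumes uncompressed owner names, reads "directly inner" as strict descent, performs no signature or digest cryptography, and the helper make_rr is a hypothetical convenience for building chains to test against.

```python
import struct

DS, RRSIG, DNSKEY, TLSA = 43, 46, 48, 52  # type codes from RFC 4034 and RFC 6698

def read_rrs(buf):  # split a plain concatenation of RFC 1035 RRs into (owner, type, rdata)
    off, rrs = 0, []
    while off < len(buf):
        labels = []
        while buf[off]:  # owner name labels; a pointer (0xC0) is meaningless outside a message
            if buf[off] & 0xC0:
                raise ValueError("compression pointer in serialized chain")
            labels.append(bytes(buf[off + 1:off + 1 + buf[off]]).lower())
            off += 1 + buf[off]
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off + 1)
        rrs.append((tuple(labels), rtype, bytes(buf[off + 11:off + 11 + rdlen])))
        off += 11 + rdlen
    return rrs

def key_tag(rdata):  # RFC 4034 Appendix B key tag over DNSKEY RDATA (not algorithm 1)
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (ac + (ac >> 16)) & 0xFFFF

def inside(name, zone):  # strict descendant test on label tuples; () is the root
    return len(name) > len(zone) and name[len(name) - len(zone):] == zone

def check_chain(buf):  # structural checks only; RRSIG and DS cryptography is not done here
    sets, signed = {}, set()
    for owner, rtype, rdata in read_rrs(buf):
        if rtype == RRSIG:
            signed.add((owner, struct.unpack_from("!H", rdata)[0]))  # RRSIG "type covered"
        else:
            sets.setdefault((owner, rtype), []).append(rdata)
    order = list(sets)  # (owner, type) of each RRset, in order of first appearance
    if len(order) % 2 == 0 or order[-1][1] != TLSA or set(order) - signed:
        raise ValueError("need (DS, DNSKEY)* then TLSA, each RRset with its RRSIG")
    prev = ()  # the root zone is omitted; the client already holds its DNSKEYs
    for (zone, t1), (zone2, t2) in zip(order[:-1:2], order[1:-1:2]):
        if (t1, t2) != (DS, DNSKEY) or zone != zone2 or not inside(zone, prev):
            raise ValueError("expected DS and DNSKEY for one zone below %r" % (prev,))
        tags = {key_tag(k) for k in sets[(zone, DNSKEY)]}
        if not any(struct.unpack_from("!H", ds)[0] in tags for ds in sets[(zone, DS)]):
            raise ValueError("no DNSKEY in %r matches a DS key tag" % (zone,))
        prev = zone
    if not inside(order[-1][0], prev):
        raise ValueError("TLSA owner is not below the last zone entered")
    return len(order) // 2  # zones entered below the root

def make_rr(owner, rtype, rdata):  # wire-format RR, class IN, TTL 0; hypothetical test helper
    name = b"".join(bytes([len(l)]) + l.encode() for l in owner.split(".") if l) + b"\x00"
    return name + struct.pack("!HHIH", rtype, 1, 0, len(rdata)) + rdata
```

check_chain returns the number of zones entered below the root and raises ValueError on the first structural violation; a real verifier still has to validate every RRSIG and DS digest afterwards.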
== Google Chrome ==