diff --git a/lib/dns/sec/dst/dst_api.c b/lib/dns/sec/dst/dst_api.c
index 9b90b57efd..395cd5b41a 100644
--- a/lib/dns/sec/dst/dst_api.c
+++ b/lib/dns/sec/dst/dst_api.c
@@ -17,7 +17,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.26 2000/04/10 19:48:03 bwelling Exp $
+ * $Id: dst_api.c,v 1.27 2000/04/12 15:52:11 bwelling Exp $
  */
 
 #include <config.h>
@@ -723,6 +723,9 @@ dst_key_iszonekey(const dst_key_t *key) {
 		return (ISC_FALSE);
 	if ((key->key_flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
 		return (ISC_FALSE);
+	if (key->key_proto != DNS_KEYPROTO_DNSSEC &&
+	    key->key_proto != DNS_KEYPROTO_ANY)
+		return (ISC_FALSE);
 	return (ISC_TRUE);
 }
 
diff --git a/lib/dns/sec/dst/include/dst/dst.h b/lib/dns/sec/dst/include/dst/dst.h
index ba8ebb3321..c94ea1342c 100644
--- a/lib/dns/sec/dst/include/dst/dst.h
+++ b/lib/dns/sec/dst/include/dst/dst.h
@@ -48,12 +48,6 @@ typedef void *		dst_context_t;
 				 DST_SIGMODE_UPDATE | \
 				 DST_SIGMODE_FINAL)
 
-/* Key protocol octet values. */
-#define DST_KEYPROTO_TLS	1
-#define DST_KEYPROTO_EMAIL	2
-#define DST_KEYPROTO_DNSSEC	3
-#define DST_KEYPROTO_IPSEC	4
-
 /* A buffer of this size is large enough to hold any key */
 #define DST_KEY_MAXSIZE		1024
 
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index c1f8e3c969..7d90fd377b 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -260,8 +260,8 @@ get_dst_key(dns_validator_t *val, dns_siginfo_t *siginfo,
 		    (dns_secalg_t)dst_key_alg(val->key) &&
 		    siginfo->tag ==
 		    (dns_keytag_t)dst_key_id(val->key) &&
-		    dst_key_iszonekey(val->key) &&
-		    dst_key_proto(val->key) == DST_KEYPROTO_DNSSEC) {
+		    dst_key_iszonekey(val->key))
+		{
 			/*
 			 * This is the key we're looking for.
 			 */