diff --git a/README.markdown b/README.markdown
index 65aed139..91fc35c8 100644
--- a/README.markdown
+++ b/README.markdown
@@ -62,6 +62,7 @@ All of them:
 * 3110 - RSASHA1 DNS keys
 * 3225 - DO bit (DNSSEC OK)
 * 340{1,2,3} - NAPTR
+* 3445 - Limiting the scope of (DNS)KEY
 * 3597 - Unkown RRs
 * 403{3,4,5} - DNSSEC + validation functions
 * 4255 - SSHFP
diff --git a/dnssec.go b/dnssec.go
index aac4496f..2fa7abc7 100644
--- a/dnssec.go
+++ b/dnssec.go
@@ -300,6 +300,9 @@ func (s *RR_RRSIG) Verify(k *RR_DNSKEY, rrset []RR) error {
 if s.SignerName != k.Hdr.Name {
 return ErrKey
 }
+ if k.Protocol != 3 {
+ return ErrKey
+ }
 for _, r := range rrset {
 if r.Header().Class != s.Hdr.Class {
 return ErrRRset
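Review bot: The new guard in Verify checks only the Protocol field, and nothing in the visible lines checks the Zone Key flag (bit 7 of the DNSKEY flags), which RFC 4034 section 2.1.1 also requires to be set before a key may be used to verify an RRSIG. Verify starts above the hunk and continues below it, so this may already be handled there; if it is not, a sibling guard returning ErrKey belongs next to this one, otherwise a non-zone key with a matching owner name would still be accepted. The bare literal 3 also deserves a comment so the reason for the rejection is traceable, for example `// RFC 4034 2.1.2: Protocol must be 3, otherwise the key is invalid for signature verification`. A test that passes a DNSKEY with a different Protocol value and expects ErrKey would pin the behaviour.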