An update can affect multiple owner names in a zone. It may be that these different names are covered by different dynamic update keys. For every owner name affected, the updater must know a private key valid for that name (and the zone's class) and must prove this by appending request SIG RRs under each such key.
As specified in RFC 2065, a request signature is a SIG RR occurring at the end of a request with a type covered field of zero. For an update, request signatures occur in the Additional information section. Each request SIG signs the entire request, including the DNS header, but excluding any other request SIG(s) and with the ARCOUNT in the DNS header set to what it would be without the request SIGs.
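The following added example (not part of the original document) shows how a verifier could recover the request octets that every request SIG covers: it finds the trailing SIG RRs with a type covered field of zero in the Additional section, removes them, and rewrites ARCOUNT. The function names, the constructed sample message and its filler SIG RDATA are assumptions for illustration; signature computation itself is not shown.

```python
import struct

SIG = 24  # SIG RR type code

def skip_name(msg, off):
    """Return the offset just past the domain name starting at off."""
    while msg[off] and msg[off] < 64:          # ordinary label: length octet + data
        off += 1 + msg[off]
    if msg[off] and msg[off] < 0xC0:
        raise ValueError("unsupported label type")
    return off + (2 if msg[off] else 1)        # compression pointer: 2 octets, root: 1

def signed_view(msg):
    """Return (request octets covered by each request SIG, number of request SIGs).

    Raises ValueError or IndexError on a malformed message.
    """
    if len(msg) < 12:
        raise ValueError("short header")
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):                        # zone/question entries: name, type, class
        off = skip_name(msg, off) + 4
    rrs = []                                   # (start offset, looks like a request SIG)
    for i in range(an + ns + ar):
        start, off = off, skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated RR")
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("truncated RDATA")
        # request SIG: Additional section, type SIG, type covered field of zero
        rrs.append((start, i >= an + ns and rtype == SIG
                    and rdlen >= 2 and msg[off:off + 2] == b"\0\0"))
        off += rdlen
    n = 0
    while n < ar and rrs[-1 - n][1]:           # only SIGs at the very end count
        n += 1
    cut = rrs[-n][0] if n else off
    return msg[:10] + struct.pack("!H", ar - n) + msg[12:cut], n

def rr(name, rtype, rdata):
    return name + struct.pack("!HHIH", rtype, 1, 0, len(rdata)) + rdata

def sample_update(n_sigs):
    """Constructed UPDATE for zone 'example.' with n_sigs placeholder request SIGs."""
    zone = b"\x07example\x00"
    body = zone + struct.pack("!HH", 6, 1)                     # zone section: SOA, IN
    body += rr(b"\x04host" + zone, 1, bytes([192, 0, 2, 1]))   # update section: one A RR
    for k in range(n_sigs):    # type covered 0; the rest is filler, not a real signature
        body += rr(b"\0", SIG, b"\0\0" + bytes(16) + b"\0" + bytes([k]) * 8)
    return struct.pack("!6H", 0x1234, 0x2800, 1, 0, 1, n_sigs) + body
```

A request carrying two request SIGs and the same request carrying none yield identical covered octets, which is why each signature can be checked independently of the others.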