diff --git a/impl/concurrencytest/main.go b/impl/concurrencytest/main.go
index 9f3fbc27..c15751e3 100644
--- a/impl/concurrencytest/main.go
+++ b/impl/concurrencytest/main.go
@@ -114,7 +114,7 @@ func generateDIDPutRequest() (string, []byte, error) {
 		return "", nil, err
 	}
 
-	packet, err := did.DHT(doc.ID).ToDNSPacket(*doc, nil, nil)
+	packet, err := did.DHT(doc.ID).ToDNSPacket(*doc, nil, nil, nil)
 	if err != nil {
 		return "", nil, err
 	}
diff --git a/impl/integrationtest/main.go b/impl/integrationtest/main.go
index 18ed29c7..03b45fca 100644
--- a/impl/integrationtest/main.go
+++ b/impl/integrationtest/main.go
@@ -98,7 +98,7 @@ func generateDIDPutRequest() (string, []byte, error) {
 		return "", nil, err
 	}
 
-	packet, err := did.DHT(doc.ID).ToDNSPacket(*doc, nil, nil)
+	packet, err := did.DHT(doc.ID).ToDNSPacket(*doc, nil, nil, nil)
 	if err != nil {
 		return "", nil, err
 	}
diff --git a/impl/internal/did/client.go b/impl/internal/did/client.go
index d945e21b..d0c0ef34 100644
--- a/impl/internal/did/client.go
+++ b/impl/internal/did/client.go
@@ -8,7 +8,6 @@ import (
 	"net/url"
 	"time"
 
-	"github.com/TBD54566975/ssi-sdk/did"
 	"github.com/anacrolix/dht/v2/bep44"
 	"github.com/miekg/dns"
 	"github.com/pkg/errors"
@@ -34,30 +33,30 @@ func NewGatewayClient(gatewayURL string) (*GatewayClient, error) {
 }
 
 // GetDIDDocument gets a DID document, its types, and authoritative gateways, from a did:dht Gateway
-func (c *GatewayClient) GetDIDDocument(id string) (*did.Document, []TypeIndex, []AuthoritativeGateway, error) {
+func (c *GatewayClient) GetDIDDocument(id string) (*DIDDHTDocument, error) {
 	d := DHT(id)
 	if !d.IsValid() {
-		return nil, nil, nil, errors.New("invalid did")
+		return nil, errors.New("invalid did")
 	}
 	suffix, err := d.Suffix()
 	if err != nil {
-		return nil, nil, nil, errors.Wrap(err, "failed to get suffix")
+		return nil, errors.Wrap(err, "failed to get suffix")
 	}
 	resp, err := http.Get(c.gatewayURL + "/" + suffix)
 	if err != nil {
-		return nil, nil, nil, errors.Wrap(err, "failed to get did document")
+		return nil, errors.Wrap(err, "failed to get did document")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode != http.StatusOK {
-		return nil, nil, nil, errors.Errorf("failed to get did document, status code: %d", resp.StatusCode)
+		return nil, errors.Errorf("failed to get did document, status code: %d", resp.StatusCode)
 	}
 	body, err := io.ReadAll(resp.Body)
 	if err != nil {
-		return nil, nil, nil, errors.Wrap(err, "failed to read response body")
+		return nil, errors.Wrap(err, "failed to read response body")
 	}
 	msg := new(dns.Msg)
 	if err = msg.Unpack(body[72:]); err != nil {
-		return nil, nil, nil, errors.Wrap(err, "failed to unpack records")
+		return nil, errors.Wrap(err, "failed to unpack records")
 	}
 	return d.FromDNSPacket(msg)
 }
diff --git a/impl/internal/did/client_test.go b/impl/internal/did/client_test.go
index cea9c9e7..6c996fca 100644
--- a/impl/internal/did/client_test.go
+++ b/impl/internal/did/client_test.go
@@ -23,7 +23,7 @@ func TestClient(t *testing.T) {
 	require.NoError(t, err)
 	require.NotEmpty(t, doc)
 
-	packet, err := DHT(doc.ID).ToDNSPacket(*doc, nil, nil)
+	packet, err := DHT(doc.ID).ToDNSPacket(*doc, nil, nil, nil)
 	assert.NoError(t, err)
 	assert.NotEmpty(t, packet)
 
@@ -34,9 +34,9 @@ func TestClient(t *testing.T) {
 	err = client.PutDocument(doc.ID, *bep44Put)
 	assert.NoError(t, err)
 
-	gotDID, _, _, err := client.GetDIDDocument(doc.ID)
+	gotDID, err := client.GetDIDDocument(doc.ID)
 	assert.NoError(t, err)
-	assert.EqualValues(t, doc, gotDID)
+	assert.EqualValues(t, *doc, gotDID.Doc)
 
 	since := time.Since(start)
 	t.Logf("time to put and get: %s", since)
@@ -53,33 +53,25 @@ func TestInvalidDIDDocument(t *testing.T) {
 	require.NoError(t, err)
 	require.NotEmpty(t, client)
 
-	did, types, gateways, err := client.GetDIDDocument("this is not a valid did")
+	gotDID, err := client.GetDIDDocument("this is not a valid did")
 	assert.Error(t, err)
-	assert.Empty(t, did)
-	assert.Empty(t, types)
-	assert.Empty(t, gateways)
+	assert.Empty(t, gotDID)
 
-	did, types, gateways, err = client.GetDIDDocument("did:dht:example")
+	gotDID, err = client.GetDIDDocument("did:dht:example")
 	assert.EqualError(t, err, "invalid did")
-	assert.Empty(t, did)
-	assert.Empty(t, types)
-	assert.Empty(t, gateways)
+	assert.Empty(t, gotDID)
 
-	did, types, gateways, err = client.GetDIDDocument("did:dht:i9xkp8ddcbcg8jwq54ox699wuzxyifsqx4jru45zodqu453ksz6y")
+	gotDID, err = client.GetDIDDocument("did:dht:i9xkp8ddcbcg8jwq54ox699wuzxyifsqx4jru45zodqu453ksz6y")
 	assert.Error(t, err) // this should error because the gateway URL is invalid
-	assert.Empty(t, did)
-	assert.Empty(t, types)
-	assert.Empty(t, gateways)
+	assert.Empty(t, gotDID)
 
 	client, err = NewGatewayClient("https://tbd.website")
 	require.NoError(t, err)
 	require.NotEmpty(t, client)
 
-	did, types, gateways, err = client.GetDIDDocument("did:dht:i9xkp8ddcbcg8jwq54ox699wuzxyifsqx4jru45zodqu453ksz6y")
+	gotDID, err = client.GetDIDDocument("did:dht:i9xkp8ddcbcg8jwq54ox699wuzxyifsqx4jru45zodqu453ksz6y")
 	assert.Error(t, err) // this should error because the gateway URL will return a non-200
-	assert.Empty(t, did)
-	assert.Empty(t, types)
-	assert.Empty(t, gateways)
+	assert.Empty(t, gotDID)
 
 	err = client.PutDocument("did:dht:example", bep44.Put{})
 	assert.Error(t, err)
diff --git a/impl/internal/did/did.go b/impl/internal/did/did.go
index 5750cd2b..d8f617ec 100644
--- a/impl/internal/did/did.go
+++ b/impl/internal/did/did.go
@@ -23,6 +23,11 @@ type (
 	AuthoritativeGateway string
 )
 
+type PreviousDID struct {
+	PreviousDID DHT    `json:"did"`
+	Signature   string `json:"signature"`
+}
+
 const (
 	// Prefix did:dht prefix
 	Prefix               = "did:dht"
@@ -62,13 +67,26 @@ func (d DHT) Suffix() (string, error) {
 	return "", fmt.Errorf("invalid did:dht prefix: %s", d)
 }
 
+// IdentityKey returns the ed25519 public key for the DHT identifier https://did-dht.com/#identity-key
+func (d DHT) IdentityKey() (ed25519.PublicKey, error) {
+	suffix, err := d.Suffix()
+	if err != nil {
+		return nil, err
+	}
+	pk, err := zbase32.DecodeString(suffix)
+	if err != nil {
+		return nil, err
+	}
+	return pk, nil
+}
+
 func (DHT) Method() did.Method {
 	return DHTMethod
 }
 
+// CreateDIDDHTOpts is a set of options for creating a did:dht identifier
+// Note: this does not include additional properties only present in the DNS representation (e.g. gateways, types)
 type CreateDIDDHTOpts struct {
-	// AuthoritativeGateways is a list of authoritative gateways for the DID Document
-	AuthoritativeGateways []string
 	// Controller is the DID Controller, can be a list of DIDs
 	Controller []string
 	// AlsoKnownAs is a list of alternative identifiers for the DID Document
@@ -239,7 +257,7 @@ func GetDIDDHTIdentifier(pubKey []byte) string {
 }
 
 // ToDNSPacket converts a DID DHT Document to a DNS packet with an optional list of types to include
-func (d DHT) ToDNSPacket(doc did.Document, types []TypeIndex, gateways []AuthoritativeGateway) (*dns.Msg, error) {
+func (d DHT) ToDNSPacket(doc did.Document, types []TypeIndex, gateways []AuthoritativeGateway, previousDID *PreviousDID) (*dns.Msg, error) {
 	var records []dns.RR
 	var rootRecord []string
 	keyLookup := make(map[string]string)
@@ -249,6 +267,24 @@ func (d DHT) ToDNSPacket(doc did.Document, types []TypeIndex, gateways []Authori
 		return nil, errors.Wrap(err, "failed to get suffix while decoding DNS packet")
 	}
 
+	// handle the previous DID if it's present
+	if previousDID != nil {
+		// make sure it's valid
+		if err = ValidatePreviousDIDSignatureValid(d, *previousDID); err != nil {
+			return nil, err
+		}
+		// add it to the record set
+		records = append(records, &dns.TXT{
+			Hdr: dns.RR_Header{
+				Name:   "_prv._did.",
+				Rrtype: dns.TypeTXT,
+				Class:  dns.ClassINET,
+				Ttl:    7200,
+			},
+			Txt: chunkTextRecord(fmt.Sprintf("id=%s;s=%s", previousDID.PreviousDID, previousDID.Signature)),
+		})
+	}
+
 	// first append the version to the root record
 	rootRecord = append(rootRecord, fmt.Sprintf("v=%d", Version))
 
@@ -508,22 +544,32 @@ func parseServiceData(serviceEndpoint any) string {
 	return ""
 }
 
+// DIDDHTDocument is a DID DHT Document along with additional metadata the DID supports
+type DIDDHTDocument struct {
+	Doc         did.Document           `json:"did,omitempty"`
+	Types       []TypeIndex            `json:"types,omitempty"`
+	Gateways    []AuthoritativeGateway `json:"gateways,omitempty"`
+	PreviousDID *PreviousDID           `json:"previousDid,omitempty"`
+}
+
 // FromDNSPacket converts a DNS packet to a DID DHT Document
 // Returns the DID Document, a list of types, a list of authoritative gateways, and an error
-func (d DHT) FromDNSPacket(msg *dns.Msg) (*did.Document, []TypeIndex, []AuthoritativeGateway, error) {
+func (d DHT) FromDNSPacket(msg *dns.Msg) (*DIDDHTDocument, error) {
 	doc := did.Document{
 		ID: d.String(),
 	}
 
 	suffix, err := d.Suffix()
 	if err != nil {
-		return nil, nil, nil, errors.Wrap(err, "failed to get suffix while decoding DNS packet")
+		return nil, errors.Wrap(err, "failed to get suffix while decoding DNS packet")
 	}
 
 	// track the authoritative gateways
 	var gateways []AuthoritativeGateway
 	// track the types
 	var types []TypeIndex
+	// track the previous DID
+	var previousDID *PreviousDID
 	keyLookup := make(map[string]string)
 	for _, rr := range msg.Answer {
 		switch record := rr.(type) {
@@ -558,23 +604,23 @@ func (d DHT) FromDNSPacket(msg *dns.Msg) (*did.Document, []TypeIndex, []Authorit
 				// Convert keyBase64URL back to PublicKeyJWK
 				pubKeyBytes, err := base64.RawURLEncoding.DecodeString(keyBase64URL)
 				if err != nil {
-					return nil, nil, nil, err
+					return nil, err
 				}
 				// as per the spec's guidance DNS representations use compressed keys, so we must unmarshall them as such
 				pubKey, err := crypto.BytesToPubKey(pubKeyBytes, keyType, crypto.ECDSAUnmarshalCompressed)
 				if err != nil {
-					return nil, nil, nil, err
+					return nil, err
 				}
 				pubKeyJWK, err := jwx.PublicKeyToPublicKeyJWK(&vmID, pubKey)
 				if err != nil {
-					return nil, nil, nil, err
+					return nil, err
 				}
 
 				// set the algorithm if it's not the default for the key type
 				if alg == "" {
 					defaultAlg := defaultAlgForJWK(*pubKeyJWK)
 					if defaultAlg == "" {
-						return nil, nil, nil, fmt.Errorf("unable to provide default alg for unsupported key type: %s", keyType)
+						return nil, fmt.Errorf("unable to provide default alg for unsupported key type: %s", keyType)
 					}
 					pubKeyJWK.ALG = defaultAlg
 				} else {
@@ -583,7 +629,7 @@ func (d DHT) FromDNSPacket(msg *dns.Msg) (*did.Document, []TypeIndex, []Authorit
 
 				// make sure the controller of the identity key matches the DID
 				if vmID == "0" && controller != d.String() {
-					return nil, nil, nil, fmt.Errorf("controller of identity key must be the DID itself, instead it is: %s", controller)
+					return nil, fmt.Errorf("controller of identity key must be the DID itself, instead it is: %s", controller)
 				}
 
 				// if the verification method ID is not set, set it to the thumbprint
@@ -592,7 +638,7 @@ func (d DHT) FromDNSPacket(msg *dns.Msg) (*did.Document, []TypeIndex, []Authorit
 				}
 
 				if vmID != "0" && pubKeyJWK.KID != vmID {
-					return nil, nil, nil, fmt.Errorf("verification method JWK KID must be set to its thumbprint")
+					return nil, fmt.Errorf("verification method JWK KID must be set to its thumbprint")
 				}
 
 				vm := did.VerificationMethod{
@@ -634,23 +680,34 @@ func (d DHT) FromDNSPacket(msg *dns.Msg) (*did.Document, []TypeIndex, []Authorit
 
 			} else if record.Hdr.Name == "_typ._did." {
 				if record.Txt[0] == "" {
-					return nil, nil, nil, fmt.Errorf("types record is empty")
+					return nil, fmt.Errorf("types record is empty")
 				}
 				unchunkedTextRecord := unchunkTextRecord(record.Txt)
 				typesStr := strings.Split(strings.TrimPrefix(unchunkedTextRecord, "id="), ",")
 				for _, t := range typesStr {
 					tInt, err := strconv.Atoi(t)
 					if err != nil {
-						return nil, nil, nil, err
+						return nil, err
 					}
 					types = append(types, TypeIndex(tInt))
 				}
 			} else if record.Hdr.Name == fmt.Sprintf("_did.%s.", suffix) && record.Hdr.Rrtype == dns.TypeNS {
 				if record.Txt[0] == "" {
-					return nil, nil, nil, fmt.Errorf("gateway record is empty")
+					return nil, fmt.Errorf("gateway record is empty")
 				}
 				unchunkedTextRecord := unchunkTextRecord(record.Txt)
 				gateways = append(gateways, AuthoritativeGateway(unchunkedTextRecord))
+			} else if record.Hdr.Name == "_prv._did." && record.Hdr.Rrtype == dns.TypeTXT {
+				unchunkedTextRecord := unchunkTextRecord(record.Txt)
+				data := parseTxtData(unchunkedTextRecord)
+				previousDID = &PreviousDID{
+					PreviousDID: DHT(data["id"]),
+					Signature:   data["s"],
+				}
+				// validate previous DID signature
+				if err = ValidatePreviousDIDSignatureValid(d, *previousDID); err != nil {
+					return nil, err
+				}
 			} else if record.Hdr.Name == fmt.Sprintf("_did.%s.", suffix) && record.Hdr.Rrtype == dns.TypeTXT {
 				unchunkedTextRecord := unchunkTextRecord(record.Txt)
 				rootItems := strings.Split(unchunkedTextRecord, ";")
@@ -668,7 +725,7 @@ func (d DHT) FromDNSPacket(msg *dns.Msg) (*did.Document, []TypeIndex, []Authorit
 					switch key {
 					case "v":
 						if len(valueItems) != 1 || valueItems[0] != strconv.Itoa(Version) {
-							return nil, nil, nil, fmt.Errorf("invalid version: %s", values)
+							return nil, fmt.Errorf("invalid version: %s", values)
 						}
 						seenVersion = true
 					case "auth":
@@ -694,13 +751,51 @@ func (d DHT) FromDNSPacket(msg *dns.Msg) (*did.Document, []TypeIndex, []Authorit
 					}
 				}
 				if !seenVersion {
-					return nil, nil, nil, fmt.Errorf("root record missing version identifier")
+					return nil, fmt.Errorf("root record missing version identifier")
 				}
 			}
 		}
 	}
 
-	return &doc, types, gateways, nil
+	return &DIDDHTDocument{
+		Doc:         doc,
+		Types:       types,
+		Gateways:    gateways,
+		PreviousDID: previousDID,
+	}, nil
+}
+
+// CreatePreviousDIDRecord creates a PreviousDID record for the given previous DID and current DID
+func CreatePreviousDIDRecord(previousDIDPrivateKey ed25519.PrivateKey, previousDID, currentDID DHT) (*PreviousDID, error) {
+	currentDIDIdentityKey, err := currentDID.IdentityKey()
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to get identity key from currentDID: %s", currentDID)
+	}
+	previousDIDSignature := ed25519.Sign(previousDIDPrivateKey, currentDIDIdentityKey)
+	return &PreviousDID{
+		PreviousDID: previousDID,
+		Signature:   base64.RawURLEncoding.EncodeToString(previousDIDSignature),
+	}, nil
+}
+
+// ValidatePreviousDIDSignatureValid validates the signature of the previous DID over the current DID
+func ValidatePreviousDIDSignatureValid(currentDID DHT, previousDID PreviousDID) error {
+	identityKey, err := currentDID.IdentityKey()
+	if err != nil {
+		return errors.Wrapf(err, "failed to get identity key from the current DID: %s", currentDID)
+	}
+	previousDIDKey, err := previousDID.PreviousDID.IdentityKey()
+	if err != nil {
+		return errors.Wrapf(err, "failed to get identity key from the previous DID: %s", previousDID.PreviousDID)
+	}
+	decodedSignature, err := base64.RawURLEncoding.DecodeString(previousDID.Signature)
+	if err != nil {
+		return errors.Wrap(err, "failed to decode the previous DID's signature")
+	}
+	if ok := ed25519.Verify(previousDIDKey, identityKey, decodedSignature); !ok {
+		return errors.New("the previous DID signature is invalid")
+	}
+	return nil
 }
 
 func parseTxtData(data string) map[string]string {
diff --git a/impl/internal/did/did_test.go b/impl/internal/did/did_test.go
index fe72b545..cee0203c 100644
--- a/impl/internal/did/did_test.go
+++ b/impl/internal/did/did_test.go
@@ -3,15 +3,13 @@ package did
 import (
 	"crypto/ed25519"
 	"fmt"
-	"strings"
 	"testing"
 
-	"github.com/TBD54566975/ssi-sdk/cryptosuite"
-	"github.com/goccy/go-json"
-
 	"github.com/TBD54566975/ssi-sdk/crypto"
 	"github.com/TBD54566975/ssi-sdk/crypto/jwx"
+	"github.com/TBD54566975/ssi-sdk/cryptosuite"
 	"github.com/TBD54566975/ssi-sdk/did"
+	"github.com/goccy/go-json"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -126,20 +124,22 @@ func TestToDNSPacket(t *testing.T) {
 		require.NotEmpty(t, doc)
 
 		didID := DHT(doc.ID)
-		packet, err := didID.ToDNSPacket(*doc, nil, nil)
+		packet, err := didID.ToDNSPacket(*doc, nil, nil, nil)
 		require.NoError(t, err)
 		require.NotEmpty(t, packet)
 
-		decodedDoc, types, gateways, err := didID.FromDNSPacket(packet)
+		didDHTDoc, err := didID.FromDNSPacket(packet)
 		require.NoError(t, err)
-		require.NotEmpty(t, decodedDoc)
-		require.Empty(t, types)
-		require.Empty(t, gateways)
+		require.NotEmpty(t, didDHTDoc)
+		require.NotEmpty(t, didDHTDoc.Doc)
+		require.Empty(t, didDHTDoc.Types)
+		require.Empty(t, didDHTDoc.Gateways)
+		require.Empty(t, didDHTDoc.PreviousDID)
 
 		jsonDoc, err := json.Marshal(doc)
 		require.NoError(t, err)
 
-		jsonDecodedDoc, err := json.Marshal(decodedDoc)
+		jsonDecodedDoc, err := json.Marshal(didDHTDoc.Doc)
 		require.NoError(t, err)
 
 		assert.JSONEq(t, string(jsonDoc), string(jsonDecodedDoc))
@@ -152,19 +152,21 @@ func TestToDNSPacket(t *testing.T) {
 		require.NotEmpty(t, doc)
 
 		didID := DHT(doc.ID)
-		packet, err := didID.ToDNSPacket(*doc, []TypeIndex{1, 2, 3}, []AuthoritativeGateway{"gateway1.example-did-dht-gateway.com."})
+		packet, err := didID.ToDNSPacket(*doc, []TypeIndex{1, 2, 3}, []AuthoritativeGateway{"gateway1.example-did-dht-gateway.com."}, nil)
 		require.NoError(t, err)
 		require.NotEmpty(t, packet)
 
-		decodedDoc, types, gateways, err := didID.FromDNSPacket(packet)
+		didDHTDoc, err := didID.FromDNSPacket(packet)
 		require.NoError(t, err)
-		require.NotEmpty(t, decodedDoc)
-		require.NotEmpty(t, types)
-		require.Equal(t, types, []TypeIndex{1, 2, 3})
-		require.NotEmpty(t, gateways)
-		require.Equal(t, gateways, []AuthoritativeGateway{"gateway1.example-did-dht-gateway.com."})
+		require.NotEmpty(t, didDHTDoc)
+		require.NotEmpty(t, didDHTDoc.Doc)
+		require.NotEmpty(t, didDHTDoc.Types)
+		require.Empty(t, didDHTDoc.PreviousDID)
+		require.Equal(t, didDHTDoc.Types, []TypeIndex{1, 2, 3})
+		require.NotEmpty(t, didDHTDoc.Gateways)
+		require.Equal(t, didDHTDoc.Gateways, []AuthoritativeGateway{"gateway1.example-did-dht-gateway.com."})
 
-		assert.EqualValues(t, *doc, *decodedDoc)
+		assert.EqualValues(t, *doc, didDHTDoc.Doc)
 	})
 
 	t.Run("doc with multiple keys and services - test to dns packet round trip", func(t *testing.T) {
@@ -205,17 +207,19 @@ func TestToDNSPacket(t *testing.T) {
 		require.NotEmpty(t, doc)
 
 		didID := DHT(doc.ID)
-		packet, err := didID.ToDNSPacket(*doc, nil, nil)
+		packet, err := didID.ToDNSPacket(*doc, nil, nil, nil)
 		require.NoError(t, err)
 		require.NotEmpty(t, packet)
 
-		decodedDoc, types, gateways, err := didID.FromDNSPacket(packet)
+		didDHTDoc, err := didID.FromDNSPacket(packet)
 		require.NoError(t, err)
-		require.NotEmpty(t, decodedDoc)
-		require.Empty(t, types)
-		require.Empty(t, gateways)
+		require.NotEmpty(t, didDHTDoc)
+		require.NotEmpty(t, didDHTDoc.Doc)
+		require.Empty(t, didDHTDoc.Types)
+		require.Empty(t, didDHTDoc.Gateways)
+		require.Empty(t, didDHTDoc.PreviousDID)
 
-		decodedJSON, err := json.Marshal(decodedDoc)
+		decodedJSON, err := json.Marshal(didDHTDoc.Doc)
 		require.NoError(t, err)
 
 		docJSON, err := json.Marshal(doc)
@@ -225,273 +229,7 @@ func TestToDNSPacket(t *testing.T) {
 	})
 }
 
-func TestVectors(t *testing.T) {
-	type testVectorDNSRecord struct {
-		Name       string   `json:"name"`
-		RecordType string   `json:"type"`
-		TTL        string   `json:"ttl"`
-		Record     []string `json:"rdata"`
-	}
-
-	t.Run("test vector 1", func(t *testing.T) {
-		var pubKeyJWK jwx.PublicKeyJWK
-		retrieveTestVectorAs(t, vector1PublicKeyJWK1, &pubKeyJWK)
-
-		pubKey, err := pubKeyJWK.ToPublicKey()
-		require.NoError(t, err)
-
-		doc, err := CreateDIDDHTDID(pubKey.(ed25519.PublicKey), CreateDIDDHTOpts{})
-		require.NoError(t, err)
-		require.NotEmpty(t, doc)
-
-		var expectedDIDDocument did.Document
-		retrieveTestVectorAs(t, vector1DIDDocument, &expectedDIDDocument)
-
-		docJSON, err := json.Marshal(doc)
-		require.NoError(t, err)
-
-		expectedDIDDocJSON, err := json.Marshal(expectedDIDDocument)
-		require.NoError(t, err)
-
-		assert.JSONEq(t, string(expectedDIDDocJSON), string(docJSON))
-
-		didID := DHT(doc.ID)
-		packet, err := didID.ToDNSPacket(*doc, nil, nil)
-		require.NoError(t, err)
-		require.NotEmpty(t, packet)
-
-		var expectedDNSRecords []testVectorDNSRecord
-		retrieveTestVectorAs(t, vector1DNSRecords, &expectedDNSRecords)
-
-		// Initialize a map to track matched records
-		matchedRecords := make(map[int]bool)
-		for i := range expectedDNSRecords {
-			matchedRecords[i] = false // Initialize all expected records as unmatched
-		}
-
-		for _, record := range packet.Answer {
-			for i, expectedRecord := range expectedDNSRecords {
-				if record.Header().Name == expectedRecord.Name {
-					s := record.String()
-					if strings.Contains(s, expectedRecord.RecordType) &&
-						strings.Contains(s, expectedRecord.TTL) &&
-						strings.Contains(s, strings.Join(expectedRecord.Record, "")) {
-						matchedRecords[i] = true // Mark as matched
-						break
-					}
-				}
-			}
-		}
-
-		// Check if all expected records have been matched
-		for i, matched := range matchedRecords {
-			require.True(t, matched, fmt.Sprintf("Expected DNS record %d: %+v not matched", i, expectedDNSRecords[i]))
-		}
-
-		// Make sure going back to DID Document is consistent
-		decodedDoc, types, gateways, err := didID.FromDNSPacket(packet)
-		require.NoError(t, err)
-		require.NotEmpty(t, decodedDoc)
-		require.Empty(t, types)
-		require.Empty(t, gateways)
-
-		decodedDocJSON, err := json.Marshal(decodedDoc)
-		require.NoError(t, err)
-		assert.JSONEq(t, string(expectedDIDDocJSON), string(decodedDocJSON))
-	})
-
-	t.Run("test vector 2", func(t *testing.T) {
-		var pubKeyJWK jwx.PublicKeyJWK
-		retrieveTestVectorAs(t, vector1PublicKeyJWK1, &pubKeyJWK)
-
-		pubKey, err := pubKeyJWK.ToPublicKey()
-		require.NoError(t, err)
-
-		var secpJWK jwx.PublicKeyJWK
-		retrieveTestVectorAs(t, vector2PublicKeyJWK2, &secpJWK)
-
-		doc, err := CreateDIDDHTDID(pubKey.(ed25519.PublicKey), CreateDIDDHTOpts{
-			AuthoritativeGateways: []string{
-				"gateway1.example-did-dht-gateway.com.",
-				"gateway2.example-did-dht-gateway.com.",
-			},
-			Controller:  []string{"did:example:abcd"},
-			AlsoKnownAs: []string{"did:example:efgh", "did:example:ijkl"},
-			VerificationMethods: []VerificationMethod{
-				{
-					VerificationMethod: did.VerificationMethod{
-						ID:           secpJWK.KID,
-						Type:         cryptosuite.JSONWebKeyType,
-						PublicKeyJWK: &secpJWK,
-					},
-					Purposes: []did.PublicKeyPurpose{did.AssertionMethod, did.CapabilityInvocation},
-				},
-			},
-			Services: []did.Service{
-				{
-					ID:              "service-1",
-					Type:            "TestService",
-					ServiceEndpoint: []string{"https://test-service.com/1", "https://test-service.com/2"},
-				},
-			},
-		})
-		require.NoError(t, err)
-		require.NotEmpty(t, doc)
-
-		var expectedDIDDocument did.Document
-		retrieveTestVectorAs(t, vector2DIDDocument, &expectedDIDDocument)
-
-		docJSON, err := json.Marshal(doc)
-		require.NoError(t, err)
-
-		expectedDIDDocJSON, err := json.Marshal(expectedDIDDocument)
-		require.NoError(t, err)
-
-		assert.JSONEq(t, string(expectedDIDDocJSON), string(docJSON))
-
-		didID := DHT(doc.ID)
-		packet, err := didID.ToDNSPacket(*doc, []TypeIndex{1, 2, 3},
-			[]AuthoritativeGateway{"gateway1.example-did-dht-gateway.com.", "gateway2.example-did-dht-gateway.com."})
-		require.NoError(t, err)
-		require.NotEmpty(t, packet)
-
-		var expectedDNSRecords []testVectorDNSRecord
-		retrieveTestVectorAs(t, vector2DNSRecords, &expectedDNSRecords)
-
-		// Initialize a map to track matched records
-		matchedRecords := make(map[int]bool)
-		for i := range expectedDNSRecords {
-			matchedRecords[i] = false // Initialize all expected records as unmatched
-		}
-
-		for _, record := range packet.Answer {
-			for i, expectedRecord := range expectedDNSRecords {
-				if record.Header().Name == expectedRecord.Name {
-					s := record.String()
-					if strings.Contains(s, expectedRecord.RecordType) &&
-						strings.Contains(s, expectedRecord.TTL) &&
-						strings.Contains(s, strings.Join(expectedRecord.Record, "")) {
-						matchedRecords[i] = true // Mark as matched
-						break
-					}
-				}
-			}
-		}
-
-		// Check if all expected records have been matched
-		for i, matched := range matchedRecords {
-			require.True(t, matched, fmt.Sprintf("Expected DNS record %d: %+v not matched", i, expectedDNSRecords[i]))
-		}
-
-		// Make sure going back to DID Document is consistent
-		decodedDoc, types, gateways, err := didID.FromDNSPacket(packet)
-		require.NoError(t, err)
-		require.NotEmpty(t, decodedDoc)
-		require.NotEmpty(t, types)
-		require.Equal(t, types, []TypeIndex{1, 2, 3})
-		require.NotEmpty(t, gateways)
-		require.Equal(t, gateways, []AuthoritativeGateway{"gateway1.example-did-dht-gateway.com.", "gateway2.example-did-dht-gateway.com."})
-
-		decodedDocJSON, err := json.Marshal(decodedDoc)
-		require.NoError(t, err)
-		assert.JSONEq(t, string(expectedDIDDocJSON), string(decodedDocJSON))
-	})
-
-	t.Run("test vector 3", func(t *testing.T) {
-		var pubKeyJWK jwx.PublicKeyJWK
-		retrieveTestVectorAs(t, vector3PublicKeyJWK1, &pubKeyJWK)
-
-		pubKey, err := pubKeyJWK.ToPublicKey()
-		require.NoError(t, err)
-
-		var x25519JWK jwx.PublicKeyJWK
-		retrieveTestVectorAs(t, vector3PublicKeyJWK2, &x25519JWK)
-
-		doc, err := CreateDIDDHTDID(pubKey.(ed25519.PublicKey), CreateDIDDHTOpts{
-			VerificationMethods: []VerificationMethod{
-				{
-					VerificationMethod: did.VerificationMethod{
-						ID:           x25519JWK.KID,
-						Type:         cryptosuite.JSONWebKeyType,
-						PublicKeyJWK: &x25519JWK,
-					},
-					Purposes: []did.PublicKeyPurpose{did.KeyAgreement},
-				},
-			},
-			Services: []did.Service{
-				{
-					ID:              "service-1",
-					Type:            "TestLongService",
-					ServiceEndpoint: []string{"https://test-lllllllllllllllllllllllllllllllllllooooooooooooooooooooonnnnnnnnnnnnnnnnnnngggggggggggggggggggggggggggggggggggggsssssssssssssssssssssssssseeeeeeeeeeeeeeeeeeerrrrrrrrrrrrrrrvvvvvvvvvvvvvvvvvvvviiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiccccccccccccccccccccccccccccccceeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee.com/1"},
-				},
-			},
-		})
-		require.NoError(t, err)
-		require.NotEmpty(t, doc)
-
-		var expectedDIDDocument did.Document
-		retrieveTestVectorAs(t, vector3DIDDocument, &expectedDIDDocument)
-
-		docJSON, err := json.Marshal(doc)
-		require.NoError(t, err)
-
-		expectedDIDDocJSON, err := json.Marshal(expectedDIDDocument)
-		require.NoError(t, err)
-
-		assert.JSONEq(t, string(expectedDIDDocJSON), string(docJSON))
-		didID := DHT(doc.ID)
-		packet, err := didID.ToDNSPacket(*doc, nil, []AuthoritativeGateway{"gateway1.example-did-dht-gateway.com."})
-		require.NoError(t, err)
-		require.NotEmpty(t, packet)
-
-		var expectedDNSRecords []testVectorDNSRecord
-		retrieveTestVectorAs(t, vector3DNSRecords, &expectedDNSRecords)
-
-		// Initialize a map to track matched records
-		matchedRecords := make(map[int]bool)
-		for i := range expectedDNSRecords {
-			matchedRecords[i] = false // Initialize all expected records as unmatched
-		}
-
-		for _, record := range packet.Answer {
-			for i, expectedRecord := range expectedDNSRecords {
-				if record.Header().Name == expectedRecord.Name {
-					s := record.String()
-					if strings.Contains(s, expectedRecord.RecordType) &&
-						strings.Contains(s, expectedRecord.TTL) {
-						// make sure all parts of the record are contained within s
-						for _, r := range expectedRecord.Record {
-							if !strings.Contains(s, r) {
-								break
-							}
-						}
-						matchedRecords[i] = true // Mark as matched
-						break
-					}
-				}
-			}
-		}
-
-		// Check if all expected records have been matched
-		for i, matched := range matchedRecords {
-			require.True(t, matched, fmt.Sprintf("Expected DNS record %d: %+v not matched", i, expectedDNSRecords[i]))
-		}
-
-		// Make sure going back to DID Document is consistent
-		decodedDoc, types, gateways, err := didID.FromDNSPacket(packet)
-		require.NoError(t, err)
-		require.NotEmpty(t, decodedDoc)
-		require.Empty(t, types)
-		require.NotEmpty(t, gateways)
-		require.Equal(t, gateways, []AuthoritativeGateway{"gateway1.example-did-dht-gateway.com."})
-
-		decodedDocJSON, err := json.Marshal(decodedDoc)
-		require.NoError(t, err)
-		assert.JSONEq(t, string(expectedDIDDocJSON), string(decodedDocJSON))
-	})
-}
-
-func TestMisc(t *testing.T) {
+func TestDIDDHTFeatures(t *testing.T) {
 	t.Run("DHT.Method()", func(t *testing.T) {
 		privKey, doc, err := GenerateDIDDHT(CreateDIDDHTOpts{})
 		require.NoError(t, err)
@@ -639,6 +377,73 @@ func TestMisc(t *testing.T) {
 		assert.NoError(t, err)
 		assert.NotEmpty(t, doc)
 	})
+
+	t.Run("prev", func(t *testing.T) {
+		previousPrivKey, previousDoc, err := GenerateDIDDHT(CreateDIDDHTOpts{})
+		require.NoError(t, err)
+		require.NotEmpty(t, previousPrivKey)
+		require.NotEmpty(t, previousDoc)
+
+		previousDIDDHT := DHT(previousDoc.ID)
+		previousDID, err := CreatePreviousDIDRecord(previousPrivKey, previousDIDDHT, "did:dht:sr6jgmcc84xig18ix66qbiwnzeiumocaaybh13f5w97bfzus4pcy")
+		assert.NoError(t, err)
+		assert.NotEmpty(t, previousDID)
+
+		println(previousDID.PreviousDID.String())
+		println(previousDID.Signature)
+	})
+
+	t.Run("Test Previous DID", func(t *testing.T) {
+		// generate previous DID
+		previousPrivKey, previousDoc, err := GenerateDIDDHT(CreateDIDDHTOpts{})
+		require.NoError(t, err)
+		require.NotEmpty(t, previousPrivKey)
+		require.NotEmpty(t, previousDoc)
+
+		// generate new DID
+		doc, err := CreateDIDDHTDID(pubKey.(ed25519.PublicKey), CreateDIDDHTOpts{})
+		assert.NoError(t, err)
+		assert.NotEmpty(t, doc)
+
+		// set previous DID signature
+		previousDIDDHT := DHT(previousDoc.ID)
+		currentDIDDHT := DHT(doc.ID)
+		previousDID, err := CreatePreviousDIDRecord(previousPrivKey, previousDIDDHT, currentDIDDHT)
+		assert.NoError(t, err)
+		assert.NotEmpty(t, previousDID)
+		assert.NotEmpty(t, previousDID.PreviousDID)
+		assert.Equal(t, previousDID.PreviousDID.String(), previousDoc.ID)
+		assert.NotEmpty(t, previousDID.Signature)
+
+		// validate previous DID signature
+		err = ValidatePreviousDIDSignatureValid(currentDIDDHT, *previousDID)
+		assert.NoError(t, err)
+
+		// construct the DNS packet with the previous DID entry
+		dnsMsg, err := currentDIDDHT.ToDNSPacket(*doc, nil, nil, previousDID)
+		assert.NoError(t, err)
+		assert.NotEmpty(t, dnsMsg)
+
+		// parse the DNS packet
+		didDHTDoc, err := currentDIDDHT.FromDNSPacket(dnsMsg)
+		assert.NoError(t, err)
+		assert.NotEmpty(t, didDHTDoc)
+		assert.NotEmpty(t, didDHTDoc.Doc)
+		assert.NotEmpty(t, didDHTDoc.PreviousDID)
+		assert.Equal(t, didDHTDoc.PreviousDID.PreviousDID.String(), previousDoc.ID)
+		assert.NotEmpty(t, didDHTDoc.PreviousDID.Signature)
+
+		// validate previous DID signature with wrong DID
+		err = ValidatePreviousDIDSignatureValid("did:dht:123456789abcdefghi", *previousDID)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "failed to get identity key from the current DID")
+
+		// validate previous DID signature with wrong signature
+		previousDID.Signature = "wrong signature"
+		err = ValidatePreviousDIDSignatureValid(currentDIDDHT, *previousDID)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "failed to decode the previous DID's signature")
+	})
 }
 
 func TestCreationFailures(t *testing.T) {
diff --git a/impl/internal/did/did_vectors_test.go b/impl/internal/did/did_vectors_test.go
new file mode 100644
index 00000000..7f5a22bf
--- /dev/null
+++ b/impl/internal/did/did_vectors_test.go
@@ -0,0 +1,291 @@
+package did
+
+import (
+	"crypto/ed25519"
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/TBD54566975/ssi-sdk/crypto/jwx"
+	"github.com/TBD54566975/ssi-sdk/cryptosuite"
+	"github.com/TBD54566975/ssi-sdk/did"
+	"github.com/goccy/go-json"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// TestVectors from the spec https://did-dht.com/#test-vectors
+func TestVectors(t *testing.T) {
+	type testVectorDNSRecord struct {
+		Name       string   `json:"name"`
+		RecordType string   `json:"type"`
+		TTL        string   `json:"ttl"`
+		Record     []string `json:"rdata"`
+	}
+
+	// https://did-dht.com/#vector-1
+	t.Run("test vector 1", func(t *testing.T) {
+		var pubKeyJWK jwx.PublicKeyJWK
+		retrieveTestVectorAs(t, vector1PublicKeyJWK1, &pubKeyJWK)
+
+		pubKey, err := pubKeyJWK.ToPublicKey()
+		require.NoError(t, err)
+
+		doc, err := CreateDIDDHTDID(pubKey.(ed25519.PublicKey), CreateDIDDHTOpts{})
+		require.NoError(t, err)
+		require.NotEmpty(t, doc)
+
+		var expectedDIDDocument did.Document
+		retrieveTestVectorAs(t, vector1DIDDocument, &expectedDIDDocument)
+
+		docJSON, err := json.Marshal(doc)
+		require.NoError(t, err)
+
+		expectedDIDDocJSON, err := json.Marshal(expectedDIDDocument)
+		require.NoError(t, err)
+
+		assert.JSONEq(t, string(expectedDIDDocJSON), string(docJSON))
+
+		didID := DHT(doc.ID)
+		packet, err := didID.ToDNSPacket(*doc, nil, nil, nil)
+		require.NoError(t, err)
+		require.NotEmpty(t, packet)
+
+		var expectedDNSRecords []testVectorDNSRecord
+		retrieveTestVectorAs(t, vector1DNSRecords, &expectedDNSRecords)
+
+		// Initialize a map to track matched records
+		matchedRecords := make(map[int]bool)
+		for i := range expectedDNSRecords {
+			matchedRecords[i] = false // Initialize all expected records as unmatched
+		}
+
+		for _, record := range packet.Answer {
+			for i, expectedRecord := range expectedDNSRecords {
+				if record.Header().Name == expectedRecord.Name {
+					s := record.String()
+					if strings.Contains(s, expectedRecord.RecordType) &&
+						strings.Contains(s, expectedRecord.TTL) &&
+						strings.Contains(s, strings.Join(expectedRecord.Record, "")) {
+						matchedRecords[i] = true // Mark as matched
+						break
+					}
+				}
+			}
+		}
+
+		// Check if all expected records have been matched
+		for i, matched := range matchedRecords {
+			require.True(t, matched, fmt.Sprintf("Expected DNS record %d: %+v not matched", i, expectedDNSRecords[i]))
+		}
+
+		// Make sure going back to DID Document is consistent
+		didDHTDoc, err := didID.FromDNSPacket(packet)
+		require.NoError(t, err)
+		require.NotEmpty(t, didDHTDoc)
+		require.NotEmpty(t, didDHTDoc.Doc)
+		require.Empty(t, didDHTDoc.Types)
+		require.Empty(t, didDHTDoc.Gateways)
+
+		decodedDocJSON, err := json.Marshal(didDHTDoc.Doc)
+		require.NoError(t, err)
+		assert.JSONEq(t, string(expectedDIDDocJSON), string(decodedDocJSON))
+	})
+
+	// https://did-dht.com/#vector-2
+	t.Run("test vector 2", func(t *testing.T) {
+		var pubKeyJWK jwx.PublicKeyJWK
+		retrieveTestVectorAs(t, vector1PublicKeyJWK1, &pubKeyJWK)
+
+		pubKey, err := pubKeyJWK.ToPublicKey()
+		require.NoError(t, err)
+
+		var secpJWK jwx.PublicKeyJWK
+		retrieveTestVectorAs(t, vector2PublicKeyJWK2, &secpJWK)
+
+		doc, err := CreateDIDDHTDID(pubKey.(ed25519.PublicKey), CreateDIDDHTOpts{
+			Controller:  []string{"did:example:abcd"},
+			AlsoKnownAs: []string{"did:example:efgh", "did:example:ijkl"},
+			VerificationMethods: []VerificationMethod{
+				{
+					VerificationMethod: did.VerificationMethod{
+						ID:           secpJWK.KID,
+						Type:         cryptosuite.JSONWebKeyType,
+						PublicKeyJWK: &secpJWK,
+					},
+					Purposes: []did.PublicKeyPurpose{did.AssertionMethod, did.CapabilityInvocation},
+				},
+			},
+			Services: []did.Service{
+				{
+					ID:              "service-1",
+					Type:            "TestService",
+					ServiceEndpoint: []string{"https://test-service.com/1", "https://test-service.com/2"},
+				},
+			},
+		})
+		require.NoError(t, err)
+		require.NotEmpty(t, doc)
+
+		var expectedDIDDocument did.Document
+		retrieveTestVectorAs(t, vector2DIDDocument, &expectedDIDDocument)
+
+		docJSON, err := json.Marshal(doc)
+		require.NoError(t, err)
+
+		expectedDIDDocJSON, err := json.Marshal(expectedDIDDocument)
+		require.NoError(t, err)
+
+		assert.JSONEq(t, string(expectedDIDDocJSON), string(docJSON))
+
+		didID := DHT(doc.ID)
+		packet, err := didID.ToDNSPacket(*doc, []TypeIndex{1, 2, 3},
+			[]AuthoritativeGateway{"gateway1.example-did-dht-gateway.com.", "gateway2.example-did-dht-gateway.com."}, nil)
+		require.NoError(t, err)
+		require.NotEmpty(t, packet)
+
+		var expectedDNSRecords []testVectorDNSRecord
+		retrieveTestVectorAs(t, vector2DNSRecords, &expectedDNSRecords)
+
+		// Initialize a map to track matched records
+		matchedRecords := make(map[int]bool)
+		for i := range expectedDNSRecords {
+			matchedRecords[i] = false // Initialize all expected records as unmatched
+		}
+
+		for _, record := range packet.Answer {
+			for i, expectedRecord := range expectedDNSRecords {
+				if record.Header().Name == expectedRecord.Name {
+					s := record.String()
+					if strings.Contains(s, expectedRecord.RecordType) &&
+						strings.Contains(s, expectedRecord.TTL) &&
+						strings.Contains(s, strings.Join(expectedRecord.Record, "")) {
+						matchedRecords[i] = true // Mark as matched
+						break
+					}
+				}
+			}
+		}
+
+		// Check if all expected records have been matched
+		for i, matched := range matchedRecords {
+			require.True(t, matched, fmt.Sprintf("Expected DNS record %d: %+v not matched", i, expectedDNSRecords[i]))
+		}
+
+		// Make sure going back to DID Document is consistent
+		didDHTDoc, err := didID.FromDNSPacket(packet)
+		require.NoError(t, err)
+		require.NotEmpty(t, didDHTDoc)
+		require.NotEmpty(t, didDHTDoc.Doc)
+		require.NotEmpty(t, didDHTDoc.Types)
+		require.Equal(t, didDHTDoc.Types, []TypeIndex{1, 2, 3})
+		require.NotEmpty(t, didDHTDoc.Gateways)
+		require.Equal(t, didDHTDoc.Gateways, []AuthoritativeGateway{"gateway1.example-did-dht-gateway.com.", "gateway2.example-did-dht-gateway.com."})
+		require.Empty(t, didDHTDoc.PreviousDID)
+
+		decodedDocJSON, err := json.Marshal(didDHTDoc.Doc)
+		require.NoError(t, err)
+		assert.JSONEq(t, string(expectedDIDDocJSON), string(decodedDocJSON))
+	})
+
+	// https://did-dht.com/#vector-3
+	t.Run("test vector 3", func(t *testing.T) {
+		var pubKeyJWK jwx.PublicKeyJWK
+		retrieveTestVectorAs(t, vector3PublicKeyJWK1, &pubKeyJWK)
+
+		pubKey, err := pubKeyJWK.ToPublicKey()
+		require.NoError(t, err)
+
+		var x25519JWK jwx.PublicKeyJWK
+		retrieveTestVectorAs(t, vector3PublicKeyJWK2, &x25519JWK)
+
+		doc, err := CreateDIDDHTDID(pubKey.(ed25519.PublicKey), CreateDIDDHTOpts{
+			VerificationMethods: []VerificationMethod{
+				{
+					VerificationMethod: did.VerificationMethod{
+						ID:           x25519JWK.KID,
+						Type:         cryptosuite.JSONWebKeyType,
+						PublicKeyJWK: &x25519JWK,
+					},
+					Purposes: []did.PublicKeyPurpose{did.KeyAgreement},
+				},
+			},
+			Services: []did.Service{
+				{
+					ID:              "service-1",
+					Type:            "TestLongService",
+					ServiceEndpoint: []string{"https://test-lllllllllllllllllllllllllllllllllllooooooooooooooooooooonnnnnnnnnnnnnnnnnnngggggggggggggggggggggggggggggggggggggsssssssssssssssssssssssssseeeeeeeeeeeeeeeeeeerrrrrrrrrrrrrrrvvvvvvvvvvvvvvvvvvvviiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiccccccccccccccccccccccccccccccceeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee.com/1"},
+				},
+			},
+		})
+		require.NoError(t, err)
+		require.NotEmpty(t, doc)
+
+		var expectedDIDDocument did.Document
+		retrieveTestVectorAs(t, vector3DIDDocument, &expectedDIDDocument)
+
+		docJSON, err := json.Marshal(doc)
+		require.NoError(t, err)
+
+		expectedDIDDocJSON, err := json.Marshal(expectedDIDDocument)
+		require.NoError(t, err)
+
+		assert.JSONEq(t, string(expectedDIDDocJSON), string(docJSON))
+		didID := DHT(doc.ID)
+		previousDID := PreviousDID{
+			PreviousDID: "did:dht:x3heus3ke8fhgb5pbecday9wtbfynd6m19q4pm6gcf5j356qhjzo",
+			Signature:   "Tt9DRT6J32v7O2lzbfasW63_FfagiMHTHxtaEOD7p85zHE0r_EfiNleyL6BZGyB1P-oQ5p6_7KONaHAjr2K6Bw",
+		}
+		packet, err := didID.ToDNSPacket(*doc, nil, []AuthoritativeGateway{"gateway1.example-did-dht-gateway.com."}, &previousDID)
+		require.NoError(t, err)
+		require.NotEmpty(t, packet)
+
+		var expectedDNSRecords []testVectorDNSRecord
+		retrieveTestVectorAs(t, vector3DNSRecords, &expectedDNSRecords)
+
+		// Initialize a map to track matched records
+		matchedRecords := make(map[int]bool)
+		for i := range expectedDNSRecords {
+			matchedRecords[i] = false // Initialize all expected records as unmatched
+		}
+
+		for _, record := range packet.Answer {
+			for i, expectedRecord := range expectedDNSRecords {
+				if record.Header().Name == expectedRecord.Name {
+					s := record.String()
+					if strings.Contains(s, expectedRecord.RecordType) &&
+						strings.Contains(s, expectedRecord.TTL) {
+						// make sure all parts of the record are contained within s
+						for _, r := range expectedRecord.Record {
+							if !strings.Contains(s, r) {
+								break
+							}
+						}
+						matchedRecords[i] = true // Mark as matched
+						break
+					}
+				}
+			}
+		}
+
+		// Check if all expected records have been matched
+		for i, matched := range matchedRecords {
+			require.True(t, matched, fmt.Sprintf("Expected DNS record %d: %+v not matched", i, expectedDNSRecords[i]))
+		}
+
+		// Make sure going back to DID Document is consistent
+		didDHTDoc, err := didID.FromDNSPacket(packet)
+		require.NoError(t, err)
+		require.NotEmpty(t, didDHTDoc)
+		require.NotEmpty(t, didDHTDoc.Doc)
+		require.Empty(t, didDHTDoc.Types)
+		require.NotEmpty(t, didDHTDoc.Gateways)
+		require.Equal(t, didDHTDoc.Gateways, []AuthoritativeGateway{"gateway1.example-did-dht-gateway.com."})
+		require.NotEmpty(t, didDHTDoc.PreviousDID)
+		require.Equal(t, didDHTDoc.PreviousDID.PreviousDID.String(), "did:dht:x3heus3ke8fhgb5pbecday9wtbfynd6m19q4pm6gcf5j356qhjzo")
+
+		decodedDocJSON, err := json.Marshal(didDHTDoc.Doc)
+		require.NoError(t, err)
+		assert.JSONEq(t, string(expectedDIDDocJSON), string(decodedDocJSON))
+	})
+}
diff --git a/impl/internal/did/testdata/vector-3-dns-records.json b/impl/internal/did/testdata/vector-3-dns-records.json
index 4f250e9f..cc123891 100644
--- a/impl/internal/did/testdata/vector-3-dns-records.json
+++ b/impl/internal/did/testdata/vector-3-dns-records.json
@@ -1,4 +1,10 @@
 [
+  {
+    "name": "_prv._did.",
+    "type": "TXT",
+    "ttl": "7200",
+    "rdata": ["id=did:dht:x3heus3ke8fhgb5pbecday9wtbfynd6m19q4pm6gcf5j356qhjzo;s=Tt9DRT6J32v7O2lzbfasW63_FfagiMHTHxtaEOD7p85zHE0r_EfiNleyL6BZGyB1P-oQ5p6_7KONaHAjr2K6Bw"]
+  },
   {
     "name": "_did.sr6jgmcc84xig18ix66qbiwnzeiumocaaybh13f5w97bfzus4pcy.",
     "type": "NS",
diff --git a/impl/pkg/dht/dns_test.go b/impl/pkg/dht/dns_test.go
index 431e4a0c..cee05c3f 100644
--- a/impl/pkg/dht/dns_test.go
+++ b/impl/pkg/dht/dns_test.go
@@ -100,7 +100,7 @@ func TestGetPutDIDDHT(t *testing.T) {
 	require.NotEmpty(t, doc)
 
 	didID := did.DHT(doc.ID)
-	didDocPacket, err := didID.ToDNSPacket(*doc, nil, nil)
+	didDocPacket, err := didID.ToDNSPacket(*doc, nil, nil, nil)
 	require.NoError(t, err)
 
 	putReq, err := CreateDNSPublishRequest(privKey, *didDocPacket)
@@ -119,7 +119,7 @@ func TestGetPutDIDDHT(t *testing.T) {
 	require.NotEmpty(t, gotMsg.Answer)
 
 	d := did.DHT("did:dht:" + gotID)
-	gotDoc, _, _, err := d.FromDNSPacket(gotMsg)
+	gotDoc, err := d.FromDNSPacket(gotMsg)
 	require.NoError(t, err)
 	require.NotEmpty(t, gotDoc)
 }
diff --git a/impl/pkg/dht/record_test.go b/impl/pkg/dht/record_test.go
index 4be14fce..4875dd3a 100644
--- a/impl/pkg/dht/record_test.go
+++ b/impl/pkg/dht/record_test.go
@@ -22,7 +22,7 @@ func TestNewRecord(t *testing.T) {
 	require.NoError(t, err)
 	require.NotEmpty(t, doc)
 
-	packet, err := did.DHT(doc.ID).ToDNSPacket(*doc, nil, nil)
+	packet, err := did.DHT(doc.ID).ToDNSPacket(*doc, nil, nil, nil)
 	assert.NoError(t, err)
 	assert.NotEmpty(t, packet)
 
diff --git a/impl/pkg/server/dht_test.go b/impl/pkg/server/dht_test.go
index 64e068d3..01470ac1 100644
--- a/impl/pkg/server/dht_test.go
+++ b/impl/pkg/server/dht_test.go
@@ -184,7 +184,7 @@ func generateDIDPutRequest(t *testing.T) (string, []byte) {
 	require.NoError(t, err)
 	require.NotEmpty(t, doc)
 
-	packet, err := did.DHT(doc.ID).ToDNSPacket(*doc, nil, nil)
+	packet, err := did.DHT(doc.ID).ToDNSPacket(*doc, nil, nil, nil)
 	assert.NoError(t, err)
 	assert.NotEmpty(t, packet)
 
diff --git a/impl/pkg/service/dht_test.go b/impl/pkg/service/dht_test.go
index f2affb02..2042677c 100644
--- a/impl/pkg/service/dht_test.go
+++ b/impl/pkg/service/dht_test.go
@@ -44,7 +44,7 @@ func TestDHTService(t *testing.T) {
 		require.NotEmpty(t, doc)
 
 		d := did.DHT(doc.ID)
-		packet, err := d.ToDNSPacket(*doc, nil, nil)
+		packet, err := d.ToDNSPacket(*doc, nil, nil, nil)
 		assert.NoError(t, err)
 		assert.NotEmpty(t, packet)
 
@@ -71,7 +71,7 @@ func TestDHTService(t *testing.T) {
 		require.NotEmpty(t, doc)
 
 		d := did.DHT(doc.ID)
-		packet, err := d.ToDNSPacket(*doc, nil, nil)
+		packet, err := d.ToDNSPacket(*doc, nil, nil, nil)
 		assert.NoError(t, err)
 		assert.NotEmpty(t, packet)
 
@@ -99,7 +99,7 @@ func TestDHTService(t *testing.T) {
 		require.NotEmpty(t, doc)
 
 		d := did.DHT(doc.ID)
-		packet, err := d.ToDNSPacket(*doc, nil, nil)
+		packet, err := d.ToDNSPacket(*doc, nil, nil, nil)
 		require.NoError(t, err)
 		require.NotEmpty(t, packet)
 
@@ -146,7 +146,7 @@ func TestDHT(t *testing.T) {
 	require.NoError(t, err)
 	require.NotEmpty(t, doc)
 	d := did.DHT(doc.ID)
-	packet, err := d.ToDNSPacket(*doc, nil, nil)
+	packet, err := d.ToDNSPacket(*doc, nil, nil, nil)
 	require.NoError(t, err)
 	require.NotEmpty(t, packet)
 	putMsg, err := dht.CreateDNSPublishRequest(sk, *packet)
diff --git a/impl/pkg/storage/db/bolt/bolt_test.go b/impl/pkg/storage/db/bolt/bolt_test.go
index 7d9ee485..5ce89542 100644
--- a/impl/pkg/storage/db/bolt/bolt_test.go
+++ b/impl/pkg/storage/db/bolt/bolt_test.go
@@ -118,7 +118,7 @@ func TestReadWrite(t *testing.T) {
 	require.NoError(t, err)
 	require.NotEmpty(t, doc)
 
-	packet, err := did.DHT(doc.ID).ToDNSPacket(*doc, nil, nil)
+	packet, err := did.DHT(doc.ID).ToDNSPacket(*doc, nil, nil, nil)
 	require.NoError(t, err)
 	require.NotEmpty(t, packet)
 
@@ -163,7 +163,7 @@ func TestDBPagination(t *testing.T) {
 		require.NoError(t, err)
 		require.NotEmpty(t, doc)
 
-		packet, err := did.DHT(doc.ID).ToDNSPacket(*doc, nil, nil)
+		packet, err := did.DHT(doc.ID).ToDNSPacket(*doc, nil, nil, nil)
 		assert.NoError(t, err)
 		assert.NotEmpty(t, packet)
 
@@ -184,7 +184,7 @@ func TestDBPagination(t *testing.T) {
 	require.NoError(t, err)
 	require.NotEmpty(t, doc)
 
-	packet, err := did.DHT(doc.ID).ToDNSPacket(*doc, nil, nil)
+	packet, err := did.DHT(doc.ID).ToDNSPacket(*doc, nil, nil, nil)
 	assert.NoError(t, err)
 	assert.NotEmpty(t, packet)
 
diff --git a/impl/pkg/storage/db/postgres/postgres_test.go b/impl/pkg/storage/db/postgres/postgres_test.go
index 028146d0..ce8f598e 100644
--- a/impl/pkg/storage/db/postgres/postgres_test.go
+++ b/impl/pkg/storage/db/postgres/postgres_test.go
@@ -3,6 +3,7 @@ package postgres_test
 import (
 	"context"
 	"net/url"
+	"os"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -15,7 +16,7 @@ import (
 )
 
 func getTestDB(t *testing.T) storage.Storage {
-	uri := "postgres://postgres:a@127.0.0.1:5432/postgres" // os.Getenv("TEST_DB")
+	uri := os.Getenv("TEST_DB")
 	if uri == "" {
 		t.SkipNow()
 	}
@@ -44,7 +45,7 @@ func TestReadWrite(t *testing.T) {
 	require.NoError(t, err)
 	require.NotEmpty(t, doc)
 
-	packet, err := did.DHT(doc.ID).ToDNSPacket(*doc, nil, nil)
+	packet, err := did.DHT(doc.ID).ToDNSPacket(*doc, nil, nil, nil)
 	require.NoError(t, err)
 	require.NotEmpty(t, packet)
 
@@ -89,7 +90,7 @@ func TestDBPagination(t *testing.T) {
 		require.NoError(t, err)
 		require.NotEmpty(t, doc)
 
-		packet, err := did.DHT(doc.ID).ToDNSPacket(*doc, nil, nil)
+		packet, err := did.DHT(doc.ID).ToDNSPacket(*doc, nil, nil, nil)
 		assert.NoError(t, err)
 		assert.NotEmpty(t, packet)
 
@@ -110,7 +111,7 @@ func TestDBPagination(t *testing.T) {
 	require.NoError(t, err)
 	require.NotEmpty(t, doc)
 
-	packet, err := did.DHT(doc.ID).ToDNSPacket(*doc, nil, nil)
+	packet, err := did.DHT(doc.ID).ToDNSPacket(*doc, nil, nil, nil)
 	assert.NoError(t, err)
 	assert.NotEmpty(t, packet)
 
diff --git a/spec/spec.md b/spec/spec.md
index 72149bbd..1a3f0080 100644
--- a/spec/spec.md
+++ b/spec/spec.md
@@ -9,7 +9,7 @@ The DID DHT Method Specification 1.0
 
 **Draft Created:** October 20, 2023
 
-**Latest Update:** April 22, 2024
+**Last Updated:** April 29, 2024
 
 **Editors:**
 ~ [Gabe Cohen](https://github.com/decentralgabe)
@@ -26,7 +26,8 @@ The DID DHT Method Specification 1.0
 
 ## Abstract
 
-A DID Method [[spec:DID-CORE]] based on [[ref:DNS Resource Records]] and [[ref:Mainline DHT]], identified by the prefix `did:dht`.
+A DID Method [[spec:DID-CORE]] based on [[ref:DNS Resource Records]] and [[ref:Mainline DHT]], identified by the prefix
+`did:dht`.
 
 <style id="protocol-stack-styles">
   #protocol-stack-styles + table {
@@ -85,17 +86,18 @@ decentralized digital identity_. A DID identifier is associated with a JSON docu
 services, and other properties outlined in the specification.
 
 [[def:DID Suffix, Suffix]]
-~ The unique identifier string within a DID URI. For DID DHT the suffix is the [[ref:z-base-32]] encoded [[ref:Identity Key]].
+~ The unique identifier string within a DID URI. For DID DHT the suffix is the [[ref:z-base-32]] encoded
+[[ref:Identity Key]].
 
 [[def:Identity Key]]
-~ An [Identity Key](#identity-key) is a [[ref:z-base-32]] encoded [[ref:Ed25519]] public key required to authenticate all records in 
-[[ref:Mainline DHT]]. The encoded string comprises the [[ref:Suffix]] of `did:dht` identifier. This key is guaranteed to be present
-in each `did:dht` document.
+~ An [Identity Key](#identity-key) is a [[ref:z-base-32]] encoded [[ref:Ed25519]] public key required to authenticate
+all records in  [[ref:Mainline DHT]]. The encoded string comprises the [[ref:Suffix]] of `did:dht` identifier. This key
+is guaranteed to be present in each `did:dht` document.
 
 [[def:DID DHT Service]]
 ~ A service that provides a [[ref:Mainline]] interface, extended to support this [[ref:DID]] method.
 
-[[def:DNS Resource Records]]
+[[def:DNS Resource Records, DNS Resource Record]]
 ~ An efficient format for representing [[ref:DID Documents]] and providing semantics pertinent to DID DHT,
 such as TTLs, caching, and different record types (e.g. `NS`, `TXT`). Follows [[spec:RFC1035]].
 
@@ -103,8 +105,9 @@ such as TTLs, caching, and different record types (e.g. `NS`, `TXT`). Follows [[
 ~ [Mainline DHT](https://en.wikipedia.org/wiki/Mainline_DHT) is the name given to the 
 [Distributed Hash Table](https://en.wikipedia.org/wiki/Distributed_hash_table) used by the 
 [BitTorrent protocol](https://github.com/bittorrent/bittorrent.org). It is a distributed system for storing and
-finding data on a peer-to-peer network. It is based on [Kademlia](https://en.wikipedia.org/wiki/Kademlia) and is primarily
-used to store and retrieve peer data. It is estimated to consistently have tens of millions of concurrent active users.
+finding data on a peer-to-peer network. It is based on [Kademlia](https://en.wikipedia.org/wiki/Kademlia) and is
+primarily used to store and retrieve peer data. It is estimated to consistently have tens of millions of concurrent
+active users.
 
 [[def:Gateway, Gateways, DID DHT, Bitcoin-anchored Gateway]]
 ~ A server that that facilitates DID DHT operations. The gateway may offer a set of APIs to interact with the DID DHT
@@ -117,7 +120,8 @@ and other features. Gateways can make themselves discoverable via a [[ref:Gatewa
 
 [[def:Client, Clients]]
 ~ A client is a piece of software that is responsible for generating a `did:dht` and submitting it to a 
-[[ref:Mainline Server]] or [[ref:Gateway]]. Notably, a client has the ability to sign messages with the [[ref:Identity Key]].
+[[ref:Mainline Server]] or [[ref:Gateway]]. Notably, a client has the ability to sign messages with the
+[[ref:Identity Key]].
 
 [[def:Retained DID Set, Retained Set, Retention Set]]
 ~ The set of DIDs that a [[ref:Gateway]] is retaining and thus is responsible for republishing.
@@ -127,20 +131,21 @@ and other features. Gateways can make themselves discoverable via a [[ref:Gatewa
 [[ref:Gateways]] use this proof to determine how long they should retain a DID.
 
 [[def:Sequence Number, Sequence Numbers, Sequence]]
-~ A sequence number, or `seq`, is a property of a mutable item as defined in [[ref:BEP44]]. It is a 64-bit integer that increases
-in a consistent, unidirectional manner, ensuring that items are ordered sequentially. This specification requires that sequence 
-numbers are [[ref:Unix Timestamps]] represented in seconds.
+~ A sequence number, or `seq`, is a property of a mutable item as defined in [[ref:BEP44]]. It is a 64-bit integer that
+increases in a consistent, unidirectional manner, ensuring that items are ordered sequentially. This specification
+requires that sequence numbers are [[ref:Unix Timestamps]] represented in seconds.
 
 [[def:Unix Timestamp, Unix Timestamps]]
-~ A value that measures time by the number of non-leap seconds that have elapsed since 00:00:00 UTC on 1 January 1970, the Unix epoch.
+~ A value that measures time by the number of non-leap seconds that have elapsed since 00:00:00 UTC on 1 January 1970,
+the Unix epoch.
 
 ## DID DHT Method Specification
 
 ### Format
 
 The format for `did:dht` conforms to the [[spec:DID Core]] specification. It consists of the `did:dht` prefix followed by 
-the [[ref:Mainline]] identifier. The [[ref:Mainline]] identifier is a [[ref:z-base-32]]-encoded [[ref:Ed25519]] public key, which
-we refer to as an [[ref:Identity Key]].
+the [[ref:Mainline]] identifier. The [[ref:Mainline]] identifier is a [[ref:z-base-32]]-encoded [[ref:Ed25519]] public
+key, which we refer to as an [[ref:Identity Key]].
 
 ```text
 did-dht-format := did:dht:<z-base-32-value>
@@ -155,44 +160,48 @@ did-dht-format := did:dht:Z-BASE-32(raw-public-key-bytes)
 
 ### Identity Key
 
-A unique property of DID DHT is its dependence on an a single non-rotatable key which we refer to as an _Identity Key_. This requirement
-stems from [[ref:BEP44]], particularly within the _Mutable Items_ section:
+A unique property of DID DHT is its dependence on an a single non-rotatable key which we refer to as an _Identity Key_.
+This requirement stems from [[ref:BEP44]], particularly within the _Mutable Items_ section:
 
-> Mutable items can be updated, without changing their DHT keys. To authenticate that only the original publisher can update an item,
-it is signed by a private key generated by the original publisher. The target ID mutable items are stored under is the SHA-1 hash of
-the public key (as it appears in the put message).
+> Mutable items can be updated, without changing their DHT keys. To authenticate that only the original publisher can
+update an item, it is signed by a private key generated by the original publisher. The target ID mutable items are
+stored under is the SHA-1 hash of the public key (as it appears in the put message).
 
-This mechanism, as detailed in [[ref:BEP44]], ensures that all entries in the DHT are authenticated through a private key unique
-to the initial publisher. Consequently, DHT records, including DID DHT Documents, are _independently verifiable_. This independence
-implies that trust in a specific [[ref:Mainline]] or [[ref:Gateway]] server for providing unaltered messages is unnecessary. Instead,
-all clients can, and should, verify messages themselves. This approach significantly mitigates risks associated with other DID methods,
-where a compromised server or [DID resolver](https://www.w3.org/TR/did-core/#choosing-did-resolvers) might tamper with a [[ref:DID Document]]
+This mechanism, as detailed in [[ref:BEP44]], ensures that all entries in the DHT are authenticated through a private
+key unique to the initial publisher. Consequently, DHT records, including DID DHT Documents, are
+_independently verifiable_. This independence implies that trust in a specific [[ref:Mainline]] or [[ref:Gateway]] server
+for providing unaltered messages is unnecessary. Instead, all clients can, and should, verify messages themselves. This
+approach significantly mitigates risks associated with other DID methods, where a compromised server or
+[DID resolver](https://www.w3.org/TR/did-core/#choosing-did-resolvers) might tamper with a [[ref:DID Document]]
 which would be undetectable by a client.
 
-Currently, [[ref:Mainline]] exclusively supports the [[ref:Ed25519]] key type. In turn, [[ref:Ed25519]] is required by DID DHT and is 
-used to uniquely identify DID DHT Documents. DID DHT identifiers are formed by concatenating the `did:dht:` prefix with a [[ref:z-base-32]]
-encoded Identity Key, which acts as its [[ref:suffix]]. Identity Keys ****MUST**** have the identifier `0` as both its Verification Method 
-`id` and JWK `kid` [[spec:RFC7517]]. Identity Keys ****MUST**** have the [Verification Relationships](#verification-relationships) 
-_Authentication_, _Assertion_, _Capability Invocation_, and _Capability Delegation_.
+Currently, [[ref:Mainline]] exclusively supports the [[ref:Ed25519]] key type. In turn, [[ref:Ed25519]] is required by
+DID DHT and is used to uniquely identify DID DHT Documents. DID DHT identifiers are formed by concatenating the
+`did:dht:` prefix with a [[ref:z-base-32]] encoded Identity Key, which acts as its [[ref:suffix]]. Identity Keys
+****MUST**** have the identifier `0` as both its Verification Method  `id` and JWK `kid` [[spec:RFC7517]]. Identity Keys
+****MUST**** have the [Verification Relationships](#verification-relationships) _Authentication_, _Assertion_,
+_Capability Invocation_, and _Capability Delegation_.
 
-While the system requires at least one [[ref:Ed25519]], a DID DHT Document can include any number of additional keys. Additional key 
-types ****MUST**** be registered in the [Key Type Index](registry/index.html##key-type-index).
+While the system requires at least one [[ref:Ed25519]], a DID DHT Document can include any number of additional keys.
+Additional key types ****MUST**** be registered in the [Key Type Index](registry/index.html##key-type-index).
 
-As a unique consequence of the requirement of the Identity Key, DID DHT Documents are able to be partially-resolved without contacting
-[[ref:Mainline]] or [[ref:Gateway]] servers, though it is ****RECOMMENDED**** that deterministic resolution is only used as a fallback mechanism.
-Similarly, the requirement of an Identity Key enables [interoperability with other DID methods](#interoperability-with-other-did-methods).
+As a unique consequence of the requirement of the Identity Key, DID DHT Documents are able to be partially-resolved
+without contacting [[ref:Mainline]] or [[ref:Gateway]] servers, though it is ****RECOMMENDED**** that deterministic
+resolution is only used as a fallback mechanism. Similarly, the requirement of an Identity Key enables
+[interoperability with other DID methods](#interoperability-with-other-did-methods).
 
 ### DIDs as DNS Records
 
-In this scheme, we encode the [[ref:DID Document]] as [DNS Resource Records](https://en.wikipedia.org/wiki/Domain_Name_System#Resource_records). These resource records make up a DNS packet [[spec:RFC1034]] [[spec:RFC1035]], which is then 
-stored in the [[ref:DHT]].
+In this scheme, we encode the [[ref:DID Document]] as
+[DNS Resource Records](https://en.wikipedia.org/wiki/Domain_Name_System#Resource_records). These resource records make
+up a DNS packet [[spec:RFC1034]] [[spec:RFC1035]], which is then stored in the [[ref:DHT]].
 
 | Name         | Type | TTL    | Rdata                                                        |
 | ------------ | ---- | ------ | ------------------------------------------------------------ |
-| _did.`<ID>`. | TXT  |  7200  | v=0;vm=k0,k1,k2;auth=k0;asm=k1;inv=k2;del=k2;srv=s0,s1,s2    |
+| _did.`<ID>`. | TXT  |  7200  | v=0;vm=k0,k1,k2;auth=k0;asm=k1;inv=k2;del=k2;svc=s0,s1,s2    |
 | _k0._did.    | TXT  |  7200  | id=0;t=0;k=`<unpadded-b64url>`                               |
-| _k1._did.    | TXT  |  7200  | id=1;t=1;k=`<unpadded-b64url>`                               |
-| _k2._did.    | TXT  |  7200  | id=2;t=1;k=`<unpadded-b64url>`                               |
+| _k1._did.    | TXT  |  7200  | t=1;k=`<unpadded-b64url>`                               |
+| _k2._did.    | TXT  |  7200  | t=1;k=`<unpadded-b64url>`                               |
 | _s0._did.    | TXT  |  7200  | id=domain;t=LinkedDomains;se=https://foo.com                 |
 | _s1._did.    | TXT  |  7200  | id=dwn;t=DecentralizedWebNode;se=https://dwn.tbddev.org/dwn5 |
 
@@ -203,7 +212,7 @@ The recommended TTL value is 7200 seconds (2 hours), the default TTL for [[ref:M
 - The [Root Record](#root-record) serves as a "map" to reconstruct a [[ref:DID Document]] from a DNS packet.
 This record contains a _version_ number, indicating the version of this specification a given record is created against.
 
-- Additional records like `srv` (services), `vm` ([Verification Methods](#verification-methods)), and 
+- Additional records like `svc` (services), `vm` ([Verification Methods](#verification-methods)), and
 [Verification Relationships](#verification-relationships) (e.g., authentication, assertion, etc.) are 
 represented as additional records in the format `<ID>._did.`. These records contain the zero-indexed value of 
 each `key` or `service` as attributes.
@@ -229,7 +238,7 @@ identifier associated with the DID (i.e. `did:dht:<ID>` becomes `_did.<ID>.`).
 
 - The root record's **type** is `TXT`, indicating a Text record.
 
-- The root record's **rdata** is represented by the form `v=M;vm=N;auth=O;asm=P;inv=Q;del=R;srv=S` where 
+- The root record's **rdata** is represented by the form `v=M;vm=N;auth=O;asm=P;inv=Q;del=R;svc=S` where
 `M` is the version of the DNS packet representation defined by this specification. `N` is the set 
 [Verification Method](#verification-methods) identifiers (e.g. `k0,k1`) present in the document, always
 containing at least `k0`. `O`, `P`, `Q`, and `R` contain the set of Verification Method resource 
@@ -243,16 +252,16 @@ Additionally:
 
   - The `vm` property ****MUST**** always contain _at least_ the [[ref:Identity Key]] represented by `k0`.
 
-  - Verification Relationships (`auth`, `asm`, `inv`, `del`, `srv`) without any members ****MUST**** be omitted.
+  - Verification Relationships (`auth`, `asm`, `inv`, `del`, `svc`) without any members ****MUST**** be omitted.
 
-  - If there are no [Services](#services) the `srv` property ****MUST**** be omitted.
+  - If there are no [Services](#services) the `svc` property ****MUST**** be omitted.
 
 
 **Example Root Record**
 
 | Name                                                       | Type | TTL    | Rdata                                                     
 | ---------------------------------------------------------- | ---- | ------ | --------------------------------------------------------- 
-| _did.o4dksfbqk85ogzdb5osziw6befigbuxmuxkuxq8434q89uj56uyy. | TXT  |  7200  | v=0;vm=k0,k1,k2;auth=k0;asm=k1;inv=k2;del=k2;srv=s0,s1,s2 
+| _did.o4dksfbqk85ogzdb5osziw6befigbuxmuxkuxq8434q89uj56uyy. | TXT  |  7200  | v=0;vm=k0,k1,k2;auth=k0;asm=k1;inv=k2;del=k2;svc=s0,s1,s2
 
 ### Property Mapping
 
@@ -267,9 +276,11 @@ values within each property are separated by a comma (`,`).
 commas (`,`).
 
 - Additional properties not defined by this specification ****MAY**** be represented in a [[ref:DID Document]] and
-its corresponding DNS packet if the properties [are registered in the additional properties registry](registry/index.html#additional-properties).
+its corresponding DNS packet if the properties are registered in the
+[additional properties registry](registry/index.html#additional-properties).
 
-The subsequent instructions serve as a reference for mapping DID Document properties to [DNS Resource Records](https://en.wikipedia.org/wiki/Domain_Name_System#Resource_records):
+The subsequent instructions serve as a reference for mapping DID Document properties to
+[DNS Resource Records](https://en.wikipedia.org/wiki/Domain_Name_System#Resource_records):
 
 #### Identifiers
 
@@ -281,9 +292,11 @@ A [DID controller](https://www.w3.org/TR/did-core/#did-controller) ****MAY**** b
 
 - The [Controller](https://www.w3.org/TR/did-core/#did-controller) record's **type** is `TXT`, indicating a Text record.
 
-- The [Controller](https://www.w3.org/TR/did-core/#did-controller) record's **data** is represented as a comma-separated list of controller DID identifiers.
+- The [Controller](https://www.w3.org/TR/did-core/#did-controller) record's **data** is represented as a comma-separated
+list of controller DID identifiers.
 
-To ensure that the DID controller is authorized to make changes to the DID Document, the controller for the [[ref:Identity Key]] Verification Method ****MUST**** be contained within the controller property.
+To ensure that the DID controller is authorized to make changes to the DID Document, the controller for the
+[[ref:Identity Key]] Verification Method ****MUST**** be contained within the controller property.
 
 **Example Controller Record**
 
@@ -293,13 +306,15 @@ To ensure that the DID controller is authorized to make changes to the DID Docum
 
 ##### Also Known As
 
-A `did:dht` document ****MAY**** have multiple identifiers using the [alsoKnownAs](https://www.w3.org/TR/did-core/#also-known-as) property.
+A `did:dht` document ****MAY**** have multiple identifiers using the
+[alsoKnownAs](https://www.w3.org/TR/did-core/#also-known-as) property.
 
 - The [Also Known As](https://www.w3.org/TR/did-core/#also-known-as) record's **name** is represented as a `_aka._did.`.
 
 - The [Also Known As](https://www.w3.org/TR/did-core/#also-known-as) record's **type** is `TXT`, indicating a Text record.
 
-- The [Also Known As](https://www.w3.org/TR/did-core/#also-known-as) record's **data** is represented as a comma-separated list of DID identifiers.
+- The [Also Known As](https://www.w3.org/TR/did-core/#also-known-as) record's **data** is represented as a
+comma-separated list of DID identifiers.
 
 **Example AKA Record**
 
@@ -312,7 +327,8 @@ A `did:dht` document ****MAY**** have multiple identifiers using the [alsoKnownA
 - Each [Verification Method](https://www.w3.org/TR/did-core/#verification-methods) record's **name** is represented 
 as a `_kN._did.` record where `N` is the zero-indexed positional index of a given Verification Method (e.g. `_k0`, `_k1`).
 
-- Each [Verification Method]((https://www.w3.org/TR/did-core/#verification-methods)) record's **type** is `TXT`, indicating a Text record.
+- Each [Verification Method]((https://www.w3.org/TR/did-core/#verification-methods)) record's **type** is `TXT`,
+indicating a Text record.
 
 - Each [Verification Method](https://www.w3.org/TR/did-core/#verification-methods) record's **rdata** is represented by the form
 `id=M;t=N;k=O;a=P` where `M` is the Verification Method's `id`, `N` is the index of the key's type from the
@@ -387,7 +403,7 @@ where `M` is the Service's ID, `N` is the Service's Type and `O` is the Service'
 | --------- | ---- | ---- | -------------------------------------------------------- |
 | _s0._did. | TXT  | 7200 | id=dwn;t=DecentralizedWebNode;se=https://example.com/dwn |
 
-Each Service is represented as part of the root record (`_did.<ID>.`) as a list under the key `srv=<ids>` where `ids`
+Each Service is represented as part of the root record (`_did.<ID>.`) as a list under the key `svc=<ids>` where `ids`
 is a comma-separated list of all IDs for each Service.
 
 #### Example
@@ -456,7 +472,7 @@ A sample transformation of a fully-featured DID Document to a DNS packet is exem
 
 | Name         | Type | TTL   | Rdata                                                                              |
 | ------------ | ---- | ----- | ---------------------------------------------------------------------------------- |
-| _did.`<ID>`. | TXT  | 7200  | v=0;vm=k0,k1;auth=k0,k1;asm=k0,k1;inv=k0;del=k0;srv=s1                             |
+| _did.`<ID>`. | TXT  | 7200  | v=0;vm=k0,k1;auth=k0,k1;asm=k0,k1;inv=k0;del=k0;svc=s1                             |
 | _cnt.did.    | TXT  | 7200  | did:example:abcd                                                                   |
 | _aka.did.    | TXT  | 7200  | did:example:efgh,did:example:ijkl                                                  |
 | _k0._did.    | TXT  | 7200  | t=0;k=afdea69c63605863a68edea0ff7ff49dde0a96ce7e9249eb7780dd3d6f2ab5fc;a=Ed25519   |
@@ -470,7 +486,7 @@ identifier is also used to sign the [[ref:DHT]] record.
 
 #### Create
 
-To create a `did:dht`, the process is as follows:
+To create a `did:dht` document, the process is as follows:
 
 1. Generate an [[ref:Ed25519]] keypair and encode the public key using the format provided in the [format section](#format).
 
@@ -481,9 +497,9 @@ To create a `did:dht`, the process is as follows:
     `JsonWebKey` defined by [[ref:VC-JOSE-COSE]].
 
     b. The document can include any number of other [core properties](https://www.w3.org/TR/did-core/#core-properties);
-    always representing key material as a `JWK` as per [[spec:RFC7517]]. In addition to the properties required by the `JWK`
-    specification, the `alg` property ****MUST**** always be present. Default algorithms are defined per key type in
-    the [indexed types registry](registry/index.html#indexed-types).
+    always representing key material as a `JWK` as per [[spec:RFC7517]]. In addition to the properties required by
+    the `JWK` specification, the `alg` property ****MUST**** always be present. Default algorithms are defined per key
+    type in the [indexed types registry](registry/index.html#indexed-types).
 
 3. Map the output [[ref:DID Document]] to a DNS packet as outlined in [property mapping](#property-mapping).
 
@@ -495,18 +511,20 @@ To create a `did:dht`, the process is as follows:
 
    b. `seq` ****MUST**** be set to the current [[ref:Unix Timestamp]] in seconds.
 
-6. Submit the result of to the [[ref:DHT]] via a [[ref:Mainline]] node, or a [[ref:Gateway]], with the identifier created in step 1.
+6. Submit the result of to the [[ref:DHT]] via a [[ref:Mainline]] node, or a [[ref:Gateway]], with the identifier created
+in step 1.
 
 ::: note
-This specification **does not** make use of [JSON-LD](https://json-ld.org/). As such DID DHT Documents ****MUST NOT**** include the `@context` property.
+This specification **does not** make use of [JSON-LD](https://json-ld.org/). As such DID DHT Documents ****MUST NOT****
+include the `@context` property.
 :::
 
 #### Read
 
-To read a `did:dht`, the process is as follows:
+To read a `did:dht` document, the process is as follows:
 
-1. Take the [[ref:suffix]] of the DID, that is, the _[[ref:z-base-32]] encoded identifier key_, and submit it to a [[ref:Mainline]]
-node or a [[ref:Gateway]].
+1. Take the [[ref:suffix]] of the DID, that is, the _[[ref:z-base-32]] encoded identifier key_, and submit it to a
+[[ref:Mainline]] node or a [[ref:Gateway]].
 
 2. Decode the resulting [[ref:BEP44]] response's `v` value using [[ref:bencode]].
 
@@ -516,14 +534,16 @@ node or a [[ref:Gateway]].
 
     a. Expand all identifiers (i.e. Verification Methods, Services, etc.) to their fully-qualified 
     form (e.g. `did:dht:uodqi99wuzxsz6yx445zxkp8ddwj9q54ocbcg8yifsqru45x63kj#0` 
-    as opposed to `0` or `#0`, `did:dht:uodqi99wuzxsz6yx445zxkp8ddwj9q54ocbcg8yifsqru45x63kj#service-1` as opposed to `#service-1`).
+    as opposed to `0` or `#0`, `did:dht:uodqi99wuzxsz6yx445zxkp8ddwj9q54ocbcg8yifsqru45x63kj#service-1` as opposed
+    to `#service-1`).
 
 5. If [NS records](#designating-authoritative-gateways) are present this process should be repeated, making the initial
-request against the given [[ref:Gateway]]. The document with the highest [[ref:sequence number]] is to be treated as authoritative.
+request against the given [[ref:Gateway]]. The document with the highest [[ref:sequence number]] is to be treated
+as authoritative.
 
 ::: note
-As a fallback, if a `did:dht` value cannot be resolved via the network, it can be expanded to a conformant [[ref:DID Document]]
-containing just the [[ref:Identity Key]].
+As a fallback, if a `did:dht` value cannot be resolved via the network, it can be expanded to a conformant
+[[ref:DID Document]] containing just the [[ref:Identity Key]].
 :::
 
 #### Update
@@ -536,38 +556,73 @@ It is ****RECOMMENDED**** that updates are infrequent, as caching of the DHT is
 
 #### Deactivate
 
-To deactivate a [[ref:DID Document]], there are a couple options:
+To deactivate a `did:dht` document, controllers have multiple options:
 
 1. Let the DHT record expire and cease to publish it.
 
-2. Publish a new DHT record where the `rdata` of the root DNS record is the string "deactivated."
+2. Publish a new DHT record where the `rdata` of the root DNS record is the string `deactivated`.
 
 | Name         | Type | TTL  | Rdata       |
 | ------------ | ---- | ---- | ----------- |
 | _did.`<ID>`. | TXT  | 7200 | deactivated |
 
 ::: note
-If you have published your DID through a [[ref:Gateway]], you may need to contact the operator to have them remove the
-record from their [[ref:Retained DID Set]].
+If you have published your DID through a [[ref:Gateway]], you can contact the operator to have them remove the
+record from their [[ref:Retained DID Set]] via the [DID Deactivation API](#deactivating-a-did).
 :::
 
-::: todo
-[](https://github.com/TBD54566975/did-dht-method/issues/100)
-Add guidance for rotating to a new DID after deactivation.
-:::
+### Rotation
+
+[Verification Method Rotation](https://www.w3.org/TR/did-core/#verification-method-rotation) is a recommended practice
+for avoiding the risks associated with [key compromise](#key-compromise). Rotating Verification Methods is straightforward
+using the [update](#update) functionality enabled by this specification; however, rotation of the [[ref:Identity Key]] is
+not possible given the constraints imposed by [[ref:Mainline]]. To mitigate this limitation, DID DHT controllers have the
+option to rotate to a new DID, and thus a new [[ref:Identity Key]], while maintaining a cryptographic linkage between the 
+two documents. This linkage can be useful in providing an auditable history of a controller's activity as they move between
+root Verification Methods and identifiers.
+
+To establish a cryptographic linkage between the old and new [[ref:DID Documents]], adhere to the following steps:
+
+1. Using the old [[ref:Identity Key]], sign over the new [[ref:Identity Key]] using EdDSA [[spec:RFC8032]].
+
+2. Encode the resulting signature data using the unpadded base64URL [[spec:RFC4648]] scheme.
+
+3. Set the resulting string as the data for a new [[ref:DNS Resource Record]], called a _previous record_, in
+the new DID's record set. 
+
+A `did:dht` Document ****MUST NOT**** have more than **one** Previous Record. The Previous record is defined as follows:
+
+- The Previous record's **name** is represented as a `_prv._did.` record.
+
+- The Previous record's **type** is `TXT`, indicating a Text record.
+
+- The Previous record's **data** is represented with the form `id=M,s=N` where `M` is the identifier of the previous DID,
+and `N` is the the unpadded base64URL signature from step (3) above.
+
+| Name         | Type | TTL   | Rdata                                                                                  |
+| ------------ | ---- | ----- | -------------------------------------------------------------------------------------- |
+| _prv._did.   | TXT  | 7200  | id=did:dht:pxoem5sfzxxxrnrwfgiu5i5wc7epouy1jk9zb7ad159dsxbxy8io;s=ol5LbUydL3_PdChE8tVYH-z_NhyFDQlop0agYtjyYbKz_-CYrj_3JGLiFne1e7PruOwf-b91uEFq9R_PgBn-Bg |
+
+
+The DID controller ****MAY**** include a statement in the old [[ref:DID Document]] indicating the rotation to the new identifier, 
+by setting the [controller property](#controller) to the new DID. Without the previous record present in the new DID's
+record set, the linkage ****MUST NOT**** be considered legitimate.
 
 ### Designating Authoritative Gateways
 
-[Gateways](#gateways) provide additional benefits to `did:dht`, such as the ability to [resolve historical DID Documents](#historical-resolution),
-or support [type indexing](#type-indexing). To enable the usage of these additional features, `did:dht` documents need to be published to 
-Gateway(s) that with the necessary capabilities. Whether it's accessing historical states, engaging with type indexes, or utilizing other
-specialized features, the [resolution process](#resolving-a-did) must be directed towards a [[ref:Gateway]] that maintains this supplementary data.
+[Gateways](#gateways) provide additional benefits to `did:dht`, such as the ability to
+[resolve historical DID Documents](#historical-resolution), or support [type indexing](#type-indexing). To enable the
+usage of these additional features, `did:dht` documents need to be published to Gateway(s) that with the necessary
+capabilities. Whether it's accessing historical states, engaging with type indexes, or utilizing other specialized
+features, the [resolution process](#resolving-a-did) must be directed towards a [[ref:Gateway]] that maintains this
+supplementary data.
 
-To facilitate the discovery of authoritative [[ref:Gateways]] for a `did:dht` and to ensure consistent access to a DID's state 
-across different [[ref:Gateways]], DID controllers may designate one or more [[ref:Gateways]] as authoritative sources for their DID. This
-designation is accomplished by incorporating [DNS NS records](https://en.wikipedia.org/wiki/List_of_DNS_record_types#NS) within the 
-DNS packet destined for storage in the DHT. A DID ****MAY**** have multiple NS records, enhancing redundancy and reliability. The format
-for these records is outlined as follows:
+To facilitate the discovery of authoritative [[ref:Gateways]] for a `did:dht` and to ensure consistent access to a DID's
+state across different [[ref:Gateways]], DID controllers may designate one or more [[ref:Gateways]] as authoritative
+sources for their DID. This designation is accomplished by incorporating
+[DNS NS records](https://en.wikipedia.org/wiki/List_of_DNS_record_types#NS) within the DNS packet destined for storage
+in the DHT. A DID ****MAY**** have multiple NS records, enhancing redundancy and reliability. The format for these
+records is outlined as follows:
 
 - Each Gateway record's **name** is represented as `_did.<ID>.` record, where `ID` represents the unique identifier of the [[ref:DID Document]].
 
@@ -586,15 +641,15 @@ Type indexing is an **OPTIONAL** feature that enables DIDs to become **discovera
 a particular type. Types are not included as a part of the DID Document, but rather as part of the DNS packet. This allows
 for DIDs to be indexed by type by [[ref:Gateways]], and for DIDs to be resolved by type.
 
-DIDs can be indexed by type by adding a `_typ._did.` record to the DNS packet. A DID ****MAY**** have **AT MOST** one type index
-record. This record is of the following format:
+DIDs can be indexed by type by adding a `_typ._did.` record to the DNS packet. A DID ****MAY**** have **AT MOST** one
+type index record. This record is of the following format:
 
 - The Type Index record's **name** is represented as a `_typ._did.` record.
 
 - The Type Index record's **type** is `TXT`, indicating a Text record.
 
-- The Type Index record's **data** is represented with the form `id=0,1,2` where the value is a comma-separated list of integer types from
-the [type index](#type-indexing).
+- The Type Index record's **data** is represented with the form `id=H,I,J,...N` where the value is a comma-separated list of
+integer types from the [type index](#type-indexing).
 
 **Example Type Index Record**
 
@@ -664,9 +719,9 @@ The algorithm, in detail, is as follows:
 
 5. Inspect the result of `ATTEMPT`, and ensure it has >= `DIFFICULTY` bits of leading zeroes.
 
-  a. If so, `ATTEMPT` = `RETENTION_PROOF`.
+    a. If so, `ATTEMPT` = `RETENTION_PROOF`.
 
-  b. Otherwise, regenerate `NONCE` and go to step 3.
+    b. Otherwise, regenerate `NONCE` and go to step 3.
 
 6. Submit the `RETENTION_PROOF` to the [Gateway API](#register=or-update-a-did).
 
@@ -705,11 +760,13 @@ Public relays will need to set up [Cross-origin resource sharing (CORS)](https:/
 
 ##### Put
 
-On receiving a `PUT` request the server verifiers the `sig` and submits a mutable put to [[ref:Mainline]] as per [[ref:BEP44]].
+On receiving a `PUT` request the server verifiers the `sig` and submits a mutable put to [[ref:Mainline]] as per
+[[ref:BEP44]].
 
 - **Method:** `PUT`
 - **Path:** `/:id`
-  - `id` - **string** - **REQUIRED** - The [[ref:z-base-32]] encoded [[ref:Identity Key]], equivalent to the suffix of the DID DHT identifier.
+  - `id` - **string** - **REQUIRED** - The [[ref:z-base-32]] encoded [[ref:Identity Key]], equivalent to the suffix of
+  the DID DHT identifier.
 - **Request Body:** `application/octet-stream`
   - The binary representation of `<sig><seq>[<v>]` where:
     - `sig` - represents the 64-byte [[ref:BEP44]] payload signature.
@@ -726,7 +783,8 @@ On receiving a `GET` request the server submits a mutable get query to [[ref:Mai
 
 - **Method:** `GET`
 - **Path:** `/:id`
-  - `id` - **string** - **REQUIRED** - The [[ref:z-base-32]] encoded [[ref:Identity Key]], equivalent to the suffix of the DID DHT identifier.
+  - `id` - **string** - **REQUIRED** - The [[ref:z-base-32]] encoded [[ref:Identity Key]], equivalent to the suffix of
+   the DID DHT identifier.
 - **Returns:** `application/octet-stream`
   - `200` - Success. The binary representation of `<sig><seq>[<v>]` where:
     - `sig` - represents the 64-byte [[ref:BEP44]] payload signature.
@@ -761,15 +819,18 @@ Difficulty is exposed as an **OPTIONAL** endpoint based on support of [retention
 - **Request Body:** – application/json
   - `did` - **string** - **REQUIRED** - The DID to register or update.
   - `sig` - **string** - **REQUIRED** - An unpadded base64URL-encoded signature of the [[ref:BEP44]] payload.
-  - `seq` - **integer** - **REQUIRED** - A [[ref:sequence number]] for the request. This number ****MUST**** be unique for each DID operation,
-    which ****MUST**** be a [[ref:Unix Timestamp]] in seconds.
-  - `v` - **string** - **REQUIRED** - An unpadded base64URL-encoded [[ref:bencoded]] compressed DNS packet containing the DID Document.
-  - `retention_proof` - **string** - **OPTIONAL** - A retention proof calculated according to the [retention proof algorithm](#generating-a-retention-proof).
+  - `seq` - **integer** - **REQUIRED** - A [[ref:sequence number]] for the request. This number ****MUST**** be unique
+   for each DID operation, which ****MUST**** be a [[ref:Unix Timestamp]] in seconds.
+  - `v` - **string** - **REQUIRED** - An unpadded base64URL-encoded [[ref:bencoded]] compressed DNS packet containing
+   the DID Document.
+  - `retention_proof` - **string** - **OPTIONAL** - A retention proof calculated according to the
+  [retention proof algorithm](#generating-a-retention-proof).
 - **Returns:** `application/json`
   - `202` - Accepted. The server has accepted the request as valid and will publish to the DHT.
   - `400` - Invalid request.
   - `401` - Invalid signature.
-  - `409` - DID already exists with a higher [[ref:sequence number]]. DID may be accepted if the [[ref:Gateway]] supports [historical resolution](#historical-resolution).
+  - `409` - DID already exists with a higher [[ref:sequence number]]. DID may be accepted if the [[ref:Gateway]]
+  supports [historical resolution](#historical-resolution).
 
 ```json
 {
@@ -781,8 +842,8 @@ Difficulty is exposed as an **OPTIONAL** endpoint based on support of [retention
 ```
 
 Upon receiving a request to register a DID, the Gateway ****MUST**** verify the signature of the request and if valid
-publish the DID Document to the DHT. If the DNS Packets contain a `_typ._did.` record, the [[ref:Gateway]] ****MUST**** index the
-DID by its type.
+publish the DID Document to the DHT. If the DNS Packets contain a `_typ._did.` record, the [[ref:Gateway]] ****MUST****
+index the DID by its type.
 
 #### Resolving a DID
 
@@ -792,10 +853,12 @@ DID by its type.
 - **Returns:** `application/json`
   - `200` - Success.
     - `did` - **object** - **REQUIRED** - A JSON object representing the DID Document.
-    - `dht` - **string** - **REQUIRED** - An unpadded base64URL-encoded representation of the full [[ref:BEP44]] payload, represented as 64 bytes sig,
+    - `dht` - **string** - **REQUIRED** - An unpadded base64URL-encoded representation of the full [[ref:BEP44]]
+    payload, represented as 64 bytes sig,
     8 bytes u64 big-endian seq, and 0-1000 bytes of v concatenated, enabling independent verification.
     - `types` - **array** - **OPTIONAL** - An array of [type integers](#type-indexing) for the DID.
-    - `sequence_numbers` - **array** - **OPTIONAL** - An sorted array of seen [[ref:sequence numbers]], used with [historical resolution](#historical-resolution).
+    - `sequence_numbers` - **array** - **OPTIONAL** - An sorted array of integers representing seen
+    [[ref:sequence numbers]], used with [historical resolution](#historical-resolution).
     - `400` - Invalid request.
   - `404` - DID not found.
 
@@ -824,20 +887,21 @@ DID by its type.
       "did:dht:i9xkp8ddcbcg8jwq54ox699wuzxyifsqx4jru45zodqu453ksz6y#0"
     ]
   },
-  "dht": "<unpadded-base64URL-encoded bep44 payload as [sig][seq][v]>",
+  "dht": "<unpadded-base64URL-encoded BEP44 payload as [sig][seq][v]>",
   "types": [1, 4],
   "sequence_numbers": [1700356854, 1700461736]
 }
 ```
 
-Upon receiving a request to resolve a DID, the [[ref:Gateway]] ****MUST**** query the DHT for the [[ref:DID Document]], and if found,
-return the document. If the records are not found in the DHT, the [[ref:Gateway]] ****MAY**** fall back to its local storage.
-If the DNS Packets contain a `_typ._did.` record, the [[ref:Gateway]] ****MUST**** return the type index.
+Upon receiving a request to resolve a DID, the [[ref:Gateway]] ****MUST**** query the DHT for the [[ref:DID Document]],
+and if found, return the document. If the records are not found in the DHT, the [[ref:Gateway]] ****MAY**** fall back
+to its local storage. If the DNS Packets contain a `_typ._did.` record, the [[ref:Gateway]] ****MUST**** return the
+type index.
 
 This API is returns a `dht` property which matches the payload of a [Relay GET Request](#relay),
-when encoded as an unpadded base64URL string. Implementers are ****RECOMMENDED**** to verify the integrity of the response using
-the `dht` data and reconstruct the DID Document themselves. The `did` property is provided as a utility which, without independent verification,
-****SHOULD NOT**** be trusted.
+when encoded as an unpadded base64URL string. Implementers are ****RECOMMENDED**** to verify the integrity of the
+response using the `dht` data and reconstruct the DID Document themselves. The `did` property is provided as a utility
+which, without independent verification, ****MUST NOT**** be trusted.
 
 ##### Historical Resolution
 
@@ -846,7 +910,8 @@ same [[ref:DID Document]], sorted by [[ref:sequence number]], according to the r
 [conflict resolution](#conflict-resolution).
 
 Upon [resolving a DID](#resolving-a-did), the Gateway will return the parameter `sequence_numbers` if there exists
-historical state for a given [[ref:DID]]. The following API can be used with specific [[ref:sequence numbers]] to fetch historical state:
+historical state for a given [[ref:DID]]. The following API can be used with specific [[ref:sequence numbers]] to fetch
+historical state:
 
 - **Method:** `GET`
 - **Path:** `/did/:id?seq=:sequence_number`
@@ -855,8 +920,9 @@ historical state for a given [[ref:DID]]. The following API can be used with spe
 - **Returns:** `application/json`
   - `200` - Success.
     - `did` - **object** - **REQUIRED** - A JSON object representing the DID Document.
-    - `dht` - **string** - **REQUIRED** - An unpadded base64URL-encoded representation of the full [[ref:BEP44]] payload, represented as 64 bytes sig,
-    8 bytes u64 big-endian seq, and 0-1000 bytes of v concatenated, enabling independent verification.
+    - `dht` - **string** - **REQUIRED** - An unpadded base64URL-encoded representation of the full [[ref:BEP44]]
+    payload, represented as 64 bytes sig, 8 bytes u64 big-endian seq, and 0-1000 bytes of v concatenated, enabling
+    independent verification.
     - `types` - **array** - **OPTIONAL** - An array of [type integers](#type-indexing) for the DID.
   - `400` - Invalid request.
   - `404` - DID not found for the given [[ref:sequence number]].
@@ -903,7 +969,8 @@ type(s) for the DID.
 - **Method:** `GET`
 - **Path:** `/did/types/:id`
   - `id` - **integer** - **REQUIRED** - The type to query from the index.
-  - `offset` - **integer** - **OPTIONAL** - Specifies the starting position from where the type records should be retrieved (Default: `0`).
+  - `offset` - **integer** - **OPTIONAL** - Specifies the starting position from where the type records should be
+  retrieved (Default: `0`).
   - `limit` - **integer** - **OPTIONAL** - Specifies the maximum number of type records to retrieve (Default: `100`).
 - **Returns:** `application/json`
   - `200` - Success.
@@ -930,7 +997,8 @@ key format. By adopting this optional extension, users can maintain their curren
 they gain the ability to add extra information to their DIDs. This is achieved by either publishing or retrieving
 data from [[ref:Mainline]].
 
-Interoperable DID methods ****MUST**** be registered in [this specification's registry](registry/index.html#interoperable-did-methods).
+Interoperable DID methods ****MUST**** be registered in
+[this specification's registry](registry/index.html#interoperable-did-methods).
 
 ## Implementation Considerations
 
@@ -942,10 +1010,10 @@ Per [[ref:BEP44]], [[ref:Gateway]] servers can leverage the `seq` [[ref:sequence
 ****MUST**** reject the request. If the [[ref:sequence number]] is equal, and the value is also the same, the server
 ****SHOULD**** reset its timeout counter.
 
-When the [[ref:sequence number]] is equal, but the value is different, servers need to decide which value to accept and which
-to reject. To make this determination [[ref:Gateways]] ****MUST**** compare the payloads lexicographically to determine a
-[lexicographical order](https://en.wikipedia.org/wiki/Lexicographic_order), and reject the payload with a **lower**
-lexicographical order.
+When the [[ref:sequence number]] is equal, but the value is different, servers need to decide which value to accept
+and which to reject. To make this determination [[ref:Gateways]] ****MUST**** compare the payloads lexicographically
+to determine a [lexicographical order](https://en.wikipedia.org/wiki/Lexicographic_order), and reject the payload with
+a **lower** lexicographical order.
 
 ### Size Constraints
 
@@ -1040,14 +1108,15 @@ to ensure expected and legitimate behavior.
 
 ### Data Conflicts
 
-Malicious actors may try to force [[ref:Gateways]] into uncertain states by manipulating the [[ref:sequence number]] associated
-with a record set. There are three such cases to be aware of:
+Malicious actors may try to force [[ref:Gateways]] into uncertain states by manipulating the [[ref:sequence number]]
+associated with a record set. There are three such cases to be aware of:
 
-- **Low Sequence Number** - If a [[ref:Gateway]] has yet to see [[ref:sequence numbers]] for a given record it ****MUST**** query
-its peers to see if they have encountered the record. If a peer is found who has encountered the record, the record
-with the latest sequence number must be selected. If the server has encountered greater [[ref:sequence numbers]] before, the
-server ****MAY**** reject the record set. If the server supports [historical resolution](#historical-resolution) it
-****MAY**** choose to accept the request and insert the record into its historical ordered state.
+- **Low Sequence Number** - If a [[ref:Gateway]] has yet to see [[ref:sequence numbers]] for a given record it
+****MUST**** query its peers to see if they have encountered the record. If a peer is found who has encountered the
+record, the record with the latest sequence number must be selected. If the server has encountered greater
+[[ref:sequence numbers]] before, the server ****MAY**** reject the record set. If the server supports
+[historical resolution](#historical-resolution) it ****MAY**** choose to accept the request and insert the record into
+its historical ordered state.
 
 - **Conflicting Sequence Number** - When a malicious actor publishes _valid but conflicting_ records to two different
 [[ref:Mainline Servers]] or [[ref:Gateways]]. Implementers are encouraged to follow the guidance outlined in [conflict
@@ -1073,9 +1142,10 @@ to have done the validation. Servers that do not return a signature value ****MU
 
 ### Key Compromise
 
-Since the `did:dht` uses a single, un-rotatable root key, there is a risk of root key compromise. Such a compromise
-may be tough to detect without external assurances of identity. Implementers are encouraged to be aware of this
-possibility and devise strategies that support entities transitioning to new [[ref:DIDs]] over time.
+Since the `did:dht` uses a single, un-rotatable root key, there is are significant consequences associated with root key
+compromise. Such a compromise may be tough to detect without external assurances of identity. Implementers are encouraged
+to be aware of this possibility and devise strategies that support entities transitioning to new [[ref:DIDs]] regularly,
+such as the mechanism for [rotation](#rotation) noted in this specification.
 
 ### Public Data
 
@@ -1278,7 +1348,8 @@ With controller: `did:dht:i9xkp8ddcbcg8jwq54ox699wuzxyifsqx4jru45zodqu453ksz6y`.
 #### Vector 3
 
 A DID Document with two keys -- the [[ref:Identity Key]] and an X25519 key used with a different `alg` value than
-what is specified in the registry. The DID also has two gateway records and a service with an endpoint greater than 255 characters.
+what is specified in the registry. The DID also has two gateway records and a service with an endpoint greater than
+255 characters, and a previous record.
 
 **Identity Public Key JWK:**
 
@@ -1318,6 +1389,8 @@ what is specified in the registry. The DID also has two gateway records and a se
 
 **Gateways:**: `gateway1.example-did-dht-gateway.com.`, `gateway2.example-did-dht-gateway.com.`.
 
+**Previous DID:**: `did:dht:pxoem5sfzxxxrnrwfgiu5i5wc7epouy1jk9zb7ad159dsxbxy8io`.
+
 **DID Document:**
 
 ```json
@@ -1378,10 +1451,11 @@ what is specified in the registry. The DID also has two gateway records and a se
 
 | Name      | Type | TTL  | Rdata       |
 | --------- | ---- | ---- | ----------- |
+| _prv.did. | TXT  | 7200 | id=did:dht:x3heus3ke8fhgb5pbecday9wtbfynd6m19q4pm6gcf5j356qhjzo;s=Tt9DRT6J32v7O2lzbfasW63_FfagiMHTHxtaEOD7p85zHE0r_EfiNleyL6BZGyB1P-oQ5p6_7KONaHAjr2K6Bw |
 | _did.sr6jgmcc84xig18ix66qbiwnzeiumocaaybh13f5w97bfzus4pcy. | NS  | 7200 | gateway1.example-did-dht-gateway.com.                              |
 | _did.sr6jgmcc84xig18ix66qbiwnzeiumocaaybh13f5w97bfzus4pcy. | TXT | 7200 | v=0;vm=k0,k1;auth=k0;asm=k0;agm=k1;inv=k0;del=k0;svc=s0            |
 | _k0.did.  | TXT  | 7200 | id=0;t=0;k=sTyTLYw-n1NI9X-84NaCuis1wZjAA8lku6f6Et5201g                                                             |
-| _k1.did.  | TXT  | 7200 | id=WVy5IWMa36AoyAXZDvPd5j9zxt2t-GjifDEV-DwgIdQ;t=3;k=3POE0_i2mGeZ2qiQCA3KcLfi1fZo0311CXFSIwt1nB4;a=ECDH-ES+A128KW   |
+| _k1.did.  | TXT  | 7200 | id=WVy5IWMa36AoyAXZDvPd5j9zxt2t-GjifDEV-DwgIdQ;t=3;k=3POE0_i2mGeZ2qiQCA3KcLfi1fZo0311CXFSIwt1nB4;a=ECDH-ES+A128KW  |
 | _s0.did.  | TXT  | 7200 | id=service-1;t=TestLongService;se=https://test-lllllllllllllllllllllllllllllllllllooooooooooooooooooooonnnnnnnnnnnnnnnnnnngggggggggggggggggggggggggggggggggggggsssssssssssssssssssssssssseeeeeeeeeeeeeeeeeeerrrrrrrrrrrrrrrvvvvvvvvvvvvvvvvvvvviiiiiiiiiiiiiiii iiiiiiiiiiiiiiiccccccccccccccccccccccccccccccceeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee.com/1 |
 
 ### Open API Definition