diff --git a/src/storage.cr b/src/storage.cr
index 3515f85..3f8e7c3 100644
--- a/src/storage.cr
+++ b/src/storage.cr
@@ -75,6 +75,7 @@ class DNSManager::Storage
 	def generate_all_zonefiles() : IPC::JSON
 		Baguette::Log.info "writing all zone files in #{@zonefiledir}/"
 		zones.each do |zone|
+			# TODO: safe write.
 			File.open("#{@zonefiledir}/#{zone.domain}", "w") do |file|
 				zone.to_bind9 file
 			end
@@ -88,6 +89,7 @@ class DNSManager::Storage
 		return Response::DomainNotFound.new unless zone
 
 		Baguette::Log.info "writing zone file #{@zonefiledir}/#{zone.domain}"
+		# TODO: safe write.
 		File.open("#{@zonefiledir}/#{zone.domain}", "w") do |file|
 			zone.to_bind9 file
 		end
@@ -263,6 +265,13 @@ class DNSManager::Storage
 			return Response::NoOwnership.new
 		end
 
+		# Verify the RR exists.
+		stored_rr = zone.get_rr rr.rrid
+		return Response::RRNotFound.new unless stored_rr
+
+		# Verify the RR isn't read only.
+		return Response::RRReadOnly.new domain, stored_rr if stored_rr.readonly
+
 		# Test RR validity.
 		rr.get_errors.tap do |errors|
 			unless errors.empty?
@@ -271,16 +280,7 @@ class DNSManager::Storage
 			end
 		end
 
-		stored_rrs = zone.resources.select { |x| x.rrid == rr.rrid }
-		unless stored_rrs.size > 0
-			Baguette::Log.warning "modifying a RR that doesn't exist (#{rr.rrid}) in domain #{domain}"
-			return Response::RRNotFound.new
-		end
-
-		# Verify that this resource isn't ReadOnly.
-		stored_rrs.each do |stored_rr|
-			return Response::RRReadOnly.new domain, rr if stored_rr.readonly
-		end
+		zone.update_rr rr
 
 		zone.resources = zone.resources.map { |x| x.rrid == rr.rrid ? rr : x }
 
@@ -310,6 +310,17 @@ class DNSManager::Storage
 			return Response::NoOwnership.new
 		end
 
+		# Verify the RR exists.
+		rr = zone.get_rr rrid
+		return Response::RRNotFound.new unless rr
+
+		# Verify the RR isn't read only.
+		return Response::RRReadOnly.new domain, rr if rr.readonly
+
+		# Remove token from the db.
+		if token_uuid = rr.token
+			tokens_by_uuid.delete token_uuid
+		end
 		zone.resources.select! { |x| x.rrid != rrid }
 
 		update_zone zone
@@ -390,8 +401,6 @@ class DNSManager::Storage
 	end
 
 	def new_token(user_id : Int32, domain : String, rrid : UInt32) : IPC::JSON
-		puts "new token for domain #{domain} rrid #{rrid}"
-
 		# 0. verifications: must exist: user, zone, RR. Zone must be owned by user.
 
 		# User must exist.
diff --git a/src/storage/zone.cr b/src/storage/zone.cr
index 9aa34b7..a9477f2 100644
--- a/src/storage/zone.cr
+++ b/src/storage/zone.cr
@@ -630,9 +630,7 @@ class DNSManager::Storage::Zone
 	end
 
 	def update_rr(rr : ResourceRecord)
-		puts "updating rr #{rr.rrid}"
-		@resources.select! { |x| x.rrid != rr.rrid }
-		@resources << rr
+		@resources.map! { |x| x.rrid != rr.rrid ? x : rr }
 	end
 
 	def to_s(io : IO)