In 2017, security problems were discovered in two nameservers that were following [RFC2845] and [RFC4635] (that is, TSIG and HMAC-SHA extension) specifications strictly. The implementations were fixed, and to avoid similar problems in the future, the two specification documents were updated and merged; the result is the revised specification for TSIG.
The second area where the secret key–based MACs specified in this document can be used is to authenticate DNS-update requests and transaction responses. This approach would be a lightweight alternative to the protocol described by [RFC3007].
Note
Use of TSIG presumes that the resolver and server have already agreed about the algorithm and key they will use.