In 2017, security problems in two nameservers strictly following [RFC2845] and [RFC4635] (i.e., TSIG and HMAC-SHA extension) specifications were discovered. The implementations were fixed but, to avoid similar problems in the future, the two documents were updated and merged, producing these revised specifications for TSIG.
The second area where the secret key based MACs specified in this document can be used is to authenticate DNS update requests as well as transaction responses, providing a lightweight alternative to the protocol described by [RFC3007].
Note
Use of TSIG presumes prior agreement between the resolver and server involved as to the algorithm and key to be used.