It would be very useful to have a complete implementation of TSIG in PowerDNS.
I was considering it for a design where pdns would be acting as slave for Infoblox (BIND) appliances, with master-slave communication happening over public links.
The documentation says:
PowerDNS for now only verifies the TSIG signature on the first AXFR
'message', which helps for access control, but does not provide 100.0%
protection of subsequent AXFR zone content messages.
Thanks a lot.
fixed in r2506