TSIG (Transaction Signature)

Transaction Signature (TSIG, RFC 8945) is a mechanism for authenticating [[dns|DNS]] messages between servers using a shared secret key and HMAC cryptography. TSIG is commonly used to secure [[axfr|zone transfers]] between primary and secondary nameservers and to authenticate dynamic DNS update requests. Unlike [[dnssec|DNSSEC]], which secures data in transit to end users, TSIG secures server-to-server DNS communication at the transport layer.

Example

A primary nameserver configured with TSIG will reject zone transfer requests from secondary servers whose requests are not signed with the correct shared secret, preventing unauthorized zone replication.
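
The check described above, as an added sketch that is not part of the original entry and not any nameserver's own code: the primary recomputes the HMAC over the request plus the TSIG variables and rejects an unknown key, a bad MAC, or a stale timestamp. It assumes HMAC-SHA256 and a request passed in without its TSIG record; the function names, key name, secret and timestamps are constructed for illustration.

```python
import hashlib, hmac, struct

def wire_name(name):
    """Lowercase, uncompressed DNS wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def tsig_mac(secret, key_name, message, time_signed, fudge=300):
    """HMAC-SHA256 over the request followed by the TSIG variables."""
    variables = (
        wire_name(key_name)
        + struct.pack("!HI", 255, 0)          # CLASS = ANY, TTL = 0
        + wire_name("hmac-sha256")            # algorithm name
        + time_signed.to_bytes(6, "big")      # 48-bit signing time
        + struct.pack("!HHH", fudge, 0, 0)    # fudge, error, other-data length
    )
    return hmac.new(secret, message + variables, hashlib.sha256).digest()

def primary_accepts(keys, key_name, message, time_signed, mac, now, fudge=300):
    """Decide on a signed request: known key, then valid MAC, then fresh time."""
    secret = keys.get(key_name.lower())
    if secret is None:
        return False, "BADKEY"
    expected = tsig_mac(secret, key_name, message, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:           # stale or replayed request
        return False, "BADTIME"
    return True, "NOERROR"

def axfr_query(zone, msg_id=0x1234):
    """Constructed AXFR request: header, QNAME, QTYPE 252 (AXFR), QCLASS IN."""
    return struct.pack("!6H", msg_id, 0, 1, 0, 0, 0) + wire_name(zone) + struct.pack("!HH", 252, 1)

KEY_NAME = "xfer-key.example."  # constructed sample values (hypothetical)
KEYS = {KEY_NAME: b"constructed-shared-secret-bytes!"}

def demo(now=1_700_000_000):
    query = axfr_query("example.com")
    good = tsig_mac(KEYS[KEY_NAME], KEY_NAME, query, now)
    forged = tsig_mac(b"guessed-secret", KEY_NAME, query, now)
    return [
        primary_accepts(KEYS, KEY_NAME, query, now, good, now),
        primary_accepts(KEYS, KEY_NAME, query, now, forged, now),
        primary_accepts(KEYS, KEY_NAME, query, now, good, now + 3600),
        primary_accepts(KEYS, "other-key.example.", query, now, good, now),
    ]
if __name__ == "__main__":
    print(demo())
```

The shared secret itself never appears in the request; only the MAC computed with it does, which is why the comparison and the time window are the parts worth testing.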