From a5852667e3c36e2e0b0a69ab43869e00e95aacdf Mon Sep 17 00:00:00 2001 From: David McNett Date: Mon, 30 Oct 2017 01:55:49 -0500 Subject: [PATCH] Document SetTsig() needs to be final RRset change (#544) I spent several hours trying to figure out why my TSIG signatures were failing on requests to a server. I finally discovered this little detail in the RFC which turned out to be my whole problem. Amending the documentation to hopefully spare others the same confusion. If an incoming message contains a TSIG record, it MUST be the last record in the additional section. RFC2845 3.2 --- doc.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc.go b/doc.go index ceabd24c..26e288df 100644 --- a/doc.go +++ b/doc.go @@ -168,6 +168,11 @@ Basic use pattern when querying with a TSIG name "axfr." (note that these key na must be fully qualified - as they are domain names) and the base64 secret "so6ZGir4GPAqINNh9U5c3A==": +If an incoming message contains a TSIG record it MUST be the last record in +the additional section (RFC2845 3.2). This means that you should make the +call to SetTsig last, right before executing the query. If you make any +changes to the RRset after calling SetTsig() the signature will be incorrect. + c := new(dns.Client) c.TsigSecret = map[string]string{"axfr.": "so6ZGir4GPAqINNh9U5c3A=="} m := new(dns.Msg)
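Review bot: The last sentence of the added paragraph overstates what the visible requirement says: RFC2845 3.2 as quoted is a positional rule (the TSIG record MUST be the last record in the additional section), so a change made after SetTsig() breaks the message because the TSIG is no longer last, not because the signature itself is computed at that moment. Suggest rewording to something like "If you add records to the message after calling SetTsig(), the TSIG record will no longer be the last record in the additional section and the message will be rejected." Two smaller points in the same paragraph: "RRset" is the wrong term for the whole message (a message holds several RRsets across its sections; use "message" or "additional section"), and the paragraph mixes "SetTsig" and "SetTsig()", so pick one form, preferably "SetTsig()" to match the rest of doc.go.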