I spent several hours trying to figure out why my TSIG signatures were
failing on requests to a server. I finally discovered this little
detail in the RFC which turned out to be my whole problem. Amending the
documentation to hopefully spare others the same confusion.
If an incoming message contains a TSIG record, it MUST be the last
record in the additional section.
RFC2845 3.2
* Fix $TTL handling
* Error when there is no TTL for an RR
* Fix relative name handling
* Error when a relative name is used without an origin (cf. https://tools.ietf.org/html/rfc1035#section-5.1 )
Fixes#484