An issue has been found in PowerDNS allowing an attacker in position of man-in-the-middle to alter the content of an AXFR because of insufficient validation of TSIG signatures. A missing check that the TSIG record is the last one, leading to the possibility of parsing records that are not covered by the TSIG signature. External References: https://doc.powerdns.com/md/security/powerdns-advisory-2016-04/