include a header, the zone to be updated, the prerequisites that must be satisfied, and the record(s) to be updated. TSIG adds a final record, which includes a timestamp and the hash of the request. It also includes the name of the secret key that was used to sign the request. RFC 2535 has recommendations on the form of the name.

The response to a successful TSIG update will also be signed with a TSIG record. Failures are not signed to prevent an attacker from learning anything about the TSIG key using specially crafted update "probes".