author Chris O'Haver <cohaver@infoblox.com> 2022-09-07 11:39:31 -0400
committer GitHub <noreply@github.com> 2022-09-07 11:39:31 -0400
commit 8737ad49b3308934df328d00ecafecee0c70fd5a
tree e9d4d0dbeb2ad0d8866940186e59a975c20de857 /plugin
parent 07159c8d87c62c7cd7ef79579a1f575e0cc931f8
plugin/tsig: Document unimplemented secondary tsig transfers (#5605)
document unimplemented secondary tsig; clarify plugin description
Diffstat (limited to 'plugin')
-rw-r--r-- plugin/tsig/README.md | 15
1 files changed, 11 insertions, 4 deletions
diff --git a/plugin/tsig/README.md b/plugin/tsig/README.md
index 025c43ab1..d73b9ca9c 100644
--- a/plugin/tsig/README.md
+++ b/plugin/tsig/README.md
@@ -2,12 +2,15 @@
## Name
-*tsig* - validate TSIG requests and sign responses.
+*tsig* - define TSIG keys, validate incoming TSIG signed requests and sign responses.
## Description
-With *tsig*, you can define a set of TSIG secret keys for validating incoming TSIG requests and signing
-responses. It can also require TSIG for certain query types, refusing requests that do not comply.
+With *tsig*, you can define CoreDNS's TSIG secret keys. Using those keys, *tsig* validates incoming TSIG requests and signs
+responses to those requests. It does not itself sign requests outgoing from CoreDNS; it is up to the
+respective plugins sending those requests to sign them using the keys defined by *tsig*.
+
+The *tsig* plugin can also require that incoming requests be signed for certain query types, refusing requests that do not comply.
## Syntax
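Review bot: The new Description sentence "it is up to the respective plugins sending those requests to sign them using the keys defined by *tsig*" does not say which plugins actually do so, and a reader could take it to mean that defining a key is enough for outgoing requests to be signed. The same README's Bugs section states that *secondary* does not sign its transfer requests and that *transfer* notifies are unsigned, so a short pointer from this paragraph to Bugs would keep operators from assuming coverage they do not have. As a style point, the first added line of that paragraph and the added "The *tsig* plugin can also require ..." line are not wrapped to the width the removed lines used.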
@@ -67,9 +70,13 @@ auth.zone {
## Bugs
+### Secondary
+
+TSIG transfers are not yet implemented for the *secondary* plugin. The *secondary* plugin will not sign its zone transfer requests.
+
### Zone Transfer Notifies
-With the transfer plugin, zone transfer notifications from CoreDNS are not TSIG signed.
+With the *transfer* plugin, zone transfer notifications from CoreDNS are not TSIG signed.
### Special Considerations for Forwarding Servers (RFC 8945 5.5)
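Review bot: The added "### Secondary" entry states that the *secondary* plugin will not sign its zone transfer requests, but leaves out what an operator should expect as a result. Consider adding one sentence on the consequence, for example that a primary which requires TSIG on transfers will not accept these unsigned requests, and say whether keys defined by *tsig* have any effect on what *secondary* does with the transfer responses it receives. The heading is also terser than its sibling "### Zone Transfer Notifies"; something like "### Secondary Zone Transfers" would read more consistently.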