The upcoming Simple DNS Plus v. 5.2 supports secure zone transfer (TSIG authenticated).
Both zone transfer requests and responses are authenticated, which provides protection in two ways: it prevents unauthorized transfers (only people / servers with the correct key can transfer a zone), and it ensures data integrity on secondary servers (false data cannot be spoofed / injected during transfers).
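What that authentication amounts to on the wire, as an added example (not Simple DNS Plus code): a simplified sketch of the TSIG MAC from RFC 8945 for a transfer request and the first response message. HMAC-SHA256, the key name, secret, zone, timestamps and all function names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

def wire_name(name):
    """Domain name in canonical wire format (lowercase, uncompressed)."""
    parts = [p for p in name.lower().rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def axfr_query(msg_id, zone):
    """Minimal AXFR request: header with QDCOUNT=1, question QTYPE=252, class IN."""
    return (struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
            + wire_name(zone) + struct.pack("!HH", 252, 1))

def tsig_mac(message, key_name, secret, time_signed, fudge=300, request_mac=b""):
    """MAC over [request MAC] + DNS message + TSIG variables (RFC 8945, 4.3)."""
    variables = (wire_name(key_name)
                 + struct.pack("!HI", 255, 0)            # CLASS ANY, TTL 0
                 + wire_name("hmac-sha256")              # algorithm name (assumed)
                 + struct.pack("!Q", time_signed)[2:]    # 48-bit time signed
                 + struct.pack("!HHH", fudge, 0, 0))     # fudge, error, other len
    prefix = b""
    if request_mac:  # a response MAC also covers the MAC of the request it answers
        prefix = struct.pack("!H", len(request_mac)) + request_mac
    return hmac.new(secret, prefix + message + variables, hashlib.sha256).digest()

def verify(message, key_name, secret, time_signed, mac, now,
           fudge=300, request_mac=b""):
    """Accept only a fresh message whose MAC matches under the shared secret."""
    if abs(now - time_signed) > fudge:
        return False
    expected = tsig_mac(message, key_name, secret, time_signed, fudge, request_mac)
    return hmac.compare_digest(expected, mac)  # constant-time comparison

# Constructed sample values (not from the product or any real server)
KEY_NAME = "transfer-key.example."
SECRET = b"constructed-shared-secret-0123456789"
NOW = 1_700_000_000
QUERY = axfr_query(0x1234, "example.com")
QUERY_MAC = tsig_mac(QUERY, KEY_NAME, SECRET, NOW)

if __name__ == "__main__":
    tampered = axfr_query(0x1234, "example.org")
    print("valid key:   ", verify(QUERY, KEY_NAME, SECRET, NOW, QUERY_MAC, NOW + 5))
    print("wrong secret:", verify(QUERY, KEY_NAME, b"guess", NOW, QUERY_MAC, NOW + 5))
    print("tampered:    ", verify(tampered, KEY_NAME, SECRET, NOW, QUERY_MAC, NOW + 5))
    print("stale:       ", verify(QUERY, KEY_NAME, SECRET, NOW, QUERY_MAC, NOW + 3600))
```

Only the first check passes: a different secret, a modified message, or a timestamp outside the fudge window each produce a verification failure.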
In the Zone Properties dialog, you can now specify the TSIG key(s) which are allowed to transfer the zone:
For each key, you specify a key name, signing algorithm, and a secret:
For secondary zones, you can now specify the key to sign zone transfer requests with:
In the Options dialog / DNS / Local Zones / Zone Transfers section, it is now also possible to specify keys which are allowed to transfer all zones:
And in the Options dialog / DNS / Local Zones / Super Master/Slave section, it is now possible to allow / disallow unsigned zone transfer requests from slave servers, and to specify keys for master servers:
Adding / editing a master server:
This new feature is available in Simple DNS Plus v. 5.2 BETA build 25 and later - now available at https://simpledns.plus/beta.aspx
For other updates in this BETA build, please see the beta release notes