#1 December 14th, 2003, 10:20 AM
SilentRage
DNS/BIND Guru
Join Date: Jun 2003
Location: OH, USA
Posts: 4,193
TSIG signature data

I'm trying to code a DNS UPDATE dynamic IP client for my DollarDNS using TSIG authentication. I continuously get NOTAUTH/BADSIG responses to my initial update request. This means that my signature data in the TSIG RR used for authentication is wrong. After extensive testing, I've confirmed that my base64 decoding, md5 (rfc1321), and hmac (rfc2104) routines are all producing accurate results. So since I know the key is correct and the calculations are correct, all that is left is incorrectly formatted message data, whose specification is found in the TSIG rfc (rfc2845) section 3.4.1.

There is a curious omission from the TSIG rfc however. Since my dynamic IP client could be sending many packets in a single session (2 per configured zone) and because I want reliability, I chose TCP as the transport for the exchange. The RFC doesn't mention whether the 2 byte packet length before each DNS packet is included in the "whole and complete DNS message in wire format". This 2 byte packet length is NOT included in UDP requests, so it is a matter of debate whether it is included in the message when TCP is used.

I would like to see some documentation that states whether this 2 byte length is included in the message. There could be more than one thing wrong with the message I pass to the hmac_md5 routine, so just testing with and without the 2 byte packet length doesn't tell me anything.

P.S. I AM able to update records on the server using the nsupdate utility that comes with BIND so I know it is not a server configuration problem.

P.P.S. If you are a programmer and are interested in this project, C (not C++) code is available.
__________________
Send me a private message if you would like me to setup your DNS for you for a price of your choosing. This is the preferred method if your DNS needs to be fixed/setup fast and you don't have the time to bounce messages back and forth on a forum. Also, check out these links:

Whois Direct | DNS Crawler | NS Trace | Compare Free DNS Hosts

#2 December 15th, 2003, 08:34 PM
SilentRage
Break through! I found out that I only had a minor mistake where I incorrectly calculated the size of the message data to be digested with the key.

The 2 byte length descriptor for a TCP packet is NOT included in the MD5 digest for TSIG authentication.

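A worked version of the two points in this thread, written here as an added example in Python (not SilentRage's C code): the request MAC input that RFC 2845 section 3.4.1 describes, built from the UPDATE message before the TSIG RR is appended plus the TSIG variables, and the fact settled in post #2 that the two-octet TCP length prefix stays out of the digest. The key name, secret, zone and fixed "time signed" value are constructed for the example.

```python
import base64, hashlib, hmac, struct

# Constructed sample inputs, not values from the thread.
KEY_NAME = "ddns-key."
SECRET_B64 = base64.b64encode(b"constructed-example-secret").decode()
TIME_SIGNED = 1071412800   # fixed so the MAC is repeatable; real clients use the current time
FUDGE = 300
ALG_NAME = "hmac-md5.sig-alg.reg.int."

def encode_name(name):
    """DNS wire-format name: length-prefixed labels ending in a zero octet."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def pack_time(time_signed):
    """TSIG 'time signed' is a 48-bit field: high 16 bits, then low 32 bits."""
    return struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)

def build_update_request(msg_id, zone):
    """Minimal DNS UPDATE (opcode 5): header with ZOCOUNT=1, ARCOUNT=0, then the Zone section."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", 6, 1)   # QTYPE SOA, QCLASS IN

def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """TSIG variables in the order RFC 2845 section 3.4.2 lists them."""
    return (encode_name(key_name) + struct.pack("!HI", 255, 0)       # key name, CLASS ANY, TTL 0
            + encode_name(ALG_NAME) + pack_time(time_signed)
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_mac(dns_msg, key_name, secret_b64, time_signed, fudge):
    """Request MAC per RFC 2845 section 3.4.1: the message before the TSIG RR is appended
    (ARCOUNT not yet counting it) followed by the TSIG variables. No TCP length prefix."""
    data = dns_msg + tsig_variables(key_name, time_signed, fudge)
    return hmac.new(base64.b64decode(secret_b64), data, hashlib.md5).digest()

def append_tsig(dns_msg, key_name, mac, time_signed, fudge):
    """Append the TSIG RR as the last Additional record and increment ARCOUNT."""
    rdata = (encode_name(ALG_NAME) + pack_time(time_signed) + struct.pack("!HH", fudge, len(mac))
             + mac + dns_msg[:2] + struct.pack("!HH", 0, 0))    # original ID, error, other len
    rr = encode_name(key_name) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata  # TYPE TSIG
    arcount = struct.unpack("!H", dns_msg[10:12])[0] + 1
    return dns_msg[:10] + struct.pack("!H", arcount) + dns_msg[12:] + rr

def tcp_frame(dns_msg):
    """RFC 1035 section 4.2.2 framing: two-octet length, then the message. Framing, not message."""
    return struct.pack("!H", len(dns_msg)) + dns_msg

def signed_update_over_tcp(zone, msg_id=0x1234):
    msg = build_update_request(msg_id, zone)
    mac = tsig_mac(msg, KEY_NAME, SECRET_B64, TIME_SIGNED, FUDGE)
    return tcp_frame(append_tsig(msg, KEY_NAME, mac, TIME_SIGNED, FUDGE)), mac
```

Feeding `tcp_frame(msg)` instead of `msg` into `tsig_mac` yields a different MAC, which is exactly the BADSIG the first post describes; the server computes over the bare message.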
© 2003-2008 by Developer Shed. All rights reserved. DS Cluster 4 hosted by Hostway