diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h
index ea19b7d6fb2cd603f547f03edcbb9277a5574b07..6fd0719ef43f1dfa766b3a401dd0904f493a2b13 100644
--- a/lib/dns/include/dns/message.h
+++ b/lib/dns/include/dns/message.h
@@ -157,6 +157,7 @@ struct dns_message {
 unsigned int need_cctx_cleanup : 1;
 unsigned int header_ok : 1;
 unsigned int question_ok : 1;
+ unsigned int tcp_continuation: 1;
 unsigned int reserved; /* reserved space (render) */
@@ -181,6 +182,7 @@ struct dns_message {
 dns_rdata_any_tsig_t *tsig;
 dns_rdata_any_tsig_t *querytsig;
 dns_tsig_key_t *tsigkey;
+ void *tsigctx;
 int tsigstart;
 };
diff --git a/lib/dns/message.c b/lib/dns/message.c
index 5f03679cfd39d55e5e27c944dc6298d17dba833b..64d250694b56f325f1345fcec9eefbfcb81acb87 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -322,6 +322,7 @@ msginittsig(dns_message_t *m)
 m->tsigstatus = m->querytsigstatus = dns_rcode_noerror;
 m->tsig = m->querytsig = NULL;
 m->tsigkey = NULL;
+ m->tsigctx = NULL;
 m->tsigstart = -1;
 }
@@ -337,6 +338,7 @@ msginit(dns_message_t *m)
 msginittsig(m);
 m->header_ok = 0;
 m->question_ok = 0;
+ m->tcp_continuation = 0;
 }
 static inline void
@@ -1219,8 +1221,13 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
 if (r.length != 0)
 return (DNS_R_FORMERR);
- if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_TSIG])) {
- ret = dns_tsig_verify(source, msg);
+ if (msg->tsigkey != NULL ||
+ !ISC_LIST_EMPTY(msg->sections[DNS_SECTION_TSIG]))
+ {
+ if (!msg->tcp_continuation)
+ ret = dns_tsig_verify(source, msg);
+ else
+ ret = dns_tsig_verify_tcp(source, msg);
 if (ret != DNS_R_SUCCESS)
 return ret;
 }
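Review bot: The new `void *tsigctx` member in the second message.h hunk (`@@ -181,6 +182,7 @@`) has no comment saying what it points to or who releases it, and the only lifecycle code this commit shows is `m->tsigctx = NULL;` in the msginittsig() hunk of message.c. If msginittsig() is also reached from a reset path while a context is live (not visible here), that assignment drops the pointer without freeing what is presumably keyed digest state, so the reset and destroy paths should release it before it is cleared. I would add a field comment such as `/* running TSIG digest context for a multi-message TCP stream; owned by the message, released on reset/destroy */`, and use the concrete context type instead of `void *` if this header can name it. The struct definition starts and ends outside the hunk.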
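Review bot: In the dns_message_parse() hunk (`@@ -1219,8 +1221,13 @@`), whether a message is authenticated on the `tcp_continuation` branch depends entirely on `dns_tsig_verify_tcp()`, which this commit does not show. With the widened condition a message carrying no TSIG record is now passed to verification whenever `msg->tsigkey` is set, so that function must bound the run of unsigned intermediate messages and reject a stream whose last message is unsigned, or the continuation path is weaker than the single-message one. A comment at the branch stating that contract would help, e.g. `/* continuation of a signed TCP stream: unsigned intermediate messages are tolerated only within the limits dns_tsig_verify_tcp() enforces */`. Because msginit() clears `tcp_continuation`, the field in message.h should also document that the caller has to set it again after every reset, before parsing the next message of the stream. The function body continues outside the hunk.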