diff --git a/TODO b/TODO index 205005dc..91d36e29 100644 --- a/TODO +++ b/TODO @@ -8,6 +8,9 @@ o Tsig will probably become an interface which has all configuration stuff, but this will come later. Config which has Tsig function -- get TSIG working in xfrprx and see how that impact the package. +responseWriter with tsig/axfr/ixfr +requestWriter + Todo: * Parsing from strings, going with goyacc and .cz lexer? * encoding NSEC3/NSEC bitmaps, DEcoding works diff --git a/server.go b/server.go index be5a3280..1444f0fd 100644 --- a/server.go +++ b/server.go @@ -14,9 +14,11 @@ import ( type Handler interface { ServeDNS(w ResponseWriter, r *Msg) + // IP based ACL mapping. The contains the string representation + // of the IP address and a boolean saying it may connect (true) or not. } -// TODO(mg): fit axfr responses in here too +// TODO(mg): fit axfr responses in here too??? // A ResponseWriter interface is used by an DNS handler to // construct an DNS response. type ResponseWriter interface { @@ -24,13 +26,6 @@ type ResponseWriter interface { RemoteAddr() string Write([]byte) (int, os.Error) - - // IP based ACL mapping. The contains the string representation - // of the IP address and a boolean saying it may connect (true) or not. - Acl() map[string]bool - - // Tsig secrets. Its a mapping of key names to secrets. - Tsig() map[string]string } type conn struct { @@ -41,14 +36,11 @@ type conn struct { _UDP *net.UDPConn // i/o connection if UDP was used _TCP *net.TCPConn // i/o connection if TCP was used hijacked bool // connection has been hijacked by hander TODO(mg) - tsig map[string]string // tsig secrets - acl map[string]bool // ip acl list } type response struct { conn *conn req *Msg - xfr bool // {i/a}xfr was requested } // ServeMux is an DNS request multiplexer. It matches the @@ -322,7 +314,6 @@ func (c *conn) serve() { // Request has been read in ServeUDP or ServeTCP w := new(response) w.conn = c - w.xfr = false req := new(Msg) if !req.Unpack(c.request) { break 
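Review bot: In server.go's first hunk, the two added `// IP based ACL mapping…` comment lines sit inside `Handler` with no method beneath them, so they document nothing. The `Acl()` and `Tsig()` methods they used to describe are deleted from `ResponseWriter` in the next hunk, and the `acl`/`tsig` fields are dropped from `conn` in the one after. Within the visible hunks nothing on the serve path carries or checks an IP ACL or TSIG secret any more, yet the leftover comment suggests filtering still exists; whether it is enforced elsewhere in the package cannot be seen from here. I would drop the comment or replace it with an explicit marker such as `// TODO(mg): ACL/TSIG lookup was removed from ResponseWriter; confirm where source-address and TSIG checks are enforced before ServeDNS.`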
@@ -375,11 +366,5 @@ func (w *response) Write(data []byte) (n int, err os.Error) { return n, nil } -// Acl implements the ResponseWriter.Acl -func (w *response) Acl() map[string]bool { return w.conn.acl } - -// Tsig implements the ResponseWriter.Tsig -func (w *response) Tsig() map[string]string { return w.conn.tsig } - // RemoteAddr implements the ResponseWriter.RemoteAddr method func (w *response) RemoteAddr() string { return w.conn.remoteAddr.String() } diff --git a/tsig.go b/tsig.go index e1b53abe..3708b3aa 100644 --- a/tsig.go +++ b/tsig.go @@ -21,6 +21,30 @@ import ( // tsig.TimeSigned = uint64(time.Seconds()) // tsig.Secret = "so6ZGir4GPAqINNh9U5c3A==" // Secret encoded in base64. +type TsigWriter struct { + secrets map[string]string + w io.Writer + name string + fudge uint16 + algorithm string + timersOnly bool +} + +// NewTsigWriter creates a new writer that implements TSIG, secrets +// should contain a mapping from key names to secrets. A message +// should be written with the TSIG record appends. Tsig +func NewTsigWriter(w io.Writer, secrets map[string]string) *TsigWriter { + t := new(TsigWriter) + t.secrets = secrets + return t +} + +func (t *TsigWriter) Write(p []byte) (int, os.Error) { + return 0, nil + +} + + type Tsig struct { // The name of the key. Name string
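Review bot: In the tsig.go hunk, `NewTsigWriter` never stores its `w` argument and `TsigWriter.Write` returns `0, nil` without writing or signing anything. A caller that wraps its connection in this type would silently lose the message and believe a TSIG-protected response went out. Returning a nil error with n < len(p) also breaks the `io.Writer` contract. Until signing is implemented, add `t.w = w` in the constructor and make the stub fail loudly, e.g. `return 0, os.NewError("dns: TsigWriter.Write not implemented")`. A doc comment on `TsigWriter` should note that `secrets` is kept by reference rather than copied, and the import block is outside the hunk, so confirm `io` is imported.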