It seems that TSIG signing does not work, everything is met with FORMERR responses.
It appears that the TSIG record is encoded incorrectly, specifically the TTL appears to be included twice, offsetting everything after it.
EncodeRecordHeader(messageData, offset, ref currentPosition, domainNames, false);
DnsMessageBase.EncodeInt(messageData, ref currentPosition, TimeToLive);
but DnsRecordBase.EncodeRecordHeader already includes the TTL.