During a training I gave last week, a student asked whether it is possible to protect an XFR by IP and a TSIG key. I quickly found somebody who'd done this before and have now tested with this configuration: The following (tested with a BIND 9.11.2 server) permits XFR to a client authenticated by IP and by a key (i.e. the slave must appear from a valid IP and must present a correct TSIG key)
$ tsig-keygen xfr.key > xfr.key