Why can the domain <sub.domain.tld> not be created? (unknown TLD)
Subzones are not supported.
Why can the zone not be created due to error "Zone already claimed by somebody else"?
In this case please check your KonsoleH account. You may have to delete the zone on your KonsoleH account at first in order to recreate it via your Hetzner Console.
Primary Servers TSIG Key and Algorithm
TSIG (Transaction SIGnature) is a security mechanism used to authenticate DNS messages between servers, especially for dynamic updates or zone transfers. When creating a secondary zone, you can define a shared secret TSIG key (and it’s generation algorithm) for each primary name server that the zone is queried from.
You have to generate and configure the TSIG key on your primary name server first. Afterwards, you can copy the TSIG key and algorithm into the Hetzner Console/API when creating or updating a secondary zone. The key will be used by Hetzner’s name servers whenever the zone is queried from the specified primary name servers.
You can find a list of supported TSIG key algorithms in the DNS overview.