I wrote one such proxy, though mine is not open source: I found it relatively easy to work with zones and records, and a well-designed test suite helps build confidence that a key for an "account" A cannot read or write into "account" B.
I'm putting "account" in quotes because it isn't a PowerDNS concept; there is just a lonely varchar column in the 'domains' table where one can store some account-related information. To handle TSIG keys I had to extend PowerDNS's data model to represent the association between a TSIG key and an "account".