With the new RFC2845bis draft, sparse TSIG signing is deprecated. For backward compatibility, receiving sparse TSIG responses still needs to be supported.

From draft-ietf-dnsop-rfc2845bis-06, Section 5.3.1:

The TSIG MUST be included on all DNS messages in the response. For backward compatibility, a client which receives DNS messages and verifies TSIG MUST accept up to 99 intermediary messages without a TSIG.

If draft-ietf-dnsop-rfc2845bis will be an RFC, consider dropping sparse TSIG signing support in NSD.

-- Benno