Old NSD, new BIND: unexpected RCODE

Hello.

I'm not quite sure what to do with this. I found an incompatibility
between experimental new features in BIND and old versions of NSD.

As this is probably a collision in experimental OPT codes, I expect this
problem to disappear when a new option code is assigned.

BIND 9.10 introduces Source Identity Token (SIT) aka DNS Cookies
(http://www.isc.org/bind-9-10-new-features/).

Currently, SIT uses experimental EDNS OPT 65,001
(http://www.ietf.org/proceedings/89/slides/slides-89-dnsop-7.pdf#7)

If SIT is enabled in a resolver, NSD 2.3.7 refuses queries with RCODE 17
(BADKEY):

named: fetch: nsd.dnstest.openchaos.org/TXT
named: 17 unexpected RCODE resolving 'nsd.dnstest.openchaos.org/TXT/IN': 46.37.189.136#53
named: query failed (SERVFAIL) for nsd.dnstest.openchaos.org/IN/TXT at query.c:7532

That leaves domains served exclusively by NSD 2.x unresolvable. I first
noticed this with "telekom.at" but there are probably more.

NSD 3 and 4 respond correctly, so maybe this could be an opportunity to
update and be compatible with bleeding-edge BIND resolvers :)

Hauke.
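
Added example (not part of the original message, and not BIND or NSD code): a Python sketch of the wire format involved, showing how an EDNS option with code 65001 sits in the OPT pseudo-RR and how a 12-bit RCODE such as 17 is split between the DNS header and the OPT TTL field (layout per RFC 6891). The function names, the 8-byte zero option payload and the reply are constructed for illustration; the reply is not a capture from an NSD server.

```python
import struct

SIT_OPTION = 65001  # experimental EDNS option code named in the post

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_message(name, rcode=0, response=False, opt_code=SIT_OPTION, opt_data=b"\x00" * 8):
    """DNS message with one TXT/IN question and one OPT RR carrying a single option."""
    flags = (0x8000 if response else 0x0100) | (rcode & 0xF)   # low 4 RCODE bits in header
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", 16, 1)
    rdata = struct.pack("!HH", opt_code, len(opt_data)) + opt_data
    ttl = (rcode >> 4) << 24                                    # high 8 RCODE bits, EDNS version 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, ttl, len(rdata)) + rdata
    return header + question + opt

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:           # a compression pointer ends the name
            return off + 2
        off += n + 1

def parse_edns(msg):
    """Return (12-bit RCODE, [(option code, data), ...]) from a DNS message."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, options, off = flags & 0xF, [], 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 41:                 # OPT pseudo-RR
            rcode |= (ttl >> 24) << 4   # combine with the extended RCODE bits
            p = off
            while p + 4 <= off + rdlen:
                code, length = struct.unpack("!HH", msg[p:p + 4])
                options.append((code, msg[p + 4:p + 4 + length]))
                p += 4 + length
        off += rdlen
    return rcode, options

if __name__ == "__main__":
    query = build_message("nsd.dnstest.openchaos.org")
    reply = build_message("nsd.dnstest.openchaos.org", rcode=17, response=True)  # constructed
    print(parse_edns(query), parse_edns(reply)[0])
```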