nsupdate fails if the system dns resolver does not forward TKEY

I've seen this happening in this configuration: https://github.com/systemd/systemd/issues/6727

The flow seems to be:

1. find primary master*
2. gss setup (over system defined dns server)
3. send signed update request to primary master

*there seems to be a fallback in place when no SOA is in the AUTHORITY and ANSWER sections: remove the leftmost dns label and repeat step 1

Using this "stub" resolver only the QUERY and ANSWER sections seem to be passed.

I would suggest a fallback for the case where TKEY gets filtered: talk with the primary master directly:

1. find primary master
2. gss setup (over system defined dns server; if it fails, using primary master)
3. send signed update request to primary master
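Step 1 of the flow above, including the label-stripping fallback, as an added example (not nsupdate's or BIND's code): it parses a wire-format SOA reply, takes MNAME from a SOA in ANSWER or AUTHORITY, and otherwise drops the leftmost label and retries. The resolver is a constructed stand-in that, like the stub described, passes only QUESTION and ANSWER, so the SOA only shows up once the zone apex itself is queried; `example.test` and `ns1.example.test` are made-up names.

```python
import struct

SOA, IN = 6, 1

def _read_name(msg, off):
    """Decode a (possibly compressed) DNS name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2                      # resume after the pointer
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)

def soa_mname(msg):
    """Return MNAME of the first SOA in ANSWER or AUTHORITY, else None."""
    _, _, qd, an, ns, _ = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):                            # skip the question section
        off = _read_name(msg, off)[1] + 4
    for _ in range(an + ns):                       # walk ANSWER then AUTHORITY
        off = _read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == SOA:
            return _read_name(msg, off)[0]         # MNAME is first in SOA RDATA
        off += rdlen
    return None

def _wire_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def _stub_reply(qname, zone="example.test", mname="ns1.example.test"):
    """Constructed reply from a stub that forwards only QUESTION and ANSWER:
    the SOA (normally in AUTHORITY) survives only when the apex is queried."""
    question = _wire_name(qname) + struct.pack("!HH", SOA, IN)
    if qname != zone:
        return struct.pack("!6H", 1, 0x8180, 1, 0, 0, 0) + question
    rdata = _wire_name(mname) + _wire_name("hostmaster." + zone) + struct.pack("!5I", 1, 3600, 900, 604800, 300)
    rr = _wire_name(zone) + struct.pack("!HHIH", SOA, IN, 300, len(rdata)) + rdata
    return struct.pack("!6H", 1, 0x8180, 1, 1, 0, 0) + question + rr

def find_primary_master(name, query_soa=_stub_reply):
    """Query SOA for name; if no SOA comes back, strip the leftmost label and retry."""
    while name:
        mname = soa_mname(query_soa(name))
        if mname:
            return mname
        name = name.partition(".")[2]              # "" once the last label is gone
    return None
```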