feat(nsmaster): do not sign outgoing NOTIFYs

Our secondaries will have different TSIG key configurations, and
nsmaster currently cannot pick the right key.  As a result,
secondaries would discard (some) NOTIFYs.

Outgoing AXFRs can still use TSIG, as the AXFR query contains the
required parameters.

Related: https://github.com/PowerDNS/pdns/issues/10867

nsmaster/conf/pdns.conf.var

@@ -7,6 +7,7 @@ setgid=pdns
 setuid=pdns
 secondary=yes
 secondary-do-renotify=yes
+send-signed-notify=no
 max-tcp-connections=200
 version-string=powerdns
 webserver=yes