I have done a little bit of work on nsdiff recently.
You can now explicitly manage your DNSKEY RRset, instead of leaving it to named. This is helpful when you are transferring a zone from one operator to another: you need to include the other operator's zone signing key in your DNSKEY RRset to ensure that validation works across the transfer.
There is now support for bump-in-the-wire signing, where nsdiff transfers the new version of the zone from a back-end hidden master server and pushes the updates to a signing server which feeds the public authoritative servers.
Get nsdiff from https://fanf2.user.srcf.net/hermes/conf/bind/bin/nsdiff
(Edit: I decided to simplify the -u option so updated from version 1.46 to 1.47.)