From 8fbefa34d7cfb1e7f29e9dba690013a074a9d6ff Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Tue, 21 Jun 2016 14:19:55 +0200
Subject: [PATCH] Add a remark on dig's use of the AD flag

Closes #4009
---
 docs/markdown/recursor/dnssec.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/docs/markdown/recursor/dnssec.md b/docs/markdown/recursor/dnssec.md
index 99c13dfb25..96664cfd16 100644
--- a/docs/markdown/recursor/dnssec.md
+++ b/docs/markdown/recursor/dnssec.md
@@ -49,6 +49,10 @@ with regards to the `dnssec` mode.
 |AD in response on authenticated data| Never | Never | Only on +AD from client | Only on +AD from client | Only on +AD from client |
 |RRSIGs/NSECs in answer on +DO from client| No | Yes | Yes | Yes | Yes |
 
+**Note**: the `dig` tool sets the AD-bit in the query. This might lead to unexpected
+query results when testing. Set `+noad` on the `dig` commandline when this is the
+case.
+
 # Trust Anchor Management
 In the PowerDNS Recursor, both positive and negative trust anchors can be configured
 during startup (from a persistent configuration file) and at runtime (which is
-- 
2.47.2