From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Tue, 21 Jun 2016 12:19:55 +0000 (+0200)
Subject: Add a remark on dig's use of the AD flag
X-Git-Tag: auth-4.0.0-rc1~30^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8fbefa34d7cfb1e7f29e9dba690013a074a9d6ff;p=pdns

Add a remark on dig's use of the AD flag

Closes #4009
---

diff --git a/docs/markdown/recursor/dnssec.md b/docs/markdown/recursor/dnssec.md
index 99c13dfb2..96664cfd1 100644
--- a/docs/markdown/recursor/dnssec.md
+++ b/docs/markdown/recursor/dnssec.md
@@ -49,6 +49,10 @@ with regards to the `dnssec` mode.
 |AD in response on authenticated data| Never | Never | Only on +AD from client | Only on +AD from client | Only on +AD from client |
 |RRSIGs/NSECs in answer on +DO from client| No | Yes | Yes | Yes | Yes |
 
+**Note**: the `dig` tool sets the AD-bit in the query. This might lead to unexpected
+query results when testing. Set `+noad` on the `dig` commandline when this is the
+case.
+
 # Trust Anchor Management
 In the PowerDNS Recursor, both positive and negative trust anchors can be configured
 during startup (from a persistent configuration file) and at runtime (which is