On Tue, Mar 03, 2020 at 12:50:20PM +0100, Remi Gacogne via dnsdist <dnsdist at mailman.powerdns.com> wrote a message of 104 lines which said: > Be careful that recent versions of dig are setting AD=1 by default > but a lot of DoH and DoT clients aren't. This is what I missed. Thank you. I now understand that dnsdist is right.