From 97c6a849b7515d1b18976e51ce1d11b9511d0d97 Mon Sep 17 00:00:00 2001
From: HeliusMagnum <82977614+HeliusMagnum@users.noreply.github.com>
Date: Mon, 14 Jul 2025 02:10:38 -0400
Subject: [PATCH] Update unbound.md

add ad flag to dig command

Update unbound.md

Update unbound.md to include more information about the DNSSEC validation flags.

Signed-off-by: HeliusMagnum <82977614+HeliusMagnum@users.noreply.github.com>
---
 docs/guides/dns/unbound.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/guides/dns/unbound.md b/docs/guides/dns/unbound.md
index 06946af..7705e97 100644
--- a/docs/guides/dns/unbound.md
+++ b/docs/guides/dns/unbound.md
@@ -169,10 +169,10 @@ You can test DNSSEC validation using
 
 ```bash
 dig fail01.dnssec.works @127.0.0.1 -p 5335
-dig dnssec.works @127.0.0.1 -p 5335
+dig +ad dnssec.works @127.0.0.1 -p 5335
 ```
 
-The first command should give a status report of `SERVFAIL` and no IP address. The second should give `NOERROR` plus an IP address.
+The first command should give a status report of `SERVFAIL` and no IP address. The second should give `NOERROR` plus an IP address in addition to a `ad` in the `flags:` section. The `ad` signifies (Authentic Data), indicating the DNS response has been authenticated and validated using DNSSEC.
 
 ### Configure Pi-hole