diff --git a/docs/guides/dns/unbound.md b/docs/guides/dns/unbound.md
index 06946af..7705e97 100644
--- a/docs/guides/dns/unbound.md
+++ b/docs/guides/dns/unbound.md
@@ -169,10 +169,10 @@ You can test DNSSEC validation using
 
 ```bash
 dig fail01.dnssec.works @127.0.0.1 -p 5335
-dig dnssec.works @127.0.0.1 -p 5335
+dig +ad dnssec.works @127.0.0.1 -p 5335
 ```
 
-The first command should give a status report of `SERVFAIL` and no IP address. The second should give `NOERROR` plus an IP address.
+The first command should give a status report of `SERVFAIL` and no IP address. The second should give `NOERROR` plus an IP address in addition to a `ad` in the `flags:` section. The `ad` signifies (Authentic Data), indicating the DNS response has been authenticated and validated using DNSSEC.
 
 ### Configure Pi-hole