Comment 1 for bug 242956

9.4.2 rc1 introduced the following change:
  2249. [bug] Only set Authentic Data bit if client requested DNSSEC, per RFC 3655 [RT #17175]

What you're seeing here is that the AD bit was redefined here: http://www.ietf.org/rfc/rfc3655.txt