NASTY! You’d be right. I too did not get the ‘ad’ notation in my own dig response record.

This mean, any TXT record can easily be spoofed via a simple transparent MitM packet munging.

https://dnssec-analyzer.verisignlabs.com/current.cvd.clamav....