diff --git a/plugin/cache/cache.go b/plugin/cache/cache.go
index 5673cc948..54e5e4db3 100644
--- a/plugin/cache/cache.go
+++ b/plugin/cache/cache.go
@@ -181,6 +181,10 @@ func (w *ResponseWriter) WriteMsg(res *dns.Msg) error {
 res.Ns = filterRRSlice(res.Ns, ttl, w.do, false)
 res.Extra = filterRRSlice(res.Extra, ttl, w.do, false)
+ if !w.do {
res.AuthenticatedData = false // unset AD bit if client is not OK with DNSSEC
+ }
+
 return w.ResponseWriter.WriteMsg(res)
 }
diff --git a/plugin/cache/dnssec_test.go b/plugin/cache/dnssec_test.go
index 446718c9f..a746387bf 100644
--- a/plugin/cache/dnssec_test.go
+++ b/plugin/cache/dnssec_test.go
@@ -23,7 +23,8 @@ func TestResponseWithDNSSEC(t *testing.T) {
 },
 {
 Qname: "invent.example.org.", Qtype: dns.TypeA,
- Do: true,
+ Do: true,
+ AuthenticatedData: true,
 Answer: []dns.RR{
 test.CNAME("invent.example.org. 1781 IN CNAME leptone.example.org."),
 test.RRSIG("invent.example.org. 1781 IN RRSIG CNAME 8 3 1800 20201012085750 20200912082613 57411 example.org. ijSv5FmsNjFviBcOFwQgqjt073lttxTTNqkno6oMa3DD3kC+"),
@@ -40,6 +41,9 @@ func TestResponseWithDNSSEC(t *testing.T) {
 m := tc.Msg()
 rec := dnstest.NewRecorder(&test.ResponseWriter{})
 c.ServeDNS(context.TODO(), rec, m)
+ if tc.AuthenticatedData != rec.Msg.AuthenticatedData {
t.Errorf("Test %d, expected AuthenticatedData=%v", i, tc.AuthenticatedData)
+ }
 if err := test.Section(tc, test.Answer, rec.Msg.Answer); err != nil {
 t.Errorf("Test %d, expected no error, got %s", i, err)
 }
@@ -64,6 +68,7 @@ func dnssecHandler() plugin.Handler {
 m := new(dns.Msg)
 m.SetQuestion("example.org.", dns.TypeA)
+ m.AuthenticatedData = true
 m.Answer = make([]dns.RR, 4)
 m.Answer[0] = test.CNAME("invent.example.org. 1781 IN CNAME leptone.example.org.")
 m.Answer[1] = test.RRSIG("invent.example.org. 1781 IN RRSIG CNAME 8 3 1800 20201012085750 20200912082613 57411 example.org. ijSv5FmsNjFviBcOFwQgqjt073lttxTTNqkno6oMa3DD3kC+")
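Review bot: The guard `if !w.do {` in WriteMsg clears AD for every client that did not set DO, but RFC 6840 §5.7 has a validating resolver set AD when the query carried either the DO bit or the AD bit, so a stub that sends AD=1 with DO=0 (the usual way to ask for validation status without wanting RRSIGs) loses exactly the signal it asked for. If the ResponseWriter already records the request's AD flag the condition should be `if !w.do && !w.ad {`; the struct is not visible from this hunk, so that field may need to be captured wherever `w.do` is set. Passing upstream's AD through to DO/AD clients is only meaningful if the path to that upstream is trusted, which this change does not alter and is worth a sentence in the comment, e.g. `// AD is only forwarded to clients that asked for it (DO or AD set); it reflects upstream's validation, not ours`. WriteMsg's opening and the point where the response is stored in the cache are outside the hunk, so I cannot tell whether a later cache hit served to a DO=0 client goes through the same clearing.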
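Review bot: The new assertion in TestResponseWithDNSSEC reports only the expected value, so a failure does not show what the recorder actually returned; `t.Errorf("Test %d, expected AuthenticatedData=%v, got %v", i, tc.AuthenticatedData, rec.Msg.AuthenticatedData)` makes the mismatch readable without re-running under a debugger. The loop that defines `i` and `tc` starts outside the hunk.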
diff --git a/plugin/test/helpers.go b/plugin/test/helpers.go
index 0c7e85f2a..cb7b0994b 100644
--- a/plugin/test/helpers.go
+++ b/plugin/test/helpers.go
@@ -29,14 +29,15 @@ func (p RRSet) Less(i, j int) bool { return p[i].String() < p[j].String() }
 // Case represents a test case that encapsulates various data from a query and response.
 // Note that is the TTL of a record is 303 we don't compare it with the TTL.
 type Case struct {
- Qname string
- Qtype uint16
- Rcode int
- Do bool
- Answer []dns.RR
- Ns []dns.RR
- Extra []dns.RR
- Error error
+ Qname string
+ Qtype uint16
+ Rcode int
+ Do bool
+ AuthenticatedData bool
+ Answer []dns.RR
+ Ns []dns.RR
+ Extra []dns.RR
+ Error error
 }
 // Msg returns a *dns.Msg embedded in c.
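Review bot: The new `AuthenticatedData bool` field of Case is undocumented, and nothing on the struct says which fields describe the query and which describe the expected response, so a reader cannot tell whether it sets AD on the outgoing message or is compared against the reply. A trailing comment such as `AuthenticatedData bool // expected AD flag of the response; unlike Do it is not copied into the query by Msg` would settle that, assuming Msg (outside this hunk) does not set it. While editing the doc comment, "Note that is the TTL of a record is 303" reads as "Note that if the TTL of a record is 303".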