BIND is also setting the AD bit on the query and this actually triggers it, though the RFC where this is defined currently doesn’t come to my mind.
Yes, I don't remember which RFC, but it is standardized that if
you specify the AD flag in a query, the resolver should set it according
to the status even when you didn't specify the DO flag. That can be a
useful combination when you don't want to validate yourself and
thus have no need for records like RRSIG. If there is neither DO
nor AD in the query, the AD flag in the reply should never be set (even if
EDNS is used).
--Vladimir
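
An added example, not part of the original messages: the AD/DO combinations discussed above at wire level, with a check that flags a reply carrying AD when the query signalled neither AD nor DO (the behaviour specified in RFC 6840, sections 5.7 and 5.8). The function names, the `example.com` query and the replies are constructed for illustration.

```python
import struct

QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020  # DNS header flag bits
DO = 0x8000  # DNSSEC OK: top bit of the low 16 bits of the OPT record's TTL field

def build_query(name, qtype=1, ad=False, do=False, edns=False, qid=0x1234):
    """Wire-format query; an OPT record is appended when edns or do is requested."""
    use_opt = edns or do
    msg = struct.pack("!HHHHHH", qid, RD | (AD if ad else 0), 1, 0, 0, int(use_opt))
    for label in name.rstrip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!HH", qtype, 1)  # root label, QTYPE, QCLASS=IN
    if use_opt:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = flags, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", 41, 1232, DO if do else 0, 0)
    return msg

def query_signals(query):
    """Return (ad_set, do_set) as a resolver would read them from the query."""
    flags, _qd, _an, _ns, ar = struct.unpack("!HHHHH", query[2:12])
    pos = 12
    while query[pos]:           # skip QNAME labels (our own queries are uncompressed)
        pos += 1 + query[pos]
    pos += 1 + 4                # root label, QTYPE, QCLASS
    do = False
    if ar and query[pos] == 0:  # assumption: OPT is the only additional record
        rtype, _cls, ttl, _rdlen = struct.unpack("!HHIH", query[pos + 1:pos + 11])
        do = rtype == 41 and bool(ttl & DO)
    return bool(flags & AD), do

def check_reply(query, reply):
    """Classify the reply's AD bit against what the query asked for."""
    ad, do = query_signals(query)
    reply_ad = bool(struct.unpack("!H", reply[2:4])[0] & AD)
    if reply_ad and not (ad or do):
        return "unexpected-ad"  # AD set although the query had neither AD nor DO
    return "ad-set" if reply_ad else "ad-clear"

def fake_reply(query, ad):
    """Constructed sample reply: the query echoed back with QR/RA (and AD) set."""
    flags = QR | RD | RA | (AD if ad else 0)
    return query[:2] + struct.pack("!H", flags) + query[4:]

if __name__ == "__main__":
    for kw in ({"ad": True}, {"do": True}, {"edns": True}, {}):
        q = build_query("example.com", **kw)
        print(kw, query_signals(q), check_reply(q, fake_reply(q, ad=True)))
```

An "ad-clear" result only means the resolver did not assert validation; it does not distinguish an unsigned zone from a non-validating resolver.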