Why does dig report one more record in the additional section of a query response than I am seeing?

This is not a bug, and it is not new behavior, although those newly upgrading to BIND 9.9 from earlier versions may have encountered it for the first time there.

From BIND 9.9.0 and newer, dig has changed its defaults:

• dig now defaults to using options "+adflag" and "+edns=0" which better reflect the behavior of BIND and many other modern nameservers when recursing. Additionally "+dnssec" will be automatically enabled when running "dig +trace". [RT #23497]

Responses from servers that support EDNS0 will include the OPT RR, which has no text rdata format so it isn't printed, but you can see it described in comments above the question section as "OPT PSEUDOSECTION".

For example:

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000

The dig utility has always counted the OPT pseudo-record in the count of additional records, but this wouldn't have been noticed by users of older versions of dig unless they manually specified the additional options (usually to observe DNSSEC material in the query responses).