Im looking for some clarification on when DNSSEC is enabled in pihole my DNS response times increase from sub 10ms to sometimes >50-500ms.
My understanding was that enabling DNSSEC just logs and shows DNSSEC result in the query log.
If that isnt the case then the extra time would make sense due to the extra overhead from having to request the DNSSEC info and process it
That understanding is wrong.
By enabling DNSSEC, you configure Pi-hole to...
Validate DNS replies and cache DNSSEC data
(quoting directly from the settings page)
Using DNSSEC validated replies takes additional CPU, memory and storage.
In addition to retrieving a requested DNS record, Pi-hole fetches signatures and keys to validate that the record has not been tampered with, discarding it if validation fails (for further details, see Understanding DNSSEC validation using Pi-hole's Query Log).