I currently have this setup, which I presume is officially published by Pi-hole. What I found is another website, hosted by @Anudeep, who is quite an active participant here, that suggests the below.
The question is whether this is supposed to be done, as the official Pi-hole documentation does not mention this.
In order to experience high speed and low latency DNS resolution, you need to make some changes to your Pi-hole. These configurations are crucial because if you skip these steps you may experience very slow response times:
Open the configuration file /etc/dnsmasq.d/01-pihole.conf and make sure that cache size is zero by setting cache-size=0. This step is important because the caching is already handled by Unbound. Please note that the changes made to this file will be overwritten once you update/modify Pi-hole.
When you're using unbound you're relying on that for DNSSEC validation and caching, and pi-hole doing those same things is just going to waste time validating DNSSEC twice. In order to resolve this issue you need to untick the Use DNSSEC option in Pi-hole web interface by navigating to Settings > DNS > Advanced DNS settings.
The answer to both is no. The person who posted that guide may think they are important, but as one example, I have five instances of unbound running on various Pi-holes using the Pi-hole guide, with no problems.
Leave the Pi-hole cache enabled. There is no problem with having multiple caches. Your client and browser cache as well, and you likely aren't disabling those caches either.
Enabling DNSSEC in Pi-hole doesn't waste time. Unbound is doing the DNSSEC, and when you enable DNSSEC in Pi-hole you add the DNSSEC status in the status column of the query log. Storing DNSSEC information does slightly increase the size of your long term database since there is additional information stored with DNSSEC enabled.
DNSSEC will be done by unbound whether or not you enable DNSSEC in Pi-hole.
Also note that on the web you will find older recommendations to not enable DNSSEC in Pi-hole with unbound due to performance issues. This was true with versions of dnsmasq prior to 2.80 (bugs in dnsmasq). We currently ship with dnsmasq 2.82 and this problem exists no longer.
Note that the guide provided by that user has a number of other changes that they recommend but that the Pi-hole developers do not. Feel free to use that guide if you wish, but if you have subsequent problems using that guide, open an issue on their GitHub page.
Note also that the website you reference bases their configuration on our guide, with no attribution or credit to the origin of the guide they are using. They have recently stripped out some of the text they had taken verbatim from our guide:
@jfb @DanSchaper
Appreciate your thorough and complete response. Your explanation answers my questions, so I am not making any additional changes at this time and will continue following the official guide for Pi-hole on all matters Pi-hole.
Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients. This is an alternative to having dnsmasq validate DNSSEC, but it depends on the security of the network between dnsmasq and the upstream servers, and the trustworthiness of the upstream servers.
Note that caching the Authenticated Data bit correctly in all cases is not technically possible.
If the AD bit is to be relied upon when using this option, then the cache should be disabled using --cache-size=0. In most cases, enabling DNSSEC validation within dnsmasq is a better option. See --dnssec for details.
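As an added illustration of the man page text quoted above (not part of the original thread, and not Pi-hole's or dnsmasq's own code), this Python check flags the one combination that text warns about: proxy-dnssec with the dnsmasq cache left enabled. The sample configurations are constructed, and the default cache size of 150 used when cache-size is absent is an assumption based on dnsmasq's documented default.

```python
# Added example: audit dnsmasq-style config text for proxy-dnssec used
# together with a non-zero cache, per the man page passage quoted above.

DNSMASQ_DEFAULT_CACHE = 150  # assumption: dnsmasq default when cache-size is unset


def parse_options(conf_text):
    """Return {option: value or True}. A repeated option keeps its last value."""
    opts = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        # Only whole-line comments are skipped: '#' also appears inside
        # values such as server=127.0.0.1#5335 (address#port).
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        opts[key.strip()] = value.strip() if sep else True
    return opts


def audit(conf_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    opts = parse_options(conf_text)
    cache = int(opts.get("cache-size", DNSMASQ_DEFAULT_CACHE))
    findings = []
    if opts.get("proxy-dnssec") and cache != 0:
        findings.append(
            f"proxy-dnssec with cache-size={cache}: the AD bit cannot be "
            "cached correctly in all cases; use cache-size=0 or dnssec"
        )
    return findings


# Constructed sample configurations (not taken from any real host).
PROXY_WITH_CACHE = "server=127.0.0.1#5335\nproxy-dnssec\ncache-size=10000\n"
PROXY_NO_CACHE = "# upstream is local\nserver=127.0.0.1#5335\nproxy-dnssec\ncache-size=0\n"
VALIDATING = "server=127.0.0.1#5335\ndnssec\ncache-size=10000\n"

if __name__ == "__main__":
    for name, conf in [("proxy+cache", PROXY_WITH_CACHE),
                       ("proxy, no cache", PROXY_NO_CACHE),
                       ("dnssec+cache", VALIDATING)]:
        print(name, "->", audit(conf) or "ok")
```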