Dhalgren Tor:
Respectfully, I disagree.
https://lists.torproject.org/pipermail/tor-relays/2015-October/007904.html wrote:
Spent a few minutes activating the DNSSEC trust-anchor for 'unbound'.
Ran 'dig' on a few signed domains and observed that queries that took under 50 milliseconds without went to 2000 milliseconds with.
My attitude toward DNSSEC has deteriorated steadily over time and this finishes it off for me. It's simply not worth the cost. Many serious folk have commented in detail on what a horror show it is.
Disabled it on the exit.
Without DNSSEC, 'unbound' has been reporting:
server stats for thread 0: 1296326 queries, 454942 answers from cache, 841384 recursions, 0 prefetch server stats for thread 0: requestlist max 112 avg 28.1553 exceeded 0 jostled 0 histogram of recursion processing times [25%]=0.00737672 median[50%]=0.0492239 [75%]=0.144125
I'll do some comparisons over some weeks or months and come back to this once I have some more data to show.