DNSmasq and Unbound Peacefully Co-Existing?

Started by spetrillo, December 22, 2025, 05:10:43 PM

Quote from: vimage22 on December 27, 2025, 04:56:24 PM
Great. And you needed to add a forward from unbound to dnsmasq, right? As for DNSSEC, I have been reading up on this:
https://blog.cloudflare.com/dns-encryption-explained/
https://www.cloudflare.com/learning/dns/dns-security/
https://security.stackexchange.com/questions/239698/does-cloudflares-dns-over-tls-dot-implement-dnssec-too

I think DNSSEC should be enabled. It is a client/server situation.
"DNSSEC allows clients to verify the integrity of the returned DNS answer"
It seems like a provider, like cloudflare, will use DNSSEC flags and the client, like OPNsense, will process them. If you turn off DNSSEC, then you can no longer trust the answer you get was from your provider.

In summary:
DoT: Encrypts your DNS query.
DNSSEC: cryptographically verifies DNSSEC-signed records. (only within unbound)

Therefore, these are two different functions that work together to increase DNS security. Quite fascinating.

DNSSEC is already enforced by Quad9, and enabling DNSSEC at the forwarder level can cause false DNSSEC failures.



DEC740 > USW-Pro-8-PoE> U6-Enterprise
Dec670. Retired / backup device
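To make the two points above concrete (DoT encrypting the path to the upstream while DNSSEC validation happens inside Unbound, and the "false DNSSEC failures" you get when a validating Unbound forwards a local, unsigned zone to dnsmasq), here is an Unbound configuration that does both. This is an added example, not configuration posted by anyone in this thread or shipped by OPNsense: the local domain "lan", the dnsmasq listener at 127.0.0.1 port 5353, and the file paths are assumptions you would replace with your own.

```conf
# Added example (not from the thread). Assumptions: dnsmasq serves the unsigned
# local zone "lan" on 127.0.0.1:5353; paths follow the OPNsense/FreeBSD layout.
server:
    interface: 0.0.0.0
    port: 53

    # DNSSEC validation is done here, in Unbound, regardless of what the
    # upstream does. The root trust anchor file is kept current by unbound-anchor.
    auto-trust-anchor-file: "/var/unbound/root.key"

    # CA bundle used to authenticate the DoT upstreams' certificates
    # (the #hostname suffix on forward-addr below enables that check).
    tls-cert-bundle: "/etc/ssl/cert.pem"

    # The "lan" zone is served by dnsmasq and carries no signatures. Without
    # domain-insecure, a validating Unbound treats its unsigned answers as
    # bogus and returns SERVFAIL (the "false DNSSEC failures" mentioned above).
    domain-insecure: "lan"

    # dnsmasq answers with RFC 1918 addresses; exempt the zone from rebind
    # protection or those answers are dropped as well.
    private-domain: "lan"
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8

    # Unbound refuses to forward to localhost unless told otherwise.
    do-not-query-localhost: no

# Local zone: hand it to dnsmasq, in the clear, on the loopback interface.
forward-zone:
    name: "lan."
    forward-addr: 127.0.0.1@5353   # assumption: where dnsmasq listens

# Everything else: forward over DoT (port 853) to the public resolvers named in
# this thread. The "#hostname" part is what Unbound verifies against the cert.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853#dns.quad9.net
```

Two quick checks once this is in place: `dig +dnssec @127.0.0.1 cloudflare.com` should come back with the `ad` flag set in the header (Unbound validated the chain itself), and `dig +dnssec @127.0.0.1 dnssec-failed.org` should return SERVFAIL, because that zone is deliberately signed incorrectly; if it resolves, validation is not actually happening. A query for a host in `lan` should answer normally without `ad`, which is expected for a zone you have marked insecure.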


Quote: DNSSEC is already enforced by Quad9
Maybe, but you are not addressing the technical details of my response. Without DNSSEC, you have no guarantee that the DNS answer is from Quad9.

BTW, I am running a performance test against DNSSEC fully enabled or disabled. Granted, using cloudflare, as opposed to Quad9. I want to look at a 24 hr period looking at:
Services: Unbound DNS: Statistics:
It will show:
Recursion time (average):
Recursion time (median):
Hoping this will show any performance issue.