BIND server has tons of "no valid RRSIG" errors

It looks like Comcast's servers are deliberately stripping out DNSSEC signatures from the responses they're giving you, so your server cannot validate com. (in this case) even though it knows that one should be signed. This is unlikely to cause any directly noticeable problems, it just leaves you and your users wide open for all the attacks that DNSSEC was created to protect against.

Exactly why Comcast want to reduce your level of security you will have to ask them.