I’ve given my share of DNSSEC talks over the last three years. I usually explain what exactly DNSSEC provides and what it does not. One of the downsides I tell ISPs about is that other people’s DNSSEC errors will hit your call center if you’re doing DNSSEC validation.
This just happened to Comcast.
I really recommend that anyone enabling DNSSEC validation on their resolvers be prepared for this case. The report from Comcast is instructive, especially the media fallout they had to cope with.
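One way to prepare first-line support for this case, shown as an added example that is not from the original post or from Comcast's report: query the same validating resolver twice, once normally and once with checking disabled (`dig +cd`), and compare the two response headers. The dig headers below are constructed samples, and the function and category names are assumptions made for illustration.

```python
import re

# Constructed dig response headers (not captured from a real incident).
SERVFAIL_PLAIN = (
    ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711\n"
    ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n"
)
NOERROR_CD = (
    ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712\n"
    ";; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n"
)
SERVFAIL_CD = (
    ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4713\n"
    ";; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n"
)
NOERROR_AD = (
    ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4714\n"
    ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n"
)

ANSWERED = ("NOERROR", "NXDOMAIN")


def parse_header(dig_output):
    """Return (status, set of flags) from the header lines of dig output."""
    status = re.search(r"status: ([A-Z]+)", dig_output)
    flags = re.search(r";; flags: ([a-z ]*);", dig_output)
    if not status or not flags:
        raise ValueError("no dig response header found")
    return status.group(1), set(flags.group(1).split())


def triage(plain_output, cd_output):
    """Classify a customer-reported failure from a normal and a +cd query."""
    status, flags = parse_header(plain_output)
    cd_status, cd_flags = parse_header(cd_output)
    if "cd" not in cd_flags:
        raise ValueError("second response lacks the cd flag; was +cd used?")
    if status in ANSWERED:
        # The ad flag means the resolver validated the answer.
        return "answered-validated" if "ad" in flags else "answered-not-validated"
    if status == "SERVFAIL":
        # Data is retrievable once validation is skipped: the signed zone,
        # not the resolver or the network, is the likely source of the error.
        if cd_status in ANSWERED:
            return "likely-dnssec-failure-in-remote-zone"
        return "resolution-failure"
    return "other"
```

The "likely-dnssec-failure-in-remote-zone" result is the case the post describes: the resolver is working as designed, and the fault sits with the operator of the signed zone.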