BIND server has tons of "no valid RRSIG" errors
It looks like Comcast's servers are deliberately stripping out DNSSEC signatures from the responses they're giving you, so your server cannot validate com. (in this case) even though it knows that one should be signed. This is unlikely to cause any directly noticeable problems; it just leaves you and your users wide open to all the attacks that DNSSEC was created to protect against.
Exactly why Comcast want to reduce your level of security, you will have to ask them.
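One way to confirm the situation this answer describes is to look at what the forwarder actually hands back for a zone you know is signed, such as com. The script below is an added example, not code from any answer on this page: it reads the text output of `dig +dnssec` and classifies the response by whether the AD flag is set and whether any RRSIG records are present in the answer section. The three sample responses embedded in it are constructed (abridged dig output with placeholder key tag and signature data), and 203.0.113.1 in the usage comment is a placeholder for your forwarder's address, not a real server.

```shell
#!/bin/sh
# Added example, not part of any answer on this page: classify a captured
# "dig +dnssec" response to tell a forwarder that validates (AD flag set,
# RRSIGs present) from one that passes signatures through unvalidated, or
# one that returns a signed zone's records without any RRSIG at all, which
# is the "stripping" symptom described above for com.
#
# Real usage (203.0.113.1 is a placeholder for your forwarder's address):
#   dig +dnssec SOA com. @203.0.113.1 | classify_dnssec_response
#
# Only meaningful for a zone you know is signed (., com., ...): an unsigned
# zone legitimately has no RRSIG.

# Exit 0 if the header flags line carries "ad" (authenticated data).
has_ad_flag() {
    awk '/^;; flags:/ {
            s = $0
            sub(/^;; flags:/, "", s)   # drop the label
            sub(/;.*$/, "", s)         # drop everything after the flag list
            n = split(s, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") found = 1
         }
         END { exit (found ? 0 : 1) }'
}

# Print the number of RRSIG records in the ANSWER section.
count_answer_rrsig() {
    awk '/^;; ANSWER SECTION:/ { in_ans = 1; next }
         /^;;/ || /^$/          { in_ans = 0 }
         in_ans && $3 == "IN" && $4 == "RRSIG" { n++ }
         END { print n + 0 }'
}

# Read one dig response on stdin and print one of:
#   validated            AD set and signatures present
#   signed-not-validated signatures present, upstream did not validate
#   no-rrsig             no signatures at all: stripped upstream (signed zone)
classify_dnssec_response() {
    resp=$(cat)
    rrsigs=$(printf '%s\n' "$resp" | count_answer_rrsig)
    if [ "$rrsigs" -gt 0 ] && printf '%s\n' "$resp" | has_ad_flag; then
        echo validated
    elif [ "$rrsigs" -gt 0 ]; then
        echo signed-not-validated
    else
        echo no-rrsig
    fi
}

# CONSTRUCTED sample responses (abridged dig output; key tag and signature
# data are placeholders, not real captures).
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;com.    IN  SOA

;; ANSWER SECTION:
com.  900  IN  SOA    a.gtld-servers.net. nstld.verisign-grs.com. 1 1800 900 604800 86400
com.  900  IN  RRSIG  SOA 8 1 900 20240101000000 20231225000000 12345 com. PLACEHOLDER==
'

# Same answer, but the upstream did not set AD (signatures passed through).
SAMPLE_UNVALIDATED=$(printf '%s\n' "$SAMPLE_VALIDATED" | sed 's/^;; flags: qr rd ra ad;/;; flags: qr rd ra;/')

# Signed zone, but the RRSIG is missing: what a stripping forwarder returns.
SAMPLE_STRIPPED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;com.    IN  SOA

;; ANSWER SECTION:
com.  900  IN  SOA    a.gtld-servers.net. nstld.verisign-grs.com. 1 1800 900 604800 86400
'

# Stand-alone run: print the classification of each constructed sample.
for name in SAMPLE_VALIDATED SAMPLE_UNVALIDATED SAMPLE_STRIPPED; do
    eval "sample=\$$name"
    printf '%-18s %s\n' "$name" "$(printf '%s\n' "$sample" | classify_dnssec_response)"
done
```

A result of `no-rrsig` for com. from a forwarder is exactly the condition under which a validating BIND logs "no valid RRSIG": the resolver knows from the DS chain that com. is signed, asks for signatures with the DO bit, and gets none back. `signed-not-validated` is harmless for your own validator, since it receives the signatures and can check them itself.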
I got similar errors in /var/log/syslog:
no valid RRSIG resolving
and broken trust chain resolving
After adding the following params in /etc/bind/named.conf/options, the problem is gone:
dnssec-enable yes;
dnssec-validation yes;
Using BIND 9.9 on my old Ubuntu server, in the file /etc/bind/named.conf.options the parameter
dnssec-validation auto;
has been set by default.
For the last three or four years I have received tons of error messages like:
named[2308]: validating @0x7fd77c00ffc0: . DNSKEY: please check the 'trusted-keys' for '.' in named.conf.
named[2308]: error (no valid KEY) resolving './DNSKEY/IN': 199.7.83.42#53
named[2308]: validating @0x7fd780022e80: . DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'
After three or four years of fiddling around with the BIND configurations and keys, looking at every reachable resource dealing with ISC BIND, at last adding / changing the parameters to
dnssec-enable yes;
dnssec-validation yes;
solved my problem with these tons of errors.