DNSSEC using Comcast DNS servers
I have a caching BIND server running on the LAN, and it logs hundreds of errors like this per day:
Aug 30 12:05:47 nuc named[850]: validating @0x7fc6d4018b50: com SOA: got insecure response; parent indicates it should be secure
Aug 30 12:05:47 nuc named[850]: error (no valid RRSIG) resolving 'facebook.com/DS/IN': 75.75.75.75#53
Aug 30 12:05:47 nuc named[850]: validating @0x7fc6cc4fe120: com SOA: got insecure response; parent indicates it should be secure
Aug 30 12:05:47 nuc named[850]: error (no valid RRSIG) resolving 'amazonaws.com/DS/IN': 75.75.75.75#53
Aug 30 12:06:23 nuc named[850]: validating @0x7fc6dc8a03e0: com SOA: got insecure response; parent indicates it should be secure
Aug 30 12:06:23 nuc named[850]: error (no valid RRSIG) resolving 'mozilla.com/DS/IN': 75.75.75.75#53
This doesn't actually prevent clients from resolving names, but it logs a ton of errors. This is the BIND setup in named.conf:
forwarders {
    # Comcast
    2001:558:feed::1;
    2001:558:feed::2;
    75.75.75.75;
    75.75.76.76;
};
forward only;
dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;
Are the Comcast servers stripping out DNSSEC signatures (I asked this on serverfault and that's what the responses were)? If that's the case, why do this? Is there a way to use Comcast DNS servers and do DNSSEC validation locally?
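Added example (not part of the original post): a small Python script that parses the two BIND validator messages shown above and tallies "no valid RRSIG" failures per forwarder and per name, plus the "got insecure response" events per zone. If every configured forwarder accounts for a similar share of failures across unrelated zones, the problem lies on the forwarding path rather than with any one zone. The log lines embedded below are constructed to match the post's format; the `suspect_forwarders` helper and its 50% threshold are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the post's log excerpt (not a real capture).
SAMPLE_LOG = """\
Aug 30 12:05:47 nuc named[850]: validating @0x7fc6d4018b50: com SOA: got insecure response; parent indicates it should be secure
Aug 30 12:05:47 nuc named[850]: error (no valid RRSIG) resolving 'facebook.com/DS/IN': 75.75.75.75#53
Aug 30 12:05:47 nuc named[850]: validating @0x7fc6cc4fe120: com SOA: got insecure response; parent indicates it should be secure
Aug 30 12:05:47 nuc named[850]: error (no valid RRSIG) resolving 'amazonaws.com/DS/IN': 75.75.75.75#53
Aug 30 12:06:23 nuc named[850]: error (no valid RRSIG) resolving 'mozilla.com/DS/IN': 75.75.76.76#53
Aug 30 12:06:23 nuc named[850]: error (no valid RRSIG) resolving 'example.org/DS/IN': 2001:558:feed::1#53
"""

# "error (no valid RRSIG) resolving '<name>/<type>/IN': <server>#<port>"
RRSIG_RE = re.compile(
    r"named\[\d+\]: error \(no valid RRSIG\) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/IN': "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
)
# "validating @0x...: <zone> <type>: got insecure response; parent indicates it should be secure"
INSECURE_RE = re.compile(
    r"named\[\d+\]: validating @0x[0-9a-f]+: (?P<zone>\S+) (?P<rtype>[A-Z0-9]+): "
    r"got insecure response; parent indicates it should be secure"
)


def parse_bind_validation_log(text):
    """Tally validator failures from BIND log text.

    Returns a dict with three Counters:
      by_server  -> RRSIG failures per upstream server address
      by_name    -> RRSIG failures per queried name
      insecure   -> (zone, rtype) pairs that came back unsigned although the
                    parent published a DS record for them
    """
    by_server, by_name, insecure = Counter(), Counter(), Counter()
    for line in text.splitlines():
        m = RRSIG_RE.search(line)
        if m:
            by_server[m["server"]] += 1
            by_name[m["name"]] += 1
            continue
        m = INSECURE_RE.search(line)
        if m:
            insecure[(m["zone"], m["rtype"])] += 1
    return {"by_server": by_server, "by_name": by_name, "insecure": insecure}


def suspect_forwarders(stats, share=0.5):
    """Assumed heuristic: servers responsible for at least `share` of all
    RRSIG failures. With several forwarders sharing the load, a single
    dominant server points at that server; all of them failing points at
    the forwarding path as a whole."""
    total = sum(stats["by_server"].values())
    if total == 0:
        return []
    return sorted(s for s, n in stats["by_server"].items() if n / total >= share)


def main():
    stats = parse_bind_validation_log(SAMPLE_LOG)
    print("RRSIG failures per forwarder:")
    for server, n in stats["by_server"].most_common():
        print(f"  {server:20} {n}")
    print("Zones returned insecure despite a DS at the parent:")
    for (zone, rtype), n in stats["insecure"].most_common():
        print(f"  {zone}/{rtype:6} {n}")
    print("Forwarders carrying >=50% of failures:", suspect_forwarders(stats))


if __name__ == "__main__":
    main()
```

Run it against the real log instead of the embedded sample by reading `/var/log/syslog` (or wherever named logs) into `parse_bind_validation_log`. The complementary manual check is to send a query with the DO bit directly to one forwarder, e.g. `dig +dnssec @75.75.75.75 com SOA`, and confirm whether RRSIG records are present in the answer; a validating resolver behind a forwarder that does not return them cannot complete the chain of trust, which is exactly the condition these messages describe.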