At the homenet meeting back in august, someone stood up and said "bind9 and DNSSEC will never run on a home router"...
... and we'd already had it up and running for quite some time at that point.
however, what you write above strongly implies that you haven't tried to get DNSSEC to work right on cheap CPE. You see, DNSSEC requires not that time be accurate, but accurate to within an hour.
Cheap CPE does not come with a battery backed up clock. So you end up with this circular dependency on getting time, for which you need DNS. There are related failure modes where basically you DO want to be able to check if it's DNS failing or DNSSEC and do the right thing.