Didn't you read about the recent DNS rebinding attack on wireless routers? It works on routers with remote access disabled but with the default administration password. The attack basically tricks the user's browser into attacking the local administration interface.
Except they don't have access to the router. The attack is tricking the user's browser into attacking their router. The router can be completely locked down on the WAN side. The router is vulnerable on the LAN side because of an insecure password or some other attack. But that normally only works when you are inside someone's house. This is tricking the browser into performing the attack. The browser isn't compromised; it is just accessing a site normally and running some JavaScript.
This is tricking the little kid inside the car to unlock it for you.
DNSSEC requires EDNS. EDNS allows for UDP packets larger than the original 512-byte limit of DNS over UDP. There could be problems with fragmented packets which are larger than the MTU. Some experiments show that responses with DNSSEC and IPv6 are larger than 512 bytes but smaller than the typical MTU of 1500 bytes.
There is some old firewall equipment that mistakenly prohibits DNS packets longer than 512 bytes over UDP, but those have caused problems for a while.
DNS uses UDP by default. If the response is too big for UDP, then it switches to TCP. The limit for UDP packets used to be 512 bytes, but extensions allow the size to be much larger. Old firewalls think that 512 bytes is the limit of DNS over UDP and block any longer packets.
"Experience has proved that some people indeed know everything." -- Russell Baker
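An added example (not from any post in this thread) showing in bytes what the last few posts describe: a query that advertises an EDNS0 UDP payload size in its OPT record, and a check of a reply's TC (truncated) bit to decide whether the client must retry over TCP. The advertised size of 1232 bytes and the sample truncated reply are constructed for illustration.

```python
import struct

DNS_UDP_DEFAULT_MAX = 512      # classic RFC 1035 limit when no OPT record is present
EDNS_PAYLOAD_ADVERTISED = 1232  # constructed choice: fits a 1500-byte MTU without fragmentation
TC_BIT = 0x0200                # "truncated" flag in the header flags word
DO_BIT = 0x8000                # DNSSEC OK flag, carried in the OPT record's TTL field

def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name: str, qtype: int = 1, txid: int = 0x1234,
                edns_size: int = EDNS_PAYLOAD_ADVERTISED) -> bytes:
    """Build a DNS query; edns_size=0 sends a plain pre-EDNS query."""
    arcount = 1 if edns_size else 0          # OPT lives in the additional section
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)       # QTYPE, QCLASS=IN
    if edns_size:
        # OPT pseudo-RR: root name, TYPE 41, CLASS = advertised UDP payload
        # size, TTL = ext-RCODE/version/flags (DO bit), RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_size, DO_BIT, 0)
    return msg

def skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name, including a compression pointer."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:
            return off + 2                   # pointer is two bytes and ends the name
        off += 1 + n
        if n == 0:
            return off

def inspect_response(msg: bytes) -> dict:
    """Report TC, EDNS payload size and DO from a DNS message."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4        # QTYPE + QCLASS
    info = {"truncated": bool(flags & TC_BIT), "edns_udp_size": None, "dnssec_ok": False}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == 41:                      # OPT: CLASS field holds the UDP payload size
            info["edns_udp_size"], info["dnssec_ok"] = rclass, bool(ttl & DO_BIT)
    info["retry_over_tcp"] = info["truncated"]
    info["max_udp_reply"] = info["edns_udp_size"] or DNS_UDP_DEFAULT_MAX
    return info

# Constructed sample: a truncated reply (QR, TC, RD, RA set) carrying an OPT record
SAMPLE_TRUNCATED_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 1)
                          + encode_name("example.com") + struct.pack("!HH", 1, 1)
                          + b"\x00" + struct.pack("!HHIH", 41, 1232, DO_BIT, 0))
```

A resolver seeing `retry_over_tcp` true repeats the query over TCP; a firewall that drops UDP replies above 512 bytes never lets the client reach that decision, which is the failure the posts above describe.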