I added the 2 NS back to infoblox.com and it still works. So I assume those 2 lingering DS keys were enough to send unbound off the deep end. Thanks again guys.
Yes, depending on the server. For instance if you added a copy of the zone to Route53, you might wind up with an NS name like ns-959.awsdns-55.net. That would work.
Part of the problem was specific to the infoblox.com domain: that it had exactly 512 bytes of data. It was also dependent on the fact the infoblox.com used in-domain NS records (ns1.infoblox.com), which meant that it needs glue records to be resolvable. However, the .com nameservers were truncating off the glue records without setting the TC bit.
Using an extra NS record under a different domain would mean glue records are not needed (even if that domain is under .com/.net). I'm making the assumption that the other domain wouldn't have the same problem of (A) an exactly-512-bytes zone and (B) in-domain nameservers.
In this case, @thisisbroken solved it another way - by making the zone smaller.
From the above, it sounds like @thisisbroken is testing on unboundtest.com, which does not cache anything. And we have good reason to believe it will work as is. So I think there is not need to do another test on a completely new FQDN.