A DNS DoS traffic amplifier just needs a large DNS
record anywhere on the Internet to reflect at the target. While DNSSEC does mean there
will be more records like that available to choose from, it doesn't create a problem
where there wasn't one before. A claim could be made that large records on
well-connected servers were hard to find but I doubt that would have stopped an attacker
for more than a few minutes.
I think the main thing that is a problem with the
DNSSEC deployments progressing is that the "strongest" part of the hierarchy
(root downwards) is the one that makes those records available. One can quite safely
assume that almost any potential target on the Internet will have less capacity than a
reflection processed via the root servers (for example). See also:
The problem is mainly related to the fast implementation of those deployments and at which
part in the hierarchy they happen - if that 10x amplification increase were to happen over
let's say 5 years with current bandwidth growth rates one would not care much about it.
However within a roll-out window of a few months the root-servers now offer 10x more bang
for the buck and even Internet bandwidth growth and price drops can't stand up to
The big game changer for a lot of infrastructure providers is that they have to realize
that the real cost of operating critical infrastructure on the Internet to date is not the
cost of the bandwidth you need to service your users but the total bandwidth you need to
stay online. I certainly hope that this is not only occurring to folks now that DNSSEC is
being deployed since it's been a reality for a number of years now. Until we find a
solution to this problem as a whole it will always be down to the cheapest current method
to perform such an attack and how capacity stands up against it.
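The reflection the post describes is visible on the authoritative side as a burst of large answers to one "client" address, which in an attack is the spoofed victim. The following is an added example, not code from the post or from any DNS software: it runs over constructed log lines (format, thresholds and query size are assumptions) and computes the per-client bytes-out/bytes-in reflection factor plus a simple per-second large-response budget of the kind response-rate-limiting policies enforce.

```python
from collections import Counter, defaultdict

# Constructed sample authoritative-server log lines (not from the post):
# unix_timestamp client_ip qtype qname response_bytes
SAMPLE_LOG = """\
1700000000 203.0.113.7 ANY example.test 3050
1700000000 203.0.113.7 ANY example.test 3050
1700000000 203.0.113.7 DNSKEY example.test 1460
1700000001 203.0.113.7 ANY example.test 3050
1700000001 198.51.100.3 A www.example.test 90
1700000001 203.0.113.7 ANY example.test 3050
1700000002 203.0.113.7 ANY example.test 3050
1700000002 198.51.100.3 MX example.test 140
"""

QUERY_BYTES = 64        # assumed on-the-wire size of one EDNS0 query
LARGE_RESPONSE = 1000   # assumed byte threshold for a "large" answer
MAX_LARGE_PER_SEC = 2   # assumed per-client budget of large answers per second


def parse_log(text):
    """Parse the constructed log format into (ts, ip, qtype, qname, size) tuples."""
    records = []
    for line in text.splitlines():
        ts, ip, qtype, qname, size = line.split()
        records.append((int(ts), ip, qtype, qname, int(size)))
    return records


def reflection_factor(records):
    """Bytes sent to each client divided by the bytes it sent us.

    In a reflection attack the 'client' address is the victim's, so a high
    factor here measures how much traffic we would hand an attacker for free."""
    sent = defaultdict(int)
    for _, ip, _, _, size in records:
        sent[ip] += size
    queries = Counter(ip for _, ip, *_ in records)
    return {ip: sent[ip] / (queries[ip] * QUERY_BYTES) for ip in sent}


def over_budget_clients(records, budget=MAX_LARGE_PER_SEC):
    """Clients receiving more than `budget` large answers within one second;
    an RRL-style policy would truncate (force TCP) or drop those responses."""
    per_second = defaultdict(int)
    for ts, ip, _, _, size in records:
        if size >= LARGE_RESPONSE:
            per_second[(ts, ip)] += 1
    return sorted({ip for (_, ip), n in per_second.items() if n > budget})
```

Forcing the over-budget clients onto TCP removes the spoofing that makes reflection work, while legitimate resolvers simply retry.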