Hi Jay,
A DNS DoS traffic amplifier just needs a large DNS record anywhere on the Internet to reflect at the target. While DNSSEC does mean there will be more records like that available to choose from, it doesn't create a problem where there wasn't one before. A claim could be made that large records on well-connected servers were hard to find, but I doubt that would have stopped an attacker for more than a few minutes. I think the main thing that is a problem with the DNSSEC deployments progressing is that the "strongest" part of the hierarchy (root downwards) is the one that makes those records available. One can quite safely assume that almost any potential target on the Internet will have less capacity than a reflection processed via the root servers (for example). See also: http://www.root-servers.org/map/

The problem is mainly related to the fast implementation of those deployments and at which part in the hierarchy they happen. If that 10x amplification increase were to happen over, let's say, 5 years with current bandwidth growth rates, one would not care much about it. However, within a roll-out window of a few months the root servers now offer 10x more bang for the buck, and even Internet bandwidth growth and price drops can't stand up to that.

The big game changer for a lot of infrastructure providers is that they have to realize that the real cost of operating critical infrastructure on the Internet to date is not the cost of the bandwidth you need to service your users but the total bandwidth you need to stay online. I certainly hope that this is not only occurring to folks now that DNSSEC is being deployed, since it's been a reality for a number of years now. Until we find a solution to this problem as a whole, it will always be down to the cheapest current method to perform such an attack and how capacity stands up against it.

Regards,
Wolfgang
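The message above argues from the reflector's side: what matters to an operator is how many response bytes a server sends out per query byte it receives, and to which source prefixes. The following script is an added example, not part of the original mailing-list post and not anyone's production tooling; it assumes a constructed, simplified query-log format (sequence number, source IP, qname, qtype, query bytes, response bytes) and constructed sample lines, so a real server's log would need a different parser. It computes the amplification ratio per record type and per source /24, which is how an authoritative operator can see both which records in a zone are the largest amplifiers and which spoofed source prefixes are being flooded with reflected bytes.

```python
"""Audit an authoritative DNS server's query log for reflection exposure.

Added example (not from the original message). Log format and sample
lines are constructed for illustration; adapt parse_log() to real logs.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not real traffic):
# seq  source-ip  qname  qtype  query-bytes  response-bytes
SAMPLE_LOG = """\
1 203.0.113.7 example.org. A 41 57
2 198.51.100.20 example.org. DNSKEY 46 1420
3 198.51.100.20 example.org. DNSKEY 46 1420
4 198.51.100.21 example.org. ANY 43 2900
5 198.51.100.20 example.org. DNSKEY 46 1420
6 203.0.113.8 www.example.org. AAAA 45 73
7 198.51.100.22 example.org. DNSKEY 46 1420
8 198.51.100.20 example.org. ANY 43 2900
"""


def parse_log(text):
    """Parse the constructed log format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seq, src, qname, qtype, qlen, rlen = line.split()
        records.append({
            "seq": int(seq), "src": src, "qname": qname, "qtype": qtype,
            "query_bytes": int(qlen), "response_bytes": int(rlen),
        })
    return records


def _aggregate(records, key_fn):
    """Sum query/response bytes per key and derive the amplification ratio."""
    stats = defaultdict(lambda: {"queries": 0, "query_bytes": 0, "response_bytes": 0})
    for rec in records:
        entry = stats[key_fn(rec)]
        entry["queries"] += 1
        entry["query_bytes"] += rec["query_bytes"]
        entry["response_bytes"] += rec["response_bytes"]
    for entry in stats.values():
        entry["ratio"] = entry["response_bytes"] / entry["query_bytes"]
    return dict(stats)


def amplification_by_qtype(records):
    """Which record types in the zone give the most bytes out per byte in."""
    return _aggregate(records, lambda r: r["qtype"])


def amplification_by_prefix(records, v4_len=24, v6_len=64):
    """Bytes reflected toward each source prefix.

    Source addresses in a reflection attack are spoofed to the victim, so
    grouping by prefix shows where the server's outbound capacity is going.
    """
    def prefix(rec):
        addr = ip_address(rec["src"])
        plen = v4_len if addr.version == 4 else v6_len
        return str(ip_network(f"{addr}/{plen}", strict=False))
    return _aggregate(records, prefix)


def flag_reflection_targets(prefix_stats, min_ratio=10.0, min_response_bytes=4000):
    """Prefixes that receive both a high ratio and a large volume of responses.

    Thresholds are assumptions for this example; tune them to the server's
    normal traffic so that a single large legitimate lookup is not flagged.
    """
    return sorted(
        p for p, s in prefix_stats.items()
        if s["ratio"] >= min_ratio and s["response_bytes"] >= min_response_bytes
    )


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for qtype, s in sorted(amplification_by_qtype(recs).items()):
        print(f"{qtype:7} queries={s['queries']} ratio={s['ratio']:.1f}")
    by_prefix = amplification_by_prefix(recs)
    for p in flag_reflection_targets(by_prefix):
        print(f"likely reflection target {p}: {by_prefix[p]['response_bytes']} bytes out")
```

Run as written it shows DNSKEY and ANY answers in the constructed zone returning tens of bytes per query byte, and it flags 198.51.100.0/24 as the prefix absorbing the reflected traffic. The ratio per record type is the figure to compare against an operator's outbound capacity, which is the "total bandwidth you need to stay online" point in the message; the per-prefix view is what a response-rate-limit or upstream filter would act on.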