Hacker News

  | There is also a 300+ Gbps DDoS attack
  | making use of it right now
I have yet to see anyone state authoritatively that DNSSEC is being used in this attack. Could you provide a reference for this?

If this attack right now is able to reach 30x amplification without DNSSEC, then what's the point of decrying DNSSEC amplification as a huge issue?

Other discussion: https://hackernews.hn/item?id=5451299



DNSSEC is the amplification in "DNS amplification attack." I personally run a (heavily rate limited) open resolver as a honey pot to observe these attacks in progress.

You can read CloudFlare's own explanation of how these attacks work http://blog.cloudflare.com/deep-inside-a-dns-amplification-d...


Unless I'm misunderstanding, the 'amplification' in 'DNS amplification attack' doesn't necessarily refer to DNSSEC. The idea is that you use x amount of bandwidth to send y amount of bandwidth at the target where y = kx, for some value of k that is significant enough to make it more worthwhile than just sending the traffic directly.

E.g. make a UDP DNS request to an open resolver with the source IP forged to be your target, then the response is sent to your target (rather than to the real source of the request).

My understanding is that the problem people have with DNSSEC in this regard is that the data returned in those responses increases by a lot (allowing for a 30x increase?). But if attackers are able to accomplish this without DNSSEC, then what's the point of talking about how horrible DNSSEC will make things in this regard?


So could some right thinking person scan the internet for open DNS resolvers and perform DDoS attacks against them using other open resolvers?


Yeah! Right Thinkers! DDoS all those awful Wrong Thinkers! Knock their bastard servers right off the internet! That's the solution!


It's actually quite an elegant solution to getting people to configure their servers correctly. Instead of their servers being a hazard to the wider internet, they become a hazard to each other.


Do you simply not care about the collateral damage, or do you feel the ends justify the means?



