You can see an example of a response from the isc.org zone that contains DNSSEC records on my blog. The size of the response is 4,077 bytes, compared with a query of just 44 bytes.
Now, picture attackers from around the Internet sending that spoofed query from your Web server's IP address to the isc.org name servers. For each 44-byte query, your Web server receives a 4,077-byte response, for an amplification factor of almost 93 times.
Let's do a quick calculation to figure out how bad this could get. Say each attacker has a relatively modest 1Mbps connection to the Internet. He can send about 2,840 44-byte queries across that link per second. This query stream would result in almost 93Mbps worth of replies reaching your Web server. Every 11 attackers represent 1Gbps.
Where would antisocial attackers find 10 friends to help them carry out an attack? Actually, they don't need any. They'll use a botnet of thousands of computers.
The ultimate effect is devastating. In their quarterly global DDoS Attack Report, Prolexic (a DDoS-mitigation company) reported a recent DNS-based attack against a customer that topped 167Gbps. Prolexic further reported that average DDoS attack bandwidth was up 718 percent to 48Gbps in a single quarter.
But wait! Couldn't the isc.org name servers be modified to recognize that they're being queried over and over for the same data, from the same IP address? Couldn't they squelch the attack?
They certainly can. But the isc.org name servers aren't the only ones an attacker can use to amplify his traffic. Sure, there are other authoritative name servers the attacker could use, but even worse are open recursive name servers.
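To make the arithmetic above and the "squelch the attack" idea concrete, here is an added example (my own code, not from the original article or from any name server implementation). The first two functions redo the bandwidth calculation with the 44-byte query and 4,077-byte reply quoted above; the `ResponseRateLimiter` class is a simplified sketch of the idea behind response rate limiting as found in authoritative servers such as BIND: count identical answers per client /24 per second, and beyond a limit alternately truncate (so a real client retries over TCP, which a source-spoofing attacker cannot) and drop. The log format, addresses and limits are constructed for the demonstration.

```python
import ipaddress
from collections import defaultdict, deque

# Sizes quoted in the article: a 44-byte query for isc.org DNSSEC data, a 4,077-byte reply.
QUERY_BYTES = 44
RESPONSE_BYTES = 4077


def amplification_factor(query_bytes=QUERY_BYTES, response_bytes=RESPONSE_BYTES):
    """Bytes of reply produced per byte of spoofed query."""
    return response_bytes / query_bytes


def queries_per_second(link_mbps, query_bytes=QUERY_BYTES):
    """Whole queries one attacker can push through a link of link_mbps."""
    return int(link_mbps * 1_000_000 / 8 / query_bytes)


def reply_rate_mbps(link_mbps, query_bytes=QUERY_BYTES, response_bytes=RESPONSE_BYTES):
    """Reply traffic (Mbps) that lands on the victim for one attacker's link."""
    qps = link_mbps * 1_000_000 / 8 / query_bytes
    return qps * response_bytes * 8 / 1_000_000


class ResponseRateLimiter:
    """Sliding one-second window of answers, keyed on (client /24, qname, qtype).

    Simplified sketch of response rate limiting (assumed behaviour, my own
    code): answers within the limit are sent; over the limit, every `slip`-th
    query gets a truncated reply (TC=1, a few dozen bytes) and the rest are
    dropped. A legitimate client retries truncated answers over TCP; a spoofed
    source cannot complete the TCP handshake, so the amplifier stops reflecting.
    """

    def __init__(self, responses_per_second=5, slip=2):
        self.limit = responses_per_second
        self.slip = slip
        self.windows = defaultdict(deque)  # key -> timestamps of full answers sent
        self.overflow = defaultdict(int)   # key -> over-limit queries seen, drives slip

    @staticmethod
    def _key(src_ip, qname, qtype):
        net = ipaddress.ip_network(f"{src_ip}/24", strict=False)
        return (str(net), qname.lower(), qtype.upper())

    def decide(self, ts, src_ip, qname, qtype):
        """Return 'answer', 'truncate' or 'drop' for a query seen at time ts (seconds)."""
        key = self._key(src_ip, qname, qtype)
        window = self.windows[key]
        while window and ts - window[0] >= 1.0:   # forget answers older than one second
            window.popleft()
        if len(window) < self.limit:
            window.append(ts)
            return "answer"
        self.overflow[key] += 1
        return "truncate" if self.overflow[key] % self.slip == 0 else "drop"


# Constructed query log, format "<seconds> <client> <qname> <qtype>": twelve
# identical ANY queries for isc.org from one (spoofed) address within a second,
# plus two ordinary A queries from a different client.
SAMPLE_LOG = """\
0.00 198.51.100.10 isc.org ANY
0.08 198.51.100.10 isc.org ANY
0.16 198.51.100.10 isc.org ANY
0.24 198.51.100.10 isc.org ANY
0.30 192.0.2.5 www.example.com A
0.32 198.51.100.10 isc.org ANY
0.40 198.51.100.10 isc.org ANY
0.48 198.51.100.10 isc.org ANY
0.56 198.51.100.10 isc.org ANY
0.60 192.0.2.5 www.example.com A
0.64 198.51.100.10 isc.org ANY
0.72 198.51.100.10 isc.org ANY
0.80 198.51.100.10 isc.org ANY
0.88 198.51.100.10 isc.org ANY
"""


def run(log_text, responses_per_second=5):
    """Feed each logged query to the limiter; return per-client decision counts."""
    limiter = ResponseRateLimiter(responses_per_second)
    counts = defaultdict(lambda: {"answer": 0, "truncate": 0, "drop": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        counts[client][limiter.decide(float(ts), client, qname, qtype)] += 1
    return dict(counts)


if __name__ == "__main__":
    print(f"amplification: {amplification_factor():.1f}x")
    print(f"1 Mbps attacker: {queries_per_second(1)} q/s -> {reply_rate_mbps(1):.1f} Mbps of replies")
    for client, c in run(SAMPLE_LOG).items():
        total = sum(c.values())
        print(f"{client}: {c}  reflected {c['answer'] * RESPONSE_BYTES} of "
              f"{total * RESPONSE_BYTES} possible bytes")
```

Without the limiter the spoofed source would draw twelve full 4,077-byte replies toward the victim; with it, only the first five go out and the rest cost the attacker far more than they cost the victim. The ordinary client is never touched because its rate stays under the limit.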
An open recursive name server is simply a name server that will process recursive queries from any IP address. I can send it that query for isc.org data and it will reply to me, and you can do the same.
There shouldn't be many open recursive name servers on the Internet. A recursive name server's function is to look up data in the Internet's namespace on behalf of DNS clients, like the ones on your laptop or smartphone. The network administrators who set up recursive name servers (such as your IT department) usually intend them for use by a particular community (for example, you and your fellow employees). Unless they're running services such as OpenDNS or Google Public DNS, they don't mean to have them used by the citizens of Moldova. So public-spirited, security-minded, and most especially competent administrators configure access controls on their recursive name servers to limit their use to authorized systems.