Hacker News

DJB gave a presentation on it like... last week. Quick turnaround time on the part of the botnet herders.


DNS reflection has been known (and used) for years. That is why Cloudflare mentions there has been an ongoing effort to clean up open resolvers.


Yet another reason DNSSEC is more trouble than it's worth.

It's a gift to anyone wanting to do this type of DDoS.


Was that the bit about amplification via DNSSEC?


The amplification is by asking the misconfigured resolver about a DNSSEC zone.

Basically, DNSSEC just means you do not need to search for a large zone to request. Given that large zones are not directly in short supply, and that searching for them is (in the age of IPv4) rather easy, I wonder if DNSSEC actually has any effect on the issue whatsoever.


DNSSEC-signed responses can be very large. Here's an example of turning a 31 byte request into a 3974 byte response: http://dnscurve.org/amplification.html That's ~128x amplification -- with a 100Mbps connection, roughly 12.8Gbps of responses would be sent to the forged IP source.
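To make the mechanism in the comments above concrete, here is an added example (not code from the thread or from dnscurve.org) that builds the kind of tiny query an attacker sends to an open resolver, parses it back to show the fields a defender can key on, and turns the request/response sizes into an amplification factor and reflected bandwidth. The query shape (ANY with the EDNS0 DNSSEC-OK bit and a large advertised UDP buffer) and the `looks_like_amplification_probe` heuristic are my assumptions, not something the thread specifies; nothing is sent on the network.

```python
"""Build and inspect a DNS query with EDNS0/DNSSEC-OK, and compute the amplification
a reflector gives an attacker. Constructed example: no packets are sent anywhere."""
import struct

TYPE_ANY = 255   # QTYPE ANY: ask for every record at the name
TYPE_OPT = 41    # EDNS0 pseudo-RR carried in the additional section
DO_BIT = 0x8000  # DNSSEC OK flag in the OPT RR's TTL field (RFC 6891 / RFC 3225)


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels ending in the root label."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qtype: int, qid: int = 0x1234, edns: bool = True,
                udp_size: int = 4096, dnssec_ok: bool = True) -> bytes:
    """Return a DNS query on the wire: header, one question, optional OPT RR."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)  # RD set, 1 question
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)    # class IN
    pkt = header + question
    if edns:
        ttl = DO_BIT if dnssec_ok else 0  # ext-rcode=0, version=0, flags in low 16 bits
        # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size, TTL=flags, RDLEN=0
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)
    return pkt


def decode_name(pkt: bytes, off: int):
    """Decode an uncompressed name starting at `off`; return (name, next offset)."""
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            break
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    return (".".join(labels) or "."), off


def parse_query(pkt: bytes) -> dict:
    """Pull out the fields that decide how big the answer can get."""
    qid, _flags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    qname, off = decode_name(pkt, off)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    info = {"id": qid, "qname": qname, "qtype": qtype, "edns": False,
            "udp_size": 512, "dnssec_ok": False, "wire_len": len(pkt)}
    # A query has no answer/authority RRs, so the additional section starts here.
    for _ in range(ar):
        _name, off = decode_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            info.update(edns=True, udp_size=rclass, dnssec_ok=bool(ttl & DO_BIT))
    return info


def amplification_factor(request_len: int, response_len: int) -> float:
    """Bytes reflected at the victim per byte the attacker sends."""
    return response_len / request_len


def reflected_bandwidth_bps(attacker_link_bps: float, factor: float) -> float:
    """Traffic arriving at the spoofed source if the attacker saturates its link."""
    return attacker_link_bps * factor


def looks_like_amplification_probe(info: dict) -> bool:
    """Heuristic (an assumption of this example): a small query shaped to elicit the
    largest possible answer: ANY, DNSSEC-OK set, and a large advertised UDP buffer."""
    return info["qtype"] == TYPE_ANY and info["dnssec_ok"] and info["udp_size"] >= 4096


if __name__ == "__main__":
    q = build_query(".", TYPE_ANY)
    print(len(q), "byte query:", parse_query(q))
    f = amplification_factor(31, 3974)  # sizes quoted in the comment above
    print(f"{f:.1f}x amplification; 100 Mbit/s in -> "
          f"{reflected_bandwidth_bps(100e6, f) / 1e9:.1f} Gbit/s at the forged source")
```

The 28-byte query this builds is already smaller than the 31-byte request in the comment, and the response size is entirely in the hands of the zone operator and the resolver, which is why the amplification factor is set by what the reflector is willing to send, not by anything the attacker has to transmit.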


I'm pretty sure it was. But he has been telling the world about DNSSEC amplification for years now, so this is hardly news.



