Neustar studied nearly 1,350 domains secured with DNSSEC. 80% of them could be used to amplify distributed denial-of-service (DDoS) attacks. That's because the domains hadn't properly deployed DNSSEC signing, leaving them vulnerable to DDoS abuse. The best defense against DNS DDoS attacks is for DNS providers to filter for abuse or not to respond to ANY queries, according to security expert Joe Loveless.
Source: https://www.darkreading.com/cloud/poorly-configured-dnssec-potential-ddos-weapon

