At least that is what I would do if I had to set up a recursive resolver. Mine sits in my private network at home behind a NAT router, so the chance of an attacker reaching it is small. If I were responsible for a nameserver with a public IP address, reachable from every corner of the Internet, I would seriously restrict whose queries it answers for a number of reasons. The one you mentioned among them, but also things like DNS cache poisoning.
TBH I am a little surprised that there have not been any large scale attacks on the DNS infrastructure, considering the fact that any sort of security was bolted on to DNS as an afterthought. DNSSEC is a step forward, but I have no clue if any resolvers and/or clients make use of it.
There have been _lots_ of large scale attacks on DNS infrastructure. DDoS against root servers, TLD servers, and well known nameservers is commonplace; occasionally with some success. Because DNS is mostly UDP, it works well with anycast, and anycast with many pops is a great way to handle traffic from a big DDoS. There's also a lot of good decisions in the protocol/general implementations that reduce the impact of outages.
DNSSEC is a bolt on intended to address response forgery, it doesn't address DDoS.
Huh, I did not know that. Fascinating!
What I meant was that there have not been any disturbances that had widespread consequences; imagine that one day, out of nothing, it is impossible to get an answer for the .com zone, just for an hour or so. In my mind I see the news reporting about this the way they would report about a hurricane or earthquake. Unless a lot of their broadcasting / distribution also would be out of order. ;-)
and dnssec is fundamentally flawed
