How should an ISP tell the difference between "good" DNS packets and "bad" DNS packets?
the bad ones are the ones people complain about.
You aren't complaining about your dynamic update packets or even all dynamic updates. You are complaining about someone sending you packets you don't want. And more precisely, you are complaining that Comcast is failing to send you other packets you want to receive, i.e. a response to your e-mail packets.
yup. where "packets i do not want" could as easily be ddos ("zwil") or spam.
I've been thinking how to use ICMP to signal different types of responses; and even how "smart" edges on both ends of a communication could establish and enforce policies. Most of these are non-malicious communications involving misconfigured systems. Edge communication avoids problems with the host system, but has problems with multi-path communications and source validation.
the whole end-to-end argument depends on uniform clue distribution for scale.