RE: [Asrg] Re: [Politech] Congress finally poised to vote on anti-spam bill [sp]
At 06:02 AM 11/25/2003 -0800, Hallam-Baker, Phillip wrote:
>> Especially for domains, it's important to do some validation, though in the absence of widely-deployed DNSSEC, it's hard to do automatically.

> DNSSEC is not happening, [...] We do not need DNSSEC, we just need a notice in the DNS. It would be a relatively easy task to walk the .com zone and dump out a list of all the zones which contain a 'do not spam' TXT property record.

I suppose you could do that, though it's probably harder to coordinate that for subdomains, whose owners are less likely to be directly managing their DNS records.

>> There's a scalability problem that has to be solved, which is how to prevent a DOS-by-signing-up-too-many-addresses attack.

> I do not expect that to be a problem, that would be a problem for the contractor. Limit the number of direct registrations from a particular IP address within a given time interval.

You'd probably want to do special cases for large domains like AOL, etc., where the users have limited gateways to the internet. You're still vulnerable to DDOS-type attacks by armies of zombies, though of course they've got lots of other bad things they can do.

> It is likely to result in the cost of the system being considerably more than the cost of a couple of mid range servers and some software. This is not a new phenomenon.

Too true. It's too bad, because you'd only need a couple hundred million records for the US, and signing up is the only part that's got real-time performance constraints.
participants (1)
-
Bill Stewart