David Nicol wrote:
<mode aspect="visionary" mood="frustrated">

DNS would work better for this since it has well-defined caching, unlike VRFY,
but adding a local cache would also work well, and nobody wants to muck
with custom DNS servers that much

</mode>

I have to say that this is completely daft (IMNSHO). This is yet another precarious layer to the house of cards that people have made DNS (cf. all the arguments about SPF), for no good reason. The mere presence of a cache does not mean that this is an appropriate usage for DNS. DNS is intended to be used as a distributed database; if you are already planning on distributing your user validation information to multiple servers, why not just have a local copy on your inbound MTAs?


In addition, using DNS for user validation would make dictionary attacks practical again, since DNS is a public service by default. Both my implementation of VRFY and my finger server were specifically designed to allow only specified hosts to access the data. Yes, I know you could run a second authoritative DNS server, but that immediately loses what little benefit there is to using an existing framework by having to provide parallel services.

FWIW, with my finger server the amount of data that goes over the wire is very minimal, so the lack of a cache is not in any way significant to performance.

John
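As an added illustration of the point John makes above (this is not code from the thread or from John's VRFY or finger server), the following sketch shows a recipient-validation check that keeps the user table local to the inbound MTA and answers substantively only to an allowlist of peer hosts. The network ranges, domain name, user list and SMTP reply strings are all constructed for the example; in particular, an unlisted host gets the same "252" reply whether or not the user exists, so it cannot be used to enumerate accounts.

```python
import ipaddress

# Constructed example values: the peers allowed to query us and the local
# domain we answer for. Real deployments would load these from config.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]
LOCAL_DOMAIN = "example.com"

# Constructed sample user table, one localpart per line; a real MTA would
# read its own local copy (e.g. a file synchronised from the master list).
USER_LIST = """\
# hypothetical local user table
alice
bob
postmaster
"""


def load_users(text):
    """Parse a one-localpart-per-line user table into a lowercase set."""
    users = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        users.add(line.lower())
    return users


LOCAL_USERS = load_users(USER_LIST)


def client_allowed(client_ip, networks=ALLOWED_NETWORKS):
    """True if the querying host lies in one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    # ipaddress returns False (no exception) for a v4 address in a v6 net.
    return any(addr in net for net in networks)


def normalize_localpart(address, local_domain=LOCAL_DOMAIN):
    """Return the lowercase localpart if the address is for our domain, else None."""
    if "@" not in address:
        return None
    local, _, domain = address.rpartition("@")
    if domain.lower() != local_domain:
        return None
    # Drop a "+extension" subaddress so alice+list@ validates as alice.
    return local.split("+", 1)[0].lower()


def vrfy(client_ip, address, users=LOCAL_USERS):
    """Answer a VRFY-style query with an SMTP-like reply string.

    Hosts outside the allowlist always get the non-committal 252 reply,
    regardless of whether the user exists, so a dictionary attack from an
    arbitrary host learns nothing.
    """
    if not client_allowed(client_ip):
        return "252 Cannot VRFY user"
    local = normalize_localpart(address)
    if local is not None and local in users:
        return "250 %s@%s" % (local, LOCAL_DOMAIN)
    return "550 No such user here"


if __name__ == "__main__":
    for ip, addr in [("192.0.2.10", "Alice@example.com"),
                     ("192.0.2.10", "carol@example.com"),
                     ("198.51.100.7", "alice@example.com"),
                     ("198.51.100.7", "carol@example.com")]:
        print(ip, addr, "->", vrfy(ip, addr))
```

The contrast with a DNS-published user list is the first branch of `vrfy`: the check on the querying host is what a public DNS zone cannot give you without running a separate, access-restricted server.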
