Hi Magnus,
Examples of such machines may be machines behind firewalls, private addresses (193.168/16 and 10/8) or dial-in machines. These machines will not be found in the DNS and therefore will not be counted.
There is also the other side: we do have lots of RFC1918 addresses registered in the DNS, we have lots of dummy addresses (one zone in DE consists of entries for nearly a complete "class B" network), there are thousands of IP addresses allocated for dialup (with only a small fraction being accessible at a time) and we have those "virtual domains", where many addresses represent different (inter-)faces of the same host for obvious reasons.
One method that came to mind was to allow for some extra DNS entry to hold a domain's true hostcount. Even if you do not want to propose a new RR type but use TXT (or even kitchen sink :-) RRs instead, this would contribute to a higher complexity for DNS configuration for customers. With any modification (addition, deletion) you would have to update the "count" entry. Even without thinking of malicious intent, the numbers would soon become less accurate than they are.
I also thought that some ISPs, for instance, might object to having their customer count out in public, since this might be of a sensitive nature. If
All privacy issues should be (and, in fact, are) covered by restricting outgoing AXFRs on all auth servers for a zone.

-Peter