Task #4152

Add Denial of Existence support

Added by Yumin Xia over 3 years ago. Updated almost 3 years ago.


NDNS should have denial-of-existence support similar to NSEC so that the private key can be offline.


Updated by Yumin Xia over 3 years ago

Previously, NDNS would generate a NACK and sign it to answer requests for non-existing information. Attackers could send a massive number of requests with random names as a form of denial-of-service (DoS) attack on NDNS or the data producer.

To address this issue, NDNS has adopted an NSEC-like approach, embedding the Denial-of-Existence (DoE) records into the returned unsigned NACK without re-signing the whole packet.

A DoE record is a signed packet whose contents are a pair of names, indicating that no other record lies between those two names in the particular order, where each name is constructed by concatenating a (label, type) pair. Upon receiving a DoE NACK, clients can de-encapsulate the DoE records from the NACK, validate the record, and check the proof of non-existence. As long as the requested record’s label-type-concatenated name falls into the range formed by the DoE packet, the sender can claim the non-existence of the resource record. For example, suppose that there are 3 records sorted as:
1) “/a/TXT”
2) “/b/NS”
3) “/c/TXT”

After DoE generation, the generated DoE records are:
1) name: “/DoE”, contents: (“/”, “/a/TXT”)
2) name: “/a/TXT/DoE”, contents: (“/a/TXT”, “/b/NS”)
3) name: “/b/NS/DoE”, contents: (“/b/NS”, “/c/TXT”)
4) name: “/c/TXT/DoE”, contents: (“/c/TXT”, “/”)
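
The DoE chain and the non-existence check described in the update above, as an added stand-alone model that is not NDNS or ndn-cxx code: names are plain strings, the sort order is assumed to be component-wise lexicographic, and the offline signing of each DoE record is omitted.

```python
# Added example (not NDNS code): NSEC-style Denial-of-Existence records for a
# sorted set of NDNS record names such as "/a/TXT". The root name "/" is the
# sentinel that closes both ends of the chain, as in the task description.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ROOT = "/"  # lower bound of the first range, upper bound of the last


def name_key(name: str) -> Tuple[str, ...]:
    """Sort key: compare names component by component (assumed ordering)."""
    return tuple(c for c in name.split("/") if c)


@dataclass(frozen=True)
class DoeRecord:
    name: str   # e.g. "/a/TXT/DoE"
    lower: str  # no zone record lies strictly between lower and upper
    upper: str


def generate_doe(record_names: List[str]) -> List[DoeRecord]:
    """Build one DoE record per gap between consecutive sorted record names.
    In NDNS each record would be signed once, offline; per-query signing
    (the DoS vector described above) is no longer needed."""
    names = sorted(set(record_names), key=name_key)
    bounds = [ROOT] + names + [ROOT]
    chain = []
    for lo, hi in zip(bounds, bounds[1:]):
        rec_name = "/DoE" if lo == ROOT else lo + "/DoE"
        chain.append(DoeRecord(rec_name, lo, hi))
    return chain


def covers(rec: DoeRecord, query: str) -> bool:
    """True if the queried /label/type name lies strictly inside rec's gap."""
    q = name_key(query)
    above_lower = rec.lower == ROOT or name_key(rec.lower) < q
    below_upper = rec.upper == ROOT or q < name_key(rec.upper)
    return above_lower and below_upper


def find_proof(chain: List[DoeRecord], query: str) -> Optional[DoeRecord]:
    """DoE record a responder would embed in the NACK, or None when the
    queried record exists (its name equals a range boundary)."""
    for rec in chain:
        if covers(rec, query):
            return rec
    return None
```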


Updated by Alex Afanasyev almost 3 years ago

  • Status changed from New to Closed
