Previously, NDNS generated a NACK and signed it to answer requests for non-existing information. Because every such request forced the responder to compute a fresh signature, attackers could send a massive number of requests with random names as a form of denial-of-service (DoS) attack on NDNS or the data producer.
To address this issue, NDNS adopted an NSEC-like approach: pre-signed Denial-of-Existence (DoE) records are embedded in the returned NACK, which is itself left unsigned, so the responder no longer has to sign a packet per request.
A DoE record is a signed packet whose contents are a pair of names, asserting that no other record lies between those two names in the sorted order. Each of those names is constructed by concatenating a record's label and type. Upon receiving a DoE NACK, the client extracts the DoE records from the NACK, validates them, and checks the proof of non-existence: as long as the requested record's label-type concatenated name falls into the range formed by a DoE record, the sender can legitimately claim that the resource record does not exist. For example, suppose there are 3 records sorted as:
1) “/a/TXT”
2) “/b/NS”
3) “/c/TXT”
After DoE generation, the resulting DoE records are:
1) name: “/DoE”, contents: (“/”, “/a/TXT”)
2) name: “/a/TXT/DoE”, contents: (“/a/TXT”, “/b/NS”)
3) name: “/b/NS/DoE”, contents: (“/b/NS”, “/c/TXT”)
4) name: “/c/TXT/DoE”, contents: (“/c/TXT”, “/”)
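The following is an added illustration of the scheme described above, not code from NDNS: it builds the DoE chain for a sorted set of (label, type) records, including the open-ended ranges at both ends, and performs the client-side range check that decides whether a DoE record proves a queried name absent. The component ordering used as the sort key is a simplified stand-in for NDN canonical order and the function names are the example's own.

```python
from typing import List, Optional, Sequence, Tuple

ROOT = "/"  # sentinel: "nothing before the first record" / "nothing after the last"

def components(name: str) -> List[str]:
    """Split an NDN-style name into components: "/a/TXT" -> ["a", "TXT"], "/" -> []."""
    return [c for c in name.split("/") if c]

def record_name(label: str, rtype: str) -> str:
    """Concatenate a (label, type) pair into the name the record sorts under."""
    return "/" + "/".join(components(label) + [rtype])

def canonical_key(name: str) -> List[Tuple[int, bytes]]:
    """Sort key approximating NDN canonical order (assumption): component by component,
    shorter component first, then byte value; a proper prefix sorts before its extensions."""
    return [(len(c.encode()), c.encode()) for c in components(name)]

def generate_doe(records: Sequence[Tuple[str, str]]) -> List[Tuple[str, Tuple[str, str]]]:
    """Build the NSEC-like DoE chain: one (doe_name, (lower, upper)) entry per gap, including
    the open-ended gaps before the first and after the last record, both bounded by ROOT."""
    names = sorted({record_name(l, t) for l, t in records}, key=canonical_key)
    bounds = [ROOT] + names + [ROOT]
    return [(("" if lo == ROOT else lo) + "/DoE", (lo, hi)) for lo, hi in zip(bounds, bounds[1:])]

def proves_nonexistence(contents: Tuple[str, str], query: str) -> bool:
    """True if query lies strictly between the pair; a ROOT bound means 'unbounded' on that side.
    Equality with a bound means the record exists, so it is never a proof of non-existence."""
    lo, hi = contents
    q = canonical_key(query)
    return (lo == ROOT or canonical_key(lo) < q) and (hi == ROOT or q < canonical_key(hi))

def find_proof(doe_records, label: str, rtype: str) -> Optional[str]:
    """Client-side check: return the name of the DoE record proving (label, rtype) absent,
    or None when no record in the chain covers it (i.e. the record exists).
    Signature validation of each DoE record is assumed to have happened before this step."""
    query = record_name(label, rtype)
    for doe_name, contents in doe_records:
        if proves_nonexistence(contents, query):
            return doe_name
    return None

if __name__ == "__main__":
    # Constructed sample zone: the three records from the text above
    chain = generate_doe([("/a", "TXT"), ("/b", "NS"), ("/c", "TXT")])
    for doe_name, pair in chain:
        print(doe_name, pair)
    print(find_proof(chain, "/b", "TXT"))  # /b/NS/DoE
```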