<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-kinnear-dnsop-globally-relevant-00" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="Globally Relevant HTTPS RRs">Globally Relevant HTTPS RRs</title>
    <seriesInfo name="Internet-Draft" value="draft-kinnear-dnsop-globally-relevant-00"/>
    <author fullname="Eric Kinnear">
      <organization>Apple Inc.</organization>
      <address>
        <email>ekinnear@apple.com</email>
      </address>
    </author>
    <author fullname="Nidhi Jaju">
      <organization>Google</organization>
      <address>
        <email>nidhijaju@google.com</email>
      </address>
    </author>
    <author fullname="Ian Swett">
      <organization>Google</organization>
      <address>
        <email>ianswett@google.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <keyword>DNS</keyword>
    <keyword>SVCB</keyword>
    <keyword>HTTPS</keyword>
    <keyword>SvcParamKey</keyword>
    <keyword>globally-relevant</keyword>
    <abstract>
      <?line 36?>

<t>DNS answers for SVCB and HTTPS resource records are typically treated as
scoped to the network on which they were obtained. This requires clients to
re-resolve DNS when changing network attachments, adding latency to connection
establishment. This document defines a new SvcParamKey, "globally-relevant",
for use in SVCB and HTTPS DNS resource records as defined in <xref target="RFC9460"/>. When
present, this boolean flag indicates that the service binding parameters in
the record are valid regardless of the client's network attachment point.
Clients that observe this flag can reuse cached SVCB and HTTPS records across
network changes, subject to normal TTL expiry.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://ekinnear.github.io/draft-kinnear-globally-relevant/draft-kinnear-dnsop-globally-relevant.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-kinnear-dnsop-globally-relevant/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/ekinnear/draft-kinnear-globally-relevant"/>.</t>
    </note>
  </front>
  <middle>
    <?line 49?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>When a client changes its network attachment, for example, by switching from one
Wi-Fi network to another, transitioning between Wi-Fi and cellular
connectivity, or connecting or disconnecting a VPN, current practice requires
it to re-resolve DNS records for connections on the new network attachment.
This is because DNS answers may be network-specific due to split-horizon DNS
deployments, geographic load balancing, or network-level content policies. The
re-resolution adds latency to connection establishment after every network
transition, delaying the user experience.</t>
      <t>Many widely-used services, however, serve DNS answers that are identical
regardless of which network the query traverses. Their HTTPS and SVCB resource
records, including ALPN protocol identifiers, Encrypted ClientHello
(ECH) configurations, port numbers, and address hints, are globally consistent.
For these services, re-resolving DNS after a network change is unnecessary
overhead that delays connection establishment without providing any benefit.</t>
      <t>This document defines a new SvcParamKey called "globally-relevant" for SVCB
and HTTPS resource records <xref target="RFC9460"/>. It is a boolean flag with an empty
value that authoritative DNS servers set to indicate the record's service
binding parameters are valid regardless of network context. Clients observing
this flag <bcp14>MAY</bcp14> continue using cached SVCB and HTTPS records after network
transitions, avoiding the latency of re-resolution.</t>
      <t>This mechanism is strictly opt-in. Services that do not include the
"globally-relevant" SvcParamKey continue with current behavior, and their
records are treated as network-scoped as they are today.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>The following terms are used in this document:</t>
      <dl>
        <dt>Network attachment change:</dt>
        <dd>
          <t>A change in the client's network connectivity, such as switching from one
Wi-Fi network to another, transitioning between Wi-Fi and cellular
connectivity, or connecting or disconnecting a VPN.</t>
        </dd>
        <dt>Authoritative server:</dt>
        <dd>
          <t>A DNS server that is authoritative for a zone and generates responses
for names in that zone, as defined in <xref target="RFC9499"/>.</t>
        </dd>
        <dt>Recursive resolver:</dt>
        <dd>
          <t>A DNS resolver that resolves queries on behalf of a client by
iteratively querying authoritative servers, as defined in <xref target="RFC9499"/>.</t>
        </dd>
        <dt>Origin server:</dt>
        <dd>
          <t>The server that terminates the client's transport connection to the
service identified by an SVCB or HTTPS resource record. For HTTP-based
services, this is the origin server as defined in
<xref section="3.6" sectionFormat="of" target="RFC9110"/>. The <tt>ipv4hint</tt> and <tt>ipv6hint</tt> parameters of
an SVCB or HTTPS record are hints for reaching this server.</t>
        </dd>
        <dt>Operator:</dt>
        <dd>
          <t>In this document, an entity that runs both the authoritative server for
a service's zone and the origin server for that service. Where a single
operator holds both roles, it can correlate observations between DNS
queries and connections.</t>
        </dd>
      </dl>
    </section>
    <section anchor="the-globally-relevant-svcparamkey">
      <name>The "globally-relevant" SvcParamKey</name>
      <t>The "globally-relevant" SvcParamKey is a boolean flag parameter for SVCB and
HTTPS resource records <xref target="RFC9460"/>. Its presence indicates that the
authoritative DNS server asserts the service binding parameters in this record
are valid regardless of the client's network attachment point.</t>
      <section anchor="wire-format">
        <name>Wire Format</name>
        <t>The SvcParamKey number is TBD. The value <bcp14>MUST</bcp14> be empty (length 0), following the
same pattern as "no-default-alpn" (SvcParamKey 2) defined in Section 7.1.2 of
<xref target="RFC9460"/>. If a client receives this SvcParamKey with a non-empty value, the
client <bcp14>MUST</bcp14> ignore the parameter.</t>
      </section>
      <section anchor="presentation-format">
        <name>Presentation Format</name>
        <t>In DNS zone file presentation format, the key is represented as simply
<tt>globally-relevant</tt> with no value. For example:</t>
        <sourcecode type="dns-rr"><![CDATA[
example.com. 300 IN HTTPS 1 . alpn=h2,h3 globally-relevant
]]></sourcecode>
      </section>
      <section anchor="applicability">
        <name>Applicability</name>
        <t>This parameter is applicable to both SVCB (RR type 64) and HTTPS (RR type 65)
resource records. It is only meaningful in ServiceMode records (those with
SvcPriority greater than 0) that carry service binding parameters. It has no
meaning in AliasMode records.</t>
      </section>
    </section>
    <section anchor="client-behavior">
      <name>Client Behavior</name>
      <t>When a client receives an SVCB or HTTPS record containing the
"globally-relevant" SvcParamKey, it <bcp14>MAY</bcp14> retain the cached record and continue
using its service parameters after a network attachment change.</t>
      <t>The record's TTL still applies. The "globally-relevant" flag does not extend the
record's cache lifetime; it only permits reuse of the cached record across
network changes within the remaining TTL window.</t>
      <t>If a client experiences connection failures when using cached parameters after a
network change, it <bcp14>SHOULD</bcp14> re-resolve the record regardless of the
"globally-relevant" flag.</t>
      <t>Clients <bcp14>MAY</bcp14> choose to ignore the "globally-relevant" flag entirely and always
re-resolve on network changes. This flag is purely permissive and does not
mandate any specific client behavior.</t>
      <t>When address hints (<tt>ipv4hint</tt>, <tt>ipv6hint</tt>) are present in a record carrying
the "globally-relevant" flag, the globally-relevant assertion covers those
hints as well. Clients <bcp14>MAY</bcp14> use the cached address hints on the new network,
though they <bcp14>SHOULD</bcp14> prefer fresh address resolution if readily available and <bcp14>MAY</bcp14>
choose to re-resolve in parallel with connection attempts to the cached address
hints.</t>
      <section anchor="address-synthesis-across-networks">
        <name>Address Synthesis Across Networks</name>
        <t>On IPv6-only networks that provide NAT64 connectivity <xref target="RFC6146"/>, clients can
synthesize IPv6 addresses from IPv4 addresses using the network's NAT64 prefix,
discovered via Router Advertisements <xref target="RFC8781"/> or DNS-based mechanisms
<xref target="RFC7050"/>. The "globally-relevant" flag asserts that the addresses in
<tt>ipv4hint</tt> and <tt>ipv6hint</tt> are globally valid as published by the authoritative
server; it does not assert the validity of any locally-synthesized addresses
derived from those hints.</t>
        <t>If a client has synthesized an IPv6 address from an <tt>ipv4hint</tt> value using one
network's NAT64 prefix, it <bcp14>MUST NOT</bcp14> reuse that synthesized address after moving
to a different network. Instead, the client <bcp14>MUST</bcp14> re-synthesize using the NAT64
prefix of the new network, if available. The original <tt>ipv4hint</tt> value itself
remains valid and can be used as input to the new synthesis.</t>
      </section>
    </section>
    <section anchor="server-behavior">
      <name>Server Behavior</name>
      <t>An authoritative DNS server <bcp14>SHOULD</bcp14> set the "globally-relevant" SvcParamKey
only when the service binding parameters in the record are consistent across
all resolvers and network paths. This typically applies to globally-deployed
services with uniform configurations.</t>
      <t>Services that employ split-horizon DNS, geo-dependent load balancing, or
network-specific configurations <bcp14>MUST NOT</bcp14> set this flag. The flag asserts that
all parameters in the record, including ALPN values, ECH configurations, and
port numbers, are globally valid. If any parameter varies by network context,
the flag <bcp14>MUST NOT</bcp14> be set.</t>
      <t>In particular, if the record includes <tt>ipv4hint</tt> or <tt>ipv6hint</tt> parameters,
the addresses contained in those hints <bcp14>MUST</bcp14> be reachable and correct on all
networks, not just the network on which the record was originally resolved.
Servers that use address hints to direct clients to network-specific
endpoints (e.g., CDN edge nodes selected by resolver location) <bcp14>MUST NOT</bcp14> set
the "globally-relevant" flag unless those address hints are valid globally.</t>
      <t>Operators are strongly suggested to carefully audit their DNS configurations
before deploying the "globally-relevant" flag, as incorrect use could cause
clients to use inappropriate service parameters after network changes.</t>
    </section>
    <section anchor="resolver-behavior">
      <name>Resolver Behavior</name>
      <t>Recursive resolvers <bcp14>MUST</bcp14> pass the "globally-relevant" SvcParamKey through
to clients transparently, without modification.</t>
      <t>Resolvers <bcp14>MUST NOT</bcp14> add or remove the "globally-relevant" flag. The assertion
of global relevance is made by the authoritative server for the zone, and
resolvers are not in a position to make or override this determination.</t>
      <t>Some resolvers modify DNS responses for operational purposes, such as DNS64
synthesis <xref target="RFC6147"/> or content filtering. When a resolver synthesizes or
rewrites a response, it is effectively acting as the authoritative source for
that modified answer. Such synthesized answers <bcp14>SHOULD NOT</bcp14> carry
the "globally-relevant" flag, as the resolver cannot assert that its
locally-modified response is valid on other networks.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <section anchor="incorrect-use">
        <name>Incorrect Use</name>
        <t>If an authoritative server incorrectly sets the "globally-relevant" flag on a
record whose parameters vary by network, clients may use inappropriate service
configurations after a network change. This could manifest as connection
failures or as connections to unintended endpoints if address hints are
incorrect for the client's new network. Operators bear responsibility for
ensuring the flag is only set on records with truly globally-consistent
parameters.</t>
        <t>Clients <bcp14>MUST NOT</bcp14> reuse cached address hints across network changes for
connections that are not authenticated by a security protocol, such as TLS.
This allows clients to reject connections established to an address that
responds to incoming packets, but no longer represents the desired host.</t>
      </section>
      <section anchor="network-filtering">
        <name>Network Filtering</name>
        <t>Some networks apply DNS-based content filtering or access control policies.
The "globally-relevant" flag allows clients to skip DNS re-resolution when
joining such networks, which means the network's filtered DNS responses would
not be applied to cached records. However, this does not meaningfully weaken
network-level controls: users can already bypass DNS-level filtering by using
alternative resolvers, encrypted DNS, or connecting directly to known IP
addresses in some cases. Networks that require effective traffic control
already need to enforce policies at layers beyond DNS, such as IP-level or
SNI-based firewalling. The "globally-relevant" flag does not change this.</t>
      </section>
      <section anchor="dnssec-considerations">
        <name>DNSSEC Considerations</name>
        <t>Where DNSSEC validation is employed, the "globally-relevant" flag does not
change validation requirements. Cached records that were validated remain
usable as long as the DNSSEC signatures have not expired. Clients performing
DNSSEC validation <bcp14>MUST NOT</bcp14> reuse a cached record if the DNSSEC signature has
expired, even if the record's TTL has not.</t>
      </section>
      <section anchor="downgrade-and-upgrade-attacks">
        <name>Downgrade and Upgrade Attacks</name>
        <t>An on-path attacker that can modify DNS responses could strip the
"globally-relevant" flag from records, causing clients to re-resolve
unnecessarily after network changes. This degrades performance to current
behavior but does not otherwise affect security.</t>
        <t>An on-path attacker could also add the "globally-relevant" flag to a record that
the authoritative server did not mark as globally relevant. The impact of this
is limited: the client may reuse a record that would otherwise have been
re-resolved, which is only problematic if the record was network-specific, and
the resulting connection will fail to authenticate the host. DNSSEC also
protects against both of these modification attacks, when deployed.</t>
      </section>
    </section>
    <section anchor="privacy-considerations">
      <name>Privacy Considerations</name>
      <section anchor="cross-network-client-tracking-via-unique-addresses">
        <name>Cross-Network Client Tracking via Unique Addresses</name>
        <t>The "globally-relevant" flag permits a client to use cached <tt>ipv6hint</tt> (or
<tt>ipv4hint</tt>) addresses across network attachment changes. An operator that
wishes to track a specific client across networks could exploit this by
having its authoritative server return a per-client unique address, for
example by encoding a client identifier in some of the bits of an IPv6
address, and then observing the resulting connections at its origin server
from multiple networks. Because the client reuses the cached address after
a network change, the operator observes the same unique address connecting
to its origin server from a different network and links a single client
identity to both networks.</t>
        <t>Without "globally-relevant", the client would re-resolve on the new
network, and the authoritative server would issue a fresh unique address
for that resolution. The operator would have no DNS-derived signal linking
the resolutions as the same client, and the connections arriving at the
origin server would carry different addresses, offering no linkage there
either. The cross-network linkage exists in this design only because the
unique address itself acts as a stable identifier that the client carries
across networks instead of being replaced at each resolution.</t>
        <t><xref section="7.1" sectionFormat="of" target="RFC9076"/> recognizes a related class of attack in which
a user is "re-identified via DNS queries... regardless of the location from
which the user makes those queries", based on query-pattern correlation
across time. The cross-network linkage described in this section achieves
the same result through a different mechanism: rather than correlating
recurring query patterns observed by a passive watcher, an operator actively
seeds a chosen identifier into the response returned by its authoritative
server and recognizes it when the client connects to the resulting address
at the origin server.</t>
        <section anchor="comparison-to-existing-tracking-vectors">
          <name>Comparison to Existing Tracking Vectors</name>
          <section anchor="recursive-resolvers-and-anonymity-sets">
            <name>Recursive Resolvers and Anonymity Sets</name>
            <t>An authoritative server that returns a per-client unique answer today
already observes that answer being requested by a specific recursive
resolver. For clients using a shared public or ISP recursive resolver, the
authoritative server sees the recursive resolver's address, and the
client is part of an anonymity set composed of that recursive resolver's
other users (see <xref section="6.2" sectionFormat="of" target="RFC9076"/>). The set's size depends on
the deployment (see <xref section="3.3" sectionFormat="of" target="RFC6973"/> for definitions of
anonymity sets).</t>
            <t>This "hiding" by the recursive resolver is incomplete where the EDNS Client
Subnet (ECS) option <xref target="RFC7871"/> is used. <xref section="6.2" sectionFormat="of" target="RFC9076"/> notes
that with ECS, the authoritative name server "sees the original IP address
(or prefix, depending on the setup)" rather than only the recursive
resolver's address. An authoritative server returning a per-client unique
answer can therefore correlate that answer with the client's subnet on
each fresh resolution, providing some cross-network correlation even
without the "globally-relevant" flag.</t>
            <t>Without the "globally-relevant" flag, the authoritative server's view is
partitioned by recursive resolver: it sees one anonymity set per recursive
resolver, and a single client moving between networks that use different
recursive resolvers appears as independent observations from disjoint sets.
Caching at each recursive resolver further limits how often the
authoritative server is queried at all.</t>
            <t>The "globally-relevant" flag allows the operator to join observations that
would otherwise have been separated by recursive resolver boundaries,
effectively intersecting the per-recursive-resolver anonymity sets and
shrinking the set in which any one client is hidden (see
<xref section="5.2.1" sectionFormat="of" target="RFC6973"/>).</t>
          </section>
          <section anchor="aliasmode-and-cname-targets">
            <name>AliasMode and CNAME Targets</name>
            <t>A similar tracking primitive is already available without the
"globally-relevant" flag. Authoritative servers can return per-client
unique CNAME targets, SVCB AliasMode targets (<xref section="2.4.2" sectionFormat="of" target="RFC9460"/>),
or other names that function as client identifiers.</t>
            <t>However, the "globally-relevant" attack described here is harder to mount than
these similar attacks, since a unique IPv4 or IPv6 address used as an
<tt>ipv4hint</tt> or <tt>ipv6hint</tt> value must actually be routable to the operator's
origin server from every network the client uses, whereas a unique CNAME or
AliasMode target is merely a label that the client subsequently resolves
through its local recursive resolver, ultimately pointing at a shared address
that the operator already serves.</t>
            <t>The label-based approach therefore costs the operator only a DNS record per
identifier, while the address-based approach costs an IP address per
identifier and the routing infrastructure to receive traffic on each.</t>
            <t>An arbitrarily long CNAME (or DNAME-induced CNAME) chain reintroduces the same
tracking capability, because the final A or AAAA record in the chain can encode
a per-client identifier in either its name or its address, and clients caching
across networks would carry the chain's terminal answer with them.
<xref target="RFC1034"/> and <xref target="RFC6672"/> do not normatively limit CNAME chain length, and
<xref section="2.2" sectionFormat="of" target="RFC6672"/> explicitly notes that
"fairly lengthy valid chains" may occur. SVCB itself requires clients and
recursive resolvers to cap AliasMode chains at some implementation-chosen
depth (<xref section="2.4.2" sectionFormat="of" target="RFC9460"/>), but that cap applies only to SVCB
aliases, not to CNAME redirections. Implementations can bound CNAME chain
following for resource reasons, but the limit is not interoperable.</t>
            <t>Defending against attacks using CNAME chains is out-of-scope for this document,
but implementations of "globally-relevant" <bcp14>SHOULD</bcp14> generally apply the same
cross-network caching policy to all elements of an alias chain consistently,
reusing either all records in the chain after a network change or none, to
avoid creating partial-reuse states that have privacy properties differing from
either endpoint of the chain.</t>
          </section>
          <section anchor="encrypted-dns-and-odoh">
            <name>Encrypted DNS and ODoH</name>
            <t>Encrypted transports such as DNS-over-TLS <xref target="RFC7858"/>, DNS-over-HTTPS
<xref target="RFC8484"/>, and Oblivious DNS-over-HTTPS <xref target="RFC9230"/> protect the DNS query
against on-path observers but do not prevent an authoritative server from
returning a per-client unique answer. <xref section="6.1.4.1" sectionFormat="of" target="RFC9076"/> notes
that "use of encrypted transports does not reduce the data available in the
recursive resolver".</t>
            <t>ODoH in particular hides the client's IP address from the recursive resolver
(the "Target" in <xref section="4" sectionFormat="of" target="RFC9230"/>) and the query contents from the
proxy, but its threat model treats the authoritative server returning unique
records per-client as out of scope. A Target or any downstream authoritative
server "could return a DNS answer corresponding to an entity it controls and
then observe the subsequent connection from a Client" (see <xref section="11" sectionFormat="of" target="RFC9230"/>). The "globally-relevant" flag does not change this on a single
network, but it does extend the same attack surface across networks, subject to
the constraints described above.</t>
          </section>
        </section>
        <section anchor="client-mitigations">
          <name>Client Mitigations</name>
          <t>Clients implementing this specification <bcp14>SHOULD</bcp14> apply the following
mitigations to limit the cross-network tracking risk:</t>
          <ul spacing="normal">
            <li>
              <t>Treat <tt>ipv4hint</tt> and <tt>ipv6hint</tt> values that appear unlikely to be shared
with many other clients as candidates for re-resolution after a network
change, even when the "globally-relevant" flag is present. Examples
include addresses outside well-known anycast ranges, addresses that
appear unique to a single client, and addresses with high entropy in
the host bits.</t>
            </li>
            <li>
              <t>When re-resolving a globally-relevant record on a new network in the
background (for example, to refresh before TTL expiry), if the new
network blocks or refuses the resolution, stop using the cached record
rather than continuing to connect to the previously cached address. A
failed refresh on a network that otherwise resolves DNS is a signal that
the cached parameters may not be appropriate for the new network,
regardless of the flag.</t>
            </li>
            <li>
              <t>Apply existing privacy protections for address hints uniformly to
globally-relevant records, including the requirement in
<xref target="incorrect-use"/> that cached address hints not be reused across
network changes for connections that are not authenticated by a security
protocol such as TLS.</t>
            </li>
          </ul>
        </section>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document requests IANA to register the following entry in the "Service
Parameter Keys (SvcParamKeys)" registry <xref target="RFC9460"/>:</t>
      <table>
        <thead>
          <tr>
            <th align="left">Number</th>
            <th align="left">Name</th>
            <th align="left">Meaning</th>
            <th align="left">Change Controller</th>
            <th align="left">Reference</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">TBD</td>
            <td align="left">globally-relevant</td>
            <td align="left">Record is valid across network changes</td>
            <td align="left">IETF</td>
            <td align="left">(this document)</td>
          </tr>
        </tbody>
      </table>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC9460">
          <front>
            <title>Service Binding and Parameter Specification via the DNS (SVCB and HTTPS Resource Records)</title>
            <author fullname="B. Schwartz" initials="B." surname="Schwartz"/>
            <author fullname="M. Bishop" initials="M." surname="Bishop"/>
            <author fullname="E. Nygren" initials="E." surname="Nygren"/>
            <date month="November" year="2023"/>
            <abstract>
              <t>This document specifies the "SVCB" ("Service Binding") and "HTTPS" DNS resource record (RR) types to facilitate the lookup of information needed to make connections to network services, such as for HTTP origins. SVCB records allow a service to be provided from multiple alternative endpoints, each with associated parameters (such as transport protocol configuration), and are extensible to support future uses (such as keys for encrypting the TLS ClientHello). They also enable aliasing of apex domains, which is not possible with CNAME. The HTTPS RR is a variation of SVCB for use with HTTP (see RFC 9110, "HTTP Semantics"). By providing more information to the client before it attempts to establish a connection, these records offer potential benefits to both performance and privacy.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9460"/>
          <seriesInfo name="DOI" value="10.17487/RFC9460"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC9499">
          <front>
            <title>DNS Terminology</title>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <author fullname="K. Fujiwara" initials="K." surname="Fujiwara"/>
            <date month="March" year="2024"/>
            <abstract>
              <t>The Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document.</t>
              <t>This document updates RFC 2308 by clarifying the definitions of "forwarder" and "QNAME". It obsoletes RFC 8499 by adding multiple terms and clarifications. Comprehensive lists of changed and new definitions can be found in Appendices A and B.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="219"/>
          <seriesInfo name="RFC" value="9499"/>
          <seriesInfo name="DOI" value="10.17487/RFC9499"/>
        </reference>
        <reference anchor="RFC9110">
          <front>
            <title>HTTP Semantics</title>
            <author fullname="R. Fielding" initials="R." role="editor" surname="Fielding"/>
            <author fullname="M. Nottingham" initials="M." role="editor" surname="Nottingham"/>
            <author fullname="J. Reschke" initials="J." role="editor" surname="Reschke"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes.</t>
              <t>This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="97"/>
          <seriesInfo name="RFC" value="9110"/>
          <seriesInfo name="DOI" value="10.17487/RFC9110"/>
        </reference>
        <reference anchor="RFC6146">
          <front>
            <title>Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers</title>
            <author fullname="M. Bagnulo" initials="M." surname="Bagnulo"/>
            <author fullname="P. Matthews" initials="P." surname="Matthews"/>
            <author fullname="I. van Beijnum" initials="I." surname="van Beijnum"/>
            <date month="April" year="2011"/>
            <abstract>
              <t>This document describes stateful NAT64 translation, which allows IPv6-only clients to contact IPv4 servers using unicast UDP, TCP, or ICMP. One or more public IPv4 addresses assigned to a NAT64 translator are shared among several IPv6-only clients. When stateful NAT64 is used in conjunction with DNS64, no changes are usually required in the IPv6 client or the IPv4 server.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6146"/>
          <seriesInfo name="DOI" value="10.17487/RFC6146"/>
        </reference>
        <reference anchor="RFC8781">
          <front>
            <title>Discovering PREF64 in Router Advertisements</title>
            <author fullname="L. Colitti" initials="L." surname="Colitti"/>
            <author fullname="J. Linkova" initials="J." surname="Linkova"/>
            <date month="April" year="2020"/>
            <abstract>
              <t>This document specifies a Neighbor Discovery option to be used in Router Advertisements (RAs) to communicate prefixes of Network Address and Protocol Translation from IPv6 clients to IPv4 servers (NAT64) to hosts.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8781"/>
          <seriesInfo name="DOI" value="10.17487/RFC8781"/>
        </reference>
        <reference anchor="RFC7050">
          <front>
            <title>Discovery of the IPv6 Prefix Used for IPv6 Address Synthesis</title>
            <author fullname="T. Savolainen" initials="T." surname="Savolainen"/>
            <author fullname="J. Korhonen" initials="J." surname="Korhonen"/>
            <author fullname="D. Wing" initials="D." surname="Wing"/>
            <date month="November" year="2013"/>
            <abstract>
              <t>This document describes a method for detecting the presence of DNS64 and for learning the IPv6 prefix used for protocol translation on an access network. The method depends on the existence of a well-known IPv4-only fully qualified domain name "ipv4only.arpa.". The information learned enables nodes to perform local IPv6 address synthesis and to potentially avoid NAT64 on dual-stack and multi-interface deployments.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7050"/>
          <seriesInfo name="DOI" value="10.17487/RFC7050"/>
        </reference>
        <reference anchor="RFC6147">
          <front>
            <title>DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers</title>
            <author fullname="M. Bagnulo" initials="M." surname="Bagnulo"/>
            <author fullname="A. Sullivan" initials="A." surname="Sullivan"/>
            <author fullname="P. Matthews" initials="P." surname="Matthews"/>
            <author fullname="I. van Beijnum" initials="I." surname="van Beijnum"/>
            <date month="April" year="2011"/>
            <abstract>
              <t>DNS64 is a mechanism for synthesizing AAAA records from A records. DNS64 is used with an IPv6/IPv4 translator to enable client-server communication between an IPv6-only client and an IPv4-only server, without requiring any changes to either the IPv6 or the IPv4 node, for the class of applications that work through NATs. This document specifies DNS64, and provides suggestions on how it should be deployed in conjunction with IPv6/IPv4 translators. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6147"/>
          <seriesInfo name="DOI" value="10.17487/RFC6147"/>
        </reference>
        <reference anchor="RFC9076">
          <front>
            <title>DNS Privacy Considerations</title>
            <author fullname="T. Wicinski" initials="T." role="editor" surname="Wicinski"/>
            <date month="July" year="2021"/>
            <abstract>
              <t>This document describes the privacy issues associated with the use of the DNS by Internet users. It provides general observations about typical current privacy practices. It is intended to be an analysis of the present situation and does not prescribe solutions. This document obsoletes RFC 7626.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9076"/>
          <seriesInfo name="DOI" value="10.17487/RFC9076"/>
        </reference>
        <reference anchor="RFC6973">
          <front>
            <title>Privacy Considerations for Internet Protocols</title>
            <author fullname="A. Cooper" initials="A." surname="Cooper"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <author fullname="B. Aboba" initials="B." surname="Aboba"/>
            <author fullname="J. Peterson" initials="J." surname="Peterson"/>
            <author fullname="J. Morris" initials="J." surname="Morris"/>
            <author fullname="M. Hansen" initials="M." surname="Hansen"/>
            <author fullname="R. Smith" initials="R." surname="Smith"/>
            <date month="July" year="2013"/>
            <abstract>
              <t>This document offers guidance for developing privacy considerations for inclusion in protocol specifications. It aims to make designers, implementers, and users of Internet protocols aware of privacy-related design choices. It suggests that whether any individual RFC warrants a specific privacy considerations section will depend on the document's content.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6973"/>
          <seriesInfo name="DOI" value="10.17487/RFC6973"/>
        </reference>
        <reference anchor="RFC7871">
          <front>
            <title>Client Subnet in DNS Queries</title>
            <author fullname="C. Contavalli" initials="C." surname="Contavalli"/>
            <author fullname="W. van der Gaast" initials="W." surname="van der Gaast"/>
            <author fullname="D. Lawrence" initials="D." surname="Lawrence"/>
            <author fullname="W. Kumari" initials="W." surname="Kumari"/>
            <date month="May" year="2016"/>
            <abstract>
              <t>This document describes an Extension Mechanisms for DNS (EDNS0) option that is in active use to carry information about the network that originated a DNS query and the network for which the subsequent response can be cached. Since it has some known operational and privacy shortcomings, a revision will be worked through the IETF for improvement.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7871"/>
          <seriesInfo name="DOI" value="10.17487/RFC7871"/>
        </reference>
        <reference anchor="RFC1034">
          <front>
            <title>Domain names - concepts and facilities</title>
            <author fullname="P. Mockapetris" initials="P." surname="Mockapetris"/>
            <date month="November" year="1987"/>
            <abstract>
              <t>This RFC is the revised basic definition of The Domain Name System. It obsoletes RFC-882. This memo describes the domain style names and their used for host address look up and electronic mail forwarding. It discusses the clients and servers in the domain name system and the protocol used between them.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="13"/>
          <seriesInfo name="RFC" value="1034"/>
          <seriesInfo name="DOI" value="10.17487/RFC1034"/>
        </reference>
        <reference anchor="RFC6672">
          <front>
            <title>DNAME Redirection in the DNS</title>
            <author fullname="S. Rose" initials="S." surname="Rose"/>
            <author fullname="W. Wijngaards" initials="W." surname="Wijngaards"/>
            <date month="June" year="2012"/>
            <abstract>
              <t>The DNAME record provides redirection for a subtree of the domain name tree in the DNS. That is, all names that end with a particular suffix are redirected to another part of the DNS. This document obsoletes the original specification in RFC 2672 as well as updates the document on representing IPv6 addresses in DNS (RFC 3363). [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6672"/>
          <seriesInfo name="DOI" value="10.17487/RFC6672"/>
        </reference>
        <reference anchor="RFC7858">
          <front>
            <title>Specification for DNS over Transport Layer Security (TLS)</title>
            <author fullname="Z. Hu" initials="Z." surname="Hu"/>
            <author fullname="L. Zhu" initials="L." surname="Zhu"/>
            <author fullname="J. Heidemann" initials="J." surname="Heidemann"/>
            <author fullname="A. Mankin" initials="A." surname="Mankin"/>
            <author fullname="D. Wessels" initials="D." surname="Wessels"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="May" year="2016"/>
            <abstract>
              <t>This document describes the use of Transport Layer Security (TLS) to provide privacy for DNS. Encryption provided by TLS eliminates opportunities for eavesdropping and on-path tampering with DNS queries in the network, such as discussed in RFC 7626. In addition, this document specifies two usage profiles for DNS over TLS and provides advice on performance considerations to minimize overhead from using TCP and TLS with DNS.</t>
              <t>This document focuses on securing stub-to-recursive traffic, as per the charter of the DPRIVE Working Group. It does not prevent future applications of the protocol to recursive-to-authoritative traffic.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7858"/>
          <seriesInfo name="DOI" value="10.17487/RFC7858"/>
        </reference>
        <reference anchor="RFC8484">
          <front>
            <title>DNS Queries over HTTPS (DoH)</title>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <author fullname="P. McManus" initials="P." surname="McManus"/>
            <date month="October" year="2018"/>
            <abstract>
              <t>This document defines a protocol for sending DNS queries and getting DNS responses over HTTPS. Each DNS query-response pair is mapped into an HTTP exchange.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8484"/>
          <seriesInfo name="DOI" value="10.17487/RFC8484"/>
        </reference>
        <reference anchor="RFC9230">
          <front>
            <title>Oblivious DNS over HTTPS</title>
            <author fullname="E. Kinnear" initials="E." surname="Kinnear"/>
            <author fullname="P. McManus" initials="P." surname="McManus"/>
            <author fullname="T. Pauly" initials="T." surname="Pauly"/>
            <author fullname="T. Verma" initials="T." surname="Verma"/>
            <author fullname="C.A. Wood" initials="C.A." surname="Wood"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>This document describes a protocol that allows clients to hide their IP addresses from DNS resolvers via proxying encrypted DNS over HTTPS (DoH) messages. This improves privacy of DNS operations by not allowing any one server entity to be aware of both the client IP address and the content of DNS queries and answers.</t>
              <t>This experimental protocol has been developed outside the IETF and is published here to guide implementation, ensure interoperability among implementations, and enable wide-scale experimentation.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9230"/>
          <seriesInfo name="DOI" value="10.17487/RFC9230"/>
        </reference>
      </references>
    </references>
    <?line 463?>

<section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>TODO acknowledge.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA81c23LbyJm+76fopS8ipUiOZXtsjzYnjSzHSmxZK2mSSm1t
1TSBJtljEGDQgDSMx3mWfZZ9sv1P3WgQoO3K3qxvTIFA4+//+P2H5mw2U41r
CnuqJ38sqoUpip2+sYW9N2Wj39zdXd/qmxs/UWaxqO39l+7KTGNXVb071b7J
lcqrrDQbWDuvzbKZfXBlaU09y0tfbWcrWWhWy0Kzx4+Vbxcb572ryma3hQcv
L+5eq7LdLGx9qnJY/VRlVelt6Vt/qpu6tQqIeqo+2N1DVeenSs/0q6tb/O/2
L+ff4/9EHl24z65NbTZ/tjv8c/B+dW/LFl6g9co163YBm7VC8jf9DQwencBD
BVDnG3ho3TRbf/rNN+HhOS83d9WXlvnmq/g0XzebYqKUaZt1VeOW4e1aL9ui
YG5PLmqX6T/zKhP6sqpXpnT/MA1w9lSfbbeF1ZdlNqcv7ca4ItntHwx+P8+q
zWRk8SuXr53+k/mpHVv6j1W1Kmxv2RIf+Anu/8OKvjy08KUp9e2DbZqvXNeZ
0uPtvWXVbDbTZuGb2mSNUqALmm6rvV5WNSkFXMhFaWvrq7bOLHzIQH28NrXV
oHkuIxVvagtCzbXxymfVFj41lW7WVpe2AXX7oKtSP6xdtsaLOw1vsbpaNMaV
Np/ru7XzsPDfWwev0VnhbNl4WEHVdoYvLu4t6iqsYEudrU25cuUqLm2axmTr
DT4z1SbP8TtUsTLbIRVgBaXNkDcKtM4sCufpZnktWF6Lf+rcLoEa2Bgs/JCa
wFRPhmo8Vcik1lvtyn1eIalDfnl5Q45PfPz4bzevz7979vzxp09z/VfYl9rC
I0DHFDgEZC2qqrAg5mVhVvBA7tBhAE/WpiG+elvfO1h+gd/BhrdIrG1Qeq5U
eAe/mOR0bwqXw4WVqfPCeq+rJS3CnP6VH2Gl3lYOeKTOgzDwxdUCX2uZQqIs
AxJri2zI4EHY20BtZPdZXXmvwntIhhbEBV7sJxAOyqms6o0p9N3dW21/3rp6
N1esoxuXA9VKPQI7bOoqb1mYCrkG0uJNhCW1a8a2MyWdtj+bDdjrVC922j+4
Jlsj65Z1tQH9tOqvbvbaxYeBJFNWwKYaRFKDaTh8LT6wgDssvJvvx81mtija
wtQqKNu9a0Bv4JXhAjwGf+XOJxeM/sv11VRnbV0Tx9EQHakMW4JyxJg9Iwgs
XSarg6NHC2ODexjZ/1yRsqNi2cygvFJ735gdXA+PzfzWZm4JjjFvLRLgt4Vr
ZuBB3T/gJRg0crstqp2Y3MpWq9pswbp1UZlcg6WYMoMNEgPComA3tkCCG9au
wmXOejRCG828xZ2gCftxA9Y9A9YQASwI9d7Wu/Aa1UlqCvZWmB0yGvkCe0YF
2Noa1CWzoFzvTAmeyMFduxl8mwebgi2tqwdcdqpZ31NekSGgUcGDZYPuT/UN
i91c1CJ49d9bpBAogyW97NnVYiGoPmQ0wWMoEfAUDDkrWrLus7fXV6AfVVNl
VSFvXjpYbaovyqzebdH3sqm+AVWs1NHF+Ztj5NzSrdqaIgPcu63qRjNGQFcJ
bwZe10g3GAJ5T9hX8HX4tHe+Ie15DZKErXibMCnqJVJILCJ5GN23clS6FiUI
7zH1TlXAhbUFPSFOkoz8YRmDla6rFo2junfEC5TawpbgS4Eu9ZU+XGOYAh6N
ePIY7dRnot3Hj4m7vmxwT6bvo5FQoA1i7rbZKfC4aDukKwQ+XANCEFUipQJV
8pbsO3h33XntX/nAZzXi4A+59Mh3NLKfIcAF581+G1ZRned+d/Y3utEBkgPj
wFd8wYWTdId2hmpzX7FscAfBcoGgnl0HYW0s6oXzG2QioA+XNaBs1baZuXKu
b0W9RDswLDRiCMQgNSbBnqDDnkggwbcu7Nrcu6pmrW/Q/lQPyUT80nlBxjHG
M2Shu6rcUFh6pM+r8h6tED0vLvkKNY/5gfu0+gPCHFp/8u6H27vJlP/XV+/p
883Ff/xweXPxCj/fvjl7+zZ+UHLH7Zv3P7x91X3qnjx//+7dxdUrfhiu6t4l
NQHRTnijk/fXd5fvr87eThB0ND1b4Q2h3wfbtzXADwFwufVZ7RYMVL4/v/6f
/z55JoDlycnJd58+yR8vT148gz8QlPHbqhIEyX8iyxSAY8DIuArIC7RrC0ZQ
oLqA3MHDlhpiKzriX/8ncua/TvVvFtn25Nnv5AJuuHcx8Kx3kXg2vDJ4mJk4
cmnkNZGbvet7nO7Te/a33t+B78nF3/y+AN+kZycvf/87xTqyrMBXP5Dh2HrD
mkiRaF9Yp0pdDSEa+9dTBWlK9LXlOLDr4xLfQoRCKfw/wUCgA2c9L8keknfW
eUz2Ceh6ezej/zYaoIklOlYQG2oCy+B7tpgCe8LqmDt5ZhCsgrdPB6D89+Tl
vwMdB5JuLHgPj28Q+JUQFK7wYvKXp0gPqAaxGHqcYoleMELUxQ4QHdIGa4Kl
ECwgHozs3X+BuPe1gyQoYdTd2vbYhBrlSkkaEo0gMRIQSGIuJ2sqJBURYOSI
lI0kOFU9Hh3n+rV8NVsY0F7VQYRGQCdSUKUU9zenPn68FUqezp8jz2ivJycU
bnFnP7rt/TMEKT+SjPHP5/xnEherpRqhNWZBhHFIW8DZs9oTfUwR8nSLwqmI
nZd7Fjil2A5caXYi87bELK2hjHZUhPgqZUIgB9ZHFR2yY1mJ2ORuygmBZngc
6ITspxLaAJoWuby4BviBMLGhNAz2CRERcQSHewZ90VARtgf1JHPtUgeOaMjm
LwRX9lpfisBDbBRl1KssqK/DWl5zZox6OciD1SF0BQoGHxr/5WSZ5cwvV//H
bFk9egQeEdZ4jclsw/xKecPgG1l09/0rVm2GihTwIBYTfNRHhS1XIOHHx9M0
SKCJAuFAfwPEl2hEk7KagSGZtmhmptiWE32Uvu/JcepDgpG9mJ/Mn6C59Fmd
uCpgh3X3xGigNV2RcS7AsnLGtBL9FPGVPEx7cStI6BnTRnYzg6650EH6GRl1
SRrKJrJ0hRWhy11LuoteQsCKBCZ3MEbzDjL7nfpxoJs/MsVlxYSys5JCAITV
f/7znzov/ayulVzE6thcP338WF9eiRM50XONzP3t+sl0/XSkHgqr0NawXAga
unCQMO8E73bKj4YhNxSMvdCKyRyObm6wmmb182fHCfbuLn97rPYNJSQiBLs2
YGygI8u2YEGTwr+r8s6sjsBQPMNihQKtHdrNTq8I+pL7KUHh2LQyU0PKethu
6N1rRMuVklfje88KZ3z6VgHLrBffCwjfL91EZTvkvRHTG1cGG/iCAyKPiOkN
IFoTABGnNiEasP+jPEFx7oNlo7DdNNXaS2kH6GvONh7TNixf+cYB3iVRS7Y/
nneia8wr6ynHgYTNcmhQcTGiWhduaRu3sf+O+yJhbzG2N14qb8E99bc4WnAj
6QtLaqwOE0+RZnAwefUAu0m9QFcu6WXoS+OKFiu1VI/t5Y5D1u2RQMIR4J0U
tpKC5cDxjsobmQfUhgyXstl1hQqOGXXnew4yHmN5jTCMyiDFg9n5tNwM29zj
ndSLuSALZt3S0yQKTygRFwriVBv4C2MxVitiPS3gQLGDeTCEtAijjzqsM02A
zjFhGPF5lFNF60Bb5eT+8H7Zdw6+lDCJUs2qe65vARMVkwL2/QCoviskIJtR
5RJ96xM/LEJOFRZwVlL4F8nDNpaIBuDJdVwhKQE6rB2Y3KF47kHbyGEif4EA
1ck5kRcwBHWvKGwhmX+nrxgtIVT50JPoU8575dB0JqTc7kqsdoGYz8iOtGRf
kNu/L/Xl9f3zGRmi7FHwCNeorL46u3v+rJdyCXp/fvLs+adP09jhANimvLzq
H5bWDVSBGlFOBteeJdfY2JLGCngJfh2y1P08VZRegSRhg/fO6JuqRTM8y+9R
zN5SzVbIefni5Qkk8OBtIfQydu+qM17xTS8efxtR+EFj6sCWtCc6igHdHwbv
vXoj4y6DpkX1P84+BuhaMcAjbxi9JxNAN9MyyHNMvcD6iopaVLOO0XlHnsrB
wd3DFWI2R8igD6knxFDXW6DsSYsfh4vJVhnXscAwsz4gMApWUu0Qh86JwJBc
cambikt5kJtDMr0EQ0IKZXkIzKVvwHamCWblF4C1JMrWaRKRo5icEExSA0Zr
jFbIisDJiymG+4WwZIul4uDig0wx3hrMibm8YVAttm3TNQkf4n7JEgnAwFY7
xHBWHiykBqdC5dSvSGJimeqrcoNeI60riYcAi5WtUAzgxCqEDQDp6xA0ukap
oALceSSTuylJ4swerC0d4t69Kj6wp18jBdcGTw+bNNSYwbUBViDBw96MGjR8
+q/q9JJZK9GPVWBg98SKQ9wbNDNIW7B9cf5m0KbA3HCvVTHwE5yugHl38Pre
UHK72O0XwqcUGbnqHXa0QMljxnZJgaNxGdauSNcTmUvh2ad6Du5ytPzAb+kc
n4DWUM2LniWmelSFiJGN0vcMAR5WS4NoYO/o3n5qfXOwnR6IfQCzCoYJbBKt
zOfqVvoNpC7oYPoxG1Qxd/TurvM+6AUq0CJKcgGg2PlqPtXnr660zVdAU4Uc
ArOHJdhnx+oY+l4U6nFPlT4LVEDtCfsxx/qUdtl5eDip2vDXvqmrcgXb9+0K
QFvDkwgAkSzOT4D9gQ423AAgF9LXPbWwS0SObJHBQR7GVOTIguSoC161Bfo6
+KwSbvKcANh+XW1rh7jwYK6xjzrRG94Efnb+cFicFMXaGu+/xg3CPTXiMowj
kVKqDRqMJwWkUaH3tqlyVAEjXZyb/gtRqCAmTXU1iE2fx93sPCLqVBBv+E4t
92XUMNwYwFFj0b9fMLOhjgseI/HCtZW2EUTIbcVFaxTDxnzA2KURH9Uul0GG
3IZaKe/vttqkXKXd70LVlwvK9HouycEzQDxkA/Ainmjg2jrcD1E1RrUOAb5g
yBU64UtXwOtB1XgMhGC9SLuL1mjYsMEH4AJ1NwMhhB5gcQsoIJOyspHCuh9j
HhcQsDBJzoAlS3gGu9tzfYvU94EOt727XgnnG19INuTtcSsQ/XswDev4jVcB
m0U6wsZwU2zpIDlqQESszSWFW9R/RHnnGJJzGwwYUfxlNMkfYKWPj6KJYpv/
EwO7fTghahVvRQ9im8OWRK4KfbUK3pf8VWLOEI52STDqUD9OWxx0CGovBI/3
1AVWsLeBVNMtwdUh05Nhp5ilV3X/G/ZIJXb9ABnkuvPsCPT2Ha7qHFywuaQQ
+tDhzs4PL7DrJ5J0XAsjlcNZxDo41ZBHExpDfFGVsVRF8KepW/gmsr6DXiop
QyUVgD6GHs1OGbPtu1iirceeMOJBKgtqwoMeEtywoi+6FyYyOqu/e3srozYG
q7bpMBsQRqNO6ZvirAOHKdPVAghRMQ9zz1MCWbVhgJp9sDissQDXXFYQY2ET
dVcPZZ2FkOwwBwStbMhiHoUcVr8OHkdcXUxiEZvuklxw4KJIlTIc5KDv6qro
BnkOtgYYKA644T+4rTjVdPgHcbn6qeLCFHG1Q0KMeLDc6PdSYKYQSO576Qe0
D4VSBLjFyFvgQFIqA4z+Joz7SMtHksqupooJg4XgUUbI3I0zARf8KY0XUUIP
W8XSBZo+hWJkJ9/csXGx4/QLIDPW8dkDxYgzBYsMMz2E4/stVMZqBY1GfSix
jX55rdJ8G7z8Bg2ARo2uehUKmSzr4gWG/KUgf9yJCtSXllllS7AOxCkiZw2r
FGZnycx3VSkkBv2/vJbNgkndXl2KIi3hnQ+gAhTlvq4cKv1sFIioL7zn9uJ8
4O+5TyZfUsjglgFGxQ3nVdPPe/FYs5N3JosIv6hoMtfnPbVhjtIkqzxB32He
q1rPuN6TdYZoKER6twKRk2sGNGel+rtFc+0qbeBMMflDJRnubc/Xmb3ar+Qw
+6/DIoaSF01xbK7sZztSveaqfnAar0DBVjWiMUxSftjy5zMsg2M1DNLyqpxh
qsul8Q+h/YyWMIqcOGbh3M/2s8VdLqnEWTiE1FRnTv1pqP6pbr6MSoajQFrG
fS3tIDKYACe6BB4UUqE2S941aiMhkAeHvCbLiSFgPs4C3qQpfEXQ+LPqR3Uc
kRx5/YOYNwc4RH7JYCfCdxlxnHcn43IbCBENV3KcV7Dpwm0AOOanaUkIUUhQ
n+Tt7DOTDZOKLiy4vo7fefDFIX5DIAR93wC12V4G/ZBOVEkuyXhd8GFbkFdL
yrUP2D1B9EKsScIvrUsBLeg2clhhFIZHwTWtsObUcFuNC1mwgTR7EQlRLAH1
D4UXhpTXtbs32SiiPEfcMAsBVNpZdzUshbRjnfWH0v29taGAbP3hVjl3xKWD
EwuMkiSKIScFhiPwpF314TgpMOyhmUFrClQedTMMDpBuPSDW4EI4Uo9gZq85
0V812Cu4jaJyUgRa7BQaiXTNRlW1tuBxKP2y9UxWbplFsoEpQ0LuuWJEhKBX
8YBnIKWbc41RTcqTC3wx1XepDKvimjJdUXYjj/qQnlEoo3XSSQxFbmeDdyNd
MemA1JvnphMTIvPxY80Q8kBqH7VzHIoCkWl6GVHAvn6fQ0nQxyR9QKoUnYc1
YOICBFuEdDI/IiQrZmmzi93nJKv6q6T7Y6cd0m2zh+j3yqSKq2KyE8ZcRrWD
V3De42alC9Tfu4oDMckAKZeeA/t4EYmgBLNCLZ8iXkEcCG2xbhUfojFxnLfU
kdtTjxqWI4XkUZM+8x+k0oN98k4C0ToBteE1OqdSESmG4AzcpqzD/3k7ZG2z
ILhwn/0ZUp1uOAXB/KpkV7vo9FDt6QvX3rEAQJsE2TcEQxI7ig2acGoCNwne
at/qHTcR0MYWFjcB6UVhMlRxACug7KlcVDK/9WJ+Eue3Hr94/ukTBYJVSUUM
jDQF4aSsMNzfZYeMO6WIAjZDg/qw6QloWDKIhk4WkYTMMM3n85ERnVBvJNNQ
XYWU1sTqT6gryiqg2IxQ4REax5uF0ZowTYWZtDAHe/CfE1pvblYmy6QBma0d
4C2vot6xQwo1uJ4Rxw7cqQZFX4fJjEgQaHSN6IN0i48WCNFh0DvkqZh/oNU9
mCajEU6ThAMj9SLlAelTIELGlH2nK/2ZWJVht87rD3y/CpNXZZ4KHaJGbLYE
rWMriw3Zzj0H8xct7ZkctWhx8hrwTe08l/Qu0FJoiCFE47/AylVNcfsRlk5D
nfSm16U5K6tyt0FPeAvJ9Eh/KZ2l5G378XBGBTIeDY/ZU+LasZTAtwRDgqd8
V0sI4bcOhMZCJo8qBcDL8BceWBtMdKlHmmFqeHl73T0cs8jpyHScbAkEHqpz
+09BCrAfSsNQF08yNRJ1TWQflm4yEElFZrQMDBuurLiMx4nyERChO6/xnMbR
Eq9xPJeBViwzUb+SG1mINxXXN8IJpP21ns6fhrWef/fiKXggjCV5N5/Pc6IJ
/f44nE2YrOkcwySUnof7QD5QKQbQASDSB8o+8dYLdE6MDNVtuwDnoI8uzm+P
8WQDkiXd9JcvsOWOR2I8pnufYQFCfXIZhk/BaFhtOhJTca45iHYSZRs7tJfX
0agASsauM7OTe9PSB23a7fGk53Mo4PT4oIaaQijzMyCQ1XZgOEqsAhNFCovU
eOmGWFPL4XpgWnn0zGE804nBiCFEF5KmyXkhrob0PHbi3CkPVqHT8dnORYeQ
vjxoM8YPIPve2QcQvqKOI74+9MsGk+boNkmYPDOcWtuWWLsvEDnP1cd7MisQ
h4D78yoII2LcUUMiqCJoTe25z9W1knsDxoRCc+exaNeQOc3VucxXd2BhYEfL
tiZFo9zU44k7UP+G48S433Jhvp5ACLB+/oUkS4qOPdANIQMJ7W+BU6NDiS+8
HyvOzSFZAZBuy5yaz1OVdmLoXI2Xsh1SgUYQn5/F5/vOiJJjv64ZvQbbjAiJ
mt6oFJ1fBqcFYiE/mCCxb+dPOizGnvB4LlGxm9NEpTm/Ont3oe9MveJQiMO0
rjA154hUc65RSrhpqmxzkOsmsxLzOTysp8eOeHg5QUzZYucjArJlyhqmbMrD
oR3tcl0fdZt+Mn/GfjTONR9PFeZa3EKiIyCk+8u2FGzmh+kmZkNJTXhcxQS5
dqiPQgGKA0ApIQKwvrakbhfFLDw8KYyNZQiw1gxzINkvTXthTE9ni8LIjOlN
UvXHEHj4ZoNjAgDsWqoK4YgBSCUMG6dmgNF4mEr2TtKmeK2lhIZiHeUVPelA
Fr8vEurgWp6u1KAithgkHuDAPSIh7DTH8zMq4GH0CNQbHEU2iBU3YI9YeEKn
I54mYqMQ7+I7O9ArqsvoTPwHESiVaurIGc4aYkjyzZ4TobhoktPYqLqq0x8q
jxU2nYTbX59XpfpFFHR/kZiTohB5vnpZG9/UbUbVXKqA0uB0LOJjOIPFuShp
6oWDL6giSlVoFtcRjfvBpxl49BYzOrp+jDUKh6bo5JB9UphQ0RFkZivT7dM0
E9VLwhpnqJVn8K+bn2GZ09IZnaDJQE1UDw/0yzycHPMxfkQ2FX/uwdJufpLC
zCB7TXPz+H48+8R9/mIfV2zmMux48vgpHmnEd0i//vmLJ3BBzqHSTxSIc6e4
JTzl/fGZDS5uph4p4jpZDGtpLnOo+ATxOPxMlsbVuC6tEqYhaWU/oWptlYEp
zNkJSqo/+M0MHoQYBnJqem0T38kLo9kQPsLTE9TmoIg441wQj/kDg77gXqlS
LjX/bZxvY+hYycFqfK2VWSa4yFwDU6VWFk216cseBRwXKLCmPFbdYRg+xxVP
RBhPo2MLQWcsHedlDgQET8aLA4xKvbJLwb6hYiz+WJKs5IV0eg3sb1Yt+UCw
NMHTk2EKX+r2yAcejQ7g8BgFn1EM84C7ztD2cKrAKGq+ETtxxs4WMsUrqRgy
N5hYbJIXu6nC+iQ+LibFo4rcu+oZ5oFz+3hmkqZrmkrRCW9A0ZYKEDwxZ4oZ
NxB8053JItS0lUr6lrjeoD4wzgxHTaUEFkcP4hkGpCeAlIu0C0o2+f5V9Uap
7no8y+jTsZsZjvfM7t7expzr25c4dR2/4t85khnoZy+f4Ze0PKTU965q/d6t
4ezlk6eg8FraDaHFxiUYFTQptIKkAoBt0jaeY4fk656qhAcSJmLNZ7OmOKiT
Jo4nYJX7VbckeZzIIRE7xrfY4gJrbDN25rlpTILuWFdG3MoEp+9AJDJ8LzOU
CEf3D50mQU4Grcdya3VEWIuB6IQPvYZdPov7Iykcx+jIFTAZVeiWx67Qzzt2
CI7iN+ouNoMQjODn0fmo/cRVctVgNok8DPkFpIr8AsBbQdA0JAEYPa8eQCHg
TZvxMtkkkzq6dEq6Hxnh/JRGPygDqJKzp66JQwehi1Ymv8tjE2DVO7LDrQKu
T0z2SyYnJ6rP3X+hS0/DUOG0amwDMPv5ge6EE9dABUD7tl4aBMH9IJ7+NpCS
0jz+VhUN8nSg2yzATkNlUIbdIVNZheZd6KdH/9wd+5XKG5cBxDF37jhGGrXp
1kNZcGhpBmXgiJFq5z+cKvVrfUcqd/j0A89AS6WDfyuhLQv3wXLoxBFlArRK
M1LZUOpHjjPGewqUOU0fhLPNvd/S6bt2WCm0oqj/HwuzB0XtwvHbZq4vuFnn
YZXwixxdNxKMAbumdGBoxnMpQG4GgFXX8mNP3c2EeHS3aXJt1AjvlS96v1ET
xuLXDhIEiyawxRQblgltYWoL4u9J8CRl7/dpzMjZJwGppLjpzyaJw9N6ARJd
1QRCjnq/H0XYm4tOMjHc/WzVcRwix4aYjqsuIKH54HlMdhkbh2nNyjfVNjmX
0RvqgIX63QA6vSjuQQw9ZHkYZjCM4W/49PqS4KRgHWyt07q8Adl+SPpMOu0Q
f9gAnZPjdiL11kSACZnJ5COC1W7oKk44hvHB3uEwPdLFkWrbr+k47Y6bYVKF
CLCiCU06+vGH3pCfHJsgG8JfKDwg9t7vK7Ek4qwPq9XHj/3B0U8B5Y5MFsp2
CQ/Fw5d6bNJQ/yuThrBU/PWn3qgh/Sra2dXZYGih/7tI0nTwfC9p7wpxYt13
dWRWuwAOJ3LORF3HIxZ/tjvfO2DusWJMa9W79OA++L9f9BUfdocP6O57/37R
7+TU8Jf//aLPOcycc+ArYE24eGOpcJnJyr+oX2byL35I/o1dO/Rv9N7BRXgh
HuJnCodahgRyDhxPQY1Pn9Lz+Oudg20f9fKM41/k9/DQK6HczzJ0s2DKK0oH
1MdTPi9j899CMll4O/kEevD+1Xt4c7gTQuX/AvkdG9TJVAAA

-->

</rfc>
