<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-sahib-dnsop-survey-dcv-techniques-00" category="info" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="Survey of Domain Control Validation">A Survey of Domain Control Validation Techniques using DNS</title>
    <seriesInfo name="Internet-Draft" value="draft-sahib-dnsop-survey-dcv-techniques-00"/>
    <author initials="S." surname="Sahib" fullname="Shivan Sahib">
      <organization>Brave Software</organization>
      <address>
        <email>shivankaulsahib@gmail.com</email>
      </address>
    </author>
    <author initials="S." surname="Huque" fullname="Shumon Huque">
      <organization>Salesforce</organization>
      <address>
        <email>shuque@gmail.com</email>
      </address>
    </author>
    <author initials="E." surname="Nygren" fullname="Erik Nygren">
      <organization>Akamai Technologies</organization>
      <address>
        <email>erik+ietf@nygren.org</email>
      </address>
    </author>
    <author initials="T." surname="Wicinski" fullname="Tim Wicinski">
      <organization>Cox Communications</organization>
      <address>
        <email>tjw.ietf@gmail.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 152?>

<t><xref target="I-D.draft-ietf-dnsop-domain-verification-techniques"/> describes best practices for using the DNS to verify ownership or control of a domain, a process generally referred to as "Domain Control Validation". This document is a companion survey that catalogs the DNS-based Domain Control Validation techniques in use today across a range of Application Service Providers and protocols.</t>
    </abstract>
    <note removeInRFC="true">
      <name>Discussion Venues</name>
      <t>Discussion of this document takes place on the
    Domain Name System Operations Working Group mailing list (dnsop@ietf.org),
    which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/dnsop/"/>.</t>
      <t>Source for this draft and an issue tracker can be found at
    <eref target="https://github.com/ShivanKaul/draft-sahib-survey-dcv-techniques"/>.</t>
    </note>
  </front>
  <middle>
    <?line 157?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Application Service Providers often need domain owners to prove control of a DNS domain before providing a service, such as a Certification Authority (CA) issuing a TLS certificate. DNS-based methods typically ask the requester to publish one or more DNS records, with content and placement specified by the Application Service Provider, that the provider can then query for.</t>
      <t>This document surveys such DNS-based Domain Control Validation techniques in use today, cataloging the record types (primarily TXT and CNAME), naming conventions, and token placement drawn from the publicly documented behavior of a range of Application Service Providers and protocols. It makes no recommendations; see <xref target="I-D.draft-ietf-dnsop-domain-verification-techniques"/> for best practices.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>This document uses the terminology defined in the "Conventions and Definitions" section of <xref target="I-D.draft-ietf-dnsop-domain-verification-techniques"/>, including "Application Service Provider", "DNS Administrator", "User", "Unique Token", and "Validation Record".</t>
    </section>
    <section anchor="txt-based">
      <name>TXT based</name>
      <t>A TXT record is usually the default option for domain control validation. The Application Service Provider asks the User to add a DNS TXT record (perhaps through their domain host or DNS provider) at the domain with a certain value. Then the Application Service Provider does a DNS TXT query for the domain being verified and checks that the correct value is present. For example, this is what a DNS TXT record could look like for an Application Service Provider <tt>Service</tt>:</t>
      <artwork><![CDATA[
example.com.   IN   TXT   "237943648324687364"
]]></artwork>
      <t>Here, the value "237943648324687364" serves as the randomly-generated TXT value being added to prove ownership of the domain to <tt>Service</tt> Application Service Provider. Note that in this construction Application Service Provider <tt>Service</tt> would have to query for all TXT records at "example.com" to get the Validation Record. Although the original DNS protocol specifications did not associate any semantics with the DNS TXT record, <xref target="RFC1464"/> describes how to use them to store attributes in the form of ASCII text key-value pairs for a particular domain. In practice, there is wide variation in the content of DNS TXT records used for domain control validation, and they often do not follow the key-value pair model. Even so, the RDATA <xref target="RFC1034"/> portion of the DNS TXT record has to contain the value being used to verify the domain. The value is usually a Unique Token in order to guarantee that the entity who requested that the domain be verified (i.e., the person managing the account at Application Service Provider <tt>Service</tt>) is the one who has (direct or delegated) access to DNS records for the domain. After a TXT record has been added, the Application Service Provider will usually take some time to verify that the DNS TXT record with the expected token exists for the domain. The generated token typically expires in a few days.</t>
      <t>Some Application Service Providers use a prefix of <tt>_PROVIDER_NAME-challenge</tt> in the Name field of the TXT record challenge. For ACME, the full Host is <tt>_acme-challenge.&lt;YOUR_DOMAIN&gt;</tt>. Such patterns are useful for doing targeted domain control validation. The ACME protocol (<xref target="RFC8555"/>) has a challenge type <tt>DNS-01</tt> that lets a User prove domain ownership. In this challenge, an implementing CA asks you to create a TXT record with a randomly-generated token at <tt>_acme-challenge.&lt;YOUR_DOMAIN&gt;</tt>:</t>
      <artwork><![CDATA[
_acme-challenge.example.com.  IN  TXT "cE3A8qQpEzAIYq-T9DWNdLJ1_YRXamdxcjGTbzrOH5L"
]]></artwork>
      <t><xref target="RFC8555"/> (Section 8.4) places requirements on the Unique Token.</t>
      <section anchor="lets-encrypt">
        <name>Let's Encrypt</name>
        <t>The ACME example is implemented by Let's Encrypt <xref target="LETSENCRYPT-DNS01"/>.</t>
      </section>
      <section anchor="google-workspace">
        <name>Google Workspace</name>
        <t>Google Workspace <xref target="GOOGLE-WORKSPACE-TXT"/> asks the User to sign in with their administrative account and obtain their token as part of the setup process for Google Workspace. The verification token is a 68-character string that begins with "google-site-verification=", followed by 43 characters. Google recommends a TTL of 3600 seconds. The owner name of the TXT record is the domain or subdomain name being verified.</t>
      </section>
      <section anchor="the-at-protocol">
        <name>The AT Protocol</name>
        <t>The Authenticated Transfer (AT) Protocol supports DNS TXT records for resolving social media "handles" (human-readable identifiers) to the User's persistent account identifier <xref target="ATPROTO-HANDLE"/>. For example, this is how the handle <tt>bsky.app</tt> would be resolved:</t>
        <artwork><![CDATA[
_atproto.bsky.app.  IN  TXT "did=did:plc:z72i7hdynmk6r22z27h6tvur"
]]></artwork>
      </section>
      <section anchor="github">
        <name>GitHub</name>
        <t>To verify domains for organizations, GitHub asks the User to create a DNS TXT record under <tt>_github-challenge-ORGANIZATION.&lt;YOUR_DOMAIN&gt;</tt>, where ORGANIZATION stands for the GitHub organization name. The RDATA value for the provided TXT record is a string that expires in 7 days <xref target="GITHUB-ORG-VERIFY"/>.</t>
      </section>
      <section anchor="public-suffix-list">
        <name>Public Suffix List</name>
        <t>The Public Suffix List <xref target="PSL"/> asks owners of private domains to authenticate by creating a TXT record containing the pull request URL for adding the domain to the Public Suffix List. For example, to authenticate "example.com" submitted under pull request 100, a requestor would add:</t>
        <artwork><![CDATA[
_psl.example.com.  IN TXT "https://github.com/publicsuffix/list/pull/100"
]]></artwork>
      </section>
    </section>
    <section anchor="cname-based">
      <name>CNAME based</name>
      <section anchor="cname-for-domain-control-validation">
        <name>CNAME for Domain Control Validation</name>
        <section anchor="docusign">
          <name>DocuSign</name>
          <t>DocuSign <xref target="DOCUSIGN-CNAME"/> asks the User to add a CNAME record with the "Host Name" set to be a 32-digit random value pointing to <tt>verifydomain.docusign.net.</tt>.</t>
        </section>
        <section anchor="google-workspace-cname">
          <name>Google Workspace CNAME</name>
          <t>Google Workspace <xref target="GOOGLE-WORKSPACE-CNAME"/> lets you specify a CNAME record for verifying domain ownership. The User gets a unique 12-character string that is added as "Host", with TTL 3600 (or default) and Destination an 86-character string beginning with "gv-" and ending with ".domainverify.googlehosted.com.".</t>
        </section>
      </section>
      <section anchor="delegated-domain-control-validation">
        <name>Delegated Domain Control Validation</name>
        <section anchor="content-delivery-networks-cdns">
          <name>Content Delivery Networks (CDNs)</name>
          <t>In order to be issued a TLS cert from a Certification Authority like Let's Encrypt, the requester needs to prove that they control the domain. Often this is done via the DNS-01 challenge <xref target="LETSENCRYPT-DNS01"/>. Let's Encrypt only issues certs with a 90 day validity period for security reasons <xref target="LETSENCRYPT-90DAYS"/>. This means that after 90 days, the DNS-01 challenge has to be re-done and the Unique Token has to be replaced with a new one. Doing this manually is error-prone.</t>
          <t>Content Delivery Networks offer to automate this process using a CNAME record in the User's DNS that points to the Validation Record in the CDN's zone.</t>
        </section>
        <section anchor="aws-certificate-manager-acm">
          <name>AWS Certificate Manager (ACM)</name>
          <t>AWS Certificate Manager <xref target="ACM-CNAME"/> allows delegated domain control validation. The record name for the CNAME looks like:</t>
          <artwork><![CDATA[
_<random-token1>.example.com.  IN   CNAME _<random-token2>.acm-validations.aws.
]]></artwork>
          <t>The CNAME points to:</t>
          <artwork><![CDATA[
_<random-token2>.acm-validations.aws.  IN   TXT "<random-token3>"
]]></artwork>
          <t>Here, the random tokens are used for the following:</t>
          <ul spacing="normal">
            <li>
              <t><tt>&lt;random-token1&gt;</tt>: Unique sub-domain, so there are no clashes when looking up the Validation Record.</t>
            </li>
            <li>
              <t><tt>&lt;random-token2&gt;</tt>: Proves to ACM that the requester controls the DNS for the requested domain at the time the CNAME is created.</t>
            </li>
            <li>
              <t><tt>&lt;random-token3&gt;</tt>: The actual token being verified.</t>
            </li>
          </ul>
          <t>Note that if there are more than 5 CNAMEs being chained, then this method does not work.</t>
        </section>
        <section anchor="akamai">
          <name>Akamai</name>
          <t>Akamai <xref target="AKAMAI-DCV"/> uses a CNAME record:</t>
          <artwork><![CDATA[
_acme-challenge.domain.com. IN CNAME validation.validate-akdv.net.
]]></artwork>
        </section>
        <section anchor="digicert">
          <name>DigiCert</name>
          <t>DigiCert is switching to use a static prefix <tt>_dnsauth</tt> CNAME record configuration <xref target="DIGICERT-DCV"/>:</t>
          <artwork><![CDATA[
_dnsauth.example.com. IN CNAME [random_value].dcv.digicert.com.
]]></artwork>
        </section>
        <section anchor="fastly">
          <name>Fastly</name>
          <t>Fastly <xref target="FASTLY-TLS"/> uses a CNAME record:</t>
          <artwork><![CDATA[
_acme-challenge.domain.com. IN CNAME token.fastly-validations.com.
]]></artwork>
        </section>
        <section anchor="cloudflare">
          <name>Cloudflare</name>
          <t>Cloudflare <xref target="CLOUDFLARE-DCV"/> uses a CNAME record at <tt>_acme-challenge.domain.com.</tt> pointing to a Cloudflare validation target, for partial DNS setups.</t>
        </section>
        <section anchor="f5-distributed-cloud">
          <name>F5 Distributed Cloud</name>
          <t>Customers create a CNAME record for</t>
          <artwork><![CDATA[
_acme-challenge.demo.f5lab.com.
]]></artwork>
          <t>with the value provided by F5 Distributed Cloud <xref target="F5-ACME"/>.</t>
        </section>
        <section anchor="google-cloud-certificate-manager">
          <name>Google Cloud Certificate Manager</name>
          <t>Google's Certificate Manager <xref target="GOOGLE-CERT-MANAGER"/> uses DNS authorization where customers add CNAME records like</t>
          <artwork><![CDATA[
_acme-challenge.myorg.example.com.
]]></artwork>
          <t>pointing to Google's validation domains for certificate provisioning.</t>
        </section>
        <section anchor="certify-dns">
          <name>Certify DNS</name>
          <t>Certify DNS <xref target="CERTIFY-DNS"/> is a cloud hosted version of the acme-dns protocol that uses CNAME delegation of ACME challenge TXT records to a dedicated challenge response service.</t>
        </section>
        <section anchor="acme-dns-open-source">
          <name>acme-dns (open source)</name>
          <t>acme-dns <xref target="ACME-DNS"/> is an open source limited DNS server with a RESTful HTTP API where customers create CNAME records like</t>
          <artwork><![CDATA[
_acme-challenge.domainiwantcertfor.tld. IN  CNAME a097455b-52cc-4569-90c8-7a4b97c6eba8.auth.example.org.
]]></artwork>
        </section>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>This document is a survey of existing Domain Control Validation techniques and does not itself define a new protocol. The techniques surveyed here have varying security properties; some of the operational and security considerations that apply to them, including the construction of tokens and the placement of Validation Records, are discussed in <xref target="I-D.draft-ietf-dnsop-domain-verification-techniques"/>.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC1034">
          <front>
            <title>Domain names - concepts and facilities</title>
            <author fullname="P. Mockapetris" initials="P." surname="Mockapetris"/>
            <date month="November" year="1987"/>
            <abstract>
              <t>This RFC is the revised basic definition of The Domain Name System. It obsoletes RFC-882. This memo describes the domain style names and their used for host address look up and electronic mail forwarding. It discusses the clients and servers in the domain name system and the protocol used between them.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="13"/>
          <seriesInfo name="RFC" value="1034"/>
          <seriesInfo name="DOI" value="10.17487/RFC1034"/>
        </reference>
        <reference anchor="RFC1464">
          <front>
            <title>Using the Domain Name System To Store Arbitrary String Attributes</title>
            <author fullname="R. Rosenbaum" initials="R." surname="Rosenbaum"/>
            <date month="May" year="1993"/>
            <abstract>
              <t>This paper describes a simple means to associate arbitrary string information (ASCII text) with attributes that have not been defined by the DNS. This memo defines an Experimental Protocol for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="1464"/>
          <seriesInfo name="DOI" value="10.17487/RFC1464"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC8555">
          <front>
            <title>Automatic Certificate Management Environment (ACME)</title>
            <author fullname="R. Barnes" initials="R." surname="Barnes"/>
            <author fullname="J. Hoffman-Andrews" initials="J." surname="Hoffman-Andrews"/>
            <author fullname="D. McCarney" initials="D." surname="McCarney"/>
            <author fullname="J. Kasten" initials="J." surname="Kasten"/>
            <date month="March" year="2019"/>
            <abstract>
              <t>Public Key Infrastructure using X.509 (PKIX) certificates are used for a number of purposes, the most significant of which is the authentication of domain names. Thus, certification authorities (CAs) in the Web PKI are trusted to verify that an applicant for a certificate legitimately represents the domain name(s) in the certificate. As of this writing, this verification is done through a collection of ad hoc mechanisms. This document describes a protocol that a CA and an applicant can use to automate the process of verification and certificate issuance. The protocol also provides facilities for other certificate management functions, such as certificate revocation.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8555"/>
          <seriesInfo name="DOI" value="10.17487/RFC8555"/>
        </reference>
        <reference anchor="I-D.draft-ietf-dnsop-domain-verification-techniques">
          <front>
            <title>Domain Control Validation using DNS</title>
            <author fullname="Shivan Kaul Sahib" initials="S. K." surname="Sahib">
              <organization>Brave Software</organization>
            </author>
            <author fullname="Shumon Huque" initials="S." surname="Huque">
              <organization>Salesforce</organization>
            </author>
            <author fullname="Paul Wouters" initials="P." surname="Wouters">
              <organization>Aiven</organization>
            </author>
            <author fullname="Erik Nygren" initials="E." surname="Nygren">
              <organization>Akamai Technologies</organization>
            </author>
            <author fullname="Tim Wicinski" initials="T." surname="Wicinski">
              <organization>Cox Communications</organization>
            </author>
            <date day="21" month="June" year="2026"/>
            <abstract>
              <t>   Many application services on the Internet need to verify ownership or
   control of a domain in the Domain Name System (DNS).  The general
   term for this process is "Domain Control Validation", and it can be
   done using a variety of methods such as email, HTTP/HTTPS, or the DNS
   itself.  This document focuses only on DNS-based methods, which
   typically involve the Application Service Provider requesting a DNS
   record with a specific format and content to be visible in the domain
   to be verified.  There is wide variation in the details of these
   methods today.  This document provides some best practices to avoid
   known problems.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-dnsop-domain-verification-techniques-13"/>
        </reference>
        <reference anchor="LETSENCRYPT-DNS01" target="https://letsencrypt.org/docs/challenge-types/#dns-01-challenge">
          <front>
            <title>Challenge Types</title>
            <author initials="" surname="Internet Security Research Group (ISRG)">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="LETSENCRYPT-90DAYS" target="https://letsencrypt.org/2015/11/09/why-90-days.html">
          <front>
            <title>Why ninety-day lifetimes for certificates?</title>
            <author initials="J." surname="Aas">
              <organization/>
            </author>
            <date year="2015"/>
          </front>
        </reference>
        <reference anchor="GOOGLE-WORKSPACE-TXT" target="https://support.google.com/a/answer/2716802">
          <front>
            <title>TXT record values</title>
            <author initials="" surname="Google">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="GOOGLE-WORKSPACE-CNAME" target="https://support.google.com/a/answer/112038">
          <front>
            <title>CNAME record values</title>
            <author initials="" surname="Google">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="ATPROTO-HANDLE" target="https://atproto.com/specs/handle#dns-txt-method">
          <front>
            <title>Handle</title>
            <author initials="" surname="Bluesky">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="GITHUB-ORG-VERIFY" target="https://docs.github.com/en/github/setting-up-and-managing-organizations-and-teams/verifying-your-organizations-domain">
          <front>
            <title>Verifying your organization's domain</title>
            <author initials="" surname="GitHub">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="PSL" target="https://publicsuffix.org/">
          <front>
            <title>Public Suffix List</title>
            <author initials="" surname="Mozilla Foundation">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="DOCUSIGN-CNAME" target="https://support.docusign.com/s/document-item?bundleId=rrf1583359212854&amp;topicId=gso1583359141256_1.html">
          <front>
            <title>Verify a domain with a CNAME record</title>
            <author initials="" surname="DocuSign">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="ACM-CNAME" target="https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html">
          <front>
            <title>AWS Certificate Manager DNS validation</title>
            <author initials="" surname="Amazon Web Services">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="AKAMAI-DCV" target="https://techdocs.akamai.com/property-mgr/docs/add-hn-with-default-cert-la">
          <front>
            <title>Add a hostname with a default certificate</title>
            <author initials="" surname="Akamai Technologies">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="DIGICERT-DCV" target="https://docs.digicert.com/en/whats-new/change-log/certcentral-change-log.html">
          <front>
            <title>CertCentral change log</title>
            <author initials="" surname="DigiCert">
              <organization/>
            </author>
            <date year="2025"/>
          </front>
        </reference>
        <reference anchor="FASTLY-TLS" target="https://docs.fastly.com/en/guides/setting-up-tls-with-certificates-fastly-manages">
          <front>
            <title>Setting up TLS with certificates Fastly manages</title>
            <author initials="" surname="Fastly">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="CLOUDFLARE-DCV" target="https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/">
          <front>
            <title>Delegated DCV</title>
            <author initials="" surname="Cloudflare">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="F5-ACME" target="https://f5cloud.zendesk.com/hc/en-us/articles/24624288087959-What-is-an-ACME-challenge-and-how-should-I-enter-these-records-in-my-DNS-zone">
          <front>
            <title>What is an ACME challenge and how should I enter these records in my DNS zone?</title>
            <author initials="" surname="F5, Inc">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="GOOGLE-CERT-MANAGER" target="https://cloud.google.com/certificate-manager/docs/deploy-google-managed-dns-auth">
          <front>
            <title>Deploy a global Google-managed certificate with DNS authorization</title>
            <author initials="" surname="Google">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="CERTIFY-DNS" target="https://docs.certifytheweb.com/docs/dns/providers/certifydns/">
          <front>
            <title>Certify DNS</title>
            <author initials="" surname="Certify The Web">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="ACME-DNS" target="https://github.com/acme-dns/acme-dns">
          <front>
            <title>acme-dns</title>
            <author initials="J." surname="Hoikkala">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
      </references>
    </references>
    <?line 302?>

<section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>This survey is derived from material originally developed as part of the Domain Control Validation using DNS work in the DNS Operations Working Group. Thanks to the contributors and reviewers of that document.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA71b+3PbRpL+HX/FFF21K90JJEW9dZtkGUmWuStLPpGO17e1
JQ2BIYklCDAYgDSd8v++X/cMXnzIqqTqVJFDAvPod3/dM3Jd10mDNFSXotEV
/SxZqJWIR+I6nskgEldxlCZxKH6RYeDLNIgjMVDeJAp+zZQWmQ6isbi+7zcc
ORwmaoFFXrFEw/FjL5Iz7OkncpS6Wk6CoetHOp67mue7vrdw02Int912PJmq
cZysLkUQjWLHCebJpUiTTKeddvui3XGmarWME/9S9KJUJZFK3Wta3XF0KiP/
SYZxhB1XSuNBouQMA28Gbx09k0n69GsWp0pfiih25sGl+GcaewdCxwlGjjQ+
rWb04V+OI7N0EieXjnAdgZ8gwqR+U/SJBX5iGOtPgoWMKo/jZCyj4CsL4FL8
nMiFEv14lC5loniAgrTCS6F54lRmIUvlr2N63PTimbO+5bsMoqltmc2gn/Jx
fcu+DJUexYm3th0N37XLTVPcr8aJiirb3CTBtPq0vkt3KrGUMZI4jMcBxF3Z
TmHyfwcqHf014hWamF3fctAUnwIPH6dBZdNBMKs/ru96FX/B72yWRYHHj2qb
pv9eNnnPCpdRnMwwcqGgSfH49uqwfXScfzw+xUeHrKwyhl+dn5ycmC8997pp
jJdWtrbrs8W7C3A5soRUjNhMvLsZ9G/urx4/fxi48Jz2oXlMP7kfXk1kGKpo
rMRgNVe6UQwobK/4cY3QcosXfeVlSZCuxKPSSibeRNwmcTYXe73+4+1+uZNM
xiq9FJM0nevLVitUqVaRl6zmKWmkBf/ULS8nw02JjNYbMOm2D93iubPB0EX7
uvu5v8nRp8lKRAEIhGPLlQiDkUqDGSIIRCw8laRGXkr/VDKLWIGpnfbhyff5
/1tTdKV+NXu0aOvwsNW+aC0nK1BNVOnmJJ2Fhqfbh4fbuxv308Pj3/sfulc3
7uAfg02u8FAkykPMEQsZZq/S1G0cj0O1k1KdzecIOs0xDyNTbcmWjPRSJa3O
2eHpOeLcdgqv7rvvb7bYEj3+/6Ty8LDTPjo3RHYHHx4fBg/uu+799d0W4t4h
LofqFfT8THRPVzsJkuk8idOYKdFzBeOd8NJssumX1J0prOxb0fUG7z7+7D48
3rq/3Dz23n7eJOwX8uAVJbdVnCW1YPNnLYybv0aMQfouG+6kmrysOQ7SSTZk
ylXUMt9aWqUpdnezuQs+3JmM5Ji+VwnR/CpFItOtRU6vS/SuDTPkGt4/9O82
uf2QDcPAQ/IfjYIv4i7Q6St4ex9/DcJQirdxFpm0vpPPOa+veXn2P0PL9cPV
x37v9n6X6RolCGnlLZaQDb5VLfoVdF7HXtYPxrupy40Z2gCeGUfGiEg52UxF
iO+pmv00zMicev4PSTI6PDk/Ojq56Bx2zk+O/5TG88DDi7GO7YvD48POyenT
YSWedK/e7+Ky+6kvrsoIKN6TrlVCqIr8tYBM32W0O5Nfkf4/qSGyQLIIPLU7
ILLlySV+eZLxYG/WCikGp61Mq2ScBb5qkf+UVFQ5+nv3fRdJ8OqXLSz5PvQ0
iXVKyTvXm69GADVpNdy/hqsdeGIbV5RqDWc8iblCXJhjw5U7GycmrUnfdyeR
S1S5liaXaHJDae2yd9u7unkcbGeOdHUFu0hkKJAJKUuDrM201XlF2roOxgGt
97KefIwiAvMYsZzIVLuRWrbM/i72b9EAz5Dllo8rCnvb7Q/uPruDuy3puW/C
jQBQwHujsGpWFm+lTsOV4Dj0qgRiJrzM14jHFJGP7E1XI18aaqOlKimumeVa
UgxvV3cPH6/f3nUfb7br7FqFaozZvsDrV1B/FcaZPwpzZL6VA7VQIZmWbnrF
aBM6dNhSPuRfJduoihijwsZko5b5H0JNTh69tMHx7YmLoLElXnyC9kWgBYoL
GiAKNIYnPpxuCUgfZ6EvekIRKhTpBFDQxksN/sRsxcEFfq9+eo0qTw6AL73m
TlGMTlgCza8qgganLISJB526GbwNMvBQeLQ6x6ed4875efv87OLkwiU23IBy
GPNZgkrOamDDNWy4PZfZcJkN17LhAmXPVoSfXWKjBonYdd9377u3N4/bTGEe
xpRUxmE8hAsbpGPNya9avXEDkpQRjc2nfxw9GWlVsFNlU0uIDVU+E+uOazRS
reHS3tb2wS4wDMlie7CiHMol+vfN3o4eTBSlkZe91xC9glqWysAXQ3KkKeYu
4MyJtpyt6GGRCG+2k4r0o4i1V9AJtP8uDqZTiYi9i8YKrMpXLj44juO6rpBD
jXDppY7z22+/o5z79g0pTXtJMESAxG8q5rQa5V0ua0xzBPJhG0pjYUCaiJcR
RDMJ5oJqH9sciUcFzjnAJ0gQy2gxVhgLx1jBf0cqSWChWEhq2PHO5koT+gsI
pBr8wrEC+8zmgITAB6a/AroQRsCTRJbQOZXuUGoKkjt7PyX3FEgAE0AOFXTS
S2JN+yScEMFNdz4PrcxyOCI+5HbBoYoRuxeHumn1MQt8YCzHeUPlbBL7mceo
0nl5qXiUqkhECnRbnGgETIIiQ1R1GZMu7LihgpqUMNZKupJCm+UPICWUzpI4
KrEZ7d81oQAF9t5Vdx+y1ZmZSXmz4sfNijhtmBeoovGOlCn1lEWeKBIlB2kQ
SyhZTwTiGVnGjGgjam3IO7BpGcyQVlmCofQU65hqHuyMzYYrXvklmR0Y5dOw
3FNhCRE9iAQISlZkv9BK3Y6M4Wgjmj9gLAe52eXuYYtTbjKIvXkSzGQSQEpU
XhObDJz3D6gTRFMggQXoodLmgN+n8RSEl8KAHy8jMUrimeGRqw+sl3NCUlIT
uQggZbaJ32W0opcCD01BchQzCzOsbTjX/wNDUuL3RhUKHvV40iSnuCr5ZlKu
1SiIAtPsWlMVZG18GqYFmRFuXhH+DiLwHrCmkRt2r9cA/ex8JJTfycYBNvLC
jB2r8ZJgGweIZrDzrg9SAwrJacwPP2rz8iMvKQak5oZReaNiZo+mEmQZkcmw
WSJqiEp7JqBedca+R7znpUg85xVI4DYm5LGiUvNwOnyJAXJnI26imAM0F0DE
VIWGPYDFiZzTyCTOxhOaERQbU7VEbk+Tcq/cF9ZN6wUwhRn6yt0cJi/6rs9j
CaUrNBVuXl1/qEhZRqMwFBK0N1EeM2cpASdgJzV7k1jnCWBZlDbFW6ylvsjZ
PFQUYPAK/1GpsikJj/FpGMdTEQZTxWQQnH2J/mf75PnSAAm7FSX4Jr727vEP
bSFEo3N0dnF8dHp8fgTMeX6GTw3HeacSpktZ0reN4vBPYjLaRFiAYFBrmCxM
cYN2MPONrKBok5JNpqmk9lFVsBhQ0P8im01xHwN5srjZTyFDmCScwiTDV8pI
LFnCEzpjwN6lsuEBFUVosq9GRZINGg0YxbRvuFhTdENkMmu6MFbUpREgtDVZ
jot5JrJdeOEHPuIjbEDr2AsIVctoBTkDyyKyaWPSOUYqKTtA1LGd+BrMovIG
JHIumagZfdYpJUqZphiRpSbX0ILUvOeY3r/q9RAIv6Riqlau0d5cBolBacBa
XKJkqN+suhDaoyL2ss0kbOpLCBnaTwIjFLtPnpDpwKvGA4UcGMeLwcUmsAkf
mBGO8WMW1ygOQ2IV69eJBixAtdgUNwjdQsfGoh+vu4OulVj7iCRGDS0bvjeF
C7tgdETkSMtF1aiZ7BKvlnZsQmHh+nlElaIaoUku2MQEwnEm4UWpUmUEoZQD
+LScxAX88cu3RSQqw9Be0FRNwyiV2+Aqb4fyM+khnBAgSl/pHITajAEDaBEZ
JI49P+C4RsrKq/F9WptQOBipALG1qAmvGBGCk+sSHioIgwPEwffD8zKAZxYp
CrACyp1BasFM1VRhxbSm0MKL1Be4HwuUVaG+IJ9uEkxaLGOaGVqCU6wBWbAf
STFSS8FnI47TJ4JeRkjkl1S8KOojw/aenz48PvzSu755fCIMVxb5z7n33FOD
EGpGtLK2Ws0T+XCTXah2NKIcZZDWO8qYUOXzE9d15eC/fH74+Ph0/fC+27v/
8bkp+gRY54gQKiGoA2cGnVjCuiYbElePZQmxEwZQx6WIdXvscnQm+O3bPutc
VtoxhGfFMwHl9uGzUR2dQ5G7EEwwGaNWsiBxcOwxYT9fiGKECChEE7Yjaq+6
BnKs4oz9OFEcWDcsQm5LYUbdIOY7crN5dn1QPe9S2qVdG97NUff81/+d33zt
9j7/6g4urj/d+3d/O3z6/PgPOfO/eP++HQy/Jg/vTu4aVG8XchN7fQs1z5vH
+wbFa44MMEJiGBWeMZVqkCGw90bcqfTPWtyYgz3CwFZBlkYyjkJupjSqzUDE
3DiM/fbNLG1aOOJTnEz1HCQ5zvoTzN52SgiONuAgnSqIHL8Z1CdLsBssKkEM
2SAe5lE5SHJtac5SuYtolWbzokdAVrxOnI3UFWxuV+JmwOk5KZQSHOgDDSaU
wiSGCmHVJuWG7TrpIFU1lP8DMLjJT0amx0eiWA1lkSWlqIhow8Hgjmg/Om23
qbKI8dRQyHbPR/xb3N+G6dxFQGo2tF94Rh2uGr2xDQwoJLGLWqPIqLRNuTAH
hoNT6BG23esO9ouRwh4D6Y0sTvJFPIzDBW3HMCZETe8HUjTMKSPqpb1Jhqzk
whN9OSTT82lD0JXofTKB3BxgfZTEoHku4q3ay9GwqvqhKQxyO7SeWHxgSBDP
Qz1dNeV8noO/obJUK79wZXtKmg+tOjCA2g/4vZyH3uXXs05wNvFX0Wx6mnQ6
Xztnk9N0kSUN4xrmUNMZFGnJKMVIqnb0eGAHb7pEEbPWMlkWca5+Mu27Slf4
4fG2e9/7v+6g93C/FqkOkMUJolWHCL7zU6Y+S0eVOjYiY4YGQBlgk8+wRZi/
ZpGy5jCVXHnGeZKiwvrxch5TNo9ZjXluPscqH/p3eSix/Sw4yDwJFiS2XOBU
alZsm7yRBWtbUtWKi6FejpnmlD8t+hIfH+8MEvb9/H1ZtqRb6Vs3yTUy6iUF
vHYWpOR5Rrm1zQ/bbep32q9Y1BgvaMmNdq7DzaTDJrul1Vs9aW6FoLRFu7Ww
S4NbKHx0bBsEb/LvxPzOLhaNe1MeIjv5J6iofn69LfCbPkDtCkYB1RqMXwj/
UN2Z0vAhOcRRx6UDv9TmbmuVc8AUViuVksbtLJorjq0jlTafm4bejWTFNLwu
ieXcMFghiGFKutU6JyS24t7BFiAzyAUxNqgnM/n7sLMj+ZBzcTlN7W0STsO2
PCl7cOrYY3TOrZt927LSEIrxZoCk89PNpTmlseHbrLZwGzwXqal82jTkG3bs
0Qx1ZJBWyOYaxoErx4gvm8uVrQkxAdkdtfe9Spckc7F3dX2v9x2nVymShor7
yMR50UY27cvd3Wfum9TQzMFaR5k64pUmeF46rApsW60IHrj4zFOLT5XRAvkt
PxZoH1Zw7XbUtAat4giVBHOlmR+dI9KLNsVJA6yJEWTDIDbGpPO7awhhmpoH
9Z3M3TLaipudMyUj25iSXICZlfXBdqptzctZ0WUGbeVdL16rwxiLFlA6QiWE
aU3o3pgs0SAjU7Hhs0qSOHEhbIxxnN0WEI9GNjhkKaTP3R7uoxk0Z06N1lzN
FksWQPBxEvHNQUHnYXqjX5NPg8lh1ldDGJnnrisne0DPsM1drwFN8mssFOwI
AeqyWv5e6WRZYeSW51jDJDUCNVt0HvP/YmKfy5j18MctRYedWh/Z+bGJaqVy
X8XccTFZ1kwoRLZ1qx0LVNqLjdr4ox9rnUUbsflVUWj6BbcGNEO92Pu/xPMa
k8+XuSUiYbr5UaCObf+JVouAm0KpJ4oaqzBWEpy9trG9YbexTYe2oXpdsdlA
n2VPoQwdVoXFsWDBQdmwscq2U02bohAyVa+M77ZQcEQUDLhvk8J3bFmyAeUr
bdBRRQJ8KIbHkTgxe2k7FY5OhxsH5hDLOCcfu5nGN/XUyP1yB+D7QbB0c7kI
hl3cZoJl8+lJ3QN3FMM2fLJZwkTMjIrh24/KlVN/wQnawon83o+TfyKZaUQa
b2KTvGmlAMUCU+UdlecnP9KEtJ7r4QH6GgXjLDG6BzCpXGD69i2n3c6tO1NB
9T+Nkp4Ybvyr6XuL2r0jS7i91uPY+0C//VbeKvrjgmNTsLeCaj5Y7l+5mOOU
n0FH/QbQdlq2Nj0qlDzXUJasbFbRqW0VHbBPcOvYdsC5KNe5nE6gY21b0r5Z
CRRngLgzwvJF+bOOqHaIS83i5ugklEMriwJFWnSY1yooALZtTYoy94lsLVIg
RPN6S7TPsSIyx/ZcsOW2TS72jTsztkDzCv4JGFdZN+F/O/OzFaq2mtU6TlVR
BZ0VJVUr0uqVHhaUxgjMzU2qvCIDDZVfyKjKqzVgzdyjYHkZaEjxSle67Pn1
krJByAGMRWKYtcnSzlm7vlXtObD9QaG2ZVEOQrE5h0uo/KaCZaLYei+e88FA
lngKqbx4zrn7psIJKChHQvoo0QjXsiEnC+5IM+x5vOkPqFf6bjD4ILofehuq
tKb8Wm0azQRLGaWkGLpokIY+RwG7hmxfnB2fnAzdk47nuccnpxeAft65eyaP
hxdn3qkayvNmLZKRfVB5V/zxA9CXpo603Ho6bqr44s+UuEnOf8f0mpsMhBqL
lBKkWoUje7JuMWKufIN6KjPNjhAyC5DP5hYy4eKpQL72tmqg6ApBXHbF6CmT
gmBDFBQTvBqnFg7P53SIwMhhVj2Gt8dV5WkirW7BigXD5S0KvNsAFHThArT7
gYb+tblL8DuvB7DCeogb31EWAXLgHh4pPZMP7H2hofSmtErXm0bxMlT+mPvF
zm+XUTYbQsj+D42RDLVqfLOrWqXT+qBrQdiMyixC4QnF8fxIky6L2Pud/nrz
dbeVFH8Nx1AjR9/0/WFeaIhKbxrGf5ZDNiKjaQHhGXhR4I7tdZNELQK1tN0f
Vm4umKbzH6FppKy6NwAA

-->

</rfc>
