<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<?rfc strict="yes"?>
<?rfc comments="yes"?>
<?rfc docmapping="yes"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-dnsop-structured-dns-error-24" category="std" consensus="true" submissionType="IETF" updates="8914" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="Structured DNS Error">Structured Error Data for Filtered DNS</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-dnsop-structured-dns-error-24"/>
    <author fullname="Dan Wing">
      <organization abbrev="Citrix">Citrix Systems, Inc.</organization>
      <address>
        <postal>
          <country>United States of America</country>
        </postal>
        <email>danwing@gmail.com</email>
      </address>
    </author>
    <author fullname="Tirumaleswar Reddy">
      <organization>Nokia</organization>
      <address>
        <postal>
          <city>Bangalore</city>
          <region>Karnataka</region>
          <country>India</country>
        </postal>
        <email>kondtir@gmail.com</email>
      </address>
    </author>
    <author fullname="Neil Cook">
      <organization>Open-Xchange</organization>
      <address>
        <postal>
          <country>United Kingdom</country>
        </postal>
        <email>neil.cook@noware.co.uk</email>
      </address>
    </author>
    <author fullname="Mohamed Boucadair">
      <organization>Orange</organization>
      <address>
        <postal>
          <street>Rennes</street>
          <code>35000</code>
          <country>France</country>
        </postal>
        <email>mohamed.boucadair@orange.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Internet</area>
    <workgroup>DNS Operations Working Group</workgroup>
    <keyword>Customer experience</keyword>
    <keyword>Informed decision</keyword>
    <keyword>transparency</keyword>
    <keyword>enriched feedback</keyword>
    <abstract>
      <?line 82?>

<t>DNS filtering is widely deployed for various reasons, including
network security and policy enforcement. However, filtered DNS responses lack structured information
for end users to understand the reason for the filtering.
Existing mechanisms to provide explanatory details to end users cause harm
especially if the blocked DNS response is for HTTPS resources.</t>
      <t>This document updates RFC 8914 by signaling client support for structuring the EXTRA-TEXT field of
the Extended DNS Error to provide details on the DNS filtering. Such
details can be parsed by the client and displayed, logged, or used for
other purposes.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://ietf-wg-dnsop.github.io/draft-ietf-dnsop-structured-dns-error/draft-ietf-dnsop-structured-dns-error.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-dnsop-structured-dns-error/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        dnsop Working Group mailing list (<eref target="mailto:dnsop@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/dnsop/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/dnsop/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-structured-dns-error"/>.</t>
    </note>
  </front>
  <middle>
    <?line 95?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>DNS filters are deployed for a variety of reasons, e.g., endpoint
security, parental filtering, and filtering required by law
enforcement. Network-based security solutions such as firewalls and
Intrusion Prevention Systems (IPS) rely upon network traffic
inspection to implement perimeter-based security policies and operate
by filtering DNS responses. In a home network, DNS filtering is used for the
same reasons as above and additionally for parental control. Internet
Service Providers (ISPs) typically block access to some DNS domains due to a
requirement imposed by an external entity (e.g., law enforcement
agency) also performed using DNS-based content filtering.</t>
      <t>End users or network administrators leveraging DNS services that perform filtering may wish to receive more
explanatory information about such a filtering to resolve problems with the filter
-- for example, to contact the DNS service administrator to allowlist a DNS domain that
was erroneously filtered or to understand the reason a particular
domain was filtered. With that information, they can choose
to use another network, open a trouble ticket with the DNS service administrator to
resolve erroneous filtering, log the information, etc.</t>
      <t>For the DNS filtering mechanisms described in <xref target="existing-techniques"/>, the DNS
server can return extended error codes Blocked, Filtered, Censored, or
Forged Answer defined in <xref section="4" sectionFormat="of" target="RFC8914"/>. However, these codes
only explain that filtering occurred but lack detail for the user to
diagnose erroneous filtering.</t>
      <t>No matter which type of response is generated (forged IP address(es),
NXDOMAIN or empty answer, even with an extended error code), the end user
who triggered the DNS query has little chance to understand which
entity filtered the query, how to report a mistake in the filter, or
why the entity filtered it at all. This document describes a mechanism
to provide such detail.</t>
      <t>As noted in <xref section="6" sectionFormat="of" target="RFC7754"/>, promptly informing the endpoint that blocking has occurred provides necessary transparency to redress any errors, particularly as they relate to collateral damage introduced by errant filters.</t>
      <t>One of the other benefits of the approach described in this document is to eliminate the need to
"spoof" block pages for HTTPS resources. This is achieved since
clients implementing this approach would be able to display a
meaningful error message, and would not need to connect to such a
block page. This approach thus avoids the need to install a local root
certificate authority on those IT-managed devices.</t>
      <t>This document describes a format for machine-readable data in the
EXTRA-TEXT field of <xref target="RFC8914"/>. The document updates <xref section="2" sectionFormat="of" target="RFC8914"/>, which
says the information in EXTRA-TEXT field is intended for human
consumption (not automated parsing).</t>
      <t>This document does not recommend DNS filtering but provides a
mechanism for better transparency to explain to the end users why some DNS
queries are filtered.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>This document uses terms defined in DNS Terminology <xref target="RFC9499"/>.</t>
      <t>"Encrypted DNS" refers to any encrypted scheme to convey DNS messages,
for example, DNS over HTTPS (DoH) <xref target="RFC8484"/>, DNS over TLS (DoT) <xref target="RFC7858"/>, or
DNS over QUIC (DoQ) <xref target="RFC9250"/>.</t>
      <t>The document refers to an Extended DNS Error (EDE) using its purpose, not its
INFO-CODE as per Table 3 of <xref target="RFC8914"/>. "Forged Answer",
"Blocked", "Censored", and "Filtered" are thus used to refer to "Forged Answer (4)",
"Blocked (15)", "Censored (16)", and "Filtered (17)".</t>
      <t>In this document, "client security policy evaluation" refers to implementation-defined
decision-making performed by the DNS client or consuming application (e.g., web
browser) to
determine how, or whether, structured error information is used, displayed,
or acted upon.</t>
      <t>Structured DNS Error (SDE) is an EDNS(0) option indicating support for structured encoding of the EXTRA-TEXT field. See also <xref target="SDE"/>.</t>
      <t>"DNS administrator" refers to the party responsible for operating
and configuring the DNS server, including the definition of
filtering policies.</t>
      <t>"IT/InfoSec team" refers to the organizational team responsible
for receiving and handling end-user reports of misclassified DNS
filtering, including decisions on allowlisting domains or revising
filtering policies.</t>
    </section>
    <section anchor="existing-techniques">
      <name>DNS Filtering Techniques and Their Limitations</name>
      <t>DNS responses can be filtered by sending, e.g., a bogus (also called
"forged") response, NXDOMAIN error, or empty answer. Also, clients can be informed that filtering occurred by sending an
Extended DNS Error code defined in <xref target="RFC8914"/>. Each of these
methods have advantages and disadvantages that are discussed in the following subsections.</t>
      <section anchor="forged-responses">
        <name>Forged Responses</name>
        <t>The DNS response is forged to provide a list of IP addresses that
points to an HTTP(S) server alerting the end user about the reason for
blocking access to the requested domain (e.g., malware). If the host component <xref target="RFC3986"/>
of an HTTP URL is blocked, the network security device
(e.g., Customer Premises Equipment (CPE) or firewall) presents a block page instead of the HTTP
response from the content provider hosting that domain. This works successfully with HTTP.</t>
        <t>If this is an HTTPS URL, the network security device attempts to serve the block page over HTTPS.  In order to return a block page over HTTPS, the network security device uses a locally
generated root certificate and corresponding key pair. The local root certificate is
installed on the endpoint while the network security device stores a copy of the private key.
During the TLS handshake, the on-path network security device modifies the certificate
provided by the server and (re)signs it using the private key from the local root
certificate.</t>
        <t>Note that:</t>
        <ul spacing="normal">
          <li>
            <t>In deployments where DNSSEC is used, this approach becomes ineffective because DNSSEC
ensures the integrity and authenticity of DNS responses, preventing forged DNS
responses from being accepted.</t>
          </li>
          <li>
            <t>The HTTPS server hosted on the network security device will have access to the
client's IP address, the hostname, and the URL path component of the request. This information will be sensitive, as it will expose the end user's identity and the specific resource that an end user attempted to access.</t>
          </li>
          <li>
            <t>Configuring a local root certificate on endpoints is
not a viable option in several deployments like home networks,
schools, Small Office/Home Office (SOHO), or Small/Medium
Enterprise (SME). In these cases, the typical behavior is that
the filtered DNS response points to a server that will display
the block page. If the client is using HTTPS (via a web browser or
another application) this results in a certificate validation
error which gives no information to the end user about the reason
for the DNS filtering.</t>
          </li>
          <li>
            <t>Enterprise networks do not always assume that all the connected devices
are managed by the IT team or Mobile Device Management (MDM)
devices, especially in the quite common Bring Your Own Device
(BYOD) scenario. In addition, the local root certificate cannot
be installed on IoT devices without a device management tool.</t>
          </li>
          <li>
            <t>An end user does not know why the connection was prevented and,
consequently, may repeatedly try to reach the domain but with no
success. Frustrated, the end user may switch to an alternate
network that offers no DNS filtering against malware and
phishing, potentially compromising both security and
privacy. Furthermore, certificate errors train end users to click
through certificate errors, which is a bad security practice. To
eliminate the need for an end user to click through certificate
errors, an end user may manually install a local root certificate
on a host device. Doing so, however, is also a bad security
practice as it creates a security vulnerability that may be
exploited by a MITM attack. When a manually installed local root
certificate expires, the end user has to (again) manually install the
new local root certificate.</t>
          </li>
        </ul>
      </section>
      <section anchor="forged-nxdomain-answer">
        <name>Forged NXDOMAIN Answer</name>
        <t>The DNS response is forged to provide an NXDOMAIN answer, causing the DNS lookup to fail. This approach is incompatible with DNSSEC when the client performs validation, as the forged response will fail DNSSEC checks. However, in deployments where the client relies on the DNS server to perform DNSSEC validation, a filtering DNS server can forge an NXDOMAIN response for a valid domain, and the client will trust it. This undermines the integrity guarantees of DNSSEC, as the client has no way to distinguish between a genuine and a forged response. Further, the end user may not understand why a domain cannot be reached and may repeatedly attempt access without success. Frustrated, the end user may resort to using insecure methods to reach the domain, potentially compromising both security and privacy.</t>
      </section>
      <section anchor="extended-error-codes-edes">
        <name>Extended Error Codes (EDEs)</name>
        <t>The extended error codes Blocked and Filtered defined in
<xref section="4" sectionFormat="of" target="RFC8914"/> can be returned by a DNS server to provide
additional information about the cause of a DNS error.
These extended error codes do not suffer from the limitations
discussed in bullets (1) and (2), but the user still does not know the
exact reason nor is aware of the exact entity blocking the
access to the domain. For example, a DNS server may block access to a
domain based on the content category such as "Malware" to protect the
endpoint from malicious software, "Phishing" to prevent the end user from
revealing sensitive information to the attacker, etc. An end user may need to
know the contact details of the IT/InfoSec team to raise a complaint.
Further, the information conveyed by <xref target="RFC8914"/> is intended for
diagnostic purposes and is not structured for automated processing,
localization, or extensibility.</t>
        <t>This document defines a structured,
machine-readable format for conveying such details in the EXTRA-TEXT
field, enabling clients to process the information programmatically
and present it to end users (e.g., with localization support), while
allowing for extensibility and more granular, client security
policy-driven handling of the information. This specification requires
that clients only act upon such information when it is received
over an integrity-protected DNS response.</t>
      </section>
    </section>
    <section anchor="name-spec">
      <name>I-JSON in EXTRA-TEXT Field</name>
      <section anchor="json-names">
        <name>JSON Names</name>
        <t>DNS servers that are compliant with this specification and have received an indication that the client also supports this specification as per <xref target="client-request"/> send data in the EXTRA-TEXT field <xref target="RFC8914"/> as a JSON object encoded using the Internet JSON (I-JSON) message format <xref target="RFC7493"/>.</t>
        <t>This document defines the following JSON names:</t>
        <dl>
          <dt>c: (contact)</dt>
          <dd>
            <t>The contact details of the IT/InfoSec team to report misclassified
DNS filtering. This information is important for transparency and also to ease unblocking a legitimate domain name that got blocked due to wrong classification.</t>
          </dd>
          <dt/>
          <dd>
            <t>The field is a JSON array of contact URIs. When multiple contact details are provided, each contact URI is
represented as a separate array element in the JSON array.</t>
          </dd>
          <dt/>
          <dd>
            <t>Contact URIs conveyed in the "c" field <bcp14>MUST</bcp14> use URI schemes registered in <xref target="IANA-Contact"/>.</t>
          </dd>
          <dt/>
          <dd>
            <t>This field is optional.</t>
          </dd>
          <dt>j: (justification)</dt>
          <dd>
            <t>'UTF-8'-encoded <xref target="RFC5198"/> human-readable explanation for the DNS
filtering decision.</t>
          </dd>
          <dt/>
          <dd>
            <t>This field is particularly useful when no applicable sub-error code
is defined or provided for the returned Extended DNS Error.</t>
          </dd>
          <dt/>
          <dd>
            <t>The information conveyed in this field <bcp14>MUST NOT</bcp14> be used as input to
automated processing that affects security policy enforcement or DNS
protocol behavior.</t>
          </dd>
          <dt/>
          <dd>
            <t>The DNS client determines, according to its client security policy,
whether the contents of this field are displayed to the end user,
logged, or ignored.</t>
          </dd>
          <dt/>
          <dd>
            <t>Returning non-UTF-8 data, syntactically invalid content, or
deliberately meaningless values (including empty strings) indicates that
a DNS server is misbehaving.</t>
          </dd>
          <dt/>
          <dd>
            <t>This field is optional.</t>
          </dd>
          <dt>s: (sub-error)</dt>
          <dd>
            <t>An integer representing the sub-error code for this particular DNS filtering case.</t>
          </dd>
          <dt/>
          <dd>
            <t>The integer values are defined in the IANA-managed registry for Extended DNS Sub-Error Codes in <xref target="IANA-SubError"/>.</t>
          </dd>
          <dt/>
          <dd>
            <t>This field is optional.</t>
          </dd>
          <dt/>
          <dd>
            <t>When multiple blocking causes apply simultaneously
(e.g., a domain is blocked for both malware and phishing reasons),
a single SDE response is returned. If "s" is supplied, then the "s" field <bcp14>MUST</bcp14> convey the
primary blocking cause. In such case, the "j" field <bcp14>MUST</bcp14> be used to provide
additional context describing all applicable causes.</t>
          </dd>
          <dt>o: (organization)</dt>
          <dd>
            <t>'UTF-8'-encoded human-friendly name of the organization that filtered this particular DNS query.</t>
          </dd>
          <dt/>
          <dd>
            <t>This field is optional.</t>
          </dd>
          <dt>l: (language)</dt>
          <dd>
            <t>The "l" field indicates the language used for the JSON-encoded "j" and "o" fields.  The value of this field <bcp14>MUST</bcp14> conform to the
language tag syntax specified in <xref section="2.1" sectionFormat="of" target="RFC5646"/>.</t>
          </dd>
          <dt/>
          <dd>
            <t>This field is <bcp14>REQUIRED</bcp14> when either the "j" or "o" fields are present.</t>
          </dd>
        </dl>
        <t>The text in the "j" and "o" names can include international
characters. The text will be in natural language, chosen by the DNS administrator
to match its expected audience.</t>
        <t>The "o" field <bcp14>MAY</bcp14> be displayed to end users, subject to the conditions described in <xref target="security"/>.</t>
        <t>To avoid exceeding the maximum EDNS0 size <xref target="RFC9715"/>, the generated JSON values <bcp14>SHOULD</bcp14> be as short as
possible: concise text in the values for the "j"
and "o" names, and minified JSON (that is, without spaces or line
breaks between JSON elements). Otherwise, there is a risk that the response will get fragmented.</t>
        <t>The JSON data can be parsed to display to the user, logged, or
otherwise used to assist troubleshooting and diagnosis of DNS filtering.</t>
        <t>The sub-error codes provide a structured way to communicate more detailed and precise description of the cause of an error (e.g., distinguishing between malware-related blocking and phishing-related blocking under the general blocked error).</t>
        <ul empty="true">
          <li>
            <t>An alternate design for conveying the sub-error would be to define new EDE codes for these errors. However, such design is suboptimal because it requires replicating an error code for each EDE code to which the sub-error applies (e.g., "Malware" sub-error in <xref target="reg"/> would consume three EDE codes).</t>
          </li>
        </ul>
      </section>
      <section anchor="future-json-names-requirements">
        <name>Future JSON Names Requirements</name>
        <t>New JSON names may be defined in the future. This section specifies the requirements to take into account for such names.</t>
        <t>New JSON names <bcp14>MUST</bcp14> consist only of lower-case ASCII characters, digits,
and hyphen-minus (that is, Unicode characters U+0061 through 007A,
U+0030 through U+0039, and U+002D). Also, these names <bcp14>MUST</bcp14> be 63
characters or shorter and it is <bcp14>RECOMMENDED</bcp14> they be as short as
possible to reduce contribution to exceeding maximum EDNS0 response
size. Refer to <xref target="RFC9715"/> for a discusson on IP fragmentation avoidance in DNS.</t>
      </section>
    </section>
    <section anchor="protocol-operation">
      <name>Protocol Operation</name>
      <section anchor="client-request">
        <name>Client Generating Request</name>
        <t>When generating a DNS query, a client that supports this specification
<bcp14>SHOULD</bcp14> include the Structured DNS Error (SDE) option defined in <xref target="SDE"/>, unless instructed by local policy otherwise.</t>
        <t>The presence of the SDE option indicates that the client desires the
DNS server to include an EDE option in the DNS response when DNS
filtering is performed and that any data conveyed in the EXTRA-TEXT
field of the EDE option is encoded in accordance with
this specification.</t>
      </section>
      <section anchor="server-response">
        <name>Server Generating Response</name>
        <t>When the DNS server filters its DNS response to a
query (e.g., A or AAAA resource record query), the DNS response <bcp14>MAY</bcp14> contain an empty answer, NXDOMAIN, or (less
ideally) forged response, as desired by the DNS
server.</t>
        <t>If the query contained the SDE EDNS option (<xref target="client-request"/>), and the DNS server returns an EDE code of "Blocked", "Filtered", "Censored", or "Blocked by Upstream DNS Server", the DNS server <bcp14>SHOULD</bcp14> include additional detail in the EXTRA-TEXT field encoded as structured and machine-readable data in accordance with the present specification, unless configured otherwise. If the DNS response is sent over UDP and including the additional detail would cause the response to exceed the EDNS0 size
<xref target="RFC9715"/> (and thus setting TC=1), the server <bcp14>MUST</bcp14> first attempt to reduce the response size by omitting the "j" and "o" fields before omitting the EXTRA-TEXT entirely. In deployments using DoT, DoH, or DoQ, transport size limitations are unlikely to necessitate omission of structured data in the EXTRA-TEXT field.</t>
        <t>If the SDE option was not present in the DNS request, the DNS server <bcp14>MUST</bcp14> process the request in accordance with <xref target="RFC8914"/> and <bcp14>MUST NOT</bcp14> assume that the client supports this specification. This preserves compatibility with clients and servers that implement <xref target="RFC8914"/> but do not support this specification.</t>
        <t>Servers <bcp14>MAY</bcp14> return small TTL values in filtered DNS
responses (e.g., 10 seconds) to handle domain category and reputation
updates. Short TTLs allow for quick adaptation to dynamic changes in domain filtering decisions,
but can result in increased query traffic. In cases where updates are less frequent,
TTL values of 30 to 60 seconds might provide a better balance, reducing server load while
still ensuring reasonable flexibility for updates.</t>
        <t>If the query includes the SDE option as per <xref target="client-request"/>, the server <bcp14>MUST
NOT</bcp14> return the "Forged Answer" extended error code because the client
can take advantage of EDE's more sophisticated error reporting (e.g.,
"Filtered" or "Blocked").  Continuing to send "Forged
Answer" even to an EDE-supporting client will cause the persistence of
the drawbacks described in <xref target="existing-techniques"/>.</t>
        <t>When the "Censored" extended error code is included in the DNS response,
the "c", "j", "o", and "l" fields may be conveyed in the EXTRA-TEXT field.
The sub-error codes defined in this specification are not applicable to
the "Censored" extended error code and <bcp14>MUST NOT</bcp14> be used in conjunction with it.
Future specifications may update this behavior by defining sub-error codes
applicable to "Censored".</t>
      </section>
      <section anchor="client-processing">
        <name>Client Processing Response</name>
        <t>On receipt of a DNS response with an EDE option from a
DNS server, the following ordered actions are performed on the EXTRA-TEXT
field:</t>
        <ol spacing="normal" type="1"><li>
            <t>If the integrity of the DNS response is not guaranteed, the
DNS client <bcp14>MUST NOT</bcp14> act upon data in the EXTRA-TEXT field, as the data
is vulnerable to
modification by an on-path attacker. An attacker can inject or
modify a structured DNS error response in transit without detection,
enabling fabrication of filtering information (e.g., misleading contact
information or false resolver identity information) that appears to
originate from the resolver. The data <bcp14>MAY</bcp14> be retained for diagnostic or
client security policy evaluation purposes.</t>
          </li>
          <li>
            <t>The DNS response <bcp14>MUST</bcp14> also contain an EDE code of
"Blocked by Upstream DNS Server", "Blocked", "Censored", or "Filtered" <xref target="RFC8914"/>,
otherwise the EXTRA-TEXT field is discarded.</t>
          </li>
          <li>
            <t>Servers that do not support this specification might use plain text in the
EXTRA-TEXT field. To ensure compatibility with those, DNS clients <bcp14>SHOULD</bcp14> handle both plaintext and structured content. The client attempts to parse the EXTRA-TEXT field as I-JSON. If parsing fails or the content is not valid I-JSON, the client <bcp14>MUST</bcp14> treat the data as invalid and <bcp14>MUST NOT</bcp14> process it according to this specification. The client <bcp14>MAY</bcp14> instead process the EXTRA-TEXT field as unstructured text as specified in <xref target="RFC8914"/>.</t>
          </li>
          <li>
            <t>If the JSON object contains an "s" field and the sub-error code
is not defined as applicable to the accompanying Extended DNS Error
(EDE) code, the client <bcp14>MUST</bcp14> ignore the value of the "s" field
and continue processing the remaining fields in accordance with this
specification.</t>
          </li>
          <li>
            <t>If the EXTRA-TEXT field does not contain at least one of the JSON
names "c", "j", or "s", or if all of the fields that are present have
empty values, the entire JSON object <bcp14>MUST</bcp14> be discarded.</t>
          </li>
          <li>
            <t>If the JSON object contains a "c" field any of its Contact URIs
with schemes not registered in the <xref target="IANA-Contact"/> registry are
ignored. Remaining Contact URIs using registered schemes can be
processed.</t>
          </li>
          <li>
            <t>If the identity of the DNS server cannot be verified (e.g., when
using opportunistic privacy such as <xref section="5" sectionFormat="of" target="RFC8310"/> or opportunistic discovery <xref target="RFC9462"/>), the DNS client <bcp14>MUST</bcp14> ignore the "c", "j", and "o" fields, as these fields may influence end user behavior and are vulnerable to active attacks in the absence of resolver authentication. If the DNS response was received over an encrypted connection without server authentication, the client <bcp14>MAY</bcp14> process the "s" field and other parts of the response, as the "s" field is a registry-defined, enumerated value and does not contain free-form text.</t>
          </li>
          <li>
            <t>If the DNS client uses an authenticated connection to the DNS server (e.g., when
using a strict privacy profile for DoT (<xref section="5" sectionFormat="of" target="RFC8310"/>) or an authenticated DoH or DoQ connection), this mitigates both passive eavesdropping and client redirection (at the expense of providing no DNS service if such a connection is not available). In such cases, the DNS client <bcp14>MAY</bcp14> process the EXTRA-TEXT field of the DNS response.</t>
          </li>
          <li>
            <t>The DNS client <bcp14>MUST</bcp14> ignore any other JSON names that it does not support.</t>
          </li>
        </ol>
        <ul empty="true">
          <li>
            <t>Note that the strict and opportunistic privacy profiles as defined in <xref target="RFC8310"/> only apply to DoT; there has been
no such distinction made for DoH.</t>
          </li>
        </ul>
      </section>
      <section anchor="SDE">
        <name>Structured DNS Error (SDE) EDNS(0) Option Format</name>
        <t>The Structured DNS Error (SDE) EDNS(0) option is used by a client to
indicate support for I-JSON encoding in the EXTRA-TEXT field of an
Extended DNS Error (EDE) option.</t>
        <t>The SDE option has no OPTION-DATA. The OPTION-LENGTH field <bcp14>MUST</bcp14>
be set to 0. A server receiving an SDE option with a non-zero
OPTION-LENGTH <bcp14>MUST</bcp14> silently ignore the OPTION-DATA.</t>
        <t>The presence of the SDE option in a query indicates that the client
supports processing the EXTRA-TEXT field in accordance with this
specification.</t>
      </section>
    </section>
    <section anchor="new-sub-error-codes-definition">
      <name>New Sub-Error Codes Definition</name>
      <t>The document defines the following new IANA-registered Sub-Error codes. See <xref target="IANA-SubError"/>.</t>
      <section anchor="policy-reserved">
        <name>Reserved</name>
        <t>This sub-error code value <bcp14>MUST NOT</bcp14> be sent. If received, it has no meaning.</t>
      </section>
      <section anchor="policy-network">
        <name>Network Operator Policy</name>
        <t>The code indicates that the request was filtered according to a policy imposed by the operator of the local network (where local network is a relative term, e.g., it may refer to a Local Area Network or to the network of the ISP selected by the end user).</t>
      </section>
      <section anchor="policy-dns">
        <name>DNS Operator Policy</name>
        <t>The code indicates that the request was filtered according to policy determined by the operator of the DNS server. This is different from the "Network Operator Policy" code when a third-party DNS resolver is used.</t>
      </section>
    </section>
    <section anchor="new-extended-dns-errors">
      <name>New Extended DNS Errors</name>
      <t>This document defines an addition to the EDE codes defined in <xref target="RFC8914"/>.</t>
      <section anchor="extended-dns-error-code-tba1-blocked-by-upstream-dns-server">
        <name>Extended DNS Error Code TBA1 - Blocked by Upstream DNS Server</name>
        <t>The DNS server is unable to respond to the request
because the domain is on a blocklist due to an internal security policy
imposed by an upstream DNS server. This error code
is useful in deployments where a network-provided DNS forwarder
is configured to use an external resolver that filters malicious
domains. When the DNS forwarder receives a Blocked (15) error code
from the upstream DNS server, it can replace it with
"Blocked by Upstream DNS Server" (TBA1) before forwarding
the reply to the DNS client. Additionally, the EXTRA-TEXT field may
be forwarded to the DNS client.</t>
        <t>Implementations should ensure that the communication channel with the
upstream DNS server provides adequate integrity protection to mitigate
the threats described in step 1 of <xref target="client-processing"/>.</t>
      </section>
    </section>
    <section anchor="examples">
      <name>Examples</name>
      <t>An example showing the nameserver at 'ns.example.net' that filtered a
DNS "A" record query for 'example.org' is provided in <xref target="example-json"/>.</t>
      <figure anchor="example-json">
        <name>JSON Returned in EXTRA-TEXT Field of Extended DNS Error Response</name>
        <artwork><![CDATA[
{
  "c": [
    "tel:+358-555-1234567"
  ],
  "j": "malware present for 23 days",
  "s": 1,
  "o": "example-org",
  "l": "en"
}
]]></artwork>
      </figure>
      <t>In <xref target="example-json-minified"/> the same content is shown with minified JSON (no
whitespace, no blank lines) with <tt>'\'</tt> line wrapping per <xref target="RFC8792"/>.</t>
      <figure anchor="example-json-minified">
        <name>Minified Response</name>
        <artwork><![CDATA[
{ "c":["tel:+358-555-1234567"],\
"j":"malware present for 23 days",\
"s":1,\
"o":"example-org",\
"l":"en" }
]]></artwork>
      </figure>
      <t><xref target="example-dig"/> shows how the SDE and EDE options appear in a <tt>dig</tt> response for the same query.</t>
      <figure anchor="example-dig">
        <name>dig Response Showing SDE and EDE Options</name>
        <artwork><![CDATA[
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=TBD1 (Structured DNS Error): (no data)
; EDE: 15 (Blocked): ({"c":["tel:+358-555-1234567"],\
  "j":"malware present for 23 days",\
  "s":1,"o":"example-org","l":"en"})
]]></artwork>
      </figure>
    </section>
    <section anchor="operational-considerations">
      <name>Operational Considerations</name>
      <t>When a forwarder receives an EDE option, whether or not (and how) to pass along JSON information in the
EXTRA-TEXT field to its client is implementation-dependent <xref target="RFC5625"/> and depends on operator policy. Implementations <bcp14>MAY</bcp14> choose not to
forward the JSON information, or they <bcp14>MAY</bcp14> choose to create a new EDE option that conveys the information in the
"c", "s", and "j" fields encoded in the JSON object.</t>
      <t>The application that triggered the DNS request may have a client security policy to override the contact information (e.g., redirect all complaint calls to a single contact point). In such cases, the content of the "c" attribute <bcp14>MAY</bcp14> be ignored.</t>
      <section anchor="backward-compatibility">
        <name>Backward Compatibility</name>
        <t>Future extensions <bcp14>MUST NOT</bcp14> introduce mandatory JSON attributes, as existing implementations are required to ignore unknown JSON names (see <xref target="client-processing"/>).</t>
      </section>
      <section anchor="client-updates">
        <name>Client Updates</name>
        <t>The specification relies on several IANA-maintained registries. In particular, since the content of these registries may change with time, clients that implement this extension have to periodically update the list of supported values in the "Contact URI Schemes" registry <xref target="IANA-Contact"/> to avoid discarding a recently-added Contact URI.</t>
      </section>
    </section>
    <section anchor="security">
      <name>Security Considerations</name>
      <section anchor="authentication-and-confidentiality">
        <name>Authentication and Confidentiality</name>
        <t>Security considerations in <xref section="6" sectionFormat="of" target="RFC8914"/> apply to this
document. <xref target="RFC8914"/> cautions against relying on EDE information because it may be unauthenticated and transmitted in cleartext. This specification assumes the use of authenticated, integrity-protected DNS transports (e.g., DoT, DoH, or DoQ). Such transports <bcp14>MUST</bcp14> be based on TLS 1.3 <xref target="RFC8446"/> or later.  Under these conditions, EDE information is integrity-protected, reducing the risks associated with relying on structured EDE content.</t>
        <t>To minimize impact of active on-path attacks on the DNS channel, the
client validates the response as described in <xref target="client-processing"/>.</t>
      </section>
      <section anchor="restrictions-on-display-of-c-o-and-j-fields">
        <name>Restrictions on Display of "c", "o", and "j" Fields</name>
        <t>A client might choose to display the information in the "c" field
to the end user if and only if the encrypted resolver has sufficient
reputation, according to some client security policy (e.g.,
administrative configuration, or a built-in list of respectable
resolvers). This limits the ability of a malicious encrypted resolver
to cause harm. For example, an end user can use the details in the "c" field to contact an attacker
to solve the problem of being unable to reach a domain. The attacker can mislead the end user to
install malware or spyware to compromise the device security posture or mislead the end user to reveal
personal data.
If the client decides not to display all of the
information in the EXTRA-TEXT field, it can be logged for diagnostics
purpose and the client can only display the resolver hostname that
blocked the domain, error description for the EDE code and the
sub-error description for the "s" field to the end user.</t>
        <t>The same client security policy considerations apply to the display of the "j" field, as it
contains free-form, human-readable text that may influence end user behavior.</t>
        <t>When displaying the free-form text of "o", the client <bcp14>MUST
NOT</bcp14> make any of those elements into actionable (clickable) links and these
fields need to be rendered as text, not as HTML. The contact details of "c" can be made
into clickable links to provide a convenient way for end users to initiate, e.g., voice calls. The client might
choose to display the contact details only when the identity of the DNS server is verified.</t>
        <t>Clients <bcp14>MUST NOT</bcp14> automatically initiate connections to URIs derived from the EXTRA-TEXT field. Doing so could allow a resolver to silently report client activity to third parties, enable denial-of-service reflection attacks, or be used to entrap a client. The restriction of Contact URI schemes to "tel" and "mailto" is intentional, as these schemes do not result in automatic HTTP connections.</t>
        <t>Furthermore, clients <bcp14>MUST NOT</bcp14> display the value of the <tt>"o"</tt> field to the end user unless one of the following
conditions is met:</t>
        <ul spacing="normal">
          <li>
            <t>The value matches a registered organization name in a trust list maintained by the client, OR</t>
          </li>
          <li>
            <t>The value consists solely of an organization name and does not contain any additional free-form content (e.g., URLs), as determined by client security policy or heuristics.</t>
          </li>
        </ul>
        <t>If the organization name cannot be verified through registry checks or heuristics, the client <bcp14>MUST NOT</bcp14> display the "o" field to the end user.</t>
        <t>It is beyond the scope of this document to describe how the trust list is created and updated, and how the structured DNS error response interacts with the trust list to influence user experience or user interface elements.</t>
        <t>DNS clients <bcp14>MAY</bcp14> keep all fields conveyed in the EXTRA-TEXT field for evaluation according to the client security  policy. Such data <bcp14>MUST NOT</bcp14> be automatically trusted, displayed to end users, or used to influence security decisions without appropriate validation.</t>
      </section>
      <section anchor="security-risks-from-legacy-dns-forwarders">
        <name>Security Risks from Legacy DNS Forwarders</name>
        <t>An attacker might inject (or modify) the EDE EXTRA-TEXT field with a
DNS proxy or DNS forwarder that is unaware of EDE. Such a DNS proxy or
DNS forwarder will forward that attacker-controlled EDE option.  To
prevent such an attack, clients can be configured to process EDE only from
explicitly configured DNS servers or utilize RESINFO
<xref target="RFC9606"/>.</t>
      </section>
      <section anchor="privacy-considerations">
        <name>Privacy Considerations</name>
        <t>The EXTRA-TEXT field may reveal details about the filtering organization and its policies. Clients <bcp14>MUST NOT</bcp14> log or transmit the contents of the EXTRA-TEXT field to third parties without the end user's knowledge.</t>
        <t>This specification requires the use of an encrypted DNS transport (e.g., DoT, DoH, or DoQ), which protects both the DNS query and the structured error response from passive observers.</t>
      </section>
    </section>
    <section anchor="IANA">
      <name>IANA Considerations</name>
      <t>This document requests five IANA actions as described in the following subsections.</t>
      <ul empty="true">
        <li>
          <t>Notes to the RFC Editor: Please replace RFCXXXX with the RFC number assigned to this document and "TBA1" with the value assigned by IANA, and replace "TBD1" in <xref target="example-dig"/> with the value assigned by IANA.</t>
        </li>
      </ul>
      <section anchor="structured-dns-error-edns-option">
        <name>Structured DNS Error EDNS Option</name>
        <t>IANA is requested to register the following new EDNS(0) Option Code in the
"DNS EDNS0 Option Codes (OPT)" registry under the "Domain Name System (DNS) Parameters" registry group <xref target="IANA-DNS"/>:</t>
        <dl>
          <dt>Value:</dt>
          <dd>
            <t>TBD</t>
          </dd>
          <dt>Name:</dt>
          <dd>
            <t>Structured DNS Error</t>
          </dd>
          <dt>Status:</dt>
          <dd>
            <t>Standard</t>
          </dd>
          <dt>Reference:</dt>
          <dd>
            <t>RFC XXXX</t>
          </dd>
        </dl>
      </section>
      <section anchor="IANA-Names">
        <name>New Registry for JSON Names</name>
        <t>This document requests IANA to create a new registry, entitled "EXTRA-TEXT JSON Names"
under "Extended DNS Error Codes" registry, which is under the "Domain Name System (DNS) Parameters" registry group <xref target="IANA-DNS"/>. The registration request for a new JSON name must include the following fields:</t>
        <dl>
          <dt>JSON Name:</dt>
          <dd>
            <t>Specifies the name of an attribute that is present in the JSON data enclosed in EXTRA-TEXT field. The name must follow the guidelines in <xref target="name-spec"/>.</t>
          </dd>
          <dt>Field Meaning:</dt>
          <dd>
            <t>Provides a brief, human-readable label summarizing the purpose of the JSON attribute.</t>
          </dd>
          <dt>Short description:</dt>
          <dd>
            <t>Includes a short description of the requested JSON name.</t>
          </dd>
          <dt>Specification:</dt>
          <dd>
            <t>Provides a pointer to the reference document that specifies the attribute.</t>
          </dd>
        </dl>
        <t>The registry is initially populated with the following values:</t>
        <table anchor="reg-names">
          <name>Initial JSON Names Registry</name>
          <thead>
            <tr>
              <th align="center">JSON Name</th>
              <th align="left">Field Meaning</th>
              <th align="left">Description</th>
              <th align="center">Specification</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="center">c</td>
              <td align="left">contact</td>
              <td align="left">The contact details of the IT/InfoSec team to report misclassified DNS filtering</td>
              <td align="center">
                <xref target="name-spec"/> of RFCXXXX</td>
            </tr>
            <tr>
              <td align="center">j</td>
              <td align="left">justification</td>
              <td align="left">UTF-8-encoded <xref target="RFC5198"/> textual justification for a particular DNS filtering</td>
              <td align="center">
                <xref target="name-spec"/> of RFCXXXX</td>
            </tr>
            <tr>
              <td align="center">s</td>
              <td align="left">sub-error</td>
              <td align="left">Integer representing the sub-error code for this DNS filtering case</td>
              <td align="center">
                <xref target="name-spec"/> of RFCXXXX</td>
            </tr>
            <tr>
              <td align="center">o</td>
              <td align="left">organization</td>
              <td align="left">UTF-8-encoded human-friendly name of the organization that filtered this particular DNS query</td>
              <td align="center">
                <xref target="name-spec"/> of RFCXXXX</td>
            </tr>
            <tr>
              <td align="center">l</td>
              <td align="left">language</td>
              <td align="left">Indicates the language of the "j" and "o" fields as defined in <xref target="RFC5646"/></td>
              <td align="center">
                <xref target="name-spec"/> of RFCXXXX</td>
            </tr>
          </tbody>
        </table>
        <t>New JSON names are registered via IETF Review (<xref section="4.8" sectionFormat="of" target="RFC8126"/>) and their formatting
constraints are described in <xref target="name-spec"/>.</t>
      </section>
      <section anchor="IANA-Contact">
        <name>New Registry for Contact URI Scheme</name>
        <t>This document requests IANA to create a new registry, entitled "Contact URI Schemes"
under "Extended DNS Error Codes"
registry, which is under the "Domain Name System (DNS) Parameters" registry group <xref target="IANA-DNS"/>. The registration request for a new Contact URI scheme has to include the
following fields:</t>
        <ul spacing="normal">
          <li>
            <t>Name: URI scheme name.</t>
          </li>
          <li>
            <t>Meaning: Provides a short description of the scheme.</t>
          </li>
          <li>
            <t>Reference: Provides a pointer to an IETF-approved specification that defines
the URI scheme.</t>
          </li>
        </ul>
        <t>The Contact URI scheme registry is initially populated with the
following schemes:</t>
        <table>
          <thead>
            <tr>
              <th align="center">Name</th>
              <th align="left">Meaning</th>
              <th align="center">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="center">tel</td>
              <td align="left">Telephone Number</td>
              <td align="center">
                <xref target="RFC3966"/></td>
            </tr>
            <tr>
              <td align="center">mailto</td>
              <td align="left">Internet mail</td>
              <td align="center">
                <xref target="RFC6068"/></td>
            </tr>
          </tbody>
        </table>
        <t>The registration procedure for adding new Contact URI schemes to the "Contact URI Schemes" registry is "IETF
Review" as defined in <xref section="4.8" sectionFormat="of" target="RFC8126"/>.</t>
      </section>
      <section anchor="IANA-SubError">
        <name>New Registry for Extended DNS Sub-Error Codes</name>
        <t>This document requests IANA to create a new registry, entitled "Extended DNS Sub-Error Codes"
under "Extended DNS Error Codes" registry, which is under the "Domain Name System (DNS) Parameters" registry group <xref target="IANA-DNS"/>. The registration request for a new sub-error code must include the
following fields:</t>
        <ul spacing="normal">
          <li>
            <t>Number: Is the wire format sub-error code (range 0-255).</t>
          </li>
          <li>
            <t>Meaning: Provides a short description of the sub-error.</t>
          </li>
          <li>
            <t>EDE Codes Applicability: Indicates which Extended DNS Error (EDE) Codes apply to this sub-error code.</t>
          </li>
          <li>
            <t>Reference: Provides a pointer to an IETF-approved specification that registered
the code and/or an authoritative specification that describes the
meaning of this code.</t>
          </li>
        </ul>
        <t>The Sub-Error Code registry is initially populated with the
following values:</t>
        <table anchor="reg">
          <name>Initial Sub-Error Code Registry</name>
          <thead>
            <tr>
              <th align="center">Number</th>
              <th align="left">Meaning</th>
              <th align="left">EDE Codes Applicability</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="center">0</td>
              <td align="left">Reserved</td>
              <td align="left">Not used</td>
              <td align="left">
                <xref target="policy-reserved"/> of this document</td>
            </tr>
            <tr>
              <td align="center">1</td>
              <td align="left">Malware</td>
              <td align="left">"Blocked", "Blocked by Upstream DNS Server", "Filtered"</td>
              <td align="left">Section 5.5 of <xref target="RFC5901"/></td>
            </tr>
            <tr>
              <td align="center">2</td>
              <td align="left">Phishing</td>
              <td align="left">"Blocked", "Blocked by Upstream DNS Server", "Filtered"</td>
              <td align="left">Section 5.5 of <xref target="RFC5901"/></td>
            </tr>
            <tr>
              <td align="center">3</td>
              <td align="left">Spam</td>
              <td align="left">"Blocked", "Blocked by Upstream DNS Server", "Filtered"</td>
              <td align="left">Page 289 of <xref target="RFC4949"/></td>
            </tr>
            <tr>
              <td align="center">4</td>
              <td align="left">Spyware</td>
              <td align="left">"Blocked", "Blocked by Upstream DNS Server", "Filtered"</td>
              <td align="left">Page 291 of <xref target="RFC4949"/></td>
            </tr>
            <tr>
              <td align="center">5</td>
              <td align="left">Network operator policy</td>
              <td align="left">"Blocked"</td>
              <td align="left">
                <xref target="policy-network"/> of this document</td>
            </tr>
            <tr>
              <td align="center">6</td>
              <td align="left">DNS operator policy</td>
              <td align="left">"Blocked"</td>
              <td align="left">
                <xref target="policy-dns"/> of this document</td>
            </tr>
          </tbody>
        </table>
        <t>The registration procedure to add new Sub-Error Codes is IETF Review as defined in <xref section="4.8" sectionFormat="of" target="RFC8126"/>.</t>
      </section>
      <section anchor="new-extended-dns-error-code">
        <name>New Extended DNS Error Code</name>
        <t>IANA is requested to assign the following Extended DNS Error code from the "Extended DNS Error Codes"
registry under the "Domain Name System (DNS) Parameters" registry group <xref target="IANA-DNS"/>:</t>
        <table anchor="reg-ede">
          <name>New DNS Error Code</name>
          <thead>
            <tr>
              <th align="center">INFO-CODE</th>
              <th align="left">Purpose</th>
              <th align="center">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="center">TBA1</td>
              <td align="left">Blocked by Upstream DNS Server</td>
              <td align="center">RFCXXXX</td>
            </tr>
          </tbody>
        </table>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC8914">
          <front>
            <title>Extended DNS Errors</title>
            <author fullname="W. Kumari" initials="W." surname="Kumari"/>
            <author fullname="E. Hunt" initials="E." surname="Hunt"/>
            <author fullname="R. Arends" initials="R." surname="Arends"/>
            <author fullname="W. Hardaker" initials="W." surname="Hardaker"/>
            <author fullname="D. Lawrence" initials="D." surname="Lawrence"/>
            <date month="October" year="2020"/>
            <abstract>
              <t>This document defines an extensible method to return additional information about the cause of DNS errors. Though created primarily to extend SERVFAIL to provide additional information about the cause of DNS and DNSSEC failures, the Extended DNS Errors option defined in this document allows all response types to contain extended error information. Extended DNS Error information does not change the processing of RCODEs.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8914"/>
          <seriesInfo name="DOI" value="10.17487/RFC8914"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC9499">
          <front>
            <title>DNS Terminology</title>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <author fullname="K. Fujiwara" initials="K." surname="Fujiwara"/>
            <date month="March" year="2024"/>
            <abstract>
              <t>The Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document.</t>
              <t>This document updates RFC 2308 by clarifying the definitions of "forwarder" and "QNAME". It obsoletes RFC 8499 by adding multiple terms and clarifications. Comprehensive lists of changed and new definitions can be found in Appendices A and B.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="219"/>
          <seriesInfo name="RFC" value="9499"/>
          <seriesInfo name="DOI" value="10.17487/RFC9499"/>
        </reference>
        <reference anchor="RFC7493">
          <front>
            <title>The I-JSON Message Format</title>
            <author fullname="T. Bray" initials="T." role="editor" surname="Bray"/>
            <date month="March" year="2015"/>
            <abstract>
              <t>I-JSON (short for "Internet JSON") is a restricted profile of JSON designed to maximize interoperability and increase confidence that software can process it successfully with predictable results.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7493"/>
          <seriesInfo name="DOI" value="10.17487/RFC7493"/>
        </reference>
        <reference anchor="RFC5198">
          <front>
            <title>Unicode Format for Network Interchange</title>
            <author fullname="J. Klensin" initials="J." surname="Klensin"/>
            <author fullname="M. Padlipsky" initials="M." surname="Padlipsky"/>
            <date month="March" year="2008"/>
            <abstract>
              <t>The Internet today is in need of a standardized form for the transmission of internationalized "text" information, paralleling the specifications for the use of ASCII that date from the early days of the ARPANET. This document specifies that format, using UTF-8 with normalization and specific line-ending sequences. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5198"/>
          <seriesInfo name="DOI" value="10.17487/RFC5198"/>
        </reference>
        <reference anchor="RFC5646">
          <front>
            <title>Tags for Identifying Languages</title>
            <author fullname="A. Phillips" initials="A." role="editor" surname="Phillips"/>
            <author fullname="M. Davis" initials="M." role="editor" surname="Davis"/>
            <date month="September" year="2009"/>
            <abstract>
              <t>This document describes the structure, content, construction, and semantics of language tags for use in cases where it is desirable to indicate the language used in an information object. It also describes how to register values for use in language tags and the creation of user-defined extensions for private interchange. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="47"/>
          <seriesInfo name="RFC" value="5646"/>
          <seriesInfo name="DOI" value="10.17487/RFC5646"/>
        </reference>
        <reference anchor="RFC8310">
          <front>
            <title>Usage Profiles for DNS over TLS and DNS over DTLS</title>
            <author fullname="S. Dickinson" initials="S." surname="Dickinson"/>
            <author fullname="D. Gillmor" initials="D." surname="Gillmor"/>
            <author fullname="T. Reddy" initials="T." surname="Reddy"/>
            <date month="March" year="2018"/>
            <abstract>
              <t>This document discusses usage profiles, based on one or more authentication mechanisms, which can be used for DNS over Transport Layer Security (TLS) or Datagram TLS (DTLS). These profiles can increase the privacy of DNS transactions compared to using only cleartext DNS. This document also specifies new authentication mechanisms -- it describes several ways that a DNS client can use an authentication domain name to authenticate a (D)TLS connection to a DNS server. Additionally, it defines (D)TLS protocol profiles for DNS clients and servers implementing DNS over (D)TLS. This document updates RFC 7858.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8310"/>
          <seriesInfo name="DOI" value="10.17487/RFC8310"/>
        </reference>
        <reference anchor="RFC8446">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC8126">
          <front>
            <title>Guidelines for Writing an IANA Considerations Section in RFCs</title>
            <author fullname="M. Cotton" initials="M." surname="Cotton"/>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <author fullname="T. Narten" initials="T." surname="Narten"/>
            <date month="June" year="2017"/>
            <abstract>
              <t>Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA).</t>
              <t>To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry.</t>
              <t>This is the third edition of this document; it obsoletes RFC 5226.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="26"/>
          <seriesInfo name="RFC" value="8126"/>
          <seriesInfo name="DOI" value="10.17487/RFC8126"/>
        </reference>
        <reference anchor="RFC3966">
          <front>
            <title>The tel URI for Telephone Numbers</title>
            <author fullname="H. Schulzrinne" initials="H." surname="Schulzrinne"/>
            <date month="December" year="2004"/>
            <abstract>
              <t>This document specifies the URI (Uniform Resource Identifier) scheme "tel". The "tel" URI describes resources identified by telephone numbers. This document obsoletes RFC 2806. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="3966"/>
          <seriesInfo name="DOI" value="10.17487/RFC3966"/>
        </reference>
        <reference anchor="RFC6068">
          <front>
            <title>The 'mailto' URI Scheme</title>
            <author fullname="M. Duerst" initials="M." surname="Duerst"/>
            <author fullname="L. Masinter" initials="L." surname="Masinter"/>
            <author fullname="J. Zawinski" initials="J." surname="Zawinski"/>
            <date month="October" year="2010"/>
            <abstract>
              <t>This document defines the format of Uniform Resource Identifiers (URIs) to identify resources that are reached using Internet mail. It adds better internationalization and compatibility with Internationalized Resource Identifiers (IRIs; RFC 3987) to the previous syntax of 'mailto' URIs (RFC 2368). [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6068"/>
          <seriesInfo name="DOI" value="10.17487/RFC6068"/>
        </reference>
        <reference anchor="RFC5901">
          <front>
            <title>Extensions to the IODEF-Document Class for Reporting Phishing</title>
            <author fullname="P. Cain" initials="P." surname="Cain"/>
            <author fullname="D. Jevans" initials="D." surname="Jevans"/>
            <date month="July" year="2010"/>
            <abstract>
              <t>This document extends the Incident Object Description Exchange Format (IODEF) defined in RFC 5070 to support the reporting of phishing events, which is a particular type of fraud. These extensions are flexible enough to support information gleaned from activities throughout the entire electronic fraud cycle -- from receipt of the phishing lure to the disablement of the collection site. Both simple reporting and complete forensic reporting are possible, as is consolidating multiple incidents. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5901"/>
          <seriesInfo name="DOI" value="10.17487/RFC5901"/>
        </reference>
        <reference anchor="RFC4949">
          <front>
            <title>Internet Security Glossary, Version 2</title>
            <author fullname="R. Shirey" initials="R." surname="Shirey"/>
            <date month="August" year="2007"/>
            <abstract>
              <t>This Glossary provides definitions, abbreviations, and explanations of terminology for information system security. The 334 pages of entries offer recommendations to improve the comprehensibility of written material that is generated in the Internet Standards Process (RFC 2026). The recommendations follow the principles that such writing should (a) use the same term or definition whenever the same concept is mentioned; (b) use terms in their plainest, dictionary sense; (c) use terms that are already well-established in open publications; and (d) avoid terms that either favor a particular vendor or favor a particular technology or mechanism over other, competing techniques that already exist or could be developed. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="FYI" value="36"/>
          <seriesInfo name="RFC" value="4949"/>
          <seriesInfo name="DOI" value="10.17487/RFC4949"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="IANA-DNS" target="https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#extended-dns-error-codes">
          <front>
            <title>Domain Name System (DNS) Parameters, Extended DNS Error Codes</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="RPZ" target="https://dnsrpz.info">
          <front>
            <title>Response Policy Zone</title>
            <author>
              <organization/>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="Impl-1" target="https://datatracker.ietf.org/meeting/116/materials/slides-116-dnsop-dns-errors-implementation-proposal-slides-116-dnsop-update-on-dns-errors-implementation-00">
          <front>
            <title>Use of DNS Errors To improve Browsing User Experience With network based malware protection</title>
            <author>
              <organization/>
            </author>
            <date year="2023" month="March"/>
          </front>
        </reference>
        <reference anchor="RFC7754">
          <front>
            <title>Technical Considerations for Internet Service Blocking and Filtering</title>
            <author fullname="R. Barnes" initials="R." surname="Barnes"/>
            <author fullname="A. Cooper" initials="A." surname="Cooper"/>
            <author fullname="O. Kolkman" initials="O." surname="Kolkman"/>
            <author fullname="D. Thaler" initials="D." surname="Thaler"/>
            <author fullname="E. Nordmark" initials="E." surname="Nordmark"/>
            <date month="March" year="2016"/>
            <abstract>
              <t>The Internet is structured to be an open communications medium. This openness is one of the key underpinnings of Internet innovation, but it can also allow communications that may be viewed as undesirable by certain parties. Thus, as the Internet has grown, so have mechanisms to limit the extent and impact of abusive or objectionable communications. Recently, there has been an increasing emphasis on "blocking" and "filtering", the active prevention of such communications. This document examines several technical approaches to Internet blocking and filtering in terms of their alignment with the overall Internet architecture. When it is possible to do so, the approach to blocking and filtering that is most coherent with the Internet architecture is to inform endpoints about potentially undesirable services, so that the communicants can avoid engaging in abusive or objectionable communications. We observe that certain filtering and blocking approaches can cause unintended consequences to third parties, and we discuss the limits of efficacy of various approaches.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7754"/>
          <seriesInfo name="DOI" value="10.17487/RFC7754"/>
        </reference>
        <reference anchor="RFC8484">
          <front>
            <title>DNS Queries over HTTPS (DoH)</title>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <author fullname="P. McManus" initials="P." surname="McManus"/>
            <date month="October" year="2018"/>
            <abstract>
              <t>This document defines a protocol for sending DNS queries and getting DNS responses over HTTPS. Each DNS query-response pair is mapped into an HTTP exchange.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8484"/>
          <seriesInfo name="DOI" value="10.17487/RFC8484"/>
        </reference>
        <reference anchor="RFC7858">
          <front>
            <title>Specification for DNS over Transport Layer Security (TLS)</title>
            <author fullname="Z. Hu" initials="Z." surname="Hu"/>
            <author fullname="L. Zhu" initials="L." surname="Zhu"/>
            <author fullname="J. Heidemann" initials="J." surname="Heidemann"/>
            <author fullname="A. Mankin" initials="A." surname="Mankin"/>
            <author fullname="D. Wessels" initials="D." surname="Wessels"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="May" year="2016"/>
            <abstract>
              <t>This document describes the use of Transport Layer Security (TLS) to provide privacy for DNS. Encryption provided by TLS eliminates opportunities for eavesdropping and on-path tampering with DNS queries in the network, such as discussed in RFC 7626. In addition, this document specifies two usage profiles for DNS over TLS and provides advice on performance considerations to minimize overhead from using TCP and TLS with DNS.</t>
              <t>This document focuses on securing stub-to-recursive traffic, as per the charter of the DPRIVE Working Group. It does not prevent future applications of the protocol to recursive-to-authoritative traffic.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7858"/>
          <seriesInfo name="DOI" value="10.17487/RFC7858"/>
        </reference>
        <reference anchor="RFC9250">
          <front>
            <title>DNS over Dedicated QUIC Connections</title>
            <author fullname="C. Huitema" initials="C." surname="Huitema"/>
            <author fullname="S. Dickinson" initials="S." surname="Dickinson"/>
            <author fullname="A. Mankin" initials="A." surname="Mankin"/>
            <date month="May" year="2022"/>
            <abstract>
              <t>This document describes the use of QUIC to provide transport confidentiality for DNS. The encryption provided by QUIC has similar properties to those provided by TLS, while QUIC transport eliminates the head-of-line blocking issues inherent with TCP and provides more efficient packet-loss recovery than UDP. DNS over QUIC (DoQ) has privacy properties similar to DNS over TLS (DoT) specified in RFC 7858, and latency characteristics similar to classic DNS over UDP. This specification describes the use of DoQ as a general-purpose transport for DNS and includes the use of DoQ for stub to recursive, recursive to authoritative, and zone transfer scenarios.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9250"/>
          <seriesInfo name="DOI" value="10.17487/RFC9250"/>
        </reference>
        <reference anchor="RFC3986">
          <front>
            <title>Uniform Resource Identifier (URI): Generic Syntax</title>
            <author fullname="T. Berners-Lee" initials="T." surname="Berners-Lee"/>
            <author fullname="R. Fielding" initials="R." surname="Fielding"/>
            <author fullname="L. Masinter" initials="L." surname="Masinter"/>
            <date month="January" year="2005"/>
            <abstract>
              <t>A Uniform Resource Identifier (URI) is a compact sequence of characters that identifies an abstract or physical resource. This specification defines the generic URI syntax and a process for resolving URI references that might be in relative form, along with guidelines and security considerations for the use of URIs on the Internet. The URI syntax defines a grammar that is a superset of all valid URIs, allowing an implementation to parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier. This specification does not define a generative grammar for URIs; that task is performed by the individual specifications of each URI scheme. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="66"/>
          <seriesInfo name="RFC" value="3986"/>
          <seriesInfo name="DOI" value="10.17487/RFC3986"/>
        </reference>
        <reference anchor="RFC9715">
          <front>
            <title>IP Fragmentation Avoidance in DNS over UDP</title>
            <author fullname="K. Fujiwara" initials="K." surname="Fujiwara"/>
            <author fullname="P. Vixie" initials="P." surname="Vixie"/>
            <date month="January" year="2025"/>
            <abstract>
              <t>The widely deployed Extension Mechanisms for DNS (EDNS(0)) feature in the DNS enables a DNS receiver to indicate its received UDP message size capacity, which supports the sending of large UDP responses by a DNS server. Large DNS/UDP messages are more likely to be fragmented, and IP fragmentation has exposed weaknesses in application protocols. It is possible to avoid IP fragmentation in DNS by limiting the response size where possible and signaling the need to upgrade from UDP to TCP transport where necessary. This document describes techniques to avoid IP fragmentation in DNS.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9715"/>
          <seriesInfo name="DOI" value="10.17487/RFC9715"/>
        </reference>
        <reference anchor="RFC9462">
          <front>
            <title>Discovery of Designated Resolvers</title>
            <author fullname="T. Pauly" initials="T." surname="Pauly"/>
            <author fullname="E. Kinnear" initials="E." surname="Kinnear"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <author fullname="P. McManus" initials="P." surname="McManus"/>
            <author fullname="T. Jensen" initials="T." surname="Jensen"/>
            <date month="November" year="2023"/>
            <abstract>
              <t>This document defines Discovery of Designated Resolvers (DDR), a set of mechanisms for DNS clients to use DNS records to discover a resolver's encrypted DNS configuration. An Encrypted DNS Resolver discovered in this manner is referred to as a "Designated Resolver". These mechanisms can be used to move from unencrypted DNS to encrypted DNS when only the IP address of a resolver is known. These mechanisms are designed to be limited to cases where Unencrypted DNS Resolvers and their Designated Resolvers are operated by the same entity or cooperating entities. It can also be used to discover support for encrypted DNS protocols when the name of an Encrypted DNS Resolver is known.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9462"/>
          <seriesInfo name="DOI" value="10.17487/RFC9462"/>
        </reference>
        <reference anchor="RFC8792">
          <front>
            <title>Handling Long Lines in Content of Internet-Drafts and RFCs</title>
            <author fullname="K. Watsen" initials="K." surname="Watsen"/>
            <author fullname="E. Auerswald" initials="E." surname="Auerswald"/>
            <author fullname="A. Farrel" initials="A." surname="Farrel"/>
            <author fullname="Q. Wu" initials="Q." surname="Wu"/>
            <date month="June" year="2020"/>
            <abstract>
              <t>This document defines two strategies for handling long lines in width-bounded text content. One strategy, called the "single backslash" strategy, is based on the historical use of a single backslash ('\') character to indicate where line-folding has occurred, with the continuation occurring with the first character that is not a space character (' ') on the next line. The second strategy, called the "double backslash" strategy, extends the first strategy by adding a second backslash character to identify where the continuation begins and is thereby able to handle cases not supported by the first strategy. Both strategies use a self-describing header enabling automated reconstitution of the original content.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8792"/>
          <seriesInfo name="DOI" value="10.17487/RFC8792"/>
        </reference>
        <reference anchor="RFC5625">
          <front>
            <title>DNS Proxy Implementation Guidelines</title>
            <author fullname="R. Bellis" initials="R." surname="Bellis"/>
            <date month="August" year="2009"/>
            <abstract>
              <t>This document provides guidelines for the implementation of DNS proxies, as found in broadband gateways and other similar network devices. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="152"/>
          <seriesInfo name="RFC" value="5625"/>
          <seriesInfo name="DOI" value="10.17487/RFC5625"/>
        </reference>
        <reference anchor="RFC9606">
          <front>
            <title>DNS Resolver Information</title>
            <author fullname="T. Reddy.K" initials="T." surname="Reddy.K"/>
            <author fullname="M. Boucadair" initials="M." surname="Boucadair"/>
            <date month="June" year="2024"/>
            <abstract>
              <t>This document specifies a method for DNS resolvers to publish information about themselves. DNS clients can use the resolver information to identify the capabilities of DNS resolvers. How DNS clients use such information is beyond the scope of this document.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9606"/>
          <seriesInfo name="DOI" value="10.17487/RFC9606"/>
        </reference>
      </references>
    </references>
    <?line 772?>

<section anchor="interoperation-with-rpz-servers">
      <name>Interoperation with RPZ Servers</name>
      <t>This appendix provides a non-normative guidance for operation with a Response Policy Zones (RPZ) server <xref target="RPZ"/> that
indicates filtering with a NXDOMAIN response with the Recursion
Available bit cleared (RA=0). This guidance is provided to ease interoperation with RPZ.</t>
      <t>When a DNS client supports this specification, it includes the
SDE option in its DNS query.</t>
      <t>If the server does not support this specification and is performing
RPZ filtering, the server ignores the SDE option in the DNS query and
replies with NXDOMAIN and RA=0. The DNS client can continue to accept
such responses.</t>
      <t>If the server does support this specification and is performing RPZ
filtering, the server can use the SDE option in the query to identify
an SDE-aware client and respond appropriately (that is, by generating
a response described in <xref target="server-response"/>) as NXDOMAIN and RA=0
are not necessary when generating a response to such a client.</t>
    </section>
    <section anchor="implementation-status">
      <name>Implementation Status</name>
      <ul empty="true">
        <li>
          <t>Note to the RFC Editor: please remove this appendix prior publication.</t>
        </li>
      </ul>
      <t>At IETF#116, Gianpaolo Scalone (Vodafone) and Ralf Weber (Akamai) presented an implementation of this specification. More details can be found at <xref target="Impl-1"/>.</t>
    </section>
    <section numbered="false" anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t>Thanks to Vittorio Bertola, Wes Hardaker, Ben Schwartz, Erid Orth,
Viktor Dukhovni, Warren Kumari, Paul Wouters, John Levine, Bob
Harold, Mukund Sivaraman, Gianpaolo Angelo Scalone, Mark Nottingham, Stephane Bortzmeyer, Daniel Migault, Lars Eggert, and Stephen Farrell for the comments.</t>
      <t>Thanks to Ralf Weber and Gianpaolo Scalone for sharing details about their implementation.</t>
      <t>Thanks Petr Špaček, Di Ma and Matt Brown for the DNSDIR reviews, Joseph Salowey for the SECDIR review, and Paul Kyzivat for the ARTART reviews.</t>
      <t>Thanks to Éric Vyncke for the AD review.</t>
      <t>Thanks to Mike Bishop for the IESG review.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA9V9W3fb2LHmO37FPvSDxRyStnxrW53kRLbkWCe2pUhyOpeT
NQ2SoIQWCDAAKFnt9rzPw/yH81vm8r+mvqraNxCUnaRnrRmtXm0SBPauXbt2
3aswHo+TNm+LbM8Mztp6PWvXdTY3h3Vd1eYgbVOzoA+v86LNcP3g/dkgSafT
OruOH6Af5KFBMkvb7KKqb/dM086T9WpO35s98/zF7pMkmVezMl3SbPM6XbTj
PGsX43nZVKtx4wbDhXGGwcaPniTNerrMmyavyvZ2RQ8eHZ6/Tsr1cprVewnG
3ktmVdlkZbOmWWiQLCHYHidpnaUE41FJkJdZO0huqvrqoq7WK7oKcI9XWZ22
NG5jvqOf8vLC/BY/D5Kr7JZunu8lZmxerZu2Wma1yT7S/XlWzjJcPioJL0ta
+Dyb5QAOF9s6LZsVTVzObvE9K+t8dkk3LbJsPk1nV0lynZVrgtgYCwkvfkAX
ZHWDDijGLNO8sPf9BviaVPUFfkjr2SX9cNm2q2bvwQPch0v5dTaxtz3AhQfT
urppsgc8wgM8eZG3l+spPcvov7mQHXjwVVuC5wvsaBvMHY0zkeEnefV1I37d
XZPLdlkMkqRp03L+X9KiKglbt1mTrPI985e2mo1MU9VtnS0a+nS71A8t7UA7
MrNquczKlq4QAS7T1YpQ/NckSdftZVVjn2lVxizWRSHUeZCW5ju6hy8TItMy
/5FpZc+8ymnMj+bstmmzJQ14VM4mfJs9FnIDX5pV67LFSfhQ5i3RwVkLzJlq
YfaJpPJZyndldovT8obm/M0Fvk8I5MEmYOd5vV6mRdbcpLU5zebz2x4Q31dX
uQw9y1ua/WVaXhDG6oyv1dkF3/W7tC7pgF+lMahH5TyP4bqqynmb13fC9T7L
C/Oqqq56wKGDVo7/OLskKLJetPyOVj2vltGkZcZzVVe/KStaa0afJ+urnpnf
VZcpDuLLaj1L52le90FQu7mJIrKMaPc0K0uiHgFnTuM8fvrw4cMYvNf02CyL
wFrKbJOpne03FY8taEmSkrgCTXpNZzzJmUfYb8Yc7b/fHxPn2eMRjbLdg4qG
Ls17GlaJyuzQTUNzktZ0jbgXEdnhxzYr5yGfJWTPFX7jyFj+xvZDFw0DQDDQ
2dP6AniwR/jm5maSp2UqbIP47UXJJwZsY7xyoHS+Tj7iWN7LFLyAc888eMyk
zSItmgxoOD35c4yB06xZgYObk6rIZ7fmz3S2+4Gk4evVjxMgtnfoo+WqGO/G
ow8+0Mh04hzmGnNemXy5qqvrzLwEbwS/pbtqQrPl8XT620tDcgNSw0zThnBP
5w6UaOjJNpsBpVtwSVClJAtmV1ntWfGSyI4merC7+4x4NSEvJ6gfNEVOeBrT
ReV9DoPNmGAsMmwCb9+Ypl1VTVqMN54RGTume7Y/rbStGHv8cPzw8fjRw0eP
k2Q8HhPvagBwmyRA04LFPbCSN+aGJituSc6tiuoWsoxo7zqt82rdECtJG9q5
kcnLWbGeg2FalDXZbF0T9zHErs1KNjbDgZgxUBPzprrJrrN6pLMpbddKCw0J
mdmV8ZLAuNNEshYwEMGZNW1aY9rKrIn6ahYNpr3MFC4GFV/deibJ4ce8wTaY
ZQaGlDdLfh7EQOuEkC/oELSkvtCKWzrz/LOfa5bSv+YyrZcJQUqyPy0IOfmC
55kWFe15vBCgEHC8OT8/4avVmlDQTJLk/JJ+InG0Bj6M6knm9PUrVpXM9Nbg
EKYFoJ0VOW5q1qsVCTke0KIGP2Pywz+en+6Pz+kfWm9WzInmE76+yTqCBdtF
ErZwc7T7E3O2nl0m9pYZycQpUX9a4zAQeHhAAQPi53lDyCMSGZmiurjAvzTX
uhGaSSq6vTardU1EzOsH3S3z+bygo3uPxE5bV/M1H6uQChuDIxdRX8r0lxFt
0bF2JJhNLiYj7NSqyss2sfQ3MqyQtWnhFzZieD2V19nf1nktiyrSmySi0/dC
0GPhAY6sm6pYi/LYEJJMSrtMQ9wQOTQYPcF61lAMzQlpBTQSPqrSYHaOTojB
1zhXa6ISx2foDC4W+YwkB2iLH2mZV8lJNuBOzHi70PAByzOe2lSs2GYJrcav
MTpcE0I3ofGSFFs798hsnHy7ddjopIF8UmRjtekU7BPTpfN5DlD5JOB2h3DS
y2lTC8wmSnhyltXXOXHXEyG/Gqg4O2mG0H5JHcIIfIhMOqNDwmevAZCAbc6C
ko7MOsP1NNFtY8wQjiolSyJTyCNSbgoDvBN6doQ4aG9DHpSkF9DUh4YYcQXc
qkq/bhRhimUsA3MEbCQ5dByBFmy3L50vc2IptIstxEwB/pZeWOw3snZa1GXa
2ukCjC/TW2K2zSUWV2ezjNQGs4TSFjKlgAtiC9atkl8wDj9O5HnNkmpagOBu
IM08K6SzxzuVfUxBWyM8g1WSBHBsQMGNF8WIL4rqpqArNKvfF15VckOUAflT
ZiQeilvP2+XRfjadgmLafLYm+yXR0W74QMnDExHGjLZg/SOMcctsaXZZ0e4n
mKEBUQqvcZRNBwKzEC2uCR2kGBCXbj1O7lptYlHpVhWyEeJzPEIEVdaSQZC8
VtkTn6pA6pAIn9X5lCWb+fQpU8E0JtXissz/ts6az59HdogE8NGSsNg6I64v
NM58neU9K7GNeSkSaOQs9pF5RZZxVQs3BlTEmM1+2dzQaPNskZcWgDNlOE/A
Vf+FxBCk0OfPgaAmWAi7othVJe0uE6ZufbDIakZcidkpkSeLcREhTh7j4AC3
ZGhclLRxfcglFL6v6Ey09NXcXJIdzRaysHwvWukEM7Obm52FrO3oBByJ7ml2
smY4St7/8eD43f7Re5BgtlyxRoLV00YRWxYqSHvRORT0W+Gf3FxWREM5iTYs
zm4u7RSdy0ui1yJvSeM02OFZ1iF3XkGi7MidCozBz4+IF9/IyWUBn5JkpAev
QFrBueU9vLm8VbjiwXJ6rMXpnJhYtbCU1mBYS4BJoAQwC5E9IrTvN4YOUJcs
ngHz/0Zk8c03T5+AMulhwmZhWZJVQ6wAFqJgZo6fgB9HFzovzZOBy6eEv9B1
InjgLaSduZUdaUYBl6BZ00aOPwlR2n5hYAU+1sT25+mSeDtBJjqFyAUaJnVc
HArIccnkBKiFYUyJmBZ529ir6YogTRk3wVltI+TmoiAWOWGAAbmESMXeVsmA
6LRaDFSkrQikfl1Q9ov+o7lyokoS7DkMT1GuGq8ACJJxo4XsplqTqkdqWcqc
rbJaGInHZUYbXV6Qpaw0vQSuLzLRfuRB2mgLLQQA7UfLMpdlSuLhVhDdtO0l
ndX0usrnTbhiQg9RbVEQodGjtBF1VbXJLKN9I7UG6BFTFXTLGicO/9H5eEni
7YKdaSwhN5TjkIKF0zIel8BXmY1Jjsx5/TC89MQkPfowkXPI2M4J8A3921P8
o5gRjvQMN+lt02X6mHNjPmxpqUwF0F6uaZnsq1zTwcFTO0A/YaRaMgeDZk0b
NtxcfpXxmYRawI6seUesgNG6Q4Wd10PO804z5qHdE+aYdxVxOdIVLm+d0pWA
O7FeWWdeHicJNPZXVal6raidB5AmrAk2WEBmruh4wo/amMG7D2fng5H8a94f
8+fTw99/ODo9PMDnszf7b9+6D4necfbm+MPbA//JP/nq+N27w/cH8jBdNdGl
ZPBu/08DofPB8cn50fH7/beDzbOLRdHyp8wpsnpFkpW2IW2S6Ly/fHXyP/6T
DDIhnke7uy8+f7aUtPsNUQZhLCtlNhaL8hXcKaEDk6U1RsGpmKWrnI4HsTLi
Xg1x/NIQ28kIn7/4CzDz1z3zy+lstfvk13oBC44uWpxFFxlnm1c2HhYk9lzq
mcZhM7rewXQM7/6fou8W78HFX/4bGbOZGe8+/7dfJxsGMIx+2gVWjZxeAjo/
zyBeKlK2bhXvL568oE0gvA0Oy1l9u2o1NEEHZKEeARYc7sdmdkkMVLncNdEl
xlV+2IySSBfGTxWULWHTOwfVmyHNC9n3/Mlz5gTulvO3fMO5veGb50+f4wYS
0+4e2rFXuOn39qYXj54+ZOgjBhSC3me07xweHA7VNoGMUkt6xIyBLiRH718f
j18dHxyCulYAjnni403GN4jUQJwX1Rtxmqy+aM+P1SQHclzA+NkwZCG9YEWu
M6DZeTIMBjU7u0+H4ch04dmwOzxd/GY4IKQcdU4pPWi9H5G1S9t7nRZr5r/h
xnf8XkpLiY3TkKxhhcSbe+rJAKZ1Itb/wKZxIx3hArKLGbbYkTfZNJGgSj1k
PRYm+RKkTWeavR7EAqBRjEIHlgjhSGoIKkeB6ySBf2MGkoVjgNDRF2MzO2eg
BQhkIhW6vPNwSEaOSqI5Q0uQ93mLAEdJyi3r6Ytex9HEnGWZ2MQkDA8O5aBh
8sg4CnGOYaCd3VrdPAflYV7xRcAxiN0mrC7yC++zspYXMOVciPzL3AkT+LG8
pLOODoB0dP4AYTiS18Q30mUXoND3TaoIbgnB40MvdjZvM4FHQnPO7jY6e2M2
UkQdZ4WQFPJZAcc4IYn3IgkMQQ+8pTN2qTlTmX9R/wVPe53jIPcv7B7j5bX7
6dxZhAwlcY28Nm9J4Ww1fPnpXp/1KF4071BV/52zF+BgpIUy/ELXqZlWF3S+
d3jz4Y6hgzMQu2owdEONjLOpmKZHXdNqYvZpgJGx+qvOnNuY6VZ70UFEAyU9
PBBWWWy1hmztEJqpEHWTkRJE6iXpHpcp/FTza9L9WQFXV2VwhcFhLyNt8bpp
rJoPCsYGylmaNqIX8g7dM8rxbOxCVZ4ez++F8Epra5FmDNcJgekNVYUhYcPJ
igBIn52zoZ4PIiVo0d7IEiNaXECxyztxRpd3oskdIAuwFvWxKDfTsMZwYo6E
IZBW3iJiSqsANxSh9fjF82efPycEt8JmPpy+xRKn1uUgdkDH+y8afaJTuWD6
SZ3ReaJ1H/5tna9Y/u28OiGeRpts/ahDwhltJDCSBiYU2xik8Fv2BVgSh/MF
WaXimFanneK95lUJ/tJWMaBWDSBmNy6whcDirXgFMDIE0kIEkrBbUQpo7Xcu
2MBvQSdCPJjYQR8gkFV4DWNi4I0lPVlkqbp30v6b756VdSi1vYrbxDtHYIeZ
yA5jblwL3vjEQVtfpXktdpE336LH8iZREw8+vTK2+Mk+KrI74aPdrxnCWbW6
tRu4qvNrjE0ATJIDLxygW4EjN5fpVSbrRhQsDeJy3fGXJNgWeSb2WQB3olTg
hL09VISFHSJ9BFoaOFBEvepA5Ymq36hlVxWb/mnLgV7zC+yoxCw4iAp9oGbu
cHb4yov92JSfwrjLYDRmiwV4DRENXeOAkzwpETxkutSZtUHb7MKF2WBcwyKb
5RIbifg/PDYSiKAVKl+CFDOSE2ClBK91mln2Ae15oms619NmZTYfKU8H2zbl
JifTR7hwyI9kYhER95uAG44cE0KAX9REXAG/4d33rEkpSDmb9aMEGhbPPcV+
k9AHRtn0ylv5gUxgOCBCjkqQEJ2IZ81OzHE+2mrnsVGJUQZ8WI67sHpZpsXa
q0DnSbedq6p0xwiMRnDD3gFznbMa79Q7Wsu1OLkC+iryqywK55BRw2M0cI3D
4jxbwgI9Rngpe/AGd8pn0iWP3xwPWYbzPQ/eZfN8LckY5lDsYmLVdN+7wyEH
jtQPnDJRAUEavCFE0zbnUHJVoEl0/DLrj/GaQN5ZkmLM8uaoTuzHCL1RKqlU
X+cDBfyqxUYooxFJSzeqpcMek0wJDQ0ESv1QjiEBtS6AfLDecGvIyMjnEnaW
48eaiHikL4ii4JmJaK7jUNmQ0TLMoi8+YGkmQLvdTxJZQhAkrG8RgSPzxBIi
YUtFHhx43o+maybOYx1syv6OzkUdJhjeVVNw7QM5q+/4PpHH7w7eDTVnQIYj
NTEIeZfqvc7bjNOraOUvmcj/RGfEHN+UOqYMsfPyT8cHpMzMshK5AxKA1MDh
qMNbI/ST7kjLlkGmmYmkz1F1bmFjiQ08p04W+KW0dAQsaveDU+v8aldldWOs
X13RyOwDlrRwTTiGyrmeKk44JJ5TtsXtiAN3ZChkkLQFXNnqwRZHaWbVLTjp
WK8oNXlFNY6JeV2v2aiyWpQDECM39MzsUpXCtODAZqtYdXFjkEG1YOuHqDF2
DqYXMDtal76C6DQ/vSK6v2T1f1VBV5KNBXclGcD2CdkDBG+YyqFPQjjObgny
dY3zhDDlKNo28dnD6ZiXcaoGndnZlT3VdbW+uOx5UJ2trHOZaRpGupGmQvtL
zF7R2ON75yyBYKPttH0zBqcajrkyxj5R0VrpfdOzvTlMJWH1plUqnJiDis2H
iiM8EkfDomBgxSuzmJXlqZia1Rl7pVOPgOt1Aa2OTi2+8c4D0KldyEeSCpxV
h1C4eXd0/g7SKZ1dTcx3lxwH7a6J7g0UGyHwcEc+rkgjbzqkiYAOoXWHqWu4
iScn4cvsZgvKIkPKmZTiQ/pqc6r0T9q4HlSm0MNQVNXVeoWnFohwdUIZrDGA
6Il7Q9DyEVVNDZ7cUNCo06gJhMJII1EWNgcuCzFMaAebXWazqyaIp+Z9OmIw
W02UnUWpOVZIumwFO3YETyfrIwgdM4wRzrzhpIk1NI4yLK95KTy8ImS1wN+o
aOQQJ1xfXX30Yp0i3JZJuquA6XClA4KGiF2RQNPIFXTTNVIgpsTYMiZWsmHW
8KyxfttFsmNAPXwTfD0KwOI4KCsWoQJ5wlxaeHuXj6tOZ7VWK2C+jmtDVaw5
lqYe25IPMIkldUv0SIi/hw87FsxnyLlKgtRQdhg3QzlIdyUL8HDODeu9K8nW
nADr0BFT1bKaDoHKAU18dlBP7grTAhs48CvwCJLsDaCbLWCrItSsIe8C28w7
xJLIkTMliz6j87WzOxSD7xFpu1OdnTeM6A4KZ6QNgH9lH5EQo56VUvTalGWo
Gh5yg5oLzu2CR2PXi3U3vA7jDBHGmIV3Mp9SmwwjaUjKB6xjw5ZZuPyzwTsR
8ANFf5tJNk/iDHTGFakBZCAi16KpFi0eGJnBiaoC+ixrPDFR49kEP0hCojOo
+lRfkTecYtHOJpHKxSdTw+MWzy71yCUjLlRLjfy7fGRS6MQpHw5EL9tJEnGA
EBiJ9Ah1ho7CbmDWpqGQ2HXpiUwouZBD4DpnJunjtXWFrYIGlbCEU2ez+ENB
uk0uYronoL1gnpkGo4+SjXh2EOuW1Ygr0mVrNFYN9z78hH34SISkEXzqqM1y
FdrqYIquX9TpEt/EcSQMhp1v0EKiDFgbA4GYDFdtww3DkTiCktT6ThdddAi3
JZ3R0LQlEjpGphPjSSTGM54TmyM54DzzShoB9CqIrJEusGhqYJOwfmRRwNFZ
EBonXTIeI2cBpH3O5qTm382TStxEXrCN9WR1bFl22x+N//3s+H0nGeA1JwN8
ugdnxhhQfmaWzXci6b8RP73wgcAZzSSep6VLVNtYpIQsrjMHrQA6t7/zUGGS
LpRO3aWmd0CJG376JA+M1a9CRwZu+TC7YjPbITphyA+VFVbTHzJmkeDd88C/
ZlNC5bYdQd3QxmQt5cuo3zx58VgDpn2HKPbU83hAdrOXJLM9s6PcZZjssQfr
72A2kosVBX7i/Pgej1PO6Tr0HOcaVZ28C9ZisA04UsTVSUPx3npTZBfEU8Fc
rKKCdcg+XlStyy/XDNibuuLzLbDJHk50lS4FRfchreuUfYJ2+R9Ojxq1CJbr
os1XxSZqtNiBPafEUaCtBI/DT0UoEjbBeRNspqA4BA5mnjDTxGWlGg8K4HwV
gOK5td46mA10EZwIAR0Bc0ogv+Eipkbz3hAH4toaHRCksic749Ag7rMUboAf
iCZ+INXN4QyUcf/D+evx8/tjS6hCeE93XzwncubMHc+VbT5uHpQYRPFAFwTc
hCPKYaNFITuL+Q7pweqUwhTNejr2Ok+S+5wI5FdbZ7ad3OlhmyEzSw+9gtEm
xAR4RobHNJMIP0zQcgVFqUr6pJ7yKnZWN5vReZ9oDaCBILDOalZ5R6GFLoi9
u1g6jPHZrKrnmtOMnIf+RIBRouH2UD/Sg+1Wp/E9CbN3fXSQ365iISdlgLOc
UJkExAKAsirHTCLMBVFhyKSmOet5KYaTzs35H3Oy3qYcfqEbNBevgPRF1gLU
cx8zltgpahXLi2ZoWbiNCkZ6Iq2H+JHgD/7CO+i8ITp3dAQa31cxJnFtObeW
HccEp5QV0WvHqwT3rycuGVVXJgUbLkjL3BXH0zoh5ezWUiwQkewZQRGaMP5o
0y/8w91ne6/D0BxvZSODjf4CZTW4IdUcdRubdMahj2lK+hxMr8B35txmthpi
OKItanh3zdnBYeSwsCeTPdaDZoBrkMBEx2I1KrNrImanOUrQ3cnMWyI/Nl4J
u09Zf8E2iOo7+CEawx7iflOMCfWjS6xk8QPnludAgjEio4rIKEyl6OOWwiAX
KJ2D5cxSy2bWBo+GgX9OA9gkMM6GvpOsC4KH2O/FmmjJyvRBYdcenh2yCfW+
qJSFpZADHWjjRKRKhyCpyGMyMXeYiN0ddr24MJabpU0vhDF8tIpVN4v60WTX
mtJPnz151kfNNsVPxEKWO8YGSGkFHlCVz3yONZuMN9VK0GBlrA+x2S5cRzMe
S02OSWaXKRyPyIs2bhwbPGM9hOiY6MYudYSSC5o3TJ6KsoOQXk7yAho2sWLU
zrPKnBLDQ3mlguvWYt7t/wlTRRza2RwjsKcfNDdZebyQ8kYZhRUNoi5WkqNM
88/I5rS8bpl+JA6w5Myph3Ryf8xsYt43u09t0YWPnbPSoqxN8yWnmWZwIlW/
IVul4ZSiPQA2g4Ua7oM+aqmPtiWJtkX8bMAd04vow1Ls0oy822mVIsxBgyCH
MpkS87lqnJ+MH1JlqxlOzDGo5iZX3lBnognWeXPlrYLYU3mRwT+QXixZmdP9
4WFZ7Y+L/4I8c90RlqJB3Z+U+wECx4agpjatrcIh5FWtTbxSCzy3vsIoIna+
IZ6aIJsmsM7Vj4hg1LoU3zUbmaLOqqOLzgvvkNDNSjPMOp6oUh1OKhoCzyQ7
4xTpKhTGUoIw9zw6lBKbv7JTMqCxwokbkdS05F9DVrtYD2AlpaTjBoiltqsD
wNaw7GXH+yHJI8GYkl9jIyyBH1odCjwHy6cp2O2SA7qCk7x1FjVUh8JmGDpE
OaWBjQQ7KxspUroTActiJnOuBO+48rfwYSZFAdnVvDRJyIQxVGeZX9dQgwhr
kEBgVJPq5ooDycJ+T7jwhqEGTLpKyoIHsf4E5diWkTcu08COyqQvJToS9Efb
AEm2BEJ5psnG1FaE8FlghwQRHJmuWT2GLDf7Z6+Ojoznx6A+sgqbETONy9sV
SYUxMQuk6Tkm8YHIHfj2j5kP//rw4bNdF/B6+PCb/VGCi48fuov89YXwH3x+
dDC0qXtCKgHIhK5njwM5AU7EDFDTaMRvEiSHY4jbbZxSS3zWM9HXiYGvrQPR
8+qYT1t2lYBhT2h/Nfc4ZN0axVD3L052icQSy9fUywGRwCVakl/OrpsTa5q4
rjBMV6/E4PitCAMAdSo+EfPpXsdJkiSse174W1Ov0UC9VOOFN+0OL0yiMsYK
apDdHUnAmhcSl/IhaXdEjIbtDUTk8Lh4QiUUpzaaY9LKZkWZmDnlDepsnFds
0yUDtxI4h+YjJXEMwC6Bs5SDkZzK4EUQUBfb0HkT5GhLJIqTbm5VIHX8BV0P
qMtuDiZunB8KWR5sXDIdQMYmmzshrOVMlhORgEL96Z6sdWzXYYmgE6+zlexQ
haJls5NfCgiVF+7jXO3Tn082QtFPPRc6Go42cQfVid0yWFTZqXG0gT62bHdA
DwnJTRitw24wjaNzsplhUryWntpESC1YtDNqESMI5ZArHrSyadOHOPTxxAA1
YiA1lkSYi9HOhQUJrgAhLk6AKmwjWATthxU6u6RLsSN58MGoO1vnaAUGkVao
bvNuWroBL/NnUYKGW2rQOvTF41qfekRm7qDa7Hh4edzBtKlO3VA4j8Pe6Q8H
J8KBowT6zbWpHGWBHul/junqgbFacRKx1h3ZPcSNspbPwfmrX+0qQSp+WVIs
8hq14Ro99Yw+mpO1btq2apm3zgmxaYuR/FhAhYtuC3YHHgy0UZh0Ey61hr86
H9H/3jC1HFS/H6k3FtKIIQiChmxN0U7kV3DYENhSnIqfeX5uQQbaDAjgLo+4
PzABF71JJabkgishL+SDskGzjNMwcqM39tFY7IQvA59emC8W8O475JDqQQxp
jTQ3myMhIRyezwZWMFUUwPAtKyKQEHV14VspTullu2c6Flib5kM3nL94fv7W
2lO0/DCr0KWAO7Vy9yGUOLIU0V6ikhBS5jMANHoK0EmlXQsV2HZ1E3PGKgvN
10gVB6sWpPwhQjtPV60LeM5vSUvKZ0b6WzFcOsemP5i0OKBAqviRb4i76dzC
k5Qpi7dNQJikOclSM0NshSrolPnFopYctFESoIUIFBpeZZ655ZNteXHZBjaT
VoRO0wKkM5IDKlFdJrmiSucaxJPQOKcce5eXxCaL7KMlBuDGYq4jJ5TXNt2T
sDXWtMFQUA1qqYC5RFy91pck4AwXT+oJkM7quqv8AK5I6NxvxExsKthsLWs5
djAJAWHlQlRJUA4XCKAB6c0czsiRrHIhSf9c3cagJg5UxDK1wu/gcKxnIGjw
w6a4B50wBDtBVTJu5zOv0xu0Evy6BhKTQCHxwrMXZZIHhb2a96loo0SjMiOw
6RF4tFbwFY5Zq1m1XTWznLHPpI+Msc3QJG0Qp796D2VbJV+xrIgLWqdozkGQ
H9alpnmCl+WcS8BmZDS1LEuoWyBzac7TW61TkwKhcDlJBGgA5CS0K058LCVQ
KvVE+EDLZ/QqkCjvqvWpMoEDR3pYBLoup3qkgT4+6oRJud4EOszMSz+vb1f9
SvVekuw6jcTnelX9Kgr2y6WBibsbKYFBsMeLJxuUv0uiuvQx3ISRaA6bDSn0
QNekBESpRroB2aoRm5bCGSn2izpF2bsoWeI8wm3sWnKZScECS1Em8tb56BC7
YnRymrDLwFik09pCRKgKTJwgKGeLsfKmIE2SWYJEM3mhwY2okEK/O9vkp/YF
C8FtQzWXuP68UdxUdX4hmbIua8oOot0QgH11xdaZ6vdg7kGKjCDpiyW5Yaev
RxMX5fNWC7Ze6gy97RKYAJjky/r9lsJlsGbPqEMVhHfG+yZ7lX1EW/NmltIJ
gRb3eGLOQt3miwqMylswcW2x4L3BmH6z4Pa80qqePiWLu2SMgmPj3NCq0nCE
StKhMBErY550NSYpW2AzQYLqNHbp9iOCjpvkZfCZ1/YUnNPK7p8g2mqPu4RB
5aFRqGjydmMDW3eCJb4sT0Rc2iq7eRtHgPt1VD8F0a2tDQz15b5lrcsAQ4K1
phuzCUpLk+SJY3thWouSLpuvPobn6obiIL4wLGDJirq0ieWZGG4zpoGSnbyb
AX0MI60AMOgmjiV67QMPljk78BIugxG6IHUliwP6OPdQXnmjRar32rJSo9TV
2586LG0g3WVXuuPekhabshPUAQncYlzxO3plA+e5kX/zBUcq9QEF0SVNWbsK
aVHMg9kZIqqxzdKFxRjtovVvhof+2Rf2O8hPgUuKwIFzJ8xowfSMLJuyIg1c
wrQVDN9NXfHR8VT69dp0BNIQ7MZEiTNi6QYD2/kkZJNwUQHvMC/sGy+/rdgI
xLfPFdf8aPomR8Km/ZE2iSFl1opZ4LrMJXlSUpJdQqoPez51+cOPdx/SGrkx
QPgoUA9nxq115z559ohdRhawLSTuSST2G1hVoclC3ZTkIxECqNjlozpdjjOz
aNRIoWDt6NomtLpsy3TqvKROCLvaS2VMfW4bWP8uV89mFvomJWHhkY36aZ1q
NHh86InrhdwuZkPadDOtfVOryN0XPyFBQqU/2zkDqaTrpcZChaVwyK57nska
zcYSGCd+SpT2PEKCgitpGGW4onjlygUDYuylvFRbezuiIxwscm06cVCdwwO5
hfq4yHwDhIPqjTqJAmiGWqO7zNv8go1vkbUIZaInIHGZZl5X3E5cmKqt3JgT
k5HZd1TkIQZeSnxRLHFJK4q6DxJz03aOAUZUaKTXaPBOdDmMsz+azUPSIYm+
Tlhd2qT9ejHp5mKFp425HFNTEMwSX0/QoEqVIg5huppoEYayXdKftI9r6AY2
4oXutnhQvsEJvJzEQ3RC2/ythrdRSTLNiEBKbV4mIVtB4DKdW7p4oz797fEU
207lWOyo15qHeg8xFQmSfMXDPuCwtk1JXfinSmwoJWrQornDrjnLNk80h6f7
emOIUiAzazgncLdoqY00ZRof7J/vy27rhbeH7397/ibIckm4aJrdtw/JXvLu
et8vJfJrsgXKWXI/ZnWVxMMyHTW0uSX3C/TsOwTnKyJQNIN1Km0JRiXOodnR
ajaV/C1azUYEyCCA201M873OOl2c+nOSEYpnMR+IaT8kOwyk605Pthvo9VR8
sEgj17x49crOiSY1Xh0n8AmjDh0fnCUEjmwl0AgnV+lC8xNlNu14rKFQGlH7
srvJtexUz4N4jzZ3xPqpw1ausUKfWrMx6N6LJys7sRKBxCxtseuOuEPjiyq6
Cu62z23EbFObvNWCLI0Xp+YtP7lPxohbqrSnxVx2QJsWfnZCmCsyGz4VFVKU
B8098O8S6UHVvGz+aTQpklxm7FY8eaHpW0rOc5RJZbb6hwX+lg0eCIw3UiVK
p6Gej6Wrk0oKdTcIV3NnY5MXNVvLXXzRt8W3z1CJmH5oe4UFbvH7D8z5y/1d
MzZ3+wl8LalPol2XqUtD4BYonS45SehB9omhlWvMwl18bCvq0qbTFV2PSBI3
pl6H0EVbFWd7a2Z4b4Voaml07BLBOWWqqm9gvdR4PggluqbIviu228ogH7Px
hWFadmbLAyxluQksB8GRC3u8hWtwxNazYj6TEgNZFeksM+pCS77k7zE72O+h
DQoqQOijJTunekGsDpH0ChqUj/qlAXEISDy7xHnPMElyFHWW46yWNceG2XPj
JZHLP+Nk+0uypbLCxYCTHoQEvTvnRH7caMc5V/3bJgCU1UR5xciFSttOJIDE
y8rsStO/TU8ynyc6TlyDSOcUtXnyhRtSWnHJ6p3aHq25T7Sgd02I9u6bOI9X
3MyD/UGUqsBazX37WFVf3OeUDkuyGrPgX8c/NFXJoP1X/CWfSM8ny27P/IVL
yAdtVuz96+Onz8dPnz4d7z56/OTps2/w6o2/wptH1h/ey+LezSEOAEz+6LGZ
p7fNgO9q6K5d/lThfjsz3qXEVwu+Wg6SzxaIPXMvhE/eJ/KrAatpp7bioq/W
C2GlTX5lHfyDz9zjMF782KZ/kpLL2jIyqAPfmjQLZRrqJIqWVXJzmZNEQX4o
mkESe0rLK84SbYbyyPfff3//P+7T//mquanlBUgagOPGlt+8eBRuAKP/L/2I
/+voPxIg/W6c0z2E8l38SwiP8U3XClwrB2Ybth1CLNrf2e8hHj0S5zlSBYGm
Rlppq+4Ie8OHRRoTNGQ139ND38cV8A73moeu0H37rRn/+tdvDvcPDk9/+csx
jSbvDPr9h8PTP6HJY9ri5WM+2SafE7UBX3h0UaQX9OvfiHHOTZ1+K4+BHM3+
+7PvDk/3zEP6+OH8zfHp0bn+cHBwJP1T6WuCUUhXNidnhx8Ojs8OX+GnveRb
Njj24KRBdJmHkcm+Nev5ikF4lPCjvzp/ebBLVkqP7TLcAxWxS3bIQx7Sg0/N
jjJj/PzpC+Qgp/BLBCGncHe0SRCWHD4Pe8iBdskSAT66QNmZ8qtwm8Vqa0Ab
93wqX4pXU5UN2sBpgXiirTD6ZFoYRxvZTp78mgcycDkLhiYeiuscHcqLylYd
djpCt31dqONKprzZ7Fe6AudwffeePnv0VJM55CdWQpzmJ1rGxHRlEyeF8VsR
GGyyOnWp3qcZvbRAaP82fA6p1Nx+hDWOmzC6KFW1HObt7YWNlYtrrrGuuR9c
lDjIwev4V9UGDDuuilTdaLpvlWZo9tJabFtEilYBT1udayqlLWDsib1Zr430
arYV5twH0zapkiofOwZX1fe7Yyzvtt732QBORM5zzWyEzRWaQcN9mc6ueH9e
hRGgxIaktX6at9Yada69PbqvzOX9IFJhaWcSP6jNDOiQmsR83btvQJhima9L
VOaXoaNnp2HjtEefGEYB7Q+SBKJJ+52SbNvNxDYw06Kw3CYSqucx1/fT+Mqg
kfTD70Esh0HtU0wNkoaj6laO/nGuAD5OTGLHnkOrUJE0Vsmrudb1uah/5rp2
qoPB+kKdT3gQOOXNmbjgB96Zv+Hmb21tikYdxKkJLgQnyZjMpGweOvpZbzuz
xB2zM05E1boX3o39yF/MB5Db0M2luwgTlhtrFo+1+daHMKds5XTsHHaC2HeT
OMuLDCelL+08hQw9DhcIaw2PXlBhoNkjZJlFjlmOpiHQjhRAzd0oSIazl7mv
9l9S3YQv2YKOcMTR1mJ+lxzocsi6CYRDeSdWeKeNHrkmHehbuTt5bHHyBGVe
XLeDl1NMjPlg6z+asJBptIEabVPRATTI1mKjJ2+uuBtcNcsZXUz4AcKDOKeY
2hIN5uIo6FhLpEHSqQCZAVMS8IhTJqIeRGrQSDqHMl1tP+SKJFRCpxtJSlsM
EvZwsYM4187JB1pehFzgWZRuRIKE1WwYL5bpS8Ddyy1XnNQrmnzsLun26kN0
0bbx15e6+fiMM5vhNEP7GTRsLtvEpw92Spb5LQpb5JLmkwVFc8C7tdu9VE7N
dE2G1phAtyyo5jZ8LRwY9vVENYq++CxwRmujYSrJIuCEId/2ZXNBQIN/sV23
TU3QvQVGu3OKxB1IfDw0eJdU6vNsEsZHoY1w9cVUAE16jYb+mJQjIL5FbxYn
62iKTLxx7FaXzmNWC0WByur2Rl/y4NopWeilIa3flYblLN4q0j++keY3CXLy
JK2aFOZJEneiRKLnXGMh4ctYXMQ66SHHzTwn9Y9MM62o6+TgNIkm13Q7dM04
2wlvawwOgCdbbanKkjCxRWfewTVSB05YGmeNIpeZozMm3t/cd7uPKXZOmK3n
S7efjI48CkSOqw91apXVKrWta+IC9C4aOep2b+BsD9c2746QsM2d1Dktx43j
nMygqsFGHgYnrS453bRUcPlFV1qiaWvG2DoBVDvcn5DDezDSrxqL6CZLVG+2
79jh3KxSs/cahkJeAkFf3py/ezvZ1uYER1TJCiGxhGFw8+q0UatyVvFLyUxN
xaMT9XLkGAjxfetrJ4UGFV1QmKPUHObPST9/3gDUvkLlS0kKyP7T7ATaqleq
5fmUQulY4To0CKRBYJVXwCkUhEsOyTun5WaGlm3jiJcDI7bOKeFp4EmtfIBL
+8bYXCtIVG7VWIlPXRRbbqcqe09LJKVsXC3GNg5cZ4tCNTCVwCwLgpp+GrlO
V87sEWzXXogCX6FGapNCkItKZrzWWeClxm01cB2xxFgOkifsY5rz5pPWHXal
F3yAVbz7LuoK2t2YcPOjFKXv6SB93882bIlMkCvkomtJUA2OWH0mTbh/EVTx
cyV65rMb9JWEQWcC5ou5vCUQDQ5Z1ga2SfS605E5Pu3MoBWdaKpWZFLUCV68
MUVv6gRYRFCv4zmMNXZUG/1w+rYZaplWGAvawkjxzqmMrrDI8Hn5m0D1pPvY
ElFnwEj3ynjMzeyz7v76Av9NOXDE7o9pdlvZfLlZtfIdF1zwiCuaRYt0rr1g
kxDtYDeFmApiss1FWbS3fymTF2+NQw8bV6gVjM9szgoJpsXMvyW6qlVvxBAL
xDIsh59IWy9H/WTyX2XZilUBZehfypMXfuszajvJkJsC1HmD2EaRZN4gAhxz
RF5i9PKZTs+FqnbcxiMgaO5u33PiOi+jo+qqzuOm2baIUh87ZXuFGe3b7AJ5
H/yuE+uGk4iEU/dEr9fs7B3oZpybPXQqyQbKJBGBUU/QfLzV1kOBo0+LpqFx
2laONJLiTBLr7ZNJ/KR0dHVutLR1gI71TbdFFnqb0UikSmw3RUnssYvbeDlK
HLGz6Ts8GAQit19E4yk09+fuoO72sHsc9qwlrZ9sutPDM7wRyhbxPXv4zNpa
J5px0/WJnm+JjKnm69uCud6dwTtcQqYi9eCNf6eN2ZDOeHOqbY62zFunCfjO
TT2wdCWoI72Qs9xvuIEnbcVFZlvG9TcHjDwEYSJe5AvY6gqwParVNNfcMKuk
SAzMpQJ3XwMVv7DEJpRVU91IaSe4/35/09ODq5+7AXb1hyKD4Fq6LfnCjo4R
HmemxO+1kaQt17YU7yI/JLFU1XvmpOB+dTZkSz/9kf48x8S95Xo5RcSwQSsJ
G0SNXrgHpQMx3IF/UFMK7TMkzgD+yBbm8WwDRC8GccxQIj5fGOaOdK9DyduQ
HB7GGPdrsu/IYYNPdIWeZJ5Oltgrye0QvzdPwUW0wa+N2Tk+OR8GHkHfBmRw
IPkFaFyhrwg3OzTA0Jykdcrv+w5diRckmVfWoUi3ff5M+s4fsPw9NBN6eZAk
GAlf+haOV4pxuIp/h+O4nicJt1MAh8dl7CV2N2HscZLHadizK2izIfQ45i/b
qZLR240n2AWNpIEueOcgOPJ+kkEiuBpsyQIJkBP0jf8Z8Wu16wt11CgPQQBC
Gk6UYY8Ps+QO2UH7Bk87Ivlpv9zqeBuiHiO2e5bICg0ZWKnVKRz2DXpo74qq
2YhI2wITOy7DJvDwABfrHI3qSttszXcphbCQePY7SQ4DpCcuUcFMSQVabFjX
RTrNCuIqy2Va5z+6l+mouyJI8/drQ70vF9sGjgTMdWQrR1PtH9LTssefV4d+
vJ30LOT3Hbg5aJO5fK/aEn6gcHKHjmhPQmADWrgVyynXlt2rarUuvBc23noJ
F9DW/+RJ2/xkIhQbunAQrLL37ydjovWZn5Kf9sb2by/4LH8bFzb/+m7Zo2HN
jGZTA/2nn6F7aqeH4E8xwWEwK1cw+Q90Q9Sok75z47n+Lp1whKxJTYkfkQO6
tY3hF0Bo6Abv6fqJu9b+Xf0TN5smfmnKim6ItKnuon/mZntfgqegG1yHO6G/
o/4me4FTrtPFoS+lW/rf3T070gDoqI0125yTAO4fyXmLmz3Jcbz/eaPfksQ4
ndGPVwMdHZ6/pkeuc7ozKBN4Mnnuol27j56hUEDVt7zWfsStuhsafq9Ja1td
RiGOmIPeu7cpPjcjhVaM2vDgPy9I+6KRXxSjyf8DYnTTaWVfNRJI1KRHov5C
xGn4oIqDXzgJFsqBrTJFHubnvFa0RYKQjAY1jdn25Re3R5xZ6kUl+TWRt1h5
8FSU9Cz4a6VLgAZ11LF44Q3So+oESyA+3Krk+93SY1M6sGBoScrb8c6zIltd
wjX3XgwAw6f6X/itkc/4kNMT4mu0DESbf+OiHUaeIDv1OT/hDr+KHH/we2g7
4gAbVMbW9Hxd61tO5nOrxm/xkH5FPJ92ZoCdT4SPDDZY3FausoUp3NkHV9mD
Kwv4GRTtO6b7/0Pf7kjcrtK9hUUwgZJuKaLrJq9dq/nOeDs155E8HD96+nT4
DzAROxo/CjeO7OS+1vtyZHYvkKSCx611PfJ0lH7RgfjnY1heXCrPsoG/B75w
rqq5b9J1N8tHOZ5IROkJZ2x1iXPtKrjY5Jj0/hHOF+jVyn481/tpG+YjLug5
YMD+tmvN4S9gbA95MCnH+QkOFHGbgqF1i3U+b3q3McIuQNao9U9RT4MvN0Dw
bQ5+Mq7gcfLUv/T96YuHu8qCH9E99k0v/1cneox7VjTEPzPJCXTKR89f+Bme
vHjyQmd4wjPc/tMok0le7PZO8pRucBVCccZlOGm41bY0astOP4OBx23yvmo0
VA/1jqSysasSd07TVwpFsIX5nJnqRgP2JtKW/wEht0WGbHG5if+uYzlvexG4
L2j6skb7M7vbSIV5//p4/OqY2AsRkbo3tv71c5tt+tZ2fsOqF9c86bB3E7vM
rNaUCeypDDJSSAd7FGMN1EJzGXSZYjc0ZEdlc6mFBZ+e/Nk2RVFdBIn1JMw+
BrUsXA5aSrbLtbiauNhyweX/0XipT+vWCro/V/BJ7dBE7hXonz7RNy6QSNvE
V9J581qH2ny5nfdSIw6FsFWyb8upzRTZNsgoRBnT6f6vHtpUKgdwWLdiX9yS
92Nl4lLLgzrqO7rsca5P2CMtiStebctQW4+gMVzFSLfuumcC+yYr7e0EAxab
55AWtVuTBOCNXm1BOzAX1ki4D7TGYMJ3MM4NcLhRS44wl2s5Iv2SsxXqdWeX
bp+a/gX+PYvDHiT9iwuT1zYXp733Ks04WeAlWLhtLFFCm8xR2n6p8zDeSTqK
b8ZMZ9E3AU5ST4Ubrerj3rHwNzSbmExs6zPpR4mXQdxsNBoOe3naDgK2bO1e
pzjAiP/fl+hvBntWNtizrK616VlwvtEuY7WeFr5Ier9lMXFvd/fZyPw2T8tV
WhUVmU0ojiBd+g/VPF3QJ/GonKbFwnyXQVXb2b9KiRkPTfAaobKTp+7kX6f1
zzvf291FURfVGjuD4gkserzLoohQsD9zQUFpCf5pT6JV2fxXA+6nNWAhmWoO
1B/yljCRV+ZlVrdVkY4I4Ma8Set5yi+2e0k7QFYh0Ub744iYZz43x3V7OUr+
kF9Brh+sry6r6zKn59KaGL/53Roe8RHJmHVhvqvW0tv736vL0rwl4VpmNGY1
TWiGCuls79ZXWMlZfg2ZlJYhWvfJMPHYpXtT0k9oK0ELl+lyRBtM9nhKiH9J
x+bHZXYLiA9IJSaj/V1+QRC0I/MWfcEOUVfRSrCNnyJIXwNgiXSr9r+0GQ0e
P8Ee4tnNPec+6Jeptr/sBI7zurPHfuyTrK3N//7PVfq//nt2RVDntDxpD5W2
rXlZozAheOnSwdEpwtOknDA2G1qCOUvRT/3W3XZ2+MrfJmvlXfjd7Y+E3tbd
t396Tv/Z4aLl/s//Vucz84fbkqStv/9A741ufYdXsb8kJbtauTuPDs9+6+79
P4YTNzRzowAA

-->

</rfc>
