<?xml version='1.0' encoding='utf-8'?>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc2629 version 1.2.13 -->
<!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">
<?rfc toc="yes"?>
<?rfc sortrefs="yes"?>
<?rfc symrefs="yes"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-pauly-add-resolver-discovery-01" category="std" obsoletes="" updates="" submissionType="IETF" xml:lang="en" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 2.39.0 -->
  <front>
    <title abbrev="ADNS Discovery">Adaptive DNS Resolver Discovery</title>
    <seriesInfo name="Internet-Draft" value="draft-pauly-add-resolver-discovery-01"/>
    <author initials="T." surname="Pauly" fullname="Tommy Pauly">
      <organization>Apple Inc.</organization>
      <address>
        <postal>
          <street>One Apple Park Way</street>
          <city>Cupertino, California 95014</city>
          <country>United States of America</country>
        </postal>
        <email>tpauly@apple.com</email>
      </address>
    </author>
    <author initials="E." surname="Kinnear" fullname="Eric Kinnear">
      <organization>Apple Inc.</organization>
      <address>
        <postal>
          <street>One Apple Park Way</street>
          <city>Cupertino, California 95014</city>
          <country>United States of America</country>
        </postal>
        <email>ekinnear@apple.com</email>
      </address>
    </author>
    <author initials="C.A." surname="Wood" fullname="Christopher A. Wood">
      <organization>Cloudflare</organization>
      <address>
        <postal>
          <street>101 Townsend St</street>
          <city>San Francisco</city>
          <country>United States of America</country>
        </postal>
        <email>caw@heapingbits.net</email>
      </address>
    </author>
    <author initials="P." surname="McManus" fullname="Patrick McManus">
      <organization>Fastly</organization>
      <address>
        <email>mcmanus@ducksong.com</email>
      </address>
    </author>
    <author initials="T." surname="Jensen" fullname="Tommy Jensen">
      <organization>Microsoft</organization>
      <address>
        <email>tojens@microsoft.com</email>
      </address>
    </author>
    <date year="2020" month="July" day="13"/>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <t>This document defines a method for dynamically discovering resolvers that support
encrypted transports, and introduces the concept of designating a resolver
to be used for a subset of client queries based on domain. This method is intended
to work both for locally-hosted resolvers and resolvers accessible over the broader
Internet.</t>
    </abstract>
  </front>
  <middle>
    <section anchor="introduction" numbered="true" toc="default">
      <name>Introduction</name>
      <t>When clients need to resolve names into addresses in order to establish networking connections,
they traditionally use by default the DNS resolver that is provisioned
by the local network along with their IP address <xref target="RFC2132" format="default"/> <xref target="RFC8106" format="default"/>. Alternatively, they
can use a resolver indicated by a tunneling service such as a VPN.</t>
      <t>However, privacy-sensitive clients might prefer to use an encrypted DNS service other
than the one locally provisioned in order to prevent interception,
profiling, or modification by entities other than the operator of the
name service for the name being resolved. Protocols that can improve the transport security
of a client when using DNS or creating TLS connections include DNS-over-TLS (DoT) <xref target="RFC7858" format="default"/>,
DNS-over-HTTPS (DoH) <xref target="RFC8484" format="default"/>, and Encrypted TLS Client Hellos <xref target="I-D.ietf-tls-esni" format="default"/>.</t>
      <t>This document defines a method for dynamically discovering resolvers that support
encrypted transports, and introduces the concept of designating a resolver
to be used for a subset of client queries based on domain. This method is intended
to work both for locally-hosted resolvers and resolvers accessible over the broader
Internet.</t>
      <section anchor="specification-of-requirements" numbered="true" toc="default">
        <name>Specification of Requirements</name>
        <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP 14
<xref target="RFC2119" format="default"/> <xref target="RFC8174" format="default"/> when, and only when,
they appear in all capitals, as shown here.</t>
      </section>
    </section>
    <section anchor="terminology" numbered="true" toc="default">
      <name>Terminology</name>
      <t>This document defines the following terms:</t>
      <dl newline="false" spacing="normal">
        <dt>Direct Resolver:</dt>
        <dd>
  A DNS resolver using any transport, encrypted or unencrypted, that is provisioned directly by a local router or a VPN.</dd>
        <dt>Designated Resolver:</dt>
        <dd>
  A DNS resolver that is designated as a responsible resolver for a given domain or zone. Designated resolvers use encrypted transports.</dd>
        <dt>Companion DoH Server:</dt>
        <dd>
  A DNS resolver that provides connectivity over HTTPS (DoH) that is designated as 
equivalent to querying a particular Direct Resolver.</dd>
      </dl>
    </section>
    <section anchor="designated-resolvers" numbered="true" toc="default">
      <name>Designated Resolvers</name>
      <t>An encrypted DNS resolver, such as a DoH or DoT server, can be designated for use in resolving names within one or more zones. This means that clients can learn about an explicit mapping from a given domain or zone to one or more Designated Resolvers, and use that mapping to select the best resolver for a given query.</t>
      <t>Designating a resolver MUST rely on agreement between the entity managing a zone (the Domain Owner) and the entity operating the resolver, such that clients can securely validate this designation. These entities can be one and the same, or a Domain Owner can choose to designate a third-party resolver to handle its traffic. Proof of this agreement asserts to clients that sending any query to the designated resolver exposes no more information than sending that query to the entity managing the corresponding zone.</t>
      <t>As an example with only one entity, a company that runs many sites within "enterprise.example.com" can provide its own DoH resolver, "doh.enterprise.example.com", and designate only that resolver for all names that fall within "enterprise.example.com". This means that no other resolver would be designated for those names, and clients would only resolve names with the same entity that would service TLS connections.</t>
      <t>As an example with several entities, the organization that operates sites within "example.org" may work with two different Content Delivery Networks (CDNs) to serve its sites. It might designate names under "example.com" to two different entities, "doh.cdn-a.net" and "doh.cdn-b.net". These are CDNs that have an existing relationship with the organization that runs "example.org", and have agreements with that organization about how data with information on names and users is handled.</t>
      <t>There are several methods that can be used to discover and validate a resolver designation:</t>
      <ul spacing="normal">
        <li>Discovery using SVCB DNS records (<xref target="svcb" format="default"/>), and validation using DNSSEC</li>
        <li>Discovery using information in a provisioning domain (PvD) file from the Designated DoH Resolver (<xref target="pvd" format="default"/>)</li>
        <li>Validation using a file hosted on a well-known HTTPS URI based on a zone apex (<xref target="confirm-zone-apex" format="default"/>)</li>
        <li>Validation using TLS certificates to confirm of domain name ownership (<xref target="confirm-cert-name" format="default"/>)</li>
      </ul>
      <t>Note that clients MUST NOT accept designations for effective top-level domains (eTLDs), such as ".com".</t>
      <section anchor="svcb" numbered="true" toc="default">
        <name>Designating with Service Binding DNS Records</name>
        <t>The primary source for discovering Designated DoH Server configurations is from properties stored in a
SVCB DNS resource record, or a SVCB-conformant resource record type, like HTTPS <xref target="I-D.ietf-dnsop-svcb-https" format="default"/>.
This record provides the URI Template of a DoH server that is designated for a specific domain.
A specific domain may have more than one such record.</t>
        <t>The rationale for using SVCB records for recolver discovery is discussed in <xref target="rationale" format="default"/>.</t>
        <t>In order to designate a DoH server for a domain, a SVCB record can
contain the "dohuri" (<xref target="iana" format="default"/>). The value stored in the parameter
is a URI, which is the DoH URI template <xref target="RFC8484" format="default"/>.</t>
        <t>The following example shows a record containing a DoH URI, as returned by a query for
the HTTPS variant of the SVCB record type on "foo.example.com".</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
   foo.example.com.  7200  IN HTTPS 1 . (
                           dohuri=https://doh.example.net/dns-query )
]]></artwork>
        <t>If this record is DNSSEC-signed <xref target="RFC4033" format="default"/>, clients can immediately create a mapping that indicates the server (doh.example.net) as a Designated Resolver for the name in the SVCB record (foo.example.com).</t>
        <t>Once a record that designated a DoH server has expired, the client SHOULD issue another SVCB/HTTPS query whenever issuing queries within the designated domain. This query SHOULD still be performed using the designated DoH server. If the response designates a different DoH server, the client should verify and use the new designation.</t>
        <t>If this record is not DNSSEC-signed, clients MUST perform other validation to determine that the zone designation is permitted, as described in <xref target="confirm-zone-apex" format="default"/>.</t>
      </section>
      <section anchor="pvd" numbered="true" toc="default">
        <name>Additional Designation with PvD JSON</name>
        <t>A provisioning domain (PvD) defines a coherent set of information that can be used to access a network and resolve names. Section 4.3 of <xref target="I-D.ietf-intarea-provisioning-domains" format="default"/> defines a JSON dictionary format that can be fetched over HTTPS at the well-known URI "/.well-known/pvd".</t>
        <t>Designated Resolvers that support DoH SHOULD provide a PvD JSON dictionary available at the well-known PvD URI with the path of the DoH server's URI template appended.</t>
        <t>For example, the PvD JSON for the DoH server "https://doh.example.net/dns-query" would be available at "https://doh.example.net/.well-known/pvd/dns-query".</t>
        <t>The key "dohTemplate" is defined within the JSON dictionary (<xref target="iana" format="default"/>) to point back to the DoH URI Template itself. This is used for confirming the DoH server when the PvD is discovered locally or during zone apex confirmation (<xref target="confirm-zone-apex" format="default"/>).</t>
        <t>Names that are listed in the "dnsZones" key in the JSON dictionary indicate a set of zones that designate the resolver. These are the zones that are available to resolve through the associated DoH server. Note that this list does not need to be exhaustive, but is the set of common zones managed by the resolver that all clients should be aware of. Before using  DNS results for these names, clients MUST validate the designation either with a DNSSEC-signed SVCB record (<xref target="svcb" format="default"/>), or the confirmation methods described in <xref target="confirm-zone-apex" format="default"/> and <xref target="confirm-cert-name" format="default"/>. DNS queries for validating records SHOULD be sent to the DoH resolver. In order to optimize the validation of these domains, servers MAY use HTTP Server Push to deliver the signed SVCB answers prior to requests being made.</t>
        <t>The "expires" key indicates a time after which the content of the PvD file is no longer valid. Clients SHOULD re-fetch PvD information if the expiration time has passed before using any designations that were based on the PvD content.</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
   {
         "identifier": "doh.example.net.",
         "dohTemplate": "https://doh.example.net/dns-query",
         "dnsZones": ["example.com"],
         "expires": "2020-08-23T06:00:00Z"
   }
]]></artwork>
      </section>
      <section anchor="confirm-zone-apex" numbered="true" toc="default">
        <name>Confirmation of Designation with Zone Apex PvD</name>
        <t>Designated DoH Resolvers that provide the PvD JSON described in <xref target="pvd" format="default"/> can also provide information to validate of zone's designation without DNSSEC.
In order to confirm the designation, the client requests a well-known HTTPS URI based on a zone apex name, and checks a PvD file to ensure that
it matches the DoH resolver. This ensures that a DoH resolver cannot claim a designation for a given zone without cooperation from the entity that owns
the certificate for the apex of that zone.</t>
        <t>In order to enumerate the zone apex names that confirm designation in this manner, the DoH resolver's PvD JSON dictionary can contain
an array of strings, with the key "trustedNames". Clients can validate the resolver designation by checking a resource hosted by a
name indicated in "trustedNames". The client first issues an HTTP GET request by appending "/.well-known/pvd" to the trusted name,
using the "https" scheme. In order to validate the designation, the PvD JSON MUST contain a "dohTemplate" key pointing to the correct DoH
resolver. The client's query for the IP addresses of the trusted name MAY use the DoH resolver prior to fully validating the designation,
since the validation uses HTTPS to authenticate the designation.</t>
        <t>Note that the names listed in "trustedNames" are only useful for confirming a designation that was indicated either by a non-DNSSEC-signed
SVCB designation (<xref target="svcb" format="default"/>), or an additional designation provided by the DoH resolver's PvD (<xref target="pvd" format="default"/>). A trusted name MUST be an exact match of
a designating name, or else a parent of a designating name.</t>
        <t>If a name has more specific sub-domains that should not be allowed to designate a given DoH resolver, this method of confirmation MUST NOT be used.</t>
        <t>As an example of this process, the JSON dictionary for the DoH server "https://doh.example.net/dns-query", which is retrieved from "https://doh.example.net/.well-known/pvd/dns-query", could contain the following contents:</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
   {
     "identifier": "doh.example.net.",
     "dohTemplate": "https://doh.example.net/dns-query",
     "dnsZones": ["example.com"],
     "trustedNames": ["example.com"],
     "expires": "2020-08-23T06:00:00Z"
   }
]]></artwork>
        <t>This indicates that "example.com" should be treated as a designated domain, and that it can be validated by checking with the "example.com" server rather than using DNSSEC.</t>
        <t>In this example, the well-known URI used for validation is "https://example.com/.well-known/pvd". In order to trust the designation, this request must return valid JSON with the "dohTemplate" key matching the original DoH resolver. For example, this dictionary could contain the following contents:</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
   {
     "identifier": "example.com.",
     "dohTemplate": "https://doh.example.net/dns-query",
     "expires": "2020-08-23T06:00:00Z"
   }
]]></artwork>
        <t>A client MUST NOT trust a designation if the JSON content is not present, does not contain a "dohTemplate" key, or the value in the "dohTemplate" key does not match. The following result would not be acceptable for the example above:</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
   {
     "identifier": "example.com.",
     "dohTemplate": "https://not-the-doh-youre-looking-for.example.net/dns-query"
     "expires": "2020-08-23T06:00:00Z"
   }
]]></artwork>
        <t>Note that the domains listed in "trustedNames" may be broader than the zones that designate the resolver. In the following example, names under "foo.example.com" and "bar.example.com" designate the DoH server "https://doh.example.net/dns-query", and use the PvD JSON from "example.com" to validate the designation. However, the client would not designate the DoH server for all names under "example.com".</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
   {
     "identifier": "doh.example.net.",
     "dohTemplate": "https://doh.example.net/dns-query",
     "dnsZones": ["foo.example.com", "bar.example.com"],
     "trustedNames": ["example.com"],
     "expires": "2020-08-23T06:00:00Z"
   }
]]></artwork>
      </section>
      <section anchor="confirm-cert-name" numbered="true" toc="default">
        <name>Confirmation of Designation with TLS Certificates</name>
        <t>A DoH server designation can also be validated by checking the SubjectAlternativeName field in the DoH
server's own TLS certificate. When a client wants to confirm the validity of the 
designation in this situation, it can check the TLS certificate of the DoH server for the name of the domain 
which triggered the original designation query.</t>
        <t>The following example shows an HTTPS variant of the SVCB record type for "foo.example.com". If this record was
received without DNSSEC, the client can confirm its validity by establishing a connection to "doh.example.net" 
and verifying the TLS certificate contains an exact match for the "foo.example.com" name. If the queried domain 
is not present in the TLS certificate of the designated DoH server, the client may confirm the validity by an 
alternate method such as zone apex confirmation (<xref target="confirm-zone-apex" format="default"/>) but MUST NOT use the record until otherwise validated.</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
   foo.example.com.  7200  IN HTTPS 1 . (
                           dohuri=https://doh.example.net/dns-query )
]]></artwork>
      </section>
    </section>
    <section anchor="local-discovery" numbered="true" toc="default">
      <name>Explicit Discovery of Local Resolvers</name>
      <t>If the local network provides configuration with an Explicit Provisioning Domain (PvD), as
defined by <xref target="I-D.ietf-intarea-provisioning-domains" format="default"/>, clients can learn about domains
for which the local network's resolver is authoritative. The keys for DoH resolvers described in <xref target="pvd" format="default"/> also allow this local PvD to be used for resolver discovery.</t>
      <t>If an RA provided by the router on the network defines an Explicit PvD that has additional
information, and this additional information JSON dictionary contains the key "dohTemplate",
then the client SHOULD add this DoH server to its list of known DoH configurations. The
domains that the DoH server claims authority for are listed in the "dnsZones" key.</t>
      <t>Local deployments that want to designate a resolver for a private name that is not easily
signed with DNSSEC MUST provide an alternate method of validating a designation, such as described
in <xref target="confirm-zone-apex" format="default"/> or <xref target="confirm-cert-name" format="default"/>.</t>
    </section>
    <section anchor="direct" numbered="true" toc="default">
      <name>Discovery of DoH Capabilities for Direct Resolvers</name>
      <t>Direct Resolvers can advertise a Companion DoH server that offers equivalent services and is controlled 
by the same entity. To do this, a DNS server returns an SVCB record for "dns://resolver.arpa"
with "ipv4hint" and/or "ipv6hint" set to a valid IP address and the "dohuri" key set to a valid DoH URI 
template as with the Designated DoH Server SVCB record. The TLS certificate used with the
DoH URI MUST have the IP addresses for each of its DNS endpoints, classic or DoH, within the 
SubjectAlternativeName field to allow the client to verify ownership.</t>
      <t>Once a client is configured to query a Direct Resolver, it SHOULD query the resolver for SVCB records 
for "dns://resolver.arpa" before making other queries. This will help the client avoid leaking queries that 
could go over DoH once the Companion DoH Server is discovered. If an SVCB record is returned, its "dohip" field 
designates an IP address the client can send DoH queries to in lieu of sending classic DNS queries to the Direct 
Resolver. The "dohuri" field contains the DoH URI similarly to the SVCB record for a Designated 
DoH Server.</t>
      <t>To validate the Companion DoH Server and the resolver that advertised it are related, the client MUST 
check the SubjectAlternativeName field of the Companion DoH Server's TLS certificate for the original 
resolver's IP address and the advertised IP address for the Companion DoH server. If both are present, the
discovered Companion DoH Server MUST be used whenever the original Direct Resolver would be used. Otherwise, 
the client SHOULD suppress queries for Companion DoH Servers against this resolver for the TTL of the negative 
or invalid response and continue to use the original Direct Resolver.</t>
      <t>The following example shows a record containing a Companion DoH URI, as returned by a query for an SVCB record 
for "dns://resolver.arpa":</t>
      <artwork name="" type="" align="left" alt=""><![CDATA[
   _dns.resolver.arpa  7200  IN SVCB 1 doh.example.net (
                        ipv4hint=x.y.z.w
                        dohuri=https://doh.example.net/dns-query )
]]></artwork>
      <t>A DNS resolver MAY return more than one SVCB record of this form to advertise multiple Companion 
DoH Servers that are valid as a replacement for itself. Any or all of these servers may have the same IP 
address as the DNS resolver itself. In this case, clients will only have one IP address to check for when 
verifying ownership of the Companion DoH server.</t>
    </section>
    <section anchor="server-deployment-considerations" numbered="true" toc="default">
      <name>Server Deployment Considerations</name>
      <t>When servers designate DoH servers for their names, the specific deployment
model can impact the effective privacy and performance characteristics.</t>
      <section anchor="single-content-provider" numbered="true" toc="default">
        <name>Single Content Provider</name>
        <t>If a name always resolves to server IP addresses that are hosted by a single
content provider, the name ought to designate a single DoH server. This
DoH server will be most optimal when it is designated by many or all names
that are hosted by the same content provider. This ensures that clients
can increase connection reuse to reduce latency in connection setup.</t>
        <t>A DoH server that corresponds to the content provider that hosts content has an
opportunity to tune the responses provided to a client based on the location
inferred by the client IP address.</t>
      </section>
      <section anchor="multiple-content-providers" numbered="true" toc="default">
        <name>Multiple Content Providers</name>
        <t>Some hostnames may resolve to server IP addresses that are hosted by multiple
content providers. In such scenarios, the deployment may want to be able to
control the percentage of traffic that flows to each content provider.</t>
        <t>In these scenarios, there can either be:</t>
        <ul spacing="normal">
          <li>multiple designated DoH servers that are advertised via SVCB DNS Records; or,</li>
          <li>a single designated DoH server that can be referenced by one or more SVCB DNS Records,
operated by a party that is aware of both content providers and can manage
splitting the traffic.</li>
        </ul>
        <t>If a server deployment wants to easily control the split of traffic between different
content providers, it ought to use the latter model of using a single designated DoH server
that can better control which IP addresses are provided to clients. Otherwise, if a
client is aware of multiple DoH servers, it might use a single resolver exclusively,
which may lead to inconsistent behavior between clients that choose different resolvers.</t>
      </section>
      <section anchor="avoid-narrow-deployments" numbered="true" toc="default">
        <name>Avoid Narrow Deployments</name>
        <t>Using designated DoH servers can improve the privacy of name resolution whenever
a DoH server is designated by many different names within one or more domains.
This limits the amount of information leaked to an attacker observing traffic between a
client and a DoH server: the attacker only learns that the client might be resolving
one of the many names for which the server is designated.</t>
        <t>However, if a deployment designates a given DoH server for only one name, or a
very small set of names, then it becomes easier for an attacker to infer that a specific
name is being accessed by a client. For this reason, deployments are encouraged
to avoid deploying a DoH server that is only designated by a small number of names.
Clients can also choose to only allow DoH servers that are associated with
many names.</t>
        <t>Beyond the benefits to privacy, having a larger number of names designate
a given DoH server improves the opportunity for DoH connection reuse, which
can improve the performance of name resolutions.</t>
      </section>
    </section>
    <section anchor="security-considerations" numbered="true" toc="default">
      <name>Security Considerations</name>
      <t>In order to avoid interception and modification of the information sent between clients
and Designated Resolvers, all exchanges between clients and servers are performed over encrypted
connections, e.g., TLS.</t>
      <t>Malicious adversaries may block client connections to a Designated Resolver as a
Denial-of-Service (DoS) measure. Clients which cannot connect these resolvers may be forced
to, if local policy allows, fall back to unencrypted DNS if this occurs.</t>
    </section>
    <section anchor="privacy-considerations" numbered="true" toc="default">
      <name>Privacy Considerations</name>
      <t>Clients must be careful in determining to which DoH servers they send queries
directly. A malicious resolver that can direct queries to itself
can track or profile client activity. In order to avoid the possibility of a spoofed SVCB
record designating a malicious DoH server for a name, clients MUST ensure that
such records validate using DNSSEC (<xref target="svcb" format="default"/>), using zone apex confirmation (<xref target="confirm-zone-apex" format="default"/>),
or using domain names in TLS certificates (<xref target="confirm-cert-name" format="default"/>).</t>
      <t>Even servers that are validly designated can risk leaking or logging information
about client lookups. Such risk can be mitigated by further restricting the list of
resolvers that are allowed for direct use based on client policy.</t>
      <t>An adversary able to see traffic on each path segment of a DoH query (e.g., from client to
a Designated Resolver, and the Designated Resolver to an authoritative DNS server) can link queries to specific
clients with high probability. Failure to observe traffic on any one of these path segments
makes this linkability increasingly difficult. For example, if an adversary can only
observe traffic between a client and proxy and egress traffic from a target, then it may
be difficult identify a specific client's query among the recursive queries generated by the target.</t>
    </section>
    <section anchor="iana" numbered="true" toc="default">
      <name>IANA Considerations</name>
      <section anchor="doh-template-pvd-key" numbered="true" toc="default">
        <name>DoH Template PvD Key</name>
        <t>This document adds a key to the "Additional Information PvD Keys" registry <xref target="I-D.ietf-intarea-provisioning-domains" format="default"/>.</t>
        <table align="center">
          <thead>
            <tr>
              <th align="left">JSON key</th>
              <th align="left">Description</th>
              <th align="left">Type</th>
              <th align="left">Example</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">dohTemplate</td>
              <td align="left">DoH URI Template <xref target="RFC8484" format="default"/></td>
              <td align="left">String</td>
              <td align="left">"https://dnsserver.example.net/dns-query{?dns}"</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="trusted-names-pvd-key" numbered="true" toc="default">
        <name>Trusted Names PvD Key</name>
        <t>This document adds a key to the "Additional Information PvD Keys" registry <xref target="I-D.ietf-intarea-provisioning-domains" format="default"/>.</t>
        <table align="center">
          <thead>
            <tr>
              <th align="left">JSON key</th>
              <th align="left">Description</th>
              <th align="left">Type</th>
              <th align="left">Example</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">trustedNames</td>
              <td align="left">Names of servers that can validate resolver designation.</td>
              <td align="left">Array of Strings</td>
              <td align="left">[ "example.com" ]</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="doh-uri-template-dns-service-parameter" numbered="true" toc="default">
        <name>DoH URI Template DNS Service Parameter</name>
        <t>This document adds a parameter to the "Service Binding (SVCB) Parameter" registry.
The allocation request is 32768, taken from the to the First Come First Served range.</t>
        <t>If present, this parameters indicates the URI template of a DoH server that is designated
for use with the name being resolved. This is a string encoded as UTF-8 characters.</t>
        <dl newline="false" spacing="normal">
          <dt>Name:</dt>
          <dd>
  dohuri</dd>
          <dt>SvcParamKey:</dt>
          <dd>
  32768</dd>
          <dt>Meaning:</dt>
          <dd>
  URI template for a designated DoH server</dd>
          <dt>Reference:</dt>
          <dd>
  This document.</dd>
        </dl>
      </section>
      <section anchor="special-use-domain-name-resolverarpa" numbered="true" toc="default">
        <name>Special Use Domain Name "resolver.arpa"</name>
        <t>This document calls for the creation of the "resolver.arpa" SUDN. This will allow resolvers to respond to 
queries directed at themselves rather than a specific domain name. While this document uses "resolver.arpa"
to return SVCB records indicating DoH capability, the name is generic enough to allow future reuse for
other purposes where the resolver wishes to provide information about itself to the client.</t>
      </section>
    </section>
    <section anchor="acknowledgments" numbered="true" toc="default">
      <name>Acknowledgments</name>
      <t>Thanks to Erik Nygren, Lorenzo Colitti, Mikael Abrahamsson,
Ben Schwartz, Ask Hansen, Leif Hedstrom, Tim McCoy, Stuart Cheshire, Miguel Vega,
Joey Deng, Ted Lemon, and Elliot Briggs for their feedback and input on this document.</t>
    </section>
  </middle>
  <back>
    <references>
      <name>References</name>
      <references>
        <name>Normative References</name>
        <reference anchor="RFC7858" target="https://www.rfc-editor.org/info/rfc7858">
          <front>
            <title>Specification for DNS over Transport Layer Security (TLS)</title>
            <seriesInfo name="DOI" value="10.17487/RFC7858"/>
            <seriesInfo name="RFC" value="7858"/>
            <author initials="Z." surname="Hu" fullname="Z. Hu">
              <organization/>
            </author>
            <author initials="L." surname="Zhu" fullname="L. Zhu">
              <organization/>
            </author>
            <author initials="J." surname="Heidemann" fullname="J. Heidemann">
              <organization/>
            </author>
            <author initials="A." surname="Mankin" fullname="A. Mankin">
              <organization/>
            </author>
            <author initials="D." surname="Wessels" fullname="D. Wessels">
              <organization/>
            </author>
            <author initials="P." surname="Hoffman" fullname="P. Hoffman">
              <organization/>
            </author>
            <date year="2016" month="May"/>
            <abstract>
              <t>This document describes the use of Transport Layer Security (TLS) to provide privacy for DNS.  Encryption provided by TLS eliminates opportunities for eavesdropping and on-path tampering with DNS queries in the network, such as discussed in RFC 7626.  In addition, this document specifies two usage profiles for DNS over TLS and provides advice on performance considerations to minimize overhead from using TCP and TLS with DNS.</t>
              <t>This document focuses on securing stub-to-recursive traffic, as per the charter of the DPRIVE Working Group.  It does not prevent future applications of the protocol to recursive-to-authoritative traffic.</t>
            </abstract>
          </front>
        </reference>
        <reference anchor="RFC8484" target="https://www.rfc-editor.org/info/rfc8484">
          <front>
            <title>DNS Queries over HTTPS (DoH)</title>
            <seriesInfo name="DOI" value="10.17487/RFC8484"/>
            <seriesInfo name="RFC" value="8484"/>
            <author initials="P." surname="Hoffman" fullname="P. Hoffman">
              <organization/>
            </author>
            <author initials="P." surname="McManus" fullname="P. McManus">
              <organization/>
            </author>
            <date year="2018" month="October"/>
            <abstract>
              <t>This document defines a protocol for sending DNS queries and getting DNS responses over HTTPS.  Each DNS query-response pair is mapped into an HTTP exchange.</t>
            </abstract>
          </front>
        </reference>
        <reference anchor="I-D.ietf-tls-esni" target="http://www.ietf.org/internet-drafts/draft-ietf-tls-esni-07.txt">
          <front>
            <title>TLS Encrypted Client Hello</title>
            <seriesInfo name="Internet-Draft" value="draft-ietf-tls-esni-07"/>
            <author initials="E" surname="Rescorla" fullname="Eric Rescorla">
              <organization/>
            </author>
            <author initials="K" surname="Oku" fullname="Kazuho Oku">
              <organization/>
            </author>
            <author initials="N" surname="Sullivan" fullname="Nick Sullivan">
              <organization/>
            </author>
            <author initials="C" surname="Wood" fullname="Christopher Wood">
              <organization/>
            </author>
            <date month="June" day="1" year="2020"/>
            <abstract>
              <t>This document describes a mechanism in Transport Layer Security (TLS) for encrypting a ClientHello message under a server public key.</t>
            </abstract>
          </front>
        </reference>
        <reference anchor="I-D.ietf-dnsop-svcb-https" target="http://www.ietf.org/internet-drafts/draft-ietf-dnsop-svcb-https-00.txt">
          <front>
            <title>Service binding and parameter specification via the DNS (DNS SVCB and HTTPS RRs)</title>
            <seriesInfo name="Internet-Draft" value="draft-ietf-dnsop-svcb-https-00"/>
            <author initials="B" surname="Schwartz" fullname="Benjamin Schwartz">
              <organization/>
            </author>
            <author initials="M" surname="Bishop" fullname="Mike Bishop">
              <organization/>
            </author>
            <author initials="E" surname="Nygren" fullname="Erik Nygren">
              <organization/>
            </author>
            <date month="June" day="12" year="2020"/>
            <abstract>
              <t>This document specifies the "SVCB" and "HTTPS" DNS resource record (RR) types to facilitate the lookup of information needed to make connections for origin resources, such as for HTTPS URLs.  SVCB records allow an origin to be served from multiple network locations, each with associated parameters (such as transport protocol configuration and keys for encrypting the TLS ClientHello).  They also enable aliasing of apex domains, which is not possible with CNAME.  The HTTPS RR is a variation of SVCB for HTTPS and HTTP origins.  By providing more information to the client before it attempts to establish a connection, these records offer potential benefits to both performance and privacy.  TO BE REMOVED: This proposal is inspired by and based on recent DNS usage proposals such as ALTSVC, ANAME, and ESNIKEYS (as well as long standing desires to have SRV or a functional equivalent implemented for HTTP).  These proposals each provide an important function but are potentially incompatible with each other, such as when an origin is load-balanced across multiple hosting providers (multi-CDN). Furthermore, these each add potential cases for adding additional record lookups in addition to AAAA/A lookups.  This design attempts to provide a unified framework that encompasses the key functionality of these proposals, as well as providing some extensibility for addressing similar future challenges.  TO BE REMOVED: This document is being collaborated on in Github at: https://github.com/MikeBishop/dns-alt-svc [1].  The most recent working version of the document, open issues, etc. should all be available there.  The authors (gratefully) accept pull requests.</t>
            </abstract>
          </front>
        </reference>
        <reference anchor="RFC4033" target="https://www.rfc-editor.org/info/rfc4033">
          <front>
            <title>DNS Security Introduction and Requirements</title>
            <seriesInfo name="DOI" value="10.17487/RFC4033"/>
            <seriesInfo name="RFC" value="4033"/>
            <author initials="R." surname="Arends" fullname="R. Arends">
              <organization/>
            </author>
            <author initials="R." surname="Austein" fullname="R. Austein">
              <organization/>
            </author>
            <author initials="M." surname="Larson" fullname="M. Larson">
              <organization/>
            </author>
            <author initials="D." surname="Massey" fullname="D. Massey">
              <organization/>
            </author>
            <author initials="S." surname="Rose" fullname="S. Rose">
              <organization/>
            </author>
            <date year="2005" month="March"/>
            <abstract>
              <t>The Domain Name System Security Extensions (DNSSEC) add data origin authentication and data integrity to the Domain Name System.  This document introduces these extensions and describes their capabilities and limitations.  This document also discusses the services that the DNS security extensions do and do not provide.  Last, this document describes the interrelationships between the documents that collectively describe DNSSEC.  [STANDARDS-TRACK]</t>
            </abstract>
          </front>
        </reference>
        <reference anchor="I-D.ietf-intarea-provisioning-domains" target="http://www.ietf.org/internet-drafts/draft-ietf-intarea-provisioning-domains-11.txt">
          <front>
            <title>Discovering Provisioning Domain Names and Data</title>
            <seriesInfo name="Internet-Draft" value="draft-ietf-intarea-provisioning-domains-11"/>
            <author initials="P" surname="Pfister" fullname="Pierre Pfister">
              <organization/>
            </author>
            <author initials="E" surname="Vyncke" fullname="Eric Vyncke">
              <organization/>
            </author>
            <author initials="T" surname="Pauly" fullname="Tommy Pauly">
              <organization/>
            </author>
            <author initials="D" surname="Schinazi" fullname="David Schinazi">
              <organization/>
            </author>
            <author initials="W" surname="Shao" fullname="Wenqin Shao">
              <organization/>
            </author>
            <date month="January" day="31" year="2020"/>
            <abstract>
              <t>Provisioning Domains (PvDs) are defined as consistent sets of network configuration information.  This allows hosts to manage connections to multiple networks and interfaces simultaneously, such as when a home router provides connectivity through both a broadband and cellular network provider.  This document defines a mechanism for explicitly identifying PvDs through a Router Advertisement (RA) option.  This RA option announces a PvD identifier, which hosts can compare to differentiate between PvDs.  The option can directly carry some information about a PvD and can optionally point to additional PvD information that can be retrieved using HTTP over TLS.</t>
            </abstract>
          </front>
        </reference>
      </references>
      <references>
        <name>Informative References</name>
        <reference anchor="RFC2132" target="https://www.rfc-editor.org/info/rfc2132">
          <front>
            <title>DHCP Options and BOOTP Vendor Extensions</title>
            <seriesInfo name="DOI" value="10.17487/RFC2132"/>
            <seriesInfo name="RFC" value="2132"/>
            <author initials="S." surname="Alexander" fullname="S. Alexander">
              <organization/>
            </author>
            <author initials="R." surname="Droms" fullname="R. Droms">
              <organization/>
            </author>
            <date year="1997" month="March"/>
            <abstract>
              <t>This document specifies the current set of DHCP options.  Future options will be specified in separate RFCs.  The current list of valid options is also available in ftp://ftp.isi.edu/in-notes/iana/assignments. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
        </reference>
        <reference anchor="RFC8106" target="https://www.rfc-editor.org/info/rfc8106">
          <front>
            <title>IPv6 Router Advertisement Options for DNS Configuration</title>
            <seriesInfo name="DOI" value="10.17487/RFC8106"/>
            <seriesInfo name="RFC" value="8106"/>
            <author initials="J." surname="Jeong" fullname="J. Jeong">
              <organization/>
            </author>
            <author initials="S." surname="Park" fullname="S. Park">
              <organization/>
            </author>
            <author initials="L." surname="Beloeil" fullname="L. Beloeil">
              <organization/>
            </author>
            <author initials="S." surname="Madanapalli" fullname="S. Madanapalli">
              <organization/>
            </author>
            <date year="2017" month="March"/>
            <abstract>
              <t>This document specifies IPv6 Router Advertisement (RA) options (called "DNS RA options") to allow IPv6 routers to advertise a list of DNS Recursive Server Addresses and a DNS Search List to IPv6 hosts.</t>
              <t>This document, which obsoletes RFC 6106, defines a higher default value of the lifetime of the DNS RA options to reduce the likelihood of expiry of the options on links with a relatively high rate of packet loss.</t>
            </abstract>
          </front>
        </reference>
        <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <seriesInfo name="DOI" value="10.17487/RFC2119"/>
            <seriesInfo name="RFC" value="2119"/>
            <seriesInfo name="BCP" value="14"/>
            <author initials="S." surname="Bradner" fullname="S. Bradner">
              <organization/>
            </author>
            <date year="1997" month="March"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification.  These words are often capitalized. This document defines these words as they should be interpreted in IETF documents.  This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
        </reference>
        <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <seriesInfo name="DOI" value="10.17487/RFC8174"/>
            <seriesInfo name="RFC" value="8174"/>
            <seriesInfo name="BCP" value="14"/>
            <author initials="B." surname="Leiba" fullname="B. Leiba">
              <organization/>
            </author>
            <date year="2017" month="May"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol  specifications.  This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the  defined special meanings.</t>
            </abstract>
          </front>
        </reference>
        <reference anchor="I-D.schinazi-httpbis-doh-preference-hints" target="http://www.ietf.org/internet-drafts/draft-schinazi-httpbis-doh-preference-hints-01.txt">
          <front>
            <title>DoH Preference Hints for HTTP</title>
            <seriesInfo name="Internet-Draft" value="draft-schinazi-httpbis-doh-preference-hints-01"/>
            <author initials="D" surname="Schinazi" fullname="David Schinazi">
              <organization/>
            </author>
            <author initials="N" surname="Sullivan" fullname="Nick Sullivan">
              <organization/>
            </author>
            <author initials="J" surname="Kipp" fullname="Jesse Kipp">
              <organization/>
            </author>
            <date month="January" day="8" year="2020"/>
            <abstract>
              <t>When using a publicly available DNS-over-HTTPS (DoH) server, some clients may suffer poor performance when the authoritative DNS server is located far from the DoH server.  For example, a publicly available DoH server provided by a Content Delivery Network (CDN) should be able to resolve names hosted by that CDN with good performance but might take longer to resolve names provided by other CDNs, or might provide suboptimal results if that CDN is using DNS- based load balancing and returns different address records depending or where the DNS query originated from.  This document attempts to lessen these issues by allowing the web server to indicate to the client which DoH server can best resolve its addresses.  This document defines an HTTP header field that enables web host operators to inform user agents of the preferred DoH servers to use for subsequent DNS lookups for the host's domain.</t>
            </abstract>
          </front>
        </reference>
        <reference anchor="RFC5507" target="https://www.rfc-editor.org/info/rfc5507">
          <front>
            <title>Design Choices When Expanding the DNS</title>
            <seriesInfo name="DOI" value="10.17487/RFC5507"/>
            <seriesInfo name="RFC" value="5507"/>
            <author>
              <organization>IAB</organization>
            </author>
            <author initials="P." surname="Faltstrom" fullname="P. Faltstrom" role="editor">
              <organization/>
            </author>
            <author initials="R." surname="Austein" fullname="R. Austein" role="editor">
              <organization/>
            </author>
            <author initials="P." surname="Koch" fullname="P. Koch" role="editor">
              <organization/>
            </author>
            <date year="2009" month="April"/>
            <abstract>
              <t>This note discusses how to extend the DNS with new data for a new application.  DNS extension discussions too often focus on reuse of the TXT Resource Record Type.  This document lists different mechanisms to extend the DNS, and concludes that the use of a new DNS Resource Record Type is the best solution.  This memo provides information  for the Internet community.</t>
            </abstract>
          </front>
        </reference>
      </references>
    </references>
    <section anchor="rationale" numbered="true" toc="default">
      <name>Rationale for using SVCB records</name>
      <t>This mechanism uses SVCB/HTTPS resource records <xref target="I-D.ietf-dnsop-svcb-https" format="default"/> to communicate that a given
domain designates a particular DoH resolver for clients to use for subsequent queries to within the domain.</t>
      <t>There are various other proposals for how to provide similar functionality. There are several reasons that this
mechanism has chosen SVCB records:</t>
      <ul spacing="normal">
        <li>Discovering encrypted resolver using DNS records keeps client logic for DNS self-contained, and allows an operator
of a DNS zone to define exactly which names should use a given DoH server.</li>
        <li>Using DNS records also doesn't rely on bootstrapping with higher-level application operations
(such as <xref target="I-D.schinazi-httpbis-doh-preference-hints" format="default"/>).</li>
        <li>SVCB records are extensible and allow definition of parameter keys. This makes them a superior mechanism
for extensibility, as compared to approaches such as overloading TXT records. The same keys can be used both
for upgrading direct resolvers to DoH through an explicit query (<xref target="direct" format="default"/>) and for discovering designated resolvers
when issuing standard HTTPS queries (<xref target="svcb" format="default"/>).</li>
        <li>Clients and servers that are interested in privacy of names will already need to support SVCB records in order
to use Encrypted TLS Client Hello <xref target="I-D.ietf-tls-esni" format="default"/>. Without encrypting names in TLS, the value of encrypting
DNS is reduced, so pairing the solutions provides the largest benefit.</li>
        <li>Clients that support SVCB will generally send out three queries when accessing web content on a dual-stack
network: A, AAAA, and HTTPS queries. Discovering a resolver designation for a zone as part of one of these queries,
without having to add yet another query, minimizes the total number of queries clients send. While <xref target="RFC5507" format="default"/>
recommends adding new RRTypes for new functionality, SVCB provides an extension mechanism that simplifies
client behavior.</li>
      </ul>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAPfBDF8AA+1dW3Mbx5V+n1/RgR4sVQEwJd8UbqVimpRXciRKK1L2JqlU
qjHTADoczCDTM6Rhmvnte259G4CS5c1eHuLKBQRmuk+f63dOn27PZrOit31t
jtXkpNLb3l4bdXZ+od4a19bXplNn1pUtfNhNCr1YdOb6WJ3gA+H7omrLRm9g
hKrTy3621UO9m+mqmnUyxqzyz86OHheV7s1xUcL/rtpud6xcXxWF3XbHqu8G
1z85Ovrt0ZPiyuxu2q46Vi+a3nSN6WdnOHpRuF431V913TYw4864YmuP1Z/7
tpwq13Z9Z5YOPu02+OEvRaGHft12x4VSM/ivUrZxx+pyrt4glfQN037Zbja7
5Nu2W8FCt9vaAAXlnL5zMLrpj9XrxshPb3R3pX7Q/Eppe1jO6bA1XW+bdqpO
dW2XbddYrX77xdHjz/mpdmh6XPe7xvamUhc9cMKpdqlONqazpaanzEbbGjhC
zPxa42Tzst3ky3g2V3+wTWN0lyzkGYyRff3/YyXmikm6by2nc3UyVz+0bZWs
5XTdWde32zXoYforLem0bodqWevOZEt6fPQYhHnTONMgScl6LnSjvu10U6I2
fvwKSn3z9drorW1WC9u7OehkvoQ3c/WqfKWbwSVLeKN7GOgq+4XI/1a7XnRN
JtiUG3zk62oor1zbrPaZBHr7ncGV7Slu8jWN/sqWXevaZZ9pU/s3eOzrjf+N
Jihms5nSC2CfLsG8LtfWKbDoYWOaXlVmaRvgiFYbA3ZUKVACVe1gZmBOXe+U
t2xgivLm7lS/1r1yw3YLBlmYpux2W2QvTNE4/A4sFIwY1tR3LazW4BsGpNGU
Ztsj+yvj7KrRPQ6rw8BF36qFUYMzTIiGORbO0BtlbZHgvw9AC4y30PhQ28BS
YO3NXNG6ZBHwCaYG/TAVDgl+5kot2n5Ng9YtrWy2bh3SHBeFFCd/lUC2swsw
HVw/LWDRtboCMr3LmjNzN7aqalMUD9CX0YJ72zZF8cPaNEK3U41BBrV+BhIu
kdkqcKXwraM/QboVztYqA45wUVu3hld7XALyCljYGBreTQsgaYc8ryx+QeIC
1qnFDsUKfqUnotGX+2Wx4IA92669tg7eAg7B8/gc8cXPpdD/rtSNBabBj7ZT
L954OtXt7e/ffnv65PFnT+7u5I+nj4++vLsDE6+RMxqjTL2b4qs7iAQN0RXl
DOusLAaIConVqh9gVTWuz5nu2pYG5F6ulUa9/P7NObD5eXtj4MUpEG6vdbmb
gTE4S8HMM3hjV+sefjdL5h9N2aioncgIPz4oA6rbGh7AtQMfvF6krMnkASNf
owaiZnWox/DItICnlxZJn8KTatNWdokrg99wafA8EIkeB+dTcT5wvLqHF0Cx
4e8ClSHQhkqKD9GXC5NYXgVhrWshFLa12CDy1m6QZEPvBAuE0cqhA7dYwBTa
W88NauTgcEjkBkxUdoat8PLlRapdsMyyHipSnxkawAwfeHjWXj4Ckf8GRP7V
0y+e3t1Ni/DA88vLN/TIc//I08+ffg6PkGU9C3LAgU6ZnuemrltUqN+8mJ3N
remXs752M+MaC9r0L2f1T3ZWDx6oi60po4oCqW/N3wfbGWSwQ4YbBcgMqaic
mrx6d3E5mfL/q/PX9Pnts/949+LtszP8fPH85OXL8IGfKOCP1+9eyu/4Kb55
+vrVq2fnZ/wyfKtGX706+eOEpFFMXr+5fPH6/OTlBI2wz/QAEIFi5pMtgmEi
b8BbgKDKzi7YcL85faMAyHhn9fi3ibP6CtSSjIFF3zagPPQn+1SAMIBkcBBg
PtjY1va6RjVxyq0BeigwZoP8VJem2wCAqtvV7j5tRVksW9DzG9QfoHfjjovi
DHhe9gGFHxcA4XJXzWaqm13U1GnizUA5hib8OT3k2cEecBJYG3lZdvBdOwAN
ihSWfeuZqDe88B5y/PhVfJr8MzywBX9BuhceZntYgXv2Oo8T/gREzVUyXVRg
dNaHTBPIO203W92gtoJnURfgJO+njxYPFAZPdg0ekE0i9U6H11KgJVzrGoUH
6oXGu2OT32qAyeUAUFSN5EZKcICBYEon49jjSZ0m0Q2XBJwBt0ruH39Elw6q
ndCG3EQGARd5DKSK8QMGaGQuxC8KP2AZyGUXXAwwUiKFhEkcvgbtBt1egCpQ
iPxxW1uA0GoDio9jL7t2c4/8kDPpbIfWzkaFFNPMflR405kauUfuCfDNYYUh
xid6mbtdRb6oA3iBDlWvICkgc1sAcDGGwyuF3R1M3OgVv02kPyQ4xMt5fdOY
7hERmrzBcZmIXZuxwPbYSCEWCQGlsZj1ip/ydLfk6Y0zEQeIcJEaP7UDQU7Z
HlPa6NFy3baOeB7UAeHS2nbVDJVyl+h/qwBdAA5VkLugBS3ByxNeACdPMANI
i+zSgDc7fLANS+I4CYHI+x0SBD6BZFb7ZouK0yJsbVpWBtuAHDccWgjr+NFo
6Gy4sYg45HbsTegd8hZgRo5VVG8wiyVASu4aWciDTBHfkJPY8UTdAEq/wT8B
IkYjmRiOFtaZuYyHCdKEOC2eg5iHHh4NM8p/UrXr+T2vs7ZH+RB1TEem3RBJ
2GbptyX+/QHC9o0YGM1IMgx90w51dcBfALRwkmQwgV7K/AIRmaciHuuTQnr5
0Kz8ioenI6B4WEQO0TpEG6/4U4a93Qo8+U9BQXoxOJh9JCnhArwwAUnuGBUx
hTdgDHYJIB/V+LRF6NSDG6ot1p/UOecvTj08PTt3j9jpgGMlwdIkc/Wil2Qh
Co1ZMDSI9SeZcqC+ZlPGJZFWlFUz01grmBCbw3cL+s47AIQsSBCveq2vOTf5
0bqewWpNTHFru42C2GcXaXbGHRYuD+iNO8gSGZyOwR4fEIwCb6X5qdRm4T/M
CPHfEJhB/9itVATHgQW0Fi9fxrBJMuIRMbosQeM0WnCRiSdPHCUgolmsOAr2
ufj+9BuJnCXh0Ye3t+66XNzdPZqmgyLpIam5eHZ6YKh0lQjrIkzCXyXEPXxz
ffZIQTpnOAJSuIhmhS4hVE2BlO11BZTAZN+PydA8iIB2ZLy6gUxndtWga2Ek
8u7ti5gXSIDSW/MjjgzmtbTdZoZfzvDLe+YhU8QSHgF6w96c36W8hZdFeWSL
MYXUKxkf353hzzh+cd72Jg9yHvZTfrHtU4E58jIGjKKkLLxvt7MalKKWWUFY
5vLlmXsU0c6EnRqlIWlsJzW8EO/yjWXvzyVqFvvtA5I6ZyfgJjca5OraoZNk
OU37RvJiuMhMWQ2dkA5KTQIGJaAKKPofyMY5b9BFoncyCyugRGn8eYYjokY1
/fgp1e+2ENBre2VE1Gl6WzUOOIXrma37fuswzSUvLy8HBIvKhzpyacDWKa4s
BS8yUDwEYiUNlRTPZ5vFyfgrcqnkMyhsU6hG/SNJMSFs7Yo5pmsjIDSYpTdJ
/Bo/s0EHq0O64I/BOWbq7W0YiRL7F0lhJYU2yfp4MUzwVNjuuQSepgAJ9Noy
4EOvO3R2gsptAVKAPpPnRQ8xmES4+DAAJ1B5iLgFIiJk8hSSPwtLt8x2JAJZ
33vWp9UMYUzM6Hzcw8yQEyImkcljdyAjUgYJ2erQNb70xaAI1oqZp+jLte4s
KhYXh7KFo26hw5gs2zbHCkXxj3/8A4vBo1/mSn315OhIqRfnMvxjNVcPqWx8
zz/MzN+Rfh5/+ilhHxkQYtqnoMIzJvsRzVm8EHQpNMIn9sMzlCsslNn3+dFn
n2ExKEXQdrMxlQUWAxqhShTqQMgXSMGlUsiSEdV4OCLpkSRT+7lIXkwTBUgZ
+nDErkfAyNdNaaIgiYw0U0yVdA0TAwqGpLBiiCOVHyl8WOcGjPQM2nDeT1kG
zD8sORiqh8JzuGRfMBIcNMLdWfWIR5B5AEUAnITYC+4M3ZKpxFZHI0TKAQUt
fZKD+XvyGLIywp34SrZA0HYEheh1l7sk3wNOm5ssBTqkH8CQXEemecyRZQjY
TcI8uYueii4Sq3BKCp7JnFQHwYd6Ko2MK0MHAyzHpZPKF9NjiILxKEQBOlDf
Xbw+h3iEoR9w73tQRKxVlu2aOSm1wVGStAebuJYHL4ZSfCz1MTybQ1gj8K0+
n3+GQ6YBxoLbAUuapaTNJCbf3SV00VLAuGi57IM2xM9I0tL05RoRSiygCMcT
OIOecvLpPH7zKXBncriulBdjOUKzBvv8S0c2J7Tpa21rjSWm/fnxeaQhwOat
xhxxGVw5a+8nLvfpWOPDmisQ+i0iGXYBrOOBBO89EouffNAtTmJSltF975sj
3iUjzWNFFkOcxwITjvsoySr1FWO2xWhIGxitxTqJLq98Eu4DXcAYkCSZeike
xrpY3BaD8S4l4QdtKXimSdhHfYEX/Y4KQrSh8zk9o1wZkM3gHsgLqz+PGTOm
HbUlRB2ifuP+hNWuCXHoHib4CILIiC2QKmQjv54VfNKszfuXhIoo1WQ/r193
7bBiDdTOtaXd87gRYJM7xMWA0zDsDv3+IGiN+XGtB4eweqoWQ+9hid9baDcb
4BnTRPUTxhLpAoRWLF6LWxV/jTp5g2toQcrfmCXCP44UHvAOde+83scKQuad
k3JX7naNJX9NlqhHICALukkeJxaW6YPPKj/stck5Hkxo5rQgH1BxQT6MUL7N
6FWczwKZy1Vfr91RFVKo2m57u7E/8cqTsMTeBoMoO9qpyBwYdvJHiozoPX02
8mZwa45kVLRg4SZc0o27wXch1Wk71jFYhwP2827gRldGPMOEwUewAA+WtAJC
QdbLnkzUlmvPZSqXiHdEk6VMlUKywi1fH27nskUXeNSZGYUDtvM0neaxiBCJ
ajg1IqOtJvy/SPUMy3JZHsklJiwshHTY0ybkRmx7G2HrBKJFg5mv6SbHUqCL
PnU+mSaPpq7z+Jd48Oxl72SO1Z+z0tBf0qe8HGD4J0dPjmZHT2dPPrs8+vL4
6Aj+86cJPnrHcBlgxmmq7SCMPayBM6oTdJTIh9sH+6qfxde0NOGyrZA8no0M
iioYFOx17dpYA00RShvNXVznJ1mJm+jFshKb+zxL7XwxYuQoMiQZlPtjiiQN
Fc2prrk25ZUT3EDKjL0TjRs4se0L2tdAHOMOGDcFOn7aO/jsCWQOeuey1ha3
RNKFp3sWRJnnRNnKPgI+5AtJaUEVu5co30uKNwFr0PrIQOFJKYKnPDXNsKGi
aYS+gSW+ECdszyCx7KJCxGg8lk9XClI9hLxoF4JT2QL1pOv0DqlzPQZ0cHQB
dhFIoQ4/U1HYnkQfgqNkUeNQDRCDGEkzbvhQWUXKaJguF5LG+e4RrBWPpryM
mgU8cD3nYFShJh/8788uvcrRkAQDccZ9DOvjgczASlfExIodyUQ5oHpj8khx
X4wcAUyKp76SoUcgDzlKoE12z8IeSUnQucjgiiz6ExdLCvRC7NvhxrfxgkKE
GitEDD/LoY6bXOOskrpggCXlXlAccEa2Y0xrBvgZllIeYMo8LT76bN0laC8X
MoEw2sGAKYC4MULNzZTji3aJ2ghOoQJM0zazDKlw+S8dYQRX0Aximpg+KA40
wLED9hXqxnN1MpIDqsJC9gV0KV4LRFYk65GNX6LD1NRUtdWdhPT95zj51jwB
RmSq94VqoBsWPjWUxIxRIno8pARLXFLLT2p07PHyDbI+aWghjJrEt1BFliR3
b8fI704C+zD1nR6E8b8uFUsqe50Bl2WuMaFBn/wrsrEp9pPWobSn8s4OASvY
3JGjlV+IVH41SvkwQsnN596nPgLDcIKY1OYwv832zWLC0VNhT9pF9spZU9kI
x1pfKDx471llMSGEmtFMrA0QEkOPXbobxOGTFCxL8kcljJDqJh4MXgliSKbc
L3Zkrp+YfcjvkxJy5NkM1P2AlWCekPU9rnAvEJA38M637ezKUpEqQzOjQgZl
4zGS/xN0N60r//f19iP07cTH9OBMmMu5q5dUhFjpUx2pNm5hIvhzGhPu90Td
kJXy9kGyyZDLJIxFwuEwHJnKybQUg7xLpY00qh14h+a9oF601+afKQCYcgYT
gIdfz3YApcysbls0pBlMfY9oPl4yeeD20eTe0I07T4vQnKhCR+wvqMm8GGtt
UPVs9368M8Lb8gvd5d/ms3xsVEkL3rFaSHFl3D1wHxKcq9DUnGRDUVvuJTDv
JjnQs7CXL//vRqCxAKb73P+fC0y/JLmmBuR02zzm17GAhD4nYXrqZkLCfG+k
ol2mYfE3QOpJRzyuEpISU4cKJqL4UJ7GSDTa0Z8rOkMQ+7d107txYk0kUPca
u7/iUNrnbD9IIJIwS8TSC6NJ92vn+S6a/CzbHYVUlyAirajqm8WnlBTf1/fe
7dPmF+6BIkX7m6BqtNUEsB+ypNLYaymUx0JFZnWS5RJLsVEosBR7+P05DE4t
YusTymFsSxNVUGMKbYt5TRjzVyKPG0N9z+V9F0ZY3u/YcU2zCgLII5xXrXuE
enAzMOMFeuiD6oXpEkynRaGNx/u+v+PjivtU2Q7R3PtSkdsA3qrm3b8b6xIr
+7/c5n6gnvlG2dheBGx9SX3Vsfx2+4A2PuKhyDvZAh2fsUm7lWN7ipTPmzjb
m3SX8SzZZcStzcLvA4F4fvk+4PTefmB5pEBljIXjjPBPXHKSxyk+gWl78nEM
ggAccc09xad79XwuP5InpVRTtkVoKgyqowMWsWbkGSvpbaPenuzl3r7Pna3B
szxsf6bsxam4Lc8lmX2RlEF9kmLTB7I66V7dzNt4KI2lwZXOGTSp1UmVHUbn
adJGn5Z8Em0XgbpxyoK/511NxPkiS+dHXpyKmFFenFN/aFsNeMwKXplt3e42
sVUYg9G4NjBq6KbTWtJeqXzDEjoro52td4XsepDGs1uW/X+/G4yBduRugAVJ
KUrnSZb3RUHTint3joDAwxtH1NKfGjiy8FRv9cLW3MVNmp0fBECz5+MWd3uH
O9jIdHWN7phqNvmZhrShq8W+C8hU41EE6bvlpkxLzqLvIHwC3/zRvaRjF7QA
JNKSEk15Ey4kyJRuku6n4ZQiKYgcXGDA2rrb6klBYpnY7fXnEPu4v/VTfBi+
+ZK/wS1JrO1JDpucEfTd7aEzC21g9Ljffi7ipnzShny4ky+hnF3NOM6Ru/CD
FH4K0irqeNuriVIfo6ZKG9kZcsw0FRVeaedTO2dLPqXxfJputxfvhXh99GrB
yjEd4I6Z0I8Z+43kGRvjAdfeOAjpscYRkBO3Ia3169ERnKxTr7hX0H6DbqMJ
vHLTjeycyhbJDfYXrU29TVejr1uQIgSPq7R3idS44GrDquXeETrm4kvEhw70
5J0DBHVGampj59yU5ISaZbcT4XYAvezcE00cwTw6No4TB3pbdHzwwED7GrIb
4MWebiL77WGWQ/E2K78HRWd6Mv/vtdDZja11V4dTEGM7zHrYisieuQLYPEol
D7LRm92oEcC7ngp1Bj0+NZyPetbIRoqYFrxXuwVOHiIC4MHYKD2yDXlBkZTF
D3iNhODkVz/KIe9JKkPHJnF5odqDPiDpSDnIM194Z8/hW/LyMltuerHBh+rZ
6rUHqlNV7Md07HYi+tNmhEOU4Pkc1Jne5zCjHsbLy5ee741ZkURU0eI5Rfan
oZWP9kVb3DcajD8K/b71/Kqe1nwFH+huHVvz/c4oVsD+Cj/Psx8TjE+DPVYj
0P4ewO/D2O9+nO/mP81v7n3wY9OC0TlE3E6Twm7eXJ0u3+94UJMj3QDgscFm
qHuLrI/sLVINCU1ILHI5ggnRs+RzXchX38V10lDvFdaKQoOK70sJHeABP4Ch
FcEOxW+lC/Oj+mJ6qVHfw7EiDBC0J0ej4oJTH9xKuYGzCoC+RUyR49GEg05F
7BtRmRjsWUCiWOtxABQFAsuVC36NEZjGcYIXsZ3vbSIOhAb5MHaxaStT+xP2
Wo4txhMPchMBGZv0q2oMceVa400bBm82saWTY9ewUBIqF6XfML7t0u05Xd/o
XbB6F04udTlcCQqQbIsrR8MXvuYt8Fnyei7aDHjgaYTW+bXMi2K0L9L2Pmks
3rSYfWD7E7gPkqAdnz5Y7PjQXVqeLA6QGzRuTO6hdgzRL7pEwjbYI+5MWoPp
zOCkDw/P7isMa01JzYDJUwA8B0RaJ3t4O545dHGLPSdLksMWe1T8b5QqNkVL
faxDQ50dLd5jEYrW5IldTEsJ90pgyBqdMN+l+0IgnTRdF3kkD0fpsyq9ih4i
VyZQ/4t2w5zm2jAaeehP/MXq5F3Qnjo5Mn5KsVxpIM21rZhPtBo+rSeZIW54
cJtkIVkLPb3F+zMgkqy4KsVHVZmSZY0BB7tcEJHvKYhs5ZEjyyiABaCG+I19
Q+fJgi89WPRKGzoj3Li2Op47kwNI/wYqPcUBg8UcHFClrdN0DQloIrM0PTE9
Hn1ayCFIsWU+1+uTZd+tydhmTyIc6nUjjaCF20KKGno0/ClgcTOhlB2EFerJ
nI+rVEo0VCogf8I6nA3YVxDKSYKr8bADbBJLMexPYUB/SO59zCwSZtLbnjSu
SWU6zIgv2pn4jAyXWWBAETOswNagI4li0Cr4hCjfWyOEJueeyxoWQXfcSP0b
1R4yoYrTiRLDkuv5XDoERGyk8ezLjlvLAe943CIUy+Q8AqVY57rrIJGMcQ9M
/R0x8R7NHl8L42MVLJiiAc0ycLVRAG+RnWs57NkjmffePiD1JznUVkPC0zOW
0Bu8i2t8AAKTR3GOjQI10eUVFu0WVPRALR7pXpAh6n1K8TFPEkZAJEJlzaQU
5gvcJNmFlydMU9AKGHzQQnl5eQn0EGfSm4ksN+AE28rO08SemWRHJZxjDy09
uqCak9tgAJV+74hSKOYuwGsgcWixvs6WsI7UbxkSvwBspHPOtxDzIRPvcpgx
3D8gqYd2WE5La35oMODQ2qHDjnO8qobzf34mnnMbHU+kRea6pGWBzbBZmC6s
cV6k7YJUFo73H9AwXE857MJjyz1qZRHFCDL6xuxaySwXoO1Ly05PrGKKkJXp
h+QcO6BHhEXyiwOSFDtjLU8Bga9/j9GK9CQVe0aagMh9Q3WCgPlWpz3gmzag
sFzSe6rIXLLLqUTbU1t06TUaHnfhi/fc8QESBEcI6c0KrzgaeTd8zwuJ/HM4
mEYFoXAzSpHeaKbMfDWfYvUAFvtKY3m+HRyHZ6cpd6b+AYBMV6Gmk9xZRRjr
0ClARGvFmWmsrmftcuYPGz88ay8e4f0KCDhjtyrbvO/85fEFdcS9DGlkgEWV
ZA3kAHjvYtsC5aKtsCi66sEfu0nu7CEQYCUTbEsQLMv4jTjrsYg9edQ7tEDA
01H3I3hgfyZOGkV5AbmdUPkVhCJFiMLfDYR9iJvA6rxuhBrKz2XVMkoESX3x
TsErdFx8DVqsDMrVO3ljFOslqXqLt1VhOX3HjYsAl9ulnH8oJEnOr92KNO6d
EWb3mR1RSRvAk1PNLpbQ0haxrMOTf/i4zcxpEU5HJ4fu6T6/vTP695y/B9E/
u06S1zzRz30osh7Sy6tQe6Wbwlar0U0HBe/oiUyw+WfY4uFB4ge+LlgVYrRd
eee8HLpebhjBiy0DlpTtpyJaQPS90ifKZ/FJXegeQp/lCAFsFnO6Gcmb9M4n
CLDugFfxHcL/dJLPmdUmNLj6wu1OPWRfQT03obpeHDT/aagrHvINgj3STcxk
1+QRb5Da5io1gRBVY/kDKF0DsEBLWPBOEWj/t9rWA99WxpgmWyMlywF5OJOt
10EIu6KoQjiquZJBfRaMkJQRGd5M1Y+a/+xS6ZTLJRWh6l0xJiMAK5UAK1jD
j1zYMCuu38jTcjFUj2Gyj5gEfGGxMJEYJf1Gu/Q2glF/OuDBcM0Suj5ku+fw
CoJ0yIgokaEJyTu+ODk/GblGdfuAjjnyzRKgIeE8I27t/sHsXc0GqQOCMtyS
kpx/khz8fZHERBnATYDKFVhA9zGb7EDvz7wxjDP9jNpXdpYDsv/nZ3WJ7Szy
+ZnUXfnP4ufjWfJP/teHfxi9DbQkW9Ay4d4J0PSqA/j9go55wIfYDNY4qRUd
rIre/h4+3k2AeBTGpTS48zHOf0kjk0ba+yYz8mfahkqiQHZ65tDJmTm+e+KP
5rDMHHz151E34l9ELHtSR3/nQdGbcD3GYTmF6zOCtMZ3tzzEKP4oDhTFNad9
BowXAkN9PzTM89mTr758Cj4FvF5ybErm+JaO8pxieYs/Uim4Uh2iT65vJHs+
eJbAT563qZv8EPiH71Qp/OV7YV/64LWs/sC0loNRlClV3PT+7vLb2dNYFnZy
rBnvMOS9hqK4uC6JW6Dc+DWxAhCw0ajC+E1GtdyMcrBsUrz1hSd8LRNgcgEo
2NU7F+7Co229yWjzfyR8PMkdd+D41tiYRoxeVhfvzs7TnWNO3BLo0EqJlFL/
wvt9Bg/INcLbG8CZmFilnf1719tIb9wPazr6l9FMB5DG66KpaXsm2x0XJeEO
q+d456fE26SGbiUywdym4cPefo9/OfQDbauiquBtLryJvh06viHvhkqU2c7s
jXVrI3no/rlLhm4MtUNhWtJ0DIMnJfYB1aZahZtbdXNFwz3r7JU630Hkhgz+
ZQv/91MLpkOFwal6Za+0qdXJotNrvXGY5kN+DNwo1ze663+aqhNAhs81XjcO
rxtAEs9NBVrdbiAzsxv1qjxtgSsX/QCPq1NYwxrEhgOvBhj4e7PS0+K7Fnws
JFwreAfk+dJsfBPVs7q2kFZ9g/2i6WbM0piKkiS+i3cLq29HF7/Kddv4FLLg
7YfuJrp9EC8dEn3eGExYrduwciQ3soxucXIfuLWJm3A3G0j15UQblVuoOiBN
WHkFKL1DND1lR2fXfEmQa6b4Fd0lDHbRZKlXei+MXO6UXMqGPbOYIInudS3o
nharxUvfElWTTgTQ24Zb1hivXu5d8MaVoFBEswBLAwtxE6TEewZzW8ruchNf
KBnv6HLb9G63K2O2LuYqK0SbWEAhJF4vZ7L3TPe5YO2PkmsEuf4ubb7oGp/3
95Rysx+32NIFv5gVc2Imp5O4vDsu6aCeqXd7FFJFCo98NJ/04QLSRdv2eLU+
X1kU0gDTyW1o+G9DCDWXbUjmH/pGtdvb36OWOTzbo3+ypF4L6+jQxjZsIsxw
59pxljjLlZzKcj/2Rq7gDbzh1VvvpWPUxt5Mf7OkZBhmQ7dXA3lYqA4Cptjn
xxZniCLH7VnpTYLlda2mw9V+RSj1utWEBC7/89ITyl0ytO9H3aHprTe4t8GB
drvq+E3JI7OQgRLy12yk19ZKQnh7Kw14d3yv6/hquAM3mLqCtzLl+iX6V4/o
rlLxkiZr0msHif2nB0pcIRemqpvx7ZSjunuIhmBV1S5c+eGvwxkFJC6cFOIU
7r8//b7r09UP0vAu9hdvDeayBEc2PuIEBManCipMOdlSrfDfuwL6YztfCggl
yfy2OiqeUmmKSqwZr7Jrf2idxAlO9PB0MdWmkFgQsImZIIlHbjdH+zKLeIcF
goFq0PXMYe27kBbfY3UCIQz+YT+RSXKeuaXDN1EKuuL6D+FIKj1keboMNy38
kQIpIPO/y0HtTB/u/CLdnCqszeHFIU5Aba/T8rdfbbisBZjhIQ1fWf7FF0df
3d1RZWwDobDiPmQUqLlRb99i1sJ+Hv/OnPqU2R0kRYZDJk0XrXhfzgKygDDx
mJDz2yx+92pe/BdX3I7ESWgAAA==

-->

</rfc>
