<?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.7) -->


<!DOCTYPE rfc  [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">

]>

<?rfc comments="yes"?>

<rfc ipr="trust200902" docName="draft-brown-epp-delegation-automation-extension-00" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true">
  <front>
    <title abbrev="EPP Delegation Maintenance Automation Extension">Delegation Maintenance Automation Status Extension for the Extensible
Provisioning Protocol (EPP)</title>

    <author initials="G." surname="Brown" fullname="Gavin Brown">
      <organization>ICANN</organization>
      <address>
        <email>gavin.brown@icann.org</email>
      </address>
    </author>

    <date year="2026" month="July" day="03"/>

    <area>Operations</area>
    <workgroup>REGEXT Working Group</workgroup>
    <keyword>Internet-Draft</keyword>

    <abstract>


<?line 59?>

<t>This document specifies an extension to the Domain Mapping for the Extensible
Provisioning Protocol (EPP) which allows EPP clients to enable and disable
automatic delegation maintenance carried out by the server. It also describes
how the maintenance automation state of a domain can be included in RDAP
responses.</t>

<t>The source for this draft, and an issue tracker, may can be found at <eref target="https://github.com/gbxyz/epp-ds-automation-extension" />.</t>



    </abstract>



  </front>

  <middle>


<?line 70?>

<section anchor="intro"><name>Introduction</name>

<t><xref target="RFC7477"/> automates the maintenance of delegation information records,
typically <spanx style="verb">NS</spanx> records and any associated glue records (see Section 7 of
<xref target="RFC9499"/>) through the publication of <spanx style="verb">CSYNC</spanx> records in the child zone which
indicate the delegation's desired delegation information ("NS automation").</t>

<t>Similarly, <xref target="RFC7344"/>, <xref target="RFC8078"/>, and <xref target="RFC9615"/> automate DNSSEC
(<xref target="RFC9364"/>) trust maintenance by having the child publish Child DS
(<spanx style="verb">CDS</spanx>) and/or Child DNSKEY (<spanx style="verb">CDNSKEY</spanx>) records which indicate the delegation's
desired DNSSEC parameters ("DS automation"). <xref target="I-D.ietf-dnsop-ds-automation"/>
provides operational recommendations for parent operators wishing to deploy DS
automation.</t>

<t>Section 6.1 of <xref target="I-D.ietf-dnsop-ds-automation"/> states that
parent zone operators running under the registrant-registrar-registry (RRR) model
and using the Extensible Provisioning Protocol (EPP, <xref target="STD69"/>)
<strong>MUST NOT</strong> suspend DS automation solely on the basis of the
presence of the <spanx style="verb">serverUpdateProhibited</spanx> status code (defined in
Section 2.3 of <xref target="RFC5731"/>). This status code causes any request
to modify the domain name (including DNSSEC information as per
<xref target="RFC5910"/>) to be rejected by the EPP server.</t>

<t>The most common use of the <spanx style="verb">serverUpdateProhibited</spanx> status is as part of a
"registry lock" (see <xref target="CENTR-REGISTRY-LOCK"/>), a security measure designed to
mitigate the risk of (a) a compromised customer account at the sponsoring
registrar (see Section 9 of <xref target="RFC9499"/>), or (b) a compromised or malicious
registrar.</t>

<t>For domains which have a registry lock, it is not always the case
that the registrant of the domain will want either DS automation or NS
automation to take place.</t>

<t>This document specifies an extension to the Domain Mapping for
EPP <xref target="RFC5731"/> which allows the sponsoring client of a domain
object to specify whether or not DS automation and/or NS
automation ("delegation automation") should be carried out by the server.</t>

<t>It also describes how the delegation automation state of domain objects should
be represented in Registration Data Access Protocol (RDAP, <xref target="STD95"/>) responses.</t>

<section anchor="conventions-used-in-this-document"><name>Conventions Used in This Document</name>

<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
"SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref target="BCP14"/> <xref target="RFC2119"/>
<xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here.</t>

<t>The term "delegation automation" refers to either or both of "DS automation" and
"NS automation", as described above. An EPP server may choose to implement
either or both of these protocols, in accordance with its own policy.</t>

<t>In this document's examples, "<spanx style="verb">C:</spanx>" represents lines sent by a protocol client
and "<spanx style="verb">S:</spanx>" represents lines returned by a protocol server. Indentation and
white space in these examples are provided only to illustrate element
relationships and are not required features of this protocol.</t>

<t>A protocol client that is authorized to manage an existing object is described
as a "sponsoring" client throughout this document.</t>

<t>XML is case sensitive. Unless stated otherwise, the XML specifications and
examples provided in this document MUST be interpreted in the character case
presented in order to develop a conforming implementation.</t>

<t>EPP uses XML namespaces to provide an extensible object management framework
and to identify schemas required for XML instance parsing and validation. These
namespaces and schema definitions are used to identify both the base protocol
schema and the schemas for managed objects.</t>

<t>The XML namespace prefixes used in these examples (such as the string
<spanx style="verb">automation</spanx> in <spanx style="verb">automation:ds-automation</spanx>) are solely for illustrative
purposes. A conforming implementation <strong>MUST NOT</strong> require the use of these or
any other specific namespace prefixes.</t>

<t>In accordance with Section 3.2.2.1 of XML Schema Part 2: Datatypes
<xref target="XSD-DATATYPES"/>, the allowable lexical representations for the <spanx style="verb">xs:boolean</spanx>
datatype are the strings "<spanx style="verb">0</spanx>" and "<spanx style="verb">false</spanx>" for the concept 'false' and the
strings "<spanx style="verb">1</spanx>" and "<spanx style="verb">true</spanx>" for the concept 'true'. Implementations <strong>MUST</strong>
support both styles of lexical representation.</t>

</section>
</section>
<section anchor="epp-extension-elements"><name>EPP Extension Elements</name>

<t>This specification adds two new elements, <spanx style="verb">&lt;automation:nsAutomation&gt;</spanx> and
<spanx style="verb">&lt;automation:dsAutomation&gt;</spanx>, to the domain name mapping (<xref target="RFC5731"/>). These
elements both have a single boolean "<spanx style="verb">enabled</spanx>" attribute.</t>

<t><list style="numbers" type="1">
  <t>If the value of the "<spanx style="verb">enabled</spanx>" attribute of the <spanx style="verb">&lt;automation:dsAutomation&gt;</spanx> element is
"<spanx style="verb">true</spanx>" or "<spanx style="verb">1</spanx>", then the  server <strong>MAY</strong> perform DS automation for the
domain.</t>
  <t>If the value of the "<spanx style="verb">enabled</spanx>" attribute of the <spanx style="verb">&lt;automation:dsAutomation&gt;</spanx> element is
"<spanx style="verb">false</spanx>" or "<spanx style="verb">0</spanx>", then the server <strong>MUST NOT</strong> perform DS automation for the
domain.</t>
</list></t>

<t>Similarly:</t>

<t><list style="numbers" type="1">
  <t>If the value of the "<spanx style="verb">enabled</spanx>" attribute of the <spanx style="verb">&lt;automation:ns-automation&gt;</spanx> element is
"<spanx style="verb">true</spanx>" or "<spanx style="verb">1</spanx>", then the  server <strong>MAY</strong> perform NS automation for the
domain.</t>
  <t>If the value of the "<spanx style="verb">enabled</spanx>" attribute of the <spanx style="verb">&lt;automation:ns-automation&gt;</spanx> element is
"<spanx style="verb">false</spanx>" or "<spanx style="verb">0</spanx>", then the server <strong>MUST NOT</strong> perform NS automation for the
domain.</t>
</list></t>

<t>The <spanx style="verb">&lt;automation:nsAutomation&gt;</spanx> is only used when the EPP server supports NS automation,
and the <spanx style="verb">&lt;automation:dsAutomation&gt;</spanx> element iso nly used when the EPP server supports NS
automation.</t>

</section>
<section anchor="epp-command-mapping"><name>EPP Command Mapping</name>

<section anchor="epp-query-commands"><name>EPP Query Commands</name>

<section anchor="epp-info-command"><name>EPP <spanx style="verb">&lt;info&gt;</spanx> Command</name>

<t>This extension does not add any elements to the EPP <spanx style="verb">&lt;info&gt;</spanx> command described
in the EPP domain mapping (<xref target="RFC5731"/>). However, additional elements are
defined for the <spanx style="verb">&lt;info&gt;</spanx> response.</t>

<t>When an <spanx style="verb">&lt;info&gt;</spanx> command has been processed successfully, the EPP <spanx style="verb">&lt;resData&gt;</spanx>
element <strong>MUST</strong> contain child elements as described in the EPP domain mapping
(<xref target="RFC5731"/>). In addition, the EPP <spanx style="verb">&lt;extension&gt;</spanx> element <strong>MUST</strong> contain a
child <spanx style="verb">&lt;automation:infData&gt;</spanx> element that identifies the extension namespace.</t>

<t>The <spanx style="verb">&lt;automation:infData&gt;</spanx> element <strong>MUST</strong> contain at least one of the following child elements:</t>

<t><list style="numbers" type="1">
  <t>a <spanx style="verb">&lt;automation:nsAutomation&gt;</spanx> element, if the server supports NS automation.</t>
  <t>a <spanx style="verb">&lt;automation:dsAutomation&gt;</spanx> element, if the server supports DS automation.</t>
</list></t>

<t>Example domain <spanx style="verb">&lt;info&gt;</spanx> response:</t>

<figure><artwork><![CDATA[
S: <?xml version="1.0"?>
S: <epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
S:   <response>
S:     <result code="1000">
S:       <msg>OK</msg>
S:     </result>
S:     <resData>
S:       <domain:infData
S:         xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
S:         <domain:name>example.com</domain:name>
S:         <domain:roid>EXAMPLE1-REP</domain:roid>
S:         <domain:status s="ok"/>
S:         <domain:ns>
S:           <domain:hostObj>ns1.example.net</domain:hostObj>
S:           <domain:hostObj>ns2.example.org</domain:hostObj>
S:         </domain:ns>
S:         <domain:clID>ClientX</domain:clID>
S:       </domain:infData>
S:     </resData>
S:     <extension>
S:       <automation:create
S:         xmlns:automation="urn:ietf:params:xml:ns:epp:delegation-maintenance-automation-1.0">
S:         <automation:nsAutomation enabled="false"/>
S:         <automation:dsAutomation enabled="true"/>
S:       </automation:create>
S:     </extension>
S:     <trID>
S:       <svTRID>54322-XYZ</svTRID>
S:     </trID>
S:   </response>
S: </epp>
]]></artwork></figure>

</section>
</section>
<section anchor="epp-transform-commands"><name>EPP Transform Commands</name>

<section anchor="epp-create-command"><name>EPP <spanx style="verb">&lt;create&gt;</spanx> Command</name>

<t>This extension defines additional elements for the EPP <spanx style="verb">&lt;create&gt;</spanx> command
described in the EPP domain mapping <xref target="RFC5731"/>.  No additional elements are
defined for the EPP <spanx style="verb">&lt;create&gt;</spanx> response.</t>

<t>The EPP <spanx style="verb">&lt;create&gt;</spanx> command provides a transform operation that allows a client
to create a domain object. In addition to the EPP command elements described in
the EPP domain mapping (<xref target="RFC5731"/>), the command <strong>MUST</strong> contain an
<spanx style="verb">&lt;extension&gt;</spanx> element, and the <spanx style="verb">&lt;extension&gt;</spanx> element <strong>MUST</strong> contain a child
<spanx style="verb">&lt;automation:create&gt;</spanx> element that identifies the extension namespace if the
client wants to associate data defined in this extension to the domain
object.</t>

<t>The <spanx style="verb">&lt;automation:create&gt;</spanx> element <strong>MUST</strong> contain at least one of the following
child elements:</t>

<t><list style="numbers" type="1">
  <t>a <spanx style="verb">&lt;automation:nsAutomation&gt;</spanx> element, if the server supports NS automation.
If the server does not support NS automation, then a <spanx style="verb">&lt;create&gt;</spanx> command
containing this element <strong>MUST</strong> be rejected with a
2102 ("Unimplemented option") response. If omitted, the default NS automation
policy (if applicable) <strong>MUST</strong> be configured for the domain.</t>
  <t>a <spanx style="verb">&lt;automation:dsAutomation&gt;</spanx> element, if the server supports DS automation.
If the server does not support DS automation, then a <spanx style="verb">&lt;create&gt;</spanx> command
containing this element <strong>MUST</strong> be rejected with a
2102 ("Unimplemented option") response. If omitted, the default DS automation
policy (if applicable) <strong>MUST</strong> be configured for the domain.</t>
</list></t>

<t>Example domain <spanx style="verb">&lt;create&gt;</spanx> command:</t>

<figure><artwork><![CDATA[
C: <?xml version="1.0" encoding="UTF-8" standalone="no"?>
C: <epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
C:   <command>
C:     <create>
C:       <domain:create
C:         xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
C:         <domain:name>example.com</domain:name>
C:         <domain:period unit="y">1</domain:period>
C:         <domain:ns>
C:           <domain:hostObj>ns1.example.net</domain:hostObj>
C:           <domain:hostObj>ns2.example.org</domain:hostObj>
C:         </domain:ns>
C:         <domain:authInfo>
C:           <domain:pw/>
C:         </domain:authInfo>
C:       </domain:create>
C:     </create>
C:     <extension>
C:       <automation:create
C:         xmlns:automation="urn:ietf:params:xml:ns:epp:delegation-maintenance-automation-1.0">
C:         <automation:nsAutomation enabled="false"/>
C:         <automation:dsAutomation enabled="true"/>
C:       </automation:create>
C:     </extension>
C:   </command>
C: </epp>
]]></artwork></figure>

</section>
<section anchor="epp-update-command"><name>EPP <spanx style="verb">&lt;update&gt;</spanx> Command</name>

<t>This extension defines additional elements for the EPP <spanx style="verb">&lt;update&gt;</spanx> command
described in the EPP domain mapping <xref target="RFC5731"/>.  No additional elements are
defined for the EPP <spanx style="verb">&lt;update&gt;</spanx> response.</t>

<t>The EPP <spanx style="verb">&lt;update&gt;</spanx> command provides a transform operation that allows a client
to modify the attributes of a domain object. In addition to the EPP command
elements described in the EPP domain mapping, the command <strong>MUST</strong> contain an
<spanx style="verb">&lt;extension&gt;</spanx> element, and the <spanx style="verb">&lt;extension&gt;</spanx> element <strong>MUST</strong> contain a child
<spanx style="verb">&lt;automation:update&gt;</spanx> element that identifies the extension namespace if the
client wants to update the domain object with data defined in this extension.</t>

<t>The <spanx style="verb">&lt;automation:update&gt;</spanx> element <strong>MUST</strong> contain at least one of the following
child elements:</t>

<t><list style="numbers" type="1">
  <t>a <spanx style="verb">&lt;automation:nsAutomation&gt;</spanx> element, if the server supports NS automation.
If the server does not support NS automation, then an <spanx style="verb">&lt;update&gt;</spanx> command
containing this element <strong>MUST</strong> be rejected with a
2102 ("Unimplemented option") response.</t>
  <t>a <spanx style="verb">&lt;automation:dsAutomation&gt;</spanx> element, if the server supports DS automation.
If the server does not support DS automation, then an <spanx style="verb">&lt;update&gt;</spanx> command
containing this element <strong>MUST</strong> be rejected with a
2102 ("Unimplemented option") response.</t>
</list></t>

<t>Example domain <spanx style="verb">&lt;update&gt;</spanx> command:</t>

<figure><artwork><![CDATA[
C: <?xml version="1.0" encoding="UTF-8" standalone="no"?>
C: <epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
C:   <command>
C:     <update>
C:       <domain:update
C:         xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
C:         <domain:name>example.com</domain:name>
C:       </domain:update>
C:     </update>
C:     <extension>
C:       <automation:create
C:         xmlns:automation="urn:ietf:params:xml:ns:epp:delegation-maintenance-automation-1.0">
C:         <automation:nsAutomation enabled="true"/>
C:         <automation:dsAutomation enabled="false"/>
C:       </automation:create>
C:     </extension>
C:   </command>
C: </epp>
]]></artwork></figure>

</section>
</section>
</section>
<section anchor="rdap-status-mapping"><name>RDAP Status Mapping</name>

<t>Operators of EPP servers who also operate an RDAP server can include an entry
in the "<spanx style="verb">status</spanx>" member of domain responses to allow interested parties to
determine whether delegation automation is enabled or disabled for a given
domain name.</t>

<t><list style="numbers" type="1">
  <t>A domain for which NS automation is enabled <strong>MUST</strong> have the
"<spanx style="verb">NS automation enabled</spanx>" value in its "<spanx style="verb">status</spanx>" member.</t>
  <t>A domain for which NS automation is disabled <strong>MUST</strong> have the
"<spanx style="verb">NS automation disabled</spanx>" value in its "<spanx style="verb">status</spanx>" member.</t>
  <t>A domain for which DS automation is enabled <strong>MUST</strong> have the
"<spanx style="verb">DS automation enabled</spanx>" value in its "<spanx style="verb">status</spanx>" member.</t>
  <t>A domain for which DS automation is disabled <strong>MUST</strong> have the
"<spanx style="verb">DS automation disabled</spanx>" value in its "<spanx style="verb">status</spanx>" member.</t>
</list></t>

<t>These two status values will be registered in <xref target="RDAP-JSON-VALUES"/> (see
<xref target="iana-rdap"/>).</t>

<t>The <spanx style="verb">DS automation enabled</spanx> and <spanx style="verb">DS automation disabled</spanx> values <strong>MUST NOT</strong>
both be present at the same time. Similarly, <spanx style="verb">NS automation enabled</spanx> and
<spanx style="verb">NS automation disabled</spanx> <strong>MUST NOT</strong> both be present at the same time.</t>

</section>
<section anchor="schema"><name>Formal Syntax (XML)</name>

<t>An EPP object mapping is specified in XML Schema notation. The formal syntax
presented here is a complete schema representation of the object mapping
suitable for automated validation of EPP XML instances.  The BEGIN and END tags
are not part of the schema; they are used to note the beginning and ending of
the schema for URI registration purposes.</t>

<figure><artwork><![CDATA[
BEGIN
<?xml version="1.0" encoding="UTF-8"?>
<schema
  xmlns="http://www.w3.org/2001/XMLSchema"
  xmlns:automation="urn:ietf:params:xml:ns:epp:delegation-maintenance-automation-1.0"
  targetNamespace="urn:ietf:params:xml:ns:epp:delegation-maintenance-automation-1.0"
  elementFormDefault="qualified">

  <annotation>
    <documentation>
     DS Automation Status Extension for the
     Extensible Provisioning Protocol (EPP)
   </documentation>
  </annotation>

  <!--
  Child elements found in EPP commands.
  -->
  <element name="infData" type="automation:infDataType"/>
  <element name="create" type="automation:createType"/>
  <element name="update" type="automation:updateType"/>

  <complexType name="automationType">
    <attribute name="enabled"
      type="boolean"
      use="required"/>
  </complexType>

  <complexType name="infDataType">
    <sequence>
      <element name="nsAutomation"
        type="automation:automationType"
        minOccurs="0"/>
      <element name="dsAutomation"
        type="automation:automationType"
        minOccurs="0"/>
    </sequence>
  </complexType>

  <complexType name="createType">
    <sequence>
      <element name="nsAutomation"
        type="automation:automationType"
        minOccurs="0"/>
      <element name="dsAutomation"
        type="automation:automationType"
        minOccurs="0"/>
    </sequence>
  </complexType>

  <complexType name="updateType">
    <sequence>
      <element name="nsAutomation"
        type="automation:automationType"
        minOccurs="0"/>
      <element name="dsAutomation"
        type="automation:automationType"
        minOccurs="0"/>
    </sequence>
  </complexType>
</schema>
END
]]></artwork></figure>

</section>
<section anchor="iana-considerations"><name>IANA Considerations</name>

<section anchor="xml-namespace"><name>XML Namespace</name>

<t>This document uses URNs to describe XML namespaces and XML schemas conforming to
a registry mechanism described in <xref target="RFC3688"/>. The following URI assignments are
requested of IANA:</t>

<t>Registration for the TTL namespace:</t>

<t>URI: urn:ietf:params:xml:ns:epp:delegation-maintenance-automation-1.0</t>

<t>Registrant Contact: IESG</t>

<t>XML: None. Namespace URIs do not represent an XML specification.</t>

<t>Registration for the TTL XML schema:</t>

<t>URI: urn:ietf:params:xml:schema:epp:delegation-maintenance-automation-1.0</t>

<t>Registrant Contact: IESG</t>

<t>XML: See <xref target="schema"/> of this document.</t>

</section>
<section anchor="epp-extension-registry"><name>EPP Extension Registry</name>

<t>IANA is requested to register the EPP extension described in this document in
<xref target="EPP-EXTENSIONS"/>, described in <xref target="RFC7451"/>. The details of the registration
are as follows:</t>

<t>Name of Extension: DS Automation Status Extension for the Extensible
Provisioning Protocol (EPP)</t>

<t>Document Status: Standards Track</t>

<t>Reference: this document</t>

<t>Registrant: IESG</t>

<t>TLDs: Any</t>

<t>IPR Disclosure: None</t>

<t>Status: Active</t>

<t>Notes: None</t>

</section>
<section anchor="iana-rdap"><name>RDAP JSON Values</name>

<t>IANA is requested to list this document as a reference for <xref target="RDAP-JSON-VALUES"/>
and register the following values:</t>

<t>Value: NS automation enabled</t>

<t>Type: status</t>

<t>Description: The server MAY perform NS automation for this domain.</t>

<t>Registrant: IETF</t>

<t>Contact Information: iesg@ietf.org</t>

<t>Value: NS automation disabled</t>

<t>Type: status</t>

<t>Description: The server MUST NOT perform NS automation for this domain.</t>

<t>Registrant: IETF</t>

<t>Contact Information: iesg@ietf.org</t>

<t>Reference: this document</t>

<t>Value: DS automation enabled</t>

<t>Type: status</t>

<t>Description: The server MAY perform DS automation for this domain.</t>

<t>Registrant: IETF</t>

<t>Contact Information: iesg@ietf.org</t>

<t>Value: DS automation disabled</t>

<t>Type: status</t>

<t>Description: The server MUST NOT perform DS automation for this domain.</t>

<t>Registrant: IETF</t>

<t>Contact Information: iesg@ietf.org</t>

<t>Reference: this document</t>

</section>
</section>
<section anchor="security-considerations"><name>Security Considerations</name>

<t>The mapping extensions described in this document do not provide any security
services beyond those described by EPP (<xref target="RFC5730"/>), the EPP domain name
mapping (<xref target="RFC5731"/>), and protocol layers used by EPP. The security
considerations  described in these other specifications apply to this
specification as well.</t>

<t>As with other domain object transforms, the EPP transform operations described
in this document <strong>MUST</strong> be restricted to the sponsoring client as
authenticated using the mechanisms described in Sections 2.9.1.1 and 7 of
<xref target="RFC5730"/>. Any attempt to perform a transform operation on a domain object by
any client other than the sponsoring client <strong>MUST</strong> be rejected with an
appropriate EPP authorization error.</t>

<t>The provisioning service described in this document involves the exchange of
information that can have an operational impact on the DNS. A trust
relationship <strong>MUST</strong> exist between the EPP client and server using a strong
authentication mechanism.</t>

</section>
<section anchor="operational-considerations"><name>Operational Considerations</name>

<t>Server operators <strong>MUST</strong> obey the value for the "<spanx style="verb">enabled</spanx>" attribute of
<spanx style="verb">&lt;automation:nsAutomation&gt;</spanx> and <spanx style="verb">&lt;automation:dsAutomation&gt;</spanx> elements,
irrespective of the presence (or absence) of EPP status codes such as
<spanx style="verb">serverUpdateProhibited</spanx>.</t>

<t>When the "<spanx style="verb">enabled</spanx>" attribute is "<spanx style="verb">false</spanx>" or "<spanx style="verb">0</spanx>", the sponsoring client
<strong>MAY</strong> perform NS/DS automation itself, and submit any necessary changes to the
DNSSEC configuration of the domain using an <spanx style="verb">&lt;update&gt;</spanx> command (extended by
<xref target="RFC5910"/> as needed).</t>

<t>When the "<spanx style="verb">enabled</spanx>" attribute is "<spanx style="verb">true</spanx>" or "<spanx style="verb">1</spanx>", the sponsoring client
<strong>SHOULD NOT</strong> perform NS.DS automation, for the reasons outlined in Section
7.2.3 of <xref target="I-D.ietf-dnsop-ds-automation"/>.</t>

<t>EPP clients may use the presence or absence of these elements in <spanx style="verb">&lt;info&gt;</spanx>
responses to determine whether NS/DS automation are supported by the server, but
server operators <strong>SHOULD</strong> document their operational policy and provide this
to client operators during onboarding.</t>

<t>It is impractical for EPP clients with large portfolios of domain names that
wish to deploy (or decommission) delegation automation themselves to submit
<spanx style="verb">&lt;update&gt;</spanx> commands to enable or disable delegation automation for all domains
under their sponsorship. It is <strong>RECOMMENDED</strong> that server operators provide an
out-of-band method for clients to enable or disable delegation automation for
all domains under their sponsorship in a single operation.</t>

</section>
<section anchor="change-log"><name>Change Log</name>

<t>This section is to be removed before publishing as an RFC.</t>

<section anchor="v01"><name>v01</name>

<t><list style="symbols">
  <t>Made the extension elements optional according to server policy.</t>
  <t>Removed the default attribute value is it may be misleading (implying an expected default policy).</t>
  <t>Updated to cover NS automation as well as DS automation (thanks Peter Thomassen). This includes a namespace URI update.</t>
</list></t>

</section>
<section anchor="v00"><name>v00</name>

<t><list style="symbols">
  <t>Initial version based on conversations within ICANN GDS Technical Services,
and Peter Thomassen.</t>
</list></t>

</section>
</section>
<section anchor="acknowledgements"><name>Acknowledgements</name>

<t>The author wishes to thank the following for their constructive feedback and
advice during the development of this document:</t>

<t>Andy Newton, Gustavo Lozano, Francisco Arias, Peter Thomassen.</t>

</section>


  </middle>

  <back>


<references title='References' anchor="sec-combined-references">

    <references title='Normative References' anchor="sec-normative-references">




<reference anchor="I-D.ietf-dnsop-ds-automation">
   <front>
      <title>Operational Recommendations for DNSSEC Delegation Signer (DS) Automation</title>
      <author fullname="Steve Sheng" initials="S." surname="Sheng">
         </author>
      <author fullname="Peter Thomassen" initials="P." surname="Thomassen">
         <organization>deSEC</organization>
      </author>
      <date day="22" month="May" year="2026"/>
      <abstract>
	 <t>   Enabling support for automatic acceptance of DNSSEC Delegation Signer
   (DS) parameters from the Child DNS operator (via RFCs 7344, 8078,
   9615) requires the parental agent, often a registry or registrar, to
   make a number of technical decisions around acceptance checks, error
   and success reporting, and multi-party issues such as concurrent
   updates.  This document describes recommendations about how these
   points are best addressed in practice.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-ietf-dnsop-ds-automation-09"/>
   
</reference>
<reference anchor="RFC3688">
  <front>
    <title>The IETF XML Registry</title>
    <author fullname="M. Mealling" initials="M." surname="Mealling"/>
    <date month="January" year="2004"/>
    <abstract>
      <t>This document describes an IANA maintained registry for IETF standards which use Extensible Markup Language (XML) related items such as Namespaces, Document Type Declarations (DTDs), Schemas, and Resource Description Framework (RDF) Schemas.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="81"/>
  <seriesInfo name="RFC" value="3688"/>
  <seriesInfo name="DOI" value="10.17487/RFC3688"/>
</reference>
<reference anchor="RFC7451">
  <front>
    <title>Extension Registry for the Extensible Provisioning Protocol</title>
    <author fullname="S. Hollenbeck" initials="S." surname="Hollenbeck"/>
    <date month="February" year="2015"/>
    <abstract>
      <t>The Extensible Provisioning Protocol (EPP) includes features to add functionality by extending the protocol. It does not, however, describe how those extensions are managed. This document describes a procedure for the registration and management of extensions to EPP, and it specifies a format for an IANA registry to record those extensions.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="7451"/>
  <seriesInfo name="DOI" value="10.17487/RFC7451"/>
</reference>
<referencegroup anchor="STD69" target="https://www.rfc-editor.org/info/std69">
  <reference anchor="RFC5730" target="https://www.rfc-editor.org/info/rfc5730">
    <front>
      <title>Extensible Provisioning Protocol (EPP)</title>
      <author fullname="S. Hollenbeck" initials="S." surname="Hollenbeck"/>
      <date month="August" year="2009"/>
      <abstract>
        <t>This document describes an application-layer client-server protocol for the provisioning and management of objects stored in a shared central repository. Specified in XML, the protocol defines generic object management operations and an extensible framework that maps protocol operations to objects. This document includes a protocol specification, an object mapping template, and an XML media type registration. This document obsoletes RFC 4930. [STANDARDS-TRACK]</t>
      </abstract>
    </front>
    <seriesInfo name="STD" value="69"/>
    <seriesInfo name="RFC" value="5730"/>
    <seriesInfo name="DOI" value="10.17487/RFC5730"/>
  </reference>
  <reference anchor="RFC5731" target="https://www.rfc-editor.org/info/rfc5731">
    <front>
      <title>Extensible Provisioning Protocol (EPP) Domain Name Mapping</title>
      <author fullname="S. Hollenbeck" initials="S." surname="Hollenbeck"/>
      <date month="August" year="2009"/>
      <abstract>
        <t>This document describes an Extensible Provisioning Protocol (EPP) mapping for the provisioning and management of Internet domain names stored in a shared central repository. Specified in XML, the mapping defines EPP command syntax and semantics as applied to domain names. This document obsoletes RFC 4931. [STANDARDS-TRACK]</t>
      </abstract>
    </front>
    <seriesInfo name="STD" value="69"/>
    <seriesInfo name="RFC" value="5731"/>
    <seriesInfo name="DOI" value="10.17487/RFC5731"/>
  </reference>
  <reference anchor="RFC5732" target="https://www.rfc-editor.org/info/rfc5732">
    <front>
      <title>Extensible Provisioning Protocol (EPP) Host Mapping</title>
      <author fullname="S. Hollenbeck" initials="S." surname="Hollenbeck"/>
      <date month="August" year="2009"/>
      <abstract>
        <t>This document describes an Extensible Provisioning Protocol (EPP) mapping for the provisioning and management of Internet host names stored in a shared central repository. Specified in XML, the mapping defines EPP command syntax and semantics as applied to host names. This document obsoletes RFC 4932. [STANDARDS-TRACK]</t>
      </abstract>
    </front>
    <seriesInfo name="STD" value="69"/>
    <seriesInfo name="RFC" value="5732"/>
    <seriesInfo name="DOI" value="10.17487/RFC5732"/>
  </reference>
  <reference anchor="RFC5733" target="https://www.rfc-editor.org/info/rfc5733">
    <front>
      <title>Extensible Provisioning Protocol (EPP) Contact Mapping</title>
      <author fullname="S. Hollenbeck" initials="S." surname="Hollenbeck"/>
      <date month="August" year="2009"/>
      <abstract>
        <t>This document describes an Extensible Provisioning Protocol (EPP) mapping for the provisioning and management of individual or organizational social information identifiers (known as "contacts") stored in a shared central repository. Specified in Extensible Markup Language (XML), the mapping defines EPP command syntax and semantics as applied to contacts. This document obsoletes RFC 4933. [STANDARDS-TRACK]</t>
      </abstract>
    </front>
    <seriesInfo name="STD" value="69"/>
    <seriesInfo name="RFC" value="5733"/>
    <seriesInfo name="DOI" value="10.17487/RFC5733"/>
  </reference>
  <reference anchor="RFC5734" target="https://www.rfc-editor.org/info/rfc5734">
    <front>
      <title>Extensible Provisioning Protocol (EPP) Transport over TCP</title>
      <author fullname="S. Hollenbeck" initials="S." surname="Hollenbeck"/>
      <date month="August" year="2009"/>
      <abstract>
        <t>This document describes how an Extensible Provisioning Protocol (EPP) session is mapped onto a single Transmission Control Protocol (TCP) connection. This mapping requires use of the Transport Layer Security (TLS) protocol to protect information exchanged between an EPP client and an EPP server. This document obsoletes RFC 4934. [STANDARDS-TRACK]</t>
      </abstract>
    </front>
    <seriesInfo name="STD" value="69"/>
    <seriesInfo name="RFC" value="5734"/>
    <seriesInfo name="DOI" value="10.17487/RFC5734"/>
  </reference>
</referencegroup>
<referencegroup anchor="STD95" target="https://www.rfc-editor.org/info/std95">
  <reference anchor="RFC7480" target="https://www.rfc-editor.org/info/rfc7480">
    <front>
      <title>HTTP Usage in the Registration Data Access Protocol (RDAP)</title>
      <author fullname="A. Newton" initials="A." surname="Newton"/>
      <author fullname="B. Ellacott" initials="B." surname="Ellacott"/>
      <author fullname="N. Kong" initials="N." surname="Kong"/>
      <date month="March" year="2015"/>
      <abstract>
        <t>This document is one of a collection that together describes the Registration Data Access Protocol (RDAP). It describes how RDAP is transported using the Hypertext Transfer Protocol (HTTP). RDAP is a successor protocol to the very old WHOIS protocol. The purpose of this document is to clarify the use of standard HTTP mechanisms for this application.</t>
      </abstract>
    </front>
    <seriesInfo name="STD" value="95"/>
    <seriesInfo name="RFC" value="7480"/>
    <seriesInfo name="DOI" value="10.17487/RFC7480"/>
  </reference>
  <reference anchor="RFC7481" target="https://www.rfc-editor.org/info/rfc7481">
    <front>
      <title>Security Services for the Registration Data Access Protocol (RDAP)</title>
      <author fullname="S. Hollenbeck" initials="S." surname="Hollenbeck"/>
      <author fullname="N. Kong" initials="N." surname="Kong"/>
      <date month="March" year="2015"/>
      <abstract>
        <t>The Registration Data Access Protocol (RDAP) provides "RESTful" web services to retrieve registration metadata from Domain Name and Regional Internet Registries. This document describes information security services, including access control, authentication, authorization, availability, data confidentiality, and data integrity for RDAP.</t>
      </abstract>
    </front>
    <seriesInfo name="STD" value="95"/>
    <seriesInfo name="RFC" value="7481"/>
    <seriesInfo name="DOI" value="10.17487/RFC7481"/>
  </reference>
  <reference anchor="RFC9082" target="https://www.rfc-editor.org/info/rfc9082">
    <front>
      <title>Registration Data Access Protocol (RDAP) Query Format</title>
      <author fullname="S. Hollenbeck" initials="S." surname="Hollenbeck"/>
      <author fullname="A. Newton" initials="A." surname="Newton"/>
      <date month="June" year="2021"/>
      <abstract>
        <t>This document describes uniform patterns to construct HTTP URLs that may be used to retrieve registration information from registries (including both Regional Internet Registries (RIRs) and Domain Name Registries (DNRs)) using "RESTful" web access patterns. These uniform patterns define the query syntax for the Registration Data Access Protocol (RDAP). This document obsoletes RFC 7482.</t>
      </abstract>
    </front>
    <seriesInfo name="STD" value="95"/>
    <seriesInfo name="RFC" value="9082"/>
    <seriesInfo name="DOI" value="10.17487/RFC9082"/>
  </reference>
  <reference anchor="RFC9083" target="https://www.rfc-editor.org/info/rfc9083">
    <front>
      <title>JSON Responses for the Registration Data Access Protocol (RDAP)</title>
      <author fullname="S. Hollenbeck" initials="S." surname="Hollenbeck"/>
      <author fullname="A. Newton" initials="A." surname="Newton"/>
      <date month="June" year="2021"/>
      <abstract>
        <t>This document describes JSON data structures representing registration information maintained by Regional Internet Registries (RIRs) and Domain Name Registries (DNRs). These data structures are used to form Registration Data Access Protocol (RDAP) query responses. This document obsoletes RFC 7483.</t>
      </abstract>
    </front>
    <seriesInfo name="STD" value="95"/>
    <seriesInfo name="RFC" value="9083"/>
    <seriesInfo name="DOI" value="10.17487/RFC9083"/>
  </reference>
  <reference anchor="RFC9224" target="https://www.rfc-editor.org/info/rfc9224">
    <front>
      <title>Finding the Authoritative Registration Data Access Protocol (RDAP) Service</title>
      <author fullname="M. Blanchet" initials="M." surname="Blanchet"/>
      <date month="March" year="2022"/>
      <abstract>
        <t>This document specifies a method to find which Registration Data Access Protocol (RDAP) server is authoritative to answer queries for a requested scope, such as domain names, IP addresses, or Autonomous System numbers. This document obsoletes RFC 7484.</t>
      </abstract>
    </front>
    <seriesInfo name="STD" value="95"/>
    <seriesInfo name="RFC" value="9224"/>
    <seriesInfo name="DOI" value="10.17487/RFC9224"/>
  </reference>
</referencegroup>
<referencegroup anchor="BCP14" target="https://www.rfc-editor.org/info/bcp14">
  <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119">
    <front>
      <title>Key words for use in RFCs to Indicate Requirement Levels</title>
      <author fullname="S. Bradner" initials="S." surname="Bradner"/>
      <date month="March" year="1997"/>
      <abstract>
        <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
      </abstract>
    </front>
    <seriesInfo name="BCP" value="14"/>
    <seriesInfo name="RFC" value="2119"/>
    <seriesInfo name="DOI" value="10.17487/RFC2119"/>
  </reference>
  <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174">
    <front>
      <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
      <author fullname="B. Leiba" initials="B." surname="Leiba"/>
      <date month="May" year="2017"/>
      <abstract>
        <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
      </abstract>
    </front>
    <seriesInfo name="BCP" value="14"/>
    <seriesInfo name="RFC" value="8174"/>
    <seriesInfo name="DOI" value="10.17487/RFC8174"/>
  </reference>
</referencegroup>

<reference anchor="XSD-DATATYPES" target="https://www.w3.org/TR/2004/REC-xmlschema-2-20041028/">
  <front>
    <title>XML Schema Part 2: Datatypes Second Edition</title>
    <author fullname="Paul V. Biron">
      <organization></organization>
    </author>
    <author fullname="Ashok Malhotra">
      <organization></organization>
    </author>
    <date year="2004" month="October"/>
  </front>
<refcontent>W3C Recommendation</refcontent></reference>
<reference anchor="RDAP-JSON-VALUES" target="https://www.iana.org/assignments/rdap-json-values/rdap-json-values.xhtml">
  <front>
    <title>RDAP JSON Values</title>
    <author >
      <organization></organization>
    </author>
    <date year="n.d."/>
  </front>
</reference>
<reference anchor="EPP-EXTENSIONS" target="https://www.iana.org/assignments/epp-extensions/epp-extensions.xhtml">
  <front>
    <title>Extensions for the Extensible Provisioning Protocol (EPP)</title>
    <author >
      <organization></organization>
    </author>
    <date year="n.d."/>
  </front>
</reference>


    </references>

    <references title='Informative References' anchor="sec-informative-references">



<reference anchor="RFC5910">
  <front>
    <title>Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)</title>
    <author fullname="J. Gould" initials="J." surname="Gould"/>
    <author fullname="S. Hollenbeck" initials="S." surname="Hollenbeck"/>
    <date month="May" year="2010"/>
    <abstract>
      <t>This document describes an Extensible Provisioning Protocol (EPP) extension mapping for the provisioning and management of Domain Name System security (DNSSEC) extensions for domain names stored in a shared central repository. Specified in XML, this mapping extends the EPP domain name mapping to provide additional features required for the provisioning of DNS security extensions. This document obsoletes RFC 4310. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="5910"/>
  <seriesInfo name="DOI" value="10.17487/RFC5910"/>
</reference>
<reference anchor="RFC7344">
  <front>
    <title>Automating DNSSEC Delegation Trust Maintenance</title>
    <author fullname="W. Kumari" initials="W." surname="Kumari"/>
    <author fullname="O. Gudmundsson" initials="O." surname="Gudmundsson"/>
    <author fullname="G. Barwood" initials="G." surname="Barwood"/>
    <date month="September" year="2014"/>
    <abstract>
      <t>This document describes a method to allow DNS Operators to more
easily update DNSSEC Key Signing Keys using the DNS as a
communication channel. The technique described is aimed at
delegations in which it is currently hard to move information from
the Child to Parent.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="7344"/>
  <seriesInfo name="DOI" value="10.17487/RFC7344"/>
</reference>
<reference anchor="RFC7477">
  <front>
    <title>Child-to-Parent Synchronization in DNS</title>
    <author fullname="W. Hardaker" initials="W." surname="Hardaker"/>
    <date month="March" year="2015"/>
    <abstract>
      <t>This document specifies how a child zone in the DNS can publish a
record to indicate to a parental agent that the parental agent may
copy and process certain records from the child zone. The existence
of the record and any change in its value can be monitored by a
parental agent and acted on depending on local policy.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="7477"/>
  <seriesInfo name="DOI" value="10.17487/RFC7477"/>
</reference>
<reference anchor="RFC8078">
  <front>
    <title>Managing DS Records from the Parent via CDS/CDNSKEY</title>
    <author fullname="O. Gudmundsson" initials="O." surname="Gudmundsson"/>
    <author fullname="P. Wouters" initials="P." surname="Wouters"/>
    <date month="March" year="2017"/>
    <abstract>
      <t>RFC 7344 specifies how DNS trust can be maintained across key rollovers in-band between parent and child. This document elevates RFC 7344 from Informational to Standards Track. It also adds a method for initial trust setup and removal of a secure entry point.</t>
      <t>Changing a domain's DNSSEC status can be a complicated matter involving multiple unrelated parties. Some of these parties, such as the DNS operator, might not even be known by all the organizations involved. The inability to disable DNSSEC via in-band signaling is seen as a problem or liability that prevents some DNSSEC adoption at a large scale. This document adds a method for in-band signaling of these DNSSEC status changes.</t>
      <t>This document describes reasonable policies to ease deployment of the initial acceptance of new secure entry points (DS records).</t>
      <t>It is preferable that operators collaborate on the transfer or move of a domain. The best method is to perform a Key Signing Key (KSK) plus Zone Signing Key (ZSK) rollover. If that is not possible, the method using an unsigned intermediate state described in this document can be used to move the domain between two parties. This leaves the domain temporarily unsigned and vulnerable to DNS spoofing, but that is preferred over the alternative of validation failures due to a mismatched DS and DNSKEY record.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8078"/>
  <seriesInfo name="DOI" value="10.17487/RFC8078"/>
</reference>
<reference anchor="RFC9364">
  <front>
    <title>DNS Security Extensions (DNSSEC)</title>
    <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
    <date month="February" year="2023"/>
    <abstract>
      <t>This document describes the DNS Security Extensions (commonly called "DNSSEC") that are specified in RFCs 4033, 4034, and 4035, as well as a handful of others. One purpose is to introduce all of the RFCs in one place so that the reader can understand the many aspects of DNSSEC. This document does not update any of those RFCs. A second purpose is to state that using DNSSEC for origin authentication of DNS data is the best current practice. A third purpose is to provide a single reference for other documents that want to refer to DNSSEC.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="237"/>
  <seriesInfo name="RFC" value="9364"/>
  <seriesInfo name="DOI" value="10.17487/RFC9364"/>
</reference>
<reference anchor="RFC9499">
  <front>
    <title>DNS Terminology</title>
    <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
    <author fullname="K. Fujiwara" initials="K." surname="Fujiwara"/>
    <date month="March" year="2024"/>
    <abstract>
      <t>The Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document.</t>
      <t>This document updates RFC 2308 by clarifying the definitions of "forwarder" and "QNAME". It obsoletes RFC 8499 by adding multiple terms and clarifications. Comprehensive lists of changed and new definitions can be found in Appendices A and B.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="219"/>
  <seriesInfo name="RFC" value="9499"/>
  <seriesInfo name="DOI" value="10.17487/RFC9499"/>
</reference>
<reference anchor="RFC9615">
  <front>
    <title>Automatic DNSSEC Bootstrapping Using Authenticated Signals from the Zone's Operator</title>
    <author fullname="P. Thomassen" initials="P." surname="Thomassen"/>
    <author fullname="N. Wisiol" initials="N." surname="Wisiol"/>
    <date month="July" year="2024"/>
    <abstract>
      <t>This document introduces an in-band method for DNS operators to publish arbitrary information about the zones for which they are authoritative, in an authenticated fashion and on a per-zone basis. The mechanism allows managed DNS operators to securely announce DNSSEC key parameters for zones under their management, including for zones that are not currently securely delegated.</t>
      <t>Whenever DS records are absent for a zone's delegation, this signal enables the parent's registry or registrar to cryptographically validate the CDS/CDNSKEY records found at the child's apex. The parent can then provision DS records for the delegation without resorting to out-of-band validation or weaker types of cross-checks such as "Accept after Delay".</t>
      <t>This document establishes the DS enrollment method described in Section 4 of this document as the preferred method over those from Section 3 of RFC 8078. It also updates RFC 7344.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9615"/>
  <seriesInfo name="DOI" value="10.17487/RFC9615"/>
</reference>

<reference anchor="CENTR-REGISTRY-LOCK" target="https://centr.org/library/library/download/9799/6192/41.html">
  <front>
    <title>Models of registry lock for top-level domain registries</title>
    <author >
      <organization></organization>
    </author>
    <date year="2020" month="August"/>
  </front>
<refcontent>CENTR</refcontent></reference>


    </references>

</references>



  </back>

<!-- ##markdown-source:
H4sIAAAAAAAAA+1c7XvauJb/rr9CSz9M2idASF/DprmXgbSTnYbkBjrT7j77
bIwR4ImxuJYJZbr53/ecoxfLxiS0096d3efOfCixLem8n5+kI9XrdZZFWSza
/L8Z5z0Ri2mQRTLh50GUZCIJklDwzjKTc/14kAXZUvHTT/BO4YOJTHk2E/bJ
KBbQz2UqbyN8HSVT/COToYz53unl5WMWjEapuG1z+GOH8dxAbCzDJJgDoeM0
mGT1USpXSV0sFvWx66QeuIZ1YRvWDw6YyoJk/F9BLBNon6VLwaJFSr9Udnhw
cHRwyIJUBG1+sRAptVfQBp7M2/zsdPiGraZtfnX69vTDkP8q0xtk620qlwt2
s4IvgPA0EVm9h5SxMMjaXGVjtoja/D+A9X2uZAq9TRT8Ws/1j1DO5yLJ1H8y
IHom0zaITfP3NriNEv4j8gfPZApDn3U7/T78IeZBFLf5FL9okAT+GoVBkjTg
K8YSmSLztwL7Oqv3GpHIJvVxoiQISXnCwfdXb7pPX7x6ZX6+fPa8hT8Hw96L
I/Pj6Dn++LF72XrWZvDrw6BX73WGneHHy9MBvuLcmE7tw/k7PghnQB6/DNKM
H7Z5LwBLWS+E4gMRymTMT8cRjl3TDYN0KkBMsyxbqHazuVqtGqunyEZzeNUE
lTxrXp1265/msaJu64d1fNg6OHzVpA5yoeF/dT5ZxrEW32WwjPkvDf5jlMqk
4n1HzeQNmFs8k1ka0AfjIIMXOEC9dUBPQEdANFgQ0Pjr0y6/ElpfY5IfSuOq
17ms/9vgol//pfPufUkg+JLjS/5LEC+F2spzFCQBcR0oFU0TsohmOg4W9d8U
mO4ttd540Pg0y+YxUgFOVAejPO0Pzi76RRqc56gKH73XQ7+IWPRA52vlPy2h
UTLxbRMM7vlR68Da3tNnz5wZvnxpfr46eGmN8+jpC/vB0bOjI/vzRYsMtHva
H17VwTnPBsOrj/V3F92fC3I4lxAgFJcTUOo0Aq9e81iGN1oo4BmxuBUxH4Nr
gNeZTyKjMt8MaJxK2YTwPiXBxNEoDdK1+3cMHhrLYNw8enl01HzROjpsPms1
SCa+3R0e1A9eMVav13kwguGDMGNsOIsUkBUuUc5cLUQYTYAuHiTcCRgYIMX2
NPXnwWKB+qyIyffom69mUTjjQRzLlaKwHMYR6hZ7h4iM5gLhk48jhb+ZjSMh
zyMvn3vhOwxSkOCYy2XGR2uiRIn0VqQNfpbBOEpCSxWm0QjEPJMr+sLvII9U
EEdBRqi8wKoI4h0fCR4lYbwcwyjwCN2NpUItwOTAO1B2MKRcptCXlgWKEoPz
PnECPURKLQVHUd+IdB9GX9uOJ3KJn2T8WID6mVb265pV9jTKZstRA8JBczr6
tP6dLL4QXXP7rzVPGlqt82g8BtGxR5gsUjlehsTd50cR/nnH2OfPxvzv7iz7
oOuyYEAOnsydV0k03FCmY7XPIOZCSojjNb/uD67tc8P2moPryjCCzsd8CqHE
vd9TQmCkps5ewkCaIvS3u7vHQAhku+mMCFosRzEMQV8CQdfdwcd+Nx8J9IFf
hbMoHvPfIeNq+4IYMMZWgt7mXPyg0BiiFAjawtperT/wTKL2GGQ6iOZRHKTx
ep9ryUEMubszf2DowD+QZ80FhApPrrzXHwxOu2xPv4ToQiwiGChIG2x3hpl2
6jFEzKsZ79JfvQHbu+72BtePcbAmmJp53h/8fPqR4zv6Be+teLSzbRUGs8LQ
NPJFkELWAnwBKqr1SnIA7u5L83d3bIFuD11yaYFNEBMpeTLT6QHGwTCjP5Mw
2gq4JNbRWRexXCOzed+oA2MtLxottIOHaNGujDYdZMwMR+aRj5kuE4pP4IBC
RzATj4Mkq9ufad3F8b2rq6vHfI4BnqGyl8oqa6dMh+ZCgAfUz548OX8/GPL+
xfDJE66WEG8T1G8hFslYgF9JbeCjQEWUVuAPkLNQwngovrzWAe/9AkM8DDqL
RhH43DUJAfBzCDTzvbGYRAmFMCfMw8ZTLUzMkS+ftoC0BqdU4LcMg6WiVLAG
Cf0dEEHGQE8giGii462JlYh4+J4Olci+MSrfuwLFQf7a2zEpkytIDISp+A2I
AvJMDMfMYOK4jrBzCQ6DpgTdAD278g684KCIEzGus1ohL9d0KPr8uSKvA23g
1UBEuEyjbM3nIlDLVFAAmaIgM8nmgDKn1rPSSN3gIHsBOCiSCv4wjxR8GYKz
yzlYWRCGEPAzDPiUqDCHyBSExZzBFYPjkdOPCY77gNH53qg8AjycBxAoI7lU
eV8gujfwRuvHRgOIMpD0ivhkn0cZiiqRmDJXwVpngzBQgqELldzDCt8ofhXF
MV/hcwH5CtgsWjJQ0Pe9mXBEcAOxPQ5C0fij4IOhqXgmXEQYRTEbsOGneCZH
aHnYvx55DR0IYgMIR4EUuTGht8jRXs1LJ37U5ID/lxCjR/cBFcY2kAq3SKWy
3xyoGA1oHpQZjZE/6SiRGdBidEetcbbEO2EolPJiFOIaE6SOnqNj+hjn0SPe
lckt9EdB/L3S3ZLmekZz2k9vBAiQkk8NY1xtX/+LsQ5/X53+7f3Z1WkPfw9+
6rx7537YLwY/Xbx/B++Z+ZW37F6cn5/2e7oxPOWlR+edjzWdiGsXl0OYo3Te
1TRCiBRz9gXJwMQcTL4piAllFCgnfOLs82eai4I5kWkdtlrgfTpwvWq9fEZm
JhI9mkzitfkTVAawZ7EQ4MjQCxgh6H0RZaDdfRwDFLRKOBiXMGENKJjzLdaD
MwLMxYiMI2uRI5nNUPOl/IyEsBJ22S9yFYzkrWjwTuIFV41FZ1IqEko0X8SC
dLk5IPwNHy2MvQA7yF+IOIPwywoaQBSBJAUMLiTEojUadmLwsJE+ADDxKcBR
oIPadbd9XctNVfEYMhQICdUELhK40YzfUt6tXQ8qW4Eel2miM4jX0k0GIM0n
mfNhBlEiw9AAIcigSODO0kZGYuCM0S9KJ46X5ETwoRFTKmKNa2bRwuBeaIlR
A1MlYauJgESUCpO9QRaWNBBPp8whARZKWrTkEP1OeQa0lARToQMi+DFGMhO2
Ik/DDNQd8Foe7mp5r4SoMfQU1AEk4GoKPMFQj4JXEc6bG/x9EmN4oEADEkBj
AJAmyMI5tjFhOjSwDkXqpOckF5XUzykUlFzPYfgA56JgdJR2CuELjAwxGgZI
mD/LBWU/whUoCme1FiyifRNmQUIRlpCayZEMaV5uQdhmhKnFTIROEAlDHLsh
m0Plo/lgdtBrRMpTMDgJSTHBlT8wJ0AbhA2x5S1kZQ19EVkBS8yjBz/Q3XFC
Z5GRJZjQUonisOSGBgrmbshMcyISM4ohbkKAALkZ2+RgAk5BJNAPjPsJSFkq
pwnfD/bUEnOpyaMZQZXrPMRcYxPv73YBhuNEJRUWySJJzoPAxthimS4kphfe
2a5NXoDKRuZETQ4C8UfKEJ+SnTrTrOBTh6Ry2LJo62njEP6nCcZ9i4yQBgrL
kzj9Q4oIctAKRgxuGtLkx5ixN/kh1PpJtUcS5BIk12xs+tWZyckZEuj1wXVN
57PrCWQQAX/ZHkBgoVhk/Ad68YM1AJa3bbm2uAZd1RSf/wCRsSBwZST+5AlT
y8VCAu9keipbxzqIVTOHIIESS75af6q7VQbhFSIGD8YAEbKV5IlY2XAKOeH6
2LOmROWL8yfXFGMK78eF9/sWI/rzkbkBinvlSQ66oh1Wc2iAMbouqNCoB8Sn
V6XGKM4MpDtaZpi8WyA4jYJpmdRC4srP3WRlO/FWBBCLmdMYKIz0SOalo6TN
26CkzkfwCJhOoeOUQKpRNdOSAGoPvye11jaJ3IMCuTm1uRPvSLJbdWl/A2En
flz649Luf2dp30vuV4r7AZqHmzQUNI7LD4iDKFGs7IAekjTRQhUH2mc2Ne1m
ThAPdhykuD6kY09Xzuc4npke0rwFn/9tKWCma94qfKyfXx/j6gQQYF6ZSJXP
OsdSmFnxWC9pupBhYk2hl9AMnyOyKOfARKUtAeknuQJok+7jQJFZOnNjQWJg
dvnGpRA7qJ2mgRB+RYlBzNogaAYZfCTgJeAGnPZBP5DY8RduVa33PVagO0x0
J9c2Orp8gIkjo0VxWnbMqStNnaoZZiWGzxLHqj+8E71nFRsEBEyTUDApYFkT
7tppLK0BVGQWuHPVOnBQZfybnW0SkUEmDFTGaVlRO/FEIgSghYaCjHQIC+51
MPMtzKsmvi9Xu1UDY0ywi09t7a9X7I+dasxn1bZhX7Qty/mgzY//8mkec+gM
5fi61moc1P5y4l6KxYLD+0S9rsF8rI1rtG1aWFZteAxct3ETAxu5Npwf21G8
Z/rpMs5oGRLGOTgotKEv5mp6cvHzcRP/LTRt6rYb/ZFaS51olq3Siy+5Zqat
v9nKk35dZqvYP1rciYHWuKdz3PRfbGuVymh8cvqhc3757rRVvzq9dM3ozbZm
Zv0TtCBvas3tNKmNV/nLmVTZxei3k0S1GpbuRGSOAPt+lx4OXQ8ynT7YQy6a
Tfps32F81jvp0gT3g/ueHpbU2yzqd9NONp/mYajUl+dvYQoze1FtLfln93lB
26sm8faC/O29aoPaEkXMBur4dY0wQpXat8SLvCWCoY2Gx80NvktSrBbYcZZu
qkPdDq/g6fNnTw8P6x8+/vtx0zwp9lhqSooqhohj3A49cUl+mAaJIqhTlegN
1fekekqwqjIBuz3uYlcmvbId0p+/Qt3gvC93TvSlMb10P9xKEXdbcQFuOxux
uG05nRnNCnlgF9cA0eh+8u1vvXRQSNY+8LGjOfp9QbBdgM++mZHqfjZzbMIq
IcE+z1HlbohBJ+Ti9NFJ7QsBg8mozCyu4c4H4UG33Y21FmZJx1sE29jLKGxA
VKGQDQK/DISw7w5CzgpfObBsFw6KMwE9TQmqHMiwozdUUVRlfv0dQlqyCdhh
6+CQ79XeJ27BCNe6FmbfxbkJzsTkPMrg7b7ZUZkECCoKxDG9Ys33gG+wUyw5
gHD4uEAArlFF02Xq+aY/4/umaOwBwfb+zILtfUvBbqDSMosGlnYrYSmkNcCO
wP3r2vvhm/qrGqfiTKrNfF1LpMWt3a/ArV3KSoYK7xE+9DJkt4wyPdjQ/aMg
s/tVILOiFWSGSI75Momy17V17aTlmuk324dTG6++Ej8+0MMO+LF7D36sIB23
WM5wjrN9+MWqub3rLe1zKLppBcfNqocl7NR9AGxuWM13AJvdrwabW1o+DDa7
D4LN7hawqT2xWXbFHB5aDLikKpFvggFdV/9ADOjGrMSAZYq+FgN6hT1ukVIV
iiJ3Q4WsEhVuEc3/Kg50kvtGOFD3529FmP1FSrD3Y8MqGLhB3/8HGJhUOdF3
hCt/Doz2j+d6A0CVh/8zAihDYzWA0i//FADKvasg+LhZ9fD/eq6vzNi7pPpq
kPDNc70+DWMOjrltoAtX9QvBMd9OwpJIqSvvdF6kuhDqwXg1lumb4n8qGUmy
dG03dWrXeo31usbnYj7CailXkOdq52hdAAOxLnkRCv0Uy1Epr0jI9FgBFlHh
uq46rK74w7CgRYn7fuZ0hAYIAZ9GtyJh3ra33p/uWGrwK10VWdwE9Dp1sYZ2
wTGr1a6LH+d7l3pTE/rFcq8NKehIu8vYjouHB7ef7jL608rRe1/Cee9rOX+2
29j3ct77as6pqoGKKszqvz7BpQt0R7aCV6S2xLF8rOzujqqP2efPePqqjifB
cK/OQJJqoRAC20azJcDfkGZUbDGimhyq9LPF0FiukUVgvNw7cLHFCHUtyBYb
Ke5/PzgcRo03WKIe88EaMvEnvvfh/N1j/vmRrqa6Y8zUTLoyMQ3n85oWLVCv
ZgiAQF70xSe6d0W9e5VtWAdKxX5Uyx2LzBZwlWprLKQrjs/UMsqo3IiigDlv
4pec2WjnV6cpmHkgTT+evj3rk/JO+z2eBVPFbOmirZbPC8r+1RS2eoVp8KGG
uCMwKn2SgpaCE6r9lxOWtyb63l+duQpyos2Vf2n8QfTQr11giIEdx3oA5mVI
fXiqeMrz8OCg1QQhaOXU/M+/bUI1PetjXH07T/h2HRtkiNba06ttr2t/X4K+
0QRNOmc2IyfWCE+Yh3F0IWbpOUaoHc5d599/weFOA5MqxoXkX6LRvviXet38
7BZrDfR5uSjxJ5pgQfrbet31bCE0JsPXNbPxV+NYZve6trnPP4TnFptstNaw
pKKxfnFvWw0BK9rqF35b24EOBZ/wlekkb0bfe+rMq4j0lyY81nJFmZFNNZv/
Ahz5dc0WsXoMND0CHqLMF59HlsJjQmDFnoGVBeOjS58qvimqEvuFjwE5XYTh
MgW3P8h5qBhv/H3HO26Wef4iOXqW9E8xfr0YPaf6pxgfEiN8ROlQ/wUggA4M
d/odPOmjorG7mwL31xFBuHxWPrFFpfbvr/pKV+jrxb5y7T2CAzo3YCrUvYpv
mAZ559HmIpwFSaTm5QM55hIJXDsdFmqtEFp4twTQCqo5qYjTpQlx1WascAjK
Lq0Ohx6Z8BF01uZ/NF/nY4F4uri8E2Z4ucfgLR24aPO+TADnOokiCyhQc3LE
QdVk86hF4x4+cvnex4j54tsxM6AjlAYs37lzLt4hk0fl0nDT45oxsrhI8Vxh
YER2ouJWi/0l+sJism+HUQIzl+IlFViav2lGeAGJNSOYgAdRbM/WFiAqAWI6
TEGr5CBTVBiBaktOe0fktOPtCIzZw3Smpzb+m4wDPE83xPsDUBkTmDaAmtpF
9n01WfUM3/Wgi06Ccr684r1IhbHEU6zaAhmzo3RCOpLB+oDqlX356NHG3SJ4
iYCbGm5RXgxElDRDB5NSSzgJpWr2SbXCBd3nTq5nkqADIqTNK+eFwDHEt7aZ
/oI0SfW0KtombZtlnfPOx3vrool2swNdlOrwDWPGB/hZfrK5zSOhpn9FV9PX
41RSaWeoO5NpZrHfmdbtFmW4qJz5f42sq0r+v5msq9cgvlrW34fW7bJ+hMeQ
9FHzcgIezvKDLPl9N/eFQpNK8tNua3eQnSHDEabkkVhL2j7D0595Z6M1hVxX
p3Xg6rS8fTtMmWxLSZfZfNRxLQ7WuNBKywa654YRuyEnLDDLN3YL8XRX4ViX
+RCrSdZ63zFSrHS4SPGViOmEpdI7JrqL4nac2xVVOXsVO6WqXM/vC7q4R4On
r0ITBrPKk+eBoiu4cGsxpNWa/BoJB3xKmjWn0xQ/bBw1Wo0WyTe/NUVrCM/1
rnHDVswXdJjdmnH15i/KqCSN0ZqO0NkT8iSvDAjawsg9m1OQOBeg/0VKtXAo
1cCcZjUBJE2lvdZh4SdDY5n35/hbGd+6PVmU2BRTMvOvmaD9W1y610e6ksKF
JNF8gU5qLtbo9Qe4ZEv3sRRO8+YM0pFbYDNbCe9AitUnHuHUEURrMsDjezKZ
+mpGmpx2ab3xwiOo7O0D3V1+U4mjRILHeseKLLbYdq6IPXCYbpfNULXPohR3
MwQhBAuT3BUke7j0OKLfj93mSn55iOLmACnbdlGHPbaynZEIF7srDz1tmiXb
PKnVLK2+Z0rEEx2k1HI0jzKKjonA0zBBiqfh0aTsAR9mbjGxNWqF9VjjQEbx
VZurfI/i9ZiCn3/vCYaoRAh48XhHCVSdUqsUQH5tQkEOjdKGtLWeVAQKo4tc
ZrGtSTAhh71suCti7r9vxxy6tnd54a0CeD63YCq5peTndt3CnnfihBU2zzY3
yDZUSoeM9a57foGMNrd9DgJkatOjtJBAQC6yQKMoLUQKU7ro1dLoXIOF0iZK
uh7HS1KCTEYSwDr81Ld6gOYg3uC5djoyizL35UTxMsbVYo7UA9qNpPK2EWli
SuGM4RVJ3v1I6HdjulopUhg+H2/ZNwSu5mDwt1qY2uDZpp3616/l+4tb+qTt
htheY6eYu0EpSq1BYgSlC9giFLZ3TwdInKLzhkpyqMLAEutyUh+h4Oegc6n3
OTcvituFUuZRyrdQSldZ2IO/zgIoUHd1gnknp/YUszkrHil3c9Fc3qLdCRhN
2Du7KCLQFTbg8noGfHvQYuwJPw/GolRR5LxAF3CAoegT6uZKLCMrd6nGE5g+
6zH9sts8XJh9QoWX+qAnApFgJbEIqMM9rBhZm4glPi105ra96EEe0yg6VhOY
CeUteV7B7TTIwn+L/riHsOFG8Ut0XQB78FyB39u7pcx+Ok4JE38BxNRNWWEd
IAlneCdC4HaD6PIDvJAD4zE+MwAN/Qh0SDeX8rdAzRCybUIuNzBoVx9ELZFE
Ku6EN4lcQcyd5sfVhYEsdDOZTQbAVGlSamIoWBOiWIjQOklOILCPYLJOu5TB
WGMaHSC0xugSi7mwNyl5AKeNm43jNe+LVYZR+i3gkuBWggH+HiRyn78BMBfC
NF7yDsArAK4bHP0PDWFqlmZXAAA=

-->

</rfc>

