<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-deleg-10" category="std" consensus="true" submissionType="IETF" updates="1034, 1035, 4035, 6672, 6840" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="DELEG">Extensible Delegation for DNS</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-deleg-10"/>
    <author initials="P." surname="Špaček" fullname="Petr Špaček">
      <organization>ISC</organization>
      <address>
        <email>pspacek@isc.org</email>
      </address>
    </author>
    <author initials="R." surname="Weber" fullname="Ralf Weber">
      <organization>Akamai Technologies</organization>
      <address>
        <email>rweber@akamai.com</email>
      </address>
    </author>
    <author initials="D." surname="Lawrence" fullname="David C Lawrence">
      <organization>Salesforce</organization>
      <address>
        <email>tale@dd.org</email>
      </address>
    </author>
    <date year="2026" month="July" day="04"/>
    <area>Internet</area>
    <workgroup>deleg</workgroup>
    <keyword>Internet-Draft</keyword>
    <keyword>DNS</keyword>
    <keyword>delegation</keyword>
    <abstract>
      <?line 46?>
<t>This document specifies a new extensible method for the delegation of authority for a domain in the Domain Name System (DNS) using DELEG and DELEGPARAM records.</t>
      <t>A delegation in the DNS enables efficient and distributed management of the DNS namespace.
The traditional DNS delegation is based on NS records which contain only hostnames of servers and no other parameters.
The new delegation records are extensible, can be secured with DNSSEC, and eliminate the problem of having two sources of truth for delegation information.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://github.com/ietf-wg-deleg/draft-ietf-deleg-base/tree/gh-pages"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-deleg/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        deleg Working Group mailing list (<eref target="mailto:dd@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/dd/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/dd/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/ietf-wg-deleg/draft-ietf-deleg-base/"/>.</t>
    </note>
  </front>
  <middle>
    <?line 53?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>In the Domain Name System, responsibility for each subdomain within the domain name hierarchy can be delegated to different servers, which makes them authoritative for their portion of the namespace.</t>
      <t>The original DNS record that does this, called an NS record, contains only the hostname of a single name server and no other parameters.
The resolver needs to resolve these names into usable addresses and infer other required parameters, such as the transport protocol and any other protocol features.
Moreover, the NS record set exists in two places--one at the delegation point, and the other at the apex of the delegated zone, which might not match the NS records at the delegation.
The DNS Security Extensions (DNSSEC) protect only one copy, those in the apex.</t>
      <t>These properties of NS records limit resolvers to unencrypted messages on UDP and TCP port 53, and this initial contact cannot be protected with DNSSEC.
These limitations are a barrier for the efficient introduction of new DNS technology.</t>
      <t>The DELEG and DELEGPARAM resource record (RR) types remedy this problem by providing extensible parameters to indicate authoritative name server capabilities and additional information, such as other transport protocols that a resolver may use.</t>
      <t>The DELEG record creates a new delegation.
It is a Delegation Type record as defined in <xref target="I-D.ietf-dnsop-delext"/>.
It is authoritative at the delegation point and thus can be signed with DNSSEC.
This makes it possible to validate all delegation parameters, including those of future extensions.</t>
      <t>The DELEGPARAM record is an auxiliary record which does not create a delegation provides an optional layer of indirection.
It can be used to share the same delegation information across any number of zones, simplifying operations management by reducing the number of situations for which the delegation information for a domain would need to be changed at the delegation point.
For example, if the customers of a DNS operator point their delegations to a DELEGPARAM record managed by the DNS operator, then the operator can make changes without requiring the customers to have to update the delegation point.</t>
      <t>The DELEG record can be used alongside, or even instead of, an NS record to create a delegation.
The combination of DELEG+NS is fully compatible with old resolvers, facilitating the incremental rollout of this new method.</t>
      <t>Future documents can use the extensibility mechanism for more advanced features, like connecting to a name server with an encrypted transport.</t>
      <section anchor="terminology">
        <name>Terminology</name>
        <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in
all capitals, as shown here.</t>
        <t>Terminology regarding the Domain Name System comes from <xref target="BCP219"/>, with additional terms defined here:</t>
        <ul spacing="normal">
          <li>
            <t>legacy delegation: A delegation that is done with an NS RRset</t>
          </li>
          <li>
            <t>Delegation Type: Defined in <xref target="I-D.ietf-dnsop-delext"/>.</t>
          </li>
          <li>
            <t>Delegation-Extension-aware: Defined in <xref target="I-D.ietf-dnsop-delext"/>.</t>
          </li>
          <li>
            <t>DELEG-aware: DNS software that follows the protocol defined in this document.
DELEG-aware software is inherently Delegation-Extension-aware.</t>
          </li>
          <li>
            <t>DELEG-unaware: A DNS software that does not follow the protocol defined in this document.</t>
          </li>
          <li>
            <t>non-DELEG specifications: DNS protocols that predate this protocol, or are written after this protocol is published but are not related to this protocol.</t>
          </li>
          <li>
            <t>Delegation NS RRset: An NS RRset that delegates authority of subdomain to a set of authoritative servers.</t>
          </li>
          <li>
            <t>Authoritative NS RRset: An NS RRset at the apex of a zone.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="protocol-overview">
      <name>Protocol Overview</name>
      <t>This section is a brief overview of the protocol.
It is meant for people who want to understand the protocol before they dive deeper into the specifics.</t>
      <t>When a DELEG-aware resolver sends queries, it sets the DE bit in the EDNS0 header to 1 in queries to authoritative servers, as a signal that it is DELEG-aware.</t>
      <t>DELEG-unaware authoritative servers intrinsically ignore this signal.</t>
      <t>A DELEG-aware authoritative server uses that signal to determine the type of response it will send.
If the response is not a referral, the authoritative server doesn't change anything about how it responds.
If the response is a referral, the authoritative server checks if there is a DELEG RRset for the queried zone. If so, it returns the DELEG RRset instead of any NS RRset in the response.</t>
      <t>Records in the DELEG RRset for a zone describe how to find name servers for that zone (<xref target="deleg-delegparam"/>).
The RDATA for DELEG records has key=value pairs (<xref target="nameserver-info"/>).</t>
      <ul spacing="normal">
        <li>
          <t>"server-ipv4" and "server-ipv6" keys contain one or more IP addresses for the delegated name servers</t>
        </li>
        <li>
          <t>"server-name" key contains one or more hostnames for the delegated name servers; the addresses must be fetched separately</t>
        </li>
        <li>
          <t>"include-delegparam" key contains one or more domain names which in turn have more information about the delegation</t>
        </li>
        <li>
          <t>"mandatory" key contains a list of other keys which must be present in the same record, and which the resolver must understand in order to use that record</t>
        </li>
      </ul>
      <t>The DELEG-aware resolver uses the information in the DELEG RRset to form the list of best servers to ask about the original zone (<xref target="finding-best"/>).
If the DELEG RRset contains "include-delegparam", the resolver queries those hostnames for DELEGPARAM RRsets.
DELEGPARAM records have the same format as DELEG records; thus, they can have the same key=value pairs.</t>
      <t>The DELEG protocol changes how zones are signed (<xref target="signers"/>) and validated (<xref target="dnssec-validators"/>).
The changes are primarily because DELEG RRsets are authoritative at the delegation point and thus are signed and validated as authoritative data, similar to DS records.</t>
      <t>A zone might be delegated with only DELEG records but no NS records.
Such a zone would be invisible to DELEG-unaware resolvers.</t>
      <t>In order to protect validators from downgrade attacks, this document uses a DNSKEY flag described in <xref target="I-D.ietf-dnsop-delext"/>.</t>
      <t>There are many parts of the DELEG protocol that are not included in this brief overview.
For example, DELEG-aware authoritative servers have choices to make depending both on the request and the contents of the zone file.
For those readers who learn better from examples than the definitive text, see <xref target="examples"/>.</t>
    </section>
    <section anchor="deleg-delegparam">
      <name>DELEG and DELEGPARAM Resource Record Types</name>
      <t>The DELEG record has an RR type that is TBD1.
It is a Delegation Type, as defined in <xref target="I-D.ietf-dnsop-delext"/>; thus, TBD1 will be from the 0xF000-0xF1EF range.
The DELEGPARAM record has an RR type of TBD2.
It is not a Delegation Type, and thus will not come from the range defined in <xref target="I-D.ietf-dnsop-delext"/>.</t>
      <t>The DELEG record and the DELEGPARAM record have the same wire and presentation formats,
but their semantics are different as described in a following section.</t>
      <t>The record format is based on the extensible key=value list that was originally defined as "SvcParams" for the SVCB record type <xref target="RFC9460"/>.
Unlike SVCB, the DELEG protocol does not have "SvcPriority" and "TargetName" fields.
The keys in the DELEG protocol are also different than those used in SVCB.
To avoid confusion between the two protocols, the list of key=value parameters used by the DELEG protocol are called DelegInfos and are tracked in their own IANA registry for Delegation Information.</t>
      <t>The following rules are adapted from SVCB, but with changed names:</t>
      <ul spacing="normal">
        <li>
          <t>The whole RDATA consists of a single list called "DelegInfos".</t>
        </li>
        <li>
          <t>DelegInfos consists of individual DelegInfo key=value pairs.</t>
        </li>
        <li>
          <t>Each DelegInfo pair has a DelegInfoKey and a possibly optional DelegInfoValue.</t>
        </li>
        <li>
          <t>Each DelegInfo has a specified presentation format and wire encoding.</t>
        </li>
        <li>
          <t>Each DelegInfoKey has a presentation name and a registered key number.</t>
        </li>
        <li>
          <t>Each DelegInfoValue is in a format specific to its DelegInfoKey.</t>
        </li>
      </ul>
      <t>Implementations can reuse the same code to parse SvcParams and DelegInfos and only plug in a different list of key=value pairs for the SVCB/HTTPS and DELEG/DELEGPARAM record families.</t>
      <t>The initial set of DelegInfoKeys and their formats are defined in <xref target="nameserver-info"/>.</t>
      <section anchor="presentation-format">
        <name>Presentation Format</name>
        <t>The RDATA presentation format of the DELEG and DELEGPARAM resource records consists of a single list, DelegInfos.</t>
        <t>The DelegInfos presentation format is defined exactly the same as SvcParams in Section 2.1 of <xref target="RFC9460"/>. The following rules are adapted from SVCB, but with changed names:</t>
        <ul spacing="normal">
          <li>
            <t>DelegInfos is a whitespace-separated list with each DelegInfo consisting of a DelegInfoKey=DelegInfoValue pair, or a standalone DelegInfoKey.</t>
          </li>
          <li>
            <t>Individual element definitions are the same as <xref target="RFC9460"/>:
            </t>
            <ul spacing="normal">
              <li>
                <t>The DelegInfo syntax is the same as SvcParam, but it references DelegInfo elements instead of SvcParam elements.</t>
              </li>
              <li>
                <t>The DelegInfoKey syntax is the same as SvcParamKey.</t>
              </li>
              <li>
                <t>The syntax for unknown keys in Section 2.1 of <xref target="RFC9460"/> applies.</t>
              </li>
              <li>
                <t>The DelegInfoValue syntax is the same as SvcParamValue.</t>
              </li>
              <li>
                <t>The rules from Appendix A of <xref target="RFC9460"/> apply.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>All the requirements in Section 2.1 of <xref target="RFC9460"/> apply.</t>
          </li>
        </ul>
        <t>DelegInfos MAY be zero-length; this is similar to what is allowed in SVCB records.</t>
      </section>
      <section anchor="rdata-wire-format">
        <name>RDATA Wire Format</name>
        <t>The RDATA portion of the DELEG and DELEGPARAM resource record is variable length and entirely consists of a single "DelegInfos" element:</t>
        <artwork><![CDATA[
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/                         DelegInfos                            /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
        <t>The format of the DelegInfos element is identical to the format of the SvcParams element defined in <xref target="RFC9460"/> Section 2.2,
including the requirements for strictly increasing numeric order to keys and no key duplication allowed.</t>
        <t>All the requirements in Section 2.2 of <xref target="RFC9460"/> apply.</t>
        <t>The DelegInfos element is a sequence of individual DelegInfo elements and MAY be empty.
The wire format of an individual DelegInfo element is the same as for a SvcParam element,
but it references DelegInfo elements instead of SvcParam elements.</t>
        <artwork><![CDATA[
                +0 (MSB)                            +1 (LSB)
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0:  |                          DelegInfoKey                         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2:  |                length of DelegInfoValue                       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
4:  /                          DelegInfoValue ...                   /
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
        <t>The permissible lengths depend on the DelegInfoKey value.
Some future keys may have no DelegInfoValue, which would be indicated with an explicit 0 length.</t>
      </section>
      <section anchor="semantics">
        <name>Semantics</name>
        <t>The following is a brief summary of semantic differences between the DELEG and DELEGPARAM types.</t>
        <ul spacing="normal">
          <li>
            <t>DELEG creates a delegation for its owner name, similar to the NS RR type.</t>
          </li>
          <li>
            <t>DELEG and NS RR types can coexist at the same owner name.</t>
          </li>
          <li>
            <t>DELEG is authoritative at the delegation point, similar to the DS RR type, and unlike the NS RR type.</t>
          </li>
          <li>
            <t>DELEG is signed when using DNSSEC, similar to the DS RR type, and unlike the NS RR type.</t>
          </li>
          <li>
            <t>DELEG cannot be present at the apex of the delegated zone, similar to the DS RR type, and unlike the NS RR type.</t>
          </li>
          <li>
            <t>DELEG has special processing for being included in answers.</t>
          </li>
        </ul>
        <t>Conversely,</t>
        <ul spacing="normal">
          <li>
            <t>DELEGPARAM is an ordinary RR and doesn't require any special processing.</t>
          </li>
          <li>
            <t>DELEGPARAM does not create a delegation for its owner name.</t>
          </li>
          <li>
            <t>DELEGPARAM cannot exist at a delegation point.</t>
          </li>
          <li>
            <t>DELEGPARAM DNSSEC-signing and record-placement rules are the same as for any ordinary RR type.</t>
          </li>
          <li>
            <t>DELEGPARAM is used as the target of the DELEG protocol's "include-delegparam" mechanism, as described in section <xref target="slist"/>.</t>
          </li>
        </ul>
        <t>Note that neither DELEG nor DELEGPARAM trigger Additional Section processing like NS does.
The significance of this difference is addressed more in the next section.</t>
      </section>
      <section anchor="nameserver-info">
        <name>Name Server Information for Delegation</name>
        <t>The DELEG and DELEGPARAM records have four keys that describe information about name servers.
The purpose of this information is to populate the SLIST (see <xref target="slist"/>) with IP addresses of the name servers for a zone.</t>
        <t>The types of information defined in this document are:</t>
        <ul spacing="normal">
          <li>
            <t>server-ipv4: an unordered collection of IPv4 addresses for name servers</t>
          </li>
          <li>
            <t>server-ipv6: an unordered collection of IPv6 addresses for name servers</t>
          </li>
          <li>
            <t>server-name: an unordered collection of hostnames of name servers; the addresses must be fetched separately</t>
          </li>
          <li>
            <t>include-delegparam: an unordered collection of domain names that point to DELEGPARAM RRsets, which in turn have more information about the delegation</t>
          </li>
        </ul>
        <t>These keys MUST have a non-empty DelegInfoValue.</t>
        <t>The presentation values for server-ipv4 and server-ipv6 are comma-separated lists of one or more IP addresses of the appropriate family in standard textual format <xref target="RFC5952"/> <xref target="RFC4001"/>.
The wire formats for server-ipv4 and server-ipv6 are a sequence of IP addresses, in network byte order, for the respective address family.</t>
        <t>The presentation values for server-name and include-delegparam are an unordered collection of fully-qualified domain names and relative domain names, separated by commas.
Relative names in the presentation format are interpreted according to the origin rules in Section 5.1 of <xref target="RFC1035"/>.
Parsing the comma-separated list is specified in Section A.1 of <xref target="RFC9460"/>.</t>
        <t>The DELEG protocol allows the use of all valid domain names, as defined in <xref target="RFC1035"/> and Section 11 of <xref target="RFC2181"/>.
The presentation format for names with special characters requires both double-escaping by applying rules of Section 5.1 of <xref target="RFC1034"/> together with the escaping rules from Section A.1 of <xref target="RFC9460"/>.</t>
        <t>For example, assume a list of two domain names. The first domain name is "simple.example". The second domain name is under ".example" whose leftmost label is "abc" followed by a escape character (U+001B), followed by "def", followed by a comma, followed by "ghi". This list would hoave a presentation value of "simple.example,abc\027def\,ghi.example".</t>
        <t>The wire format for server-name and include-delegparam are each a concatenated unordered collection of wire-format domain names, where the root label provides the separation between names:</t>
        <artwork><![CDATA[
+-+-+-+-+-+-+-+-+-+-+-+-+-+-
| name | name | name | ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-
]]></artwork>
        <t>The names in the wire format MUST NOT be compressed, per <xref target="RFC3597"/>.</t>
        <t>For interoperability with the resolver algorithm defined in section <xref target="slist"/>,
a DELEG or DELEGPARAM record that has a non-empty DelegInfos MUST have one, and only one, set of server information keys, chosen from the following:</t>
        <ul spacing="normal">
          <li>
            <t>one server-ipv4 key</t>
          </li>
          <li>
            <t>one server-ipv6 key</t>
          </li>
          <li>
            <t>a pair consisting of one server-ipv4 key and one server-ipv6 key</t>
          </li>
          <li>
            <t>one server-name key</t>
          </li>
          <li>
            <t>one include-delegparam key</t>
          </li>
        </ul>
        <t>This restriction only applies to a single DELEG or DELEGPARAM record; a DELEG or DELEGPARAM RRset can have records with different server information keys.
Authoritative servers MAY refuse to load zones which have a disallowed combination of keys in a single record.</t>
        <t>When using server-name or include-delegparam, the addresses for the names in the set must be fetched as if they were referenced by NS records.
Because of the lack of Additional Section processing, there are no "glue" records provided for these names, so they cannot be for names inside the delegated domain.</t>
        <t>With this initial DELEG specification, servers are still expected to be reached on the standard DNS port for both UDP and TCP, 53.  While a future specification is expected to address other transports using other ports, its eventual semantics are not covered here.</t>
      </section>
      <section anchor="mandatory">
        <name>Metadata keys</name>
        <t>This specification defines a key which serves as a protocol extensibility mechanism, but is not directly used for contacting DNS servers.</t>
        <t>Any DELEG or DELEGPARAM record can have key named "mandatory" which is similar to the key of the same name in <xref target="RFC9460"/>.</t>
        <t>The presentation format for the value MUST be a comma-separated list of one or more valid DelegInfoKeys, either by their registered name or in the unknown-key format.</t>
        <t>The wire format for the value is a sequence of DelegInfoKey numeric values in network byte order, concatenated, in strictly increasing numeric order.</t>
        <t>The "mandatory" key is optional, but when it is present, the RR in which it appears MUST also contain all of the DelegInfoKeys referenced in its DelegInfoValue.
Resolvers MUST handle non-compliant RRs as specified in <xref target="slist"/>.</t>
        <t>A resolver MUST NOT use an RR with a "mandatory" key in the resolution process unless all of the DelegInfoKeys referenced by the "mandatory" DelegInfoValue are supported in the resolver's implementation.
See <xref target="slist"/>.</t>
      </section>
    </section>
    <section anchor="de-bit">
      <name>Signaling DELEG Support</name>
      <t>This document requires the use of the EDNS0 DE flag and its requirements from <xref target="I-D.ietf-dnsop-delext"/>.</t>
      <t>A resolver that is DELEG-aware MUST signal in queries that it supports the DELEG protocol by setting the DE bit to 1 as described in <xref target="I-D.ietf-dnsop-delext"/>.</t>
      <t>The DE bit set to 0 indicates the resolver is not DELEG-aware, and therefore can only be served referrals with NS records and other data according to non-DELEG specifications.
Other special scenarios with DE=0 queries to DELEG-aware authorities are addressed in <xref target="authoritative-servers"/>.</t>
    </section>
    <section anchor="use-of-deleg-records-in-the-protocols">
      <name>Use of DELEG Records in the Protocols</name>
      <t>The DELEG RRset MAY contain multiple records.
A DELEG RRset MAY be present with or without NS or DS RRsets at the delegation point, though without NS records then DELEG-unaware software will not be able to resolve records in the the delegated zone.</t>
      <t>DELEG RRsets MUST NOT appear at a zone's apex.
The erroneous inclusion of DELEG RRset at zone's apex will cause DNSSEC validation failures.
Servers MAY refuse to load such an invalid zone, similar to the DS RR type.</t>
      <section anchor="resolvers">
        <name>Resolvers</name>
        <t>Resolvers use DELEG records for referrals following the rules from <xref target="I-D.ietf-dnsop-delext"/>.</t>
        <t>A resolver that is DELEG-aware MUST signal in queries that it supports the DELEG protocol by setting the DE bit to 1 in (see <xref target="de-bit"/>).
This indicates that the resolver understands the DELEG semantics and does not need NS records to follow a referral.</t>
        <t>The DE bit set to 0 indicates the resolver is not DELEG-aware, and therefore can only be served referrals with NS records and other data according to non-DELEG specifications.
Other special scenarios with DE=0 queries to DELEG-aware authorities are addressed in <xref target="authoritative-servers"/>.</t>
        <section anchor="delegation-point-types-qtypedeleg">
          <name>Delegation point types, QTYPE=DELEG</name>
          <t>Record types defined as authoritative at a delegation point, currently the DS and DELEG types, retain the same special handling as described in Section 2.6 of <xref target="RFC4035"/>.</t>
          <t>DELEG-unaware resolvers can get different types of answers for QTYPE=DELEG queries based on the configuration of the server, such as whether it is DELEG-aware and whether it also is authoritative for subdomains.
For example, a DELEG-unaware authoritative name server which has loaded DELEG records via the <xref target="RFC3597"/> unknown types mechanism would answer with them only if there were no NS records at the owner name, and answer with an NS delegation otherwise.</t>
        </section>
        <section anchor="finding-best">
          <name>Algorithm for "Finding the Best Servers to Ask"</name>
          <t>This document updates instructions for finding the best servers to ask.
It was covered in Section 5.3.3 of <xref target="RFC1034"/> and Section 3.4.1 of <xref target="RFC6672"/> with the text "2. Find the best servers to ask.".
These instructions were informally updated by section 4.2 of <xref target="RFC4035"/> for the DS RR type but the algorithm change was not made explicit.
This document simply extends this existing behavior from the DS RR type to the DELEG RR type as well, and makes this special case explicit.</t>
          <t>When a DELEG RRset exists for a delegation in a zone, DELEG-aware resolvers ignore any NS RRset for the delegated zone, whether from the delegation point or from the apex of the delegated zone.</t>
          <t>Each delegation level can have a mixture of DELEG and NS RR types, and DELEG-aware resolvers MUST be able to follow chains of delegations which combines both types in arbitrary ways.</t>
          <t>An example of a valid delegation tree:</t>
          <artwork><![CDATA[
; root zone with NS-only delegations
. SOA ...
test. NS ...

; test. zone with NS+DELEG delegations
test. SOA ...
sld.test. NS ...
sld.test. DELEG ...

; sld.test. zone with NS-only delegation
sld.test. SOA ...
nssub.sld.test. NS ...

; nssub.sld.test. zone with DELEG-only delegation
delegsub.sub.sld.test. DELEG ...
]]></artwork>
          <t>The terms SNAME and SLIST used here are defined in Section 5.3.2 of <xref target="RFC1034"/>. Quote:</t>
          <ul spacing="normal">
            <li>
              <t>SNAME is the domain name we are searching for.</t>
            </li>
            <li>
              <t>SLIST is a structure which describes the name servers and the zone which the resolver is currently trying to query.</t>
            </li>
          </ul>
          <t>This document defines SLIST to be a set. Each individual value MUST be represented only once in the final SLIST even if it was encountered multiple times during SLIST construction.</t>
          <t>Neither <xref target="RFC1034"/> nor this document define how a resolver uses SLIST; they only define how to populate it.</t>
          <t>A DELEG-aware SLIST needs to be able to hold two types of information, delegations defined by NS records and delegations defined by DELEG records.
DELEG and NS delegations can create cyclic dependencies and/or lead to duplicate entries which point to the same server.
Resolvers need to enforce suitable limits to prevent runaway processing even if someone has incorrectly configured some of the data used to create an SLIST;
this is the same recommendation to bound the amount of work as is made in Section 5.3.3 of <xref target="RFC1034"/>.</t>
          <t>Step 2 of Section 5.3.3 of <xref target="RFC1034"/> is just "2. Find the best servers to ask."
For DELEG-aware resolvers, this description becomes:</t>
          <t>=====</t>
          <t>2. Find the best servers to ask:</t>
          <t>2.1. Determine deepest possible zone cut which can potentially hold the answer for a given (query name, type, class) combination:</t>
          <t>2.1.1. Start with SNAME equal to QNAME.</t>
          <t>2.1.2. If QTYPE is a type that is authoritative at the delegation point (currently, DS or DELEG), remove the leftmost label from SNAME.
For example, if the QNAME is "test.example." and the QTYPE is DELEG or DS, set SNAME to "example.".</t>
          <t>2.2. Look for locally-available DELEG and NS RRsets, starting at current SNAME.</t>
          <t>2.2.1. For a given SNAME, check for the existence of a DELEG RRset.
If it exists, the resolver MUST use its content to populate SLIST.
However, if the DELEG RRset is known to exist but is unusable (for example, if it is found in DNSSEC BAD cache, or content of individual RRs is unusable for any reason), the resolver MUST NOT instead use an NS RRset; instead, the resolver MUST treat this case as if SLIST is populated with unreachable servers.</t>
          <t>2.2.2. If a given SNAME is proven to not have a DELEG RRset but does have an NS RRset, the resolver MUST copy the NS RRset into SLIST.</t>
          <t>2.2.3. If SLIST is now populated, stop walking up the DNS tree.</t>
          <t>2.2.4. However, if SLIST is not populated, remove the leftmost label from SNAME and go back to step 2.2, using the newly shortened SNAME.</t>
          <t>=====</t>
          <t>The rest of Step 2's description in Section 5.3.3 of <xref target="RFC1034"/> is not affected by this document.</t>
          <t>Resolvers MUST respond to "QNAME=. / QTYPE=DELEG" queries in the same fashion as they respond to "QNAME=. / QTYPE=DS" queries.</t>
        </section>
        <section anchor="slist">
          <name>Populating the SLIST from DELEG and DELEGPARAM Records</name>
          <t>Each individual DELEG record inside a DELEG RRset, or each individual DELEGPARAM record in a DELEGPARAM RRset, can cause the addition of zero or more entries to SLIST.</t>
          <t>A resolver processes each individual DELEG record within a DELEG RRset, or each individual DELEGPARAM record in a DELEGPARAM RRset, using the following steps:</t>
          <ol spacing="normal" type="1"><li>
              <t>Discard all DelegInfo elements with DelegInfoKey values that are not supported by the resolver implementation.
If no DelegInfo elements remain after this filtering, stop processing the record.
Otherwise, continue using only the supported DelegInfo elements.</t>
            </li>
            <li>
              <t>If a DelegInfo element with the "mandatory" DelegInfoKey is present, check its DelegInfoValue.
The DelegInfoValue is a list of keys which MUST have corresponding DelegInfo elements in the record after the filtering in the previous steps.
If any of the listed DelegInfo elements is not present, stop processing this record.</t>
            </li>
            <li>
              <t>If a record has more than one type of server information key (excluding the IPv4/IPv6 case, see <xref target="nameserver-info"/>), or if it has multiple server information keys of the same type, that record is malformed.
Stop processing this record.</t>
            </li>
            <li>
              <t>If any DNS name referenced by server-name key or the include-delegparam key is equal to or is a subdomain of the delegated domain (i.e. the DELEG record owner), that record is malformed.
Stop processing this record.  </t>
              <t>
This check MUST be performed against the original owner name of the DELEG record even if the currently-processed record is a DELEGPARAM record that was included by the original DELEG record. The purpose of this check is to ensure deterministic behavior. Not performing this check would allow delegations to be reachable only with certain cache content and/or a specific algorithm for server selection from SLIST.</t>
            </li>
            <li>
              <t>If server-ipv4 and/or server-ipv6 keys are present inside the record, copy all of the address values into SLIST.
Stop processing this record.</t>
            </li>
            <li>
              <t>If a server-name key is present in the record, resolve each name in the value into IPv4 and/or IPv6 addresses.
Copy these addresses into SLIST.
Stop processing this record.</t>
            </li>
            <li>
              <t>If an include-delegparam key is present in the record, resolve each name in the value using the DELEGPARAM RR type.
Recursively apply the algorithm described in this section, after checking that the maximum loop count described in <xref target="too-much-work"/> has not been reached.</t>
            </li>
            <li>
              <t>If none of the above applies, SLIST is not modified by this particular record.</t>
            </li>
          </ol>
          <t>A DELEG-aware resolver MAY implement lazy filling of SLIST, such as by deferring processing of remaining records, or even individual names or query types, if SLIST already has what the resolver considers a sufficiently large pool of addresses to contact.</t>
          <t>The order in which to try the servers in the final SLIST is outside the scope of this document.</t>
        </section>
      </section>
      <section anchor="authoritative-servers">
        <name>Authoritative Servers</name>
        <t>The DELEG RR type defines a zone cut in similar way as the NS RR type.
Behavior defined for zone cuts in existing non-DELEG specifications apply to zone cuts created by the DELEG record.
A notable example of this is that the occlusion (usually accidentally) created by delegation NS records would also be created by DELEG records at a delegation point (see <xref target="occluded-example"/>).
Rules for setting Authoritative Answer (AA) bit in answers also remain unchanged: the DELEG RR type has the same special treatment as DS RR type.</t>
        <t>DELEG-aware authoritative servers act differently when handling queries from DELEG-unaware clients (those with DE=0) than from DELEG-aware clients (those with DE=1).
See <xref target="de-bit"/> and <xref target="resolvers"/>.</t>
        <section anchor="aware-referral">
          <name>DELEG-aware Clients</name>
          <t>When the client indicates that it is DELEG-aware by setting DE=1 in the query, DELEG-aware authoritative servers treat DELEG records as delegations, and the servers are authoritative.
This new zone cut has priority over a legacy delegation.</t>
          <section anchor="deleg-aware-clients-requesting-qtypedeleg">
            <name>DELEG-aware Clients Requesting QTYPE=DELEG</name>
            <t>An explicit query for the DELEG RR type at a delegation point behaves much like a query for the DS RR type: the server answers authoritatively from the delegating zone.
All non-DELEG specifications for the special handling of queries with QTYPE=DS apply equally to QTYPE=DELEG.
In summary, the server either provides an authoritative DELEG RRset or declares its non-existence, with relevant DNSSEC proofs when requested and available.</t>
          </section>
          <section anchor="delegation-with-deleg">
            <name>Delegation with DELEG</name>
            <t>If the delegation has a DELEG RRset, the authoritative server MUST put the DELEG RRset into the Authority section of the referral.
In this case, the server MUST NOT include the NS RRset in the Authority section.</t>
            <t>Non-DELEG DNSSEC specifications for RRSIG inclusion in answers with authoritative RRsets ({!RFC4035} section 3.1.1) MUST be followed.
Similarly, rules for DS RRset inclusion in referrals apply as specified by the DNSSEC protocol.</t>
          </section>
          <section anchor="ns-no-deleg">
            <name>DELEG-aware Clients with NS RRs Present but No DELEG RRs</name>
            <t>If the delegation does not have a DELEG RRset, the authoritative server MUST put the NS RRset into the authority section of the referral.
The absence of the DELEG RRset MUST be proven as specified by the DNSSEC protocol for authoritative data.</t>
            <t>Similarly, rules for DS RRset inclusion into referrals apply as specified by the DNSSEC protocol.
Please note, in practice the same process and records are used to prove the non-existence of both DELEG and DS RRsets.</t>
          </section>
        </section>
        <section anchor="deleg-unaware-clients">
          <name>DELEG-unaware Clients</name>
          <t>A general principle for DELEG-aware authoritative servers is that they respond to a DELEG-unaware client by following non-DELEG specifications.</t>
          <t>DELEG-unaware clients do not recognize DELEG records as a delegation point and are not aware of the special handling rules for DELEG records.
They understand a DELEG RRset as an ordinary unknown RR type.</t>
          <t>In summary, DELEG records are not returned in referral responses to DELEG-unaware clients,
and DELEG-unaware clients do not consider DELEG records authoritative at a delegation point.</t>
          <t>An authoritative server responding to DELEG-unaware clients has to handle three distinct situations:</t>
          <ul spacing="normal">
            <li>
              <t>No DELEG RRset is present. In this case, the authoritative server follows the non-DELEG specifications.</t>
            </li>
            <li>
              <t>An NS RRset and a DELEG RRset are both present. In this case, the authoritative server uses the NS RRset when constructing referral responses, following the non-DELEG specifications. See also <xref target="signers"/> and <xref target="examples"/>.</t>
            </li>
            <li>
              <t>A DELEG RRset is present, but an NS RRset is not.  This is addressed in the next section.</t>
            </li>
          </ul>
          <section anchor="no-ns">
            <name>DELEG-unaware Clients with DELEG RRs Present but No NS RRs</name>
            <t>Authoritative servers may receive requests from DELEG-unaware clients for which the child zone is authoritative and is delegated with DELEG RRs only (that is, without any NS RRs).
Such a zone is, by definition, not resolvable for DELEG-unaware clients.
From the perspective of a DELEG-unaware client, the zone cut created by the DELEG RRs is invisible.
The authoritative server should respond in a way that makes sense to DELEG-unaware clients.</t>
            <t>The current, primary use case for zone owners that have zones to have DELEG records but no NS records is that they want resolution of those zones only if the resolver uses future features of the DELEG protocol, such as encrypted DNS transports.</t>
            <t>The authoritative server is RECOMMENDED to supplement its responses to DELEG-unaware resolvers with an <xref target="RFC8914"/> Extended DNS Error using the (IANA-TBD) value "New Delegation Only" from the Extended DNS Error Codes registry.</t>
            <t>When there is no NS records for a delegated zone, a DELEG-aware authoritative server MUST respond to DELEG-unaware clients with an answer that accurately describes the situation to a DELEG-unaware resolver.
For a query of the delegated zone itself, the response has an RCODE of NOERROR; for a query that has more labels than the delegated zone, the response has an RCODE of NXDOMAIN; this is no different than what is already specified by algorithms in <xref target="RFC1034"/> and subsequent updates.
NSEC and DS records are returned following the existing rules in <xref target="RFC4035"/>.</t>
          </section>
          <section anchor="de0-deleg">
            <name>DELEG-unaware Clients Requesting QTYPE=DELEG</name>
            <t>From the perspective of DELEG-unaware clients, the DELEG RR type does not have special semantics and should behave like an old ordinary RR type such as TXT.
Thus, queries with DE=0 and QTYPE=DELEG MUST result in a response which can be validated by a DELEG-unaware client.</t>
            <ul spacing="normal">
              <li>
                <t>If there is an NS RRset, this will be a legacy referral. From the perspective of a DELEG-unaware client, the DELEG RR is effectively occluded by NS RRset.
The DELEG-unaware resolver can then obtain a final answer which can be validated from the delegated zone in similar fashion as described in <xref target="RFC4035"/> section 3.1.4.1.</t>
              </li>
              <li>
                <t>If there is no NS RRset but there is a DELEG RRset, this will be a normal authoritative response with the DELEG RRset, following non-DELEG specifications.</t>
              </li>
              <li>
                <t>If there is no NS RRset and no DELEG RRset, this will be a standard negative response following non-DELEG specifications.</t>
              </li>
            </ul>
            <t>The above rules apply to authoritative servers that are serving both a parent and a child zone when a DELEG-unaware client sends a QTYPE=DELEG query.</t>
          </section>
        </section>
      </section>
      <section anchor="signers">
        <name>DNSSEC Signers</name>
        <t>The DELEG record is authoritative at the delegation point and needs to be signed as such.
Existing rules from the DNSSEC specifications apply.</t>
        <t>In summary: for DNSSEC signing, treat the DELEG RR type the same way as the DS RR type.</t>
        <t>The DELEG RR type defines a zone cut in similar way as the NS RR type.
This has several consequences which stem from existing non-DELEG specifications:</t>
        <ul spacing="normal">
          <li>
            <t>All owner names below zone cut are occluded and thus not present in NSEC chains.</t>
          </li>
          <li>
            <t>All RRsets which are not permissible at the delegation point are occluded too and not represented in NSEC chain type bitmap.</t>
          </li>
        </ul>
        <t>See examples in <xref target="example-root"/> and <xref target="example-occluded"/>.</t>
        <t>In order to protect validators from downgrade attacks (see <xref target="downgrade-attacks"/>) this draft introduces a new DNSKEY flag ADT (Authoritative Delegation Types, see <xref target="validator-downgrade-protection"/>).
To achieve downgrade resistance, DNSSEC-signed zones which contain a DELEG RRset MUST set ADT flag to 1 in at least one of the DNSKEY records published in the zone.
## DNSSEC Signers {#signers}</t>
        <t>The DELEG record is authoritative at the delegation point and needs to be signed as such.
Existing rules from the DNSSEC specifications apply.
These are defined in <xref target="I-D.ietf-dnsop-delext"/>.</t>
        <t>In order to protect validators from downgrade attacks (see <xref target="downgrade-attacks"/>), <xref target="I-D.ietf-dnsop-delext"/> introduces a the DNSKEY flag called DNSKEY-ADT.
To achieve downgrade resistance, DNSSEC-signed zones which contain a DELEG RRset MUST follow the rules in  <xref target="I-D.ietf-dnsop-delext"/>.</t>
      </section>
      <section anchor="dnssec-validators">
        <name>DNSSEC Validators</name>
        <t>DELEG awareness introduces additional requirements on validators.</t>
        <section anchor="clarifications-on-nonexistence-proofs">
          <name>Clarifications on Nonexistence Proofs</name>
          <t>This document updates Section 4.1 of <xref target="RFC6840"/> to include "NS or DELEG" types in the type bitmap as indication of a delegation point, and generalizes applicability of ancestor delegation proof to all RR types that are authoritative at a delegation point (that is, both DS and DELEG).
The text in that section is updated as follows:</t>
          <t>An "ancestor delegation" NSEC RR (or NSEC3 RR) is one with:</t>
          <ul spacing="normal">
            <li>
              <t>the NS and/or DELEG bit set,</t>
            </li>
            <li>
              <t>the Start of Authority (SOA) bit clear, and</t>
            </li>
            <li>
              <t>a signer field that is shorter than the owner name of the NSEC RR,
or the original owner name for the NSEC3 RR.</t>
            </li>
          </ul>
          <t>Ancestor delegation NSEC or NSEC3 RRs MUST NOT be used to assume
nonexistence of any RRs below that zone cut, which include all RRs at
that original owner name, other than types authoritative at the delegation point (DS and DELEG), and all RRs below that owner name regardless of type.</t>
        </section>
        <section anchor="insecure-delegation-proofs">
          <name>Insecure Delegation Proofs</name>
          <t>This document updates Section 4.4 of <xref target="RFC6840"/> to include securing DELEG records, and explicitly states that Opt-Out is not applicable to the DELEG protocol.
The first paragraph of that section is updated to read:</t>
          <t>Section 5.2 of <xref target="RFC4035"/> specifies that a validator, when proving a
delegation is not secure, needs to check for the absence of the DS
and SOA bits in the NSEC (or NSEC3) type bitmap; this was clarified in Section 4.1 of <xref target="RFC6840"/>.
This document updates <xref target="RFC4035"/> and <xref target="RFC6840"/> to specify that the validator MUST also check for the presence of the NS or the DELEG bit in the matching NSEC (or NSEC3) RR (proving that there is, indeed, a delegation).
Alternately, the validator must make sure that the delegation with an NS record is covered by an NSEC3
RR with the Opt-Out flag set.
Opt-Out is not applicable to DELEG RR type
because DELEG records are authoritative at the delegation point in the same
way that DS RR types are.</t>
        </section>
        <section anchor="validator-downgrade-protection">
          <name>Referral downgrade protection</name>
          <t>If the zone is DNSSEC-secure, and if any DNSKEY of the zone has the DNSKEY-ADT flag (<xref target="validator-downgrade-protection"/>) set to 1, a DELEG-aware validator MUST prove the absence of a DELEG RRset in referral responses from this particular zone.</t>
          <t>Without this check, an attacker could strip the DELEG RRset from a referral response and replace it with an unsigned (and potentially malicious) NS RRset (<xref target="downgrade-attacks"/>).
The reason for this is that according to non-DELEG DNSSEC specification, a referral response with an unsigned NS and signed DS RRsets does not require additional proofs of nonexistence.</t>
        </section>
        <section anchor="positive-responses">
          <name>Positive responses</name>
          <t>An existing DELEG RRset is authoritative in, and signed by, the delegating zone, similarly to a DS RRset (see <xref target="signers"/>).</t>
          <t>A validator SHOULD NOT treat a positive response with a DELEG RRset as DNSSEC-bogus only because all DNSKEYs in the zone have the DNSKEY-ADT flag set to 0.
Such a zone would not be protected from downgrade attacks (<xref target="downgrade-attacks"/>) but this behavior is consistent with other non-DELEG DNSSEC specifications:
validators are not expected to detect inconsistencies in data if a chain of trust can be established.</t>
        </section>
        <section anchor="chaining">
          <name>Chaining</name>
          <t>A Validating Stub Resolver that is DELEG-aware MUST only use security-aware resolvers that are DELEG-aware.
A DELEG-aware Validating Resolver that uses forwarders MUST only use DELEG-aware and security-aware forwarders.
Otherwise DNSSEC-secure zones might fail to validate (see <xref target="legacynxdomain"/>) and DNSSEC-insecure zones might observe inconsistent answers (see <xref target="operational-considerations"/>).</t>
          <t><xref target="RFC9606"/> specifies a DNS resource record type, RESINFO, to allow resolvers to publish information about their capabilities and policies. This can be used to inform DNS clients that DELEG is supported by the DNS resolver.</t>
          <t>A resolver which supports <xref target="RFC9606"/> SHOULD add the "deleg" key if it supports DELEG protocol; otherwise, a DNS client would not know that the resolver is DELEG-aware.
A resolver that uses forwarders MAY use a RESINFO query to determine if the configured forwarders are DELEG-aware.</t>
          <t>Note that, per the rules for the keys defined in Section 6.4 of <xref target="RFC6763"/>, if there is no '=' in a key, then it is a boolean attribute, simply identified as being present with no value.</t>
        </section>
      </section>
    </section>
    <section anchor="operational-considerations">
      <name>Operational Considerations</name>
      <t>When DELEG is deployed, new operational considerations will apply.
While the majority of these relate to the operation of DELEG-aware servers or resolvers, there is a more general set of operational practices which will need to apply because not all resolvers will be DELEG-aware.
This section gives an overview of some of those considerations.</t>
      <section anchor="ns-not-required-by-protocol">
        <name>NS Not Required by Protocol</name>
        <t>A zone delegated exclusively using DELEG records is not resolvable by non-DELEG aware resolvers.
In that case the zone is not required to have NS RRset in the apex of the delegated zone.
Software to manage zone content or check the validity of zones needs to be updated to allow zones without an NS RRset at the apex.</t>
      </section>
      <section anchor="ns-maybe-required-in-practice">
        <name>NS Maybe Required in Practice</name>
        <t>Although DELEG removes the protocol requirement for NS records, resolver support for DELEG will not be universal for a long time after this protocol is first deployed.
The deployment of DELEG-only delegation creates a new situation in which DNS servers that are authoritative for a particular set of domains provide partly or completely different answers.
Where "split DNS" or "split-horizon DNS" <xref target="RFC9499"/> differences depend on the source of the query, resolution of DELEG-only delegations will depend on whether or not the resolver is aware of and using DELEG.
Compare examples of DELEG-only delegation and respective answers for DELEG-unaware client in <xref target="legacynxdomain"/> and DELEG-aware client in <xref target="aware-new-delegation-only"/>.</t>
        <t>For any part of the namespace that is intended to be globally reachable, operators should avoid DELEG-only delegations, as some resolvers will be unaware of DELEG.
For other parts of the namespace, operators should take care to ensure that any variability in responses introduced maps correctly to the client capabilities.</t>
        <t>DELEG-only delegation is appropriate only where all intended users are known to use DELEG-capable resolvers.
This might be the case when a zone operator wants a zone be reachable only over secure transport, for example.
The decision to drop NS records should be guided by operational measurements of resolver adoption of the DELEG protocol.</t>
      </section>
      <section anchor="ns-and-deleg-combined">
        <name>NS and DELEG Combined</name>
        <t>This document explicitly allows zones to be delegated using DELEG records without also using NS records; delegating a zone with both DELEG and NS records is also allowed.
Software that manages delegations or checks the validity of zones need to be updated to allow delegations with all combinations of (with, without) * (NS, DELEG) records.</t>
        <t>If both NS and DELEG records are present, zone managers might want to check consistency across both RRsets, subject to local policy.
This specification treats both NS and DELEG RRsets as completely independent on the protocol level,
but it does not prohibit a provisioning system from generating one record type from the other.</t>
      </section>
      <section anchor="authoritative-deployment">
        <name>Authoritative Deployment</name>
        <t>Before adding a first DELEG record into a DNS zone, these steps need to be taken, in this order:</t>
        <ol spacing="normal" type="1"><li>
            <t>If zone checkers are used: ensure that the zone checkers are DELEG-aware.</t>
          </li>
          <li>
            <t>Ensure that all authoritative servers serving (and transfering) the zone are DELEG-aware.</t>
          </li>
          <li>
            <t>If a zone is DNSSEC-signed: ensure that the signer is DELEG-aware.</t>
          </li>
          <li>
            <t>If a zone is DNSSEC-signed: ensure that at least one DNSKEY record has the DNSKEY-ADT flag set to 1. Failure to do so results in loss of downgrade resistence of the DELEG protocol for this zone; see <xref target="downgrade-attacks"/>.</t>
          </li>
        </ol>
        <section anchor="enabling-the-dnskey-adt-flag">
          <name>Enabling the DNSKEY-ADT Flag</name>
          <t>According to the DNSSEC specification, changing flags of a DNSKEY record changes its Key Tag and thus requires a key rollover.
For this reason, the DNSKEY-ADT flag cannot be simply enabled on an existing key without other changes to the record.
Operators are advised to set the DNSKEY-ADT flag at the time of generating a new key, as part of a regular key rollover using established procedures.
A zone can safely have keys with the DNSKEY-ADT flag set to 1 even if the zone does not have any DELEG records.
Turning on the DNSKEY-ADT flag can be done months or even years before a first DELEG record is introduced into the zone.</t>
          <t>Downgrade protection is effective if any DNSKEY with ADT flag set to 1 is present, even if this key does not sign any RRset.
In other words, it is sufficient to pre-publish new key, as described in stage 2 of Pre-Publish Zone Signing Key Rollover, section 4.1.1.1 of <xref target="RFC6781"/>.</t>
          <t>An extremely conservative approach might be:</t>
          <ol spacing="normal" type="1"><li>
              <t>Lower DNSKEY TTL to shorten time to rollback.</t>
            </li>
            <li>
              <t>Add a new DNSKEY with ADT flag set to 1, but do not sign any RRsets with this key.</t>
            </li>
            <li>
              <t>Monitor deployment for issues.</t>
            </li>
            <li>
              <t>Experiment with adding DELEG records at this point, even if the key rollover is not finished. If there is a problem, withdraw the new, otherwise unused key.</t>
            </li>
            <li>
              <t>Finish the key rollover.</t>
            </li>
            <li>
              <t>Restore the original DNSKEY TTL.</t>
            </li>
          </ol>
          <t>Such an approach requires changing only to DNSKEY RRset and resigning it.
Consequently, the time required to withdraw the new DNSKEY record is limited only by DNSKEY TTL + time to sign + time to transfer modified DNSKEY RRset.</t>
        </section>
      </section>
      <section anchor="interaction-with-dynamic-dns-upate">
        <name>Interaction with Dynamic DNS Upate</name>
        <t>DELEG records can be updated like other regular zone data at the delegation point, similar to NS records, because dynamic updates work on zone data but not on queries.
A DELEG-only delegation would not need an NS record in the delegated zone, but the NS record in the delegated zone cannot be deleted because of Section 7.13 in <xref target="RFC2136"/>.
This should cause no immediate problems because dynamic DNS updates with DELEG are most useful at the delegation point.
A DELEGPARAM record will be handled like any other record.</t>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <section anchor="too-much-work">
        <name>Preventing Over-work Attacks</name>
        <t>Resolvers MUST prevent situations where accidental misconfiguration of zones or malicious attacks cause them to perform too much work when resolving.
This document describes two sets of actions that, if not controlled, could lead to over-work attacks.</t>
        <t>Long chains of include-delegparam information (<xref target="nameserver-info"/>), and those with circular chains of include-delegparam information, can be burdensome.
To prevent this, the resolver MUST limit include-delegparam chain processing when populating SLIST similarly to CNAME processing in <xref target="RFC1034"/>;
otherwise, the resolver could exhaust some of its resources.
Note that include-delegparam chains can have CNAME/DNAME steps in them; in such a case, a CNAME step is counted the same as a DELEGPARAM step when determining when to stop following a chain.</t>
        <t>Content of SLIST MUST be deduplicated to prevent amplification attacks similar to CVE-2026-3592 which use the resolver to attack other systems.
See <xref target="finding-best"/>.</t>
      </section>
      <section anchor="downgrade-attacks">
        <name>Preventing Downgrade Attacks</name>
        <t>During the rollout of the DELEG protocol, the operator of an authoritative server can upgrade the server software to be DELEG-aware before changing any DNS zones.
Such deployment should work and provide DELEG-aware clients with correct DELEG-aware answers.
However, the deployment will not be protected from downgrade attacks against the DELEG protocol.</t>
        <t>To protect DNSSEC-secure DNS zones that contain DELEG delegations, the delegating zone needs to have at least one DNSKEY with the DNSKEY-ADT flag set to 1.
Failure to set this flag in a DNSKEY record in the zone allows an attacker to remove the DELEG RRset from referrals which contain the DS RRset, and replace the original signed DELEG RRset with an arbitrary unsigned NS set.
Doing so would be a downgrade from the strong protection offered by DNSSEC for DELEG.
That is, the DELEG protocol when used with upgraded DNSKEY records gives the same protection to DELEG that the zone's DS RRset has.
Without DELEG, there are no security guarantees for delegation NS records.</t>
        <t>Please note that a full DNSKEY rollover is not necessary to achieve the downgrade protection for DELEG.
Any single DNSKEY with the DNSKEY-ADT flag set to 1 is sufficient; the zone can introduce an otherwise unused record into the DNSKEY RRset.</t>
      </section>
      <section anchor="deleg-is-stronger-than-ns">
        <name>DELEG Is Stronger Than NS</name>
        <t>DELEG RRtype has stronger protection (by DNSSEC) than delegation NS records and glue records.
A zone that does not need to be resolvable by DELEG-unaware clients (see <xref target="operational-considerations"/>),
and is delegated only with DELEG records,
will have a smaller attack surface compared to a zone delegated with both DELEG and NS records.</t>
        <t>The additional attack surface of legacy delegations stems from the possibility of replacing NS and glue records in referrals with arbitrary values,
which is not detectable by DNSSEC (by design in <xref target="RFC4035"/> Section 2.2).</t>
        <t>For example, this allows redirecting a referral to names and/or addresses under an attacker's control.
Even for DNSSEC-secure zones, an attacker can use this ability to continuously proxy queries and responses,
observe traffic, and also monitor the network addresses involved, which might be a privacy concern for roaming clients.</t>
        <t>The feasibility and impact of such attacks depend on the threat model, which is outside the scope of this document.</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="iana-existing">
        <name>Changes to Existing Registries</name>
        <t>All new allocations should reference this document.</t>
        <t>IANA is requested to assign two types in the Resource Record (RR) TYPEs registry (<xref target="RFC6895"/>):</t>
        <ul spacing="normal">
          <li>
            <t>TYPE DELEG, Meaning "Extensible Delegation", from the Delegation Types range defined in <xref target="I-D.ietf-dnsop-delext"/>. The requested value is 61440.</t>
          </li>
          <li>
            <t>TYPE DELEGPARAM, Meaning "Extensible Delegation Indirection", Value TBD2 inside one of the ranges marked as "data TYPEs".</t>
          </li>
        </ul>
        <t>IANA is requested to assign a value in the Extended DNS Error Codes registry (<xref target="RFC8914"/>):</t>
        <ul spacing="normal">
          <li>
            <t>INFO-CODE TBD3, with the Purpose "New Delegation Only".</t>
          </li>
        </ul>
        <t>IANA is requested to create this assignment in the DNS Resolver Information Keys registry (<xref target="RFC9606"/>): Name "deleg", Description "The presence of the key indicates that DELEG protocol is supported."</t>
      </section>
      <section anchor="new-registry-for-delegation-information">
        <name>New Registry for Delegation Information</name>
        <t>IANA is requested to create the "DELEG Delegation Information" registry.
This registry defines the namespace for delegation information keys, including string representations and numeric key values.</t>
        <section anchor="procedure">
          <name>Procedure</name>
          <t>A registration MUST include the following fields:</t>
          <t>Number:  Wire-format numeric identifier (range 0-65535)
Name:  Unique presentation name
Meaning:  A short description
Reference:  Location of specification or registration source
Change Controller:  Person or entity, with contact information if appropriate</t>
          <t>To enable code reuse from SVCB parsers, the requirements for registered Name exactly copy requirements set by <xref target="RFC9460"/> section 14.3.1:
The characters in the registered Name field entry MUST be lowercase alphanumeric or "-".
The name MUST NOT start with "key" or "invalid".</t>
          <t>The registration policy for new entries is Expert Review (<xref target="RFC8126"/>).
The designated expert MUST ensure that the reference is stable and publicly available and that it specifies how to convert the delegation information's presentation format to wire format.
The reference MAY be any individual's Internet-Draft or a document from any other source with similar assurances of stability and availability.
An entry MAY specify a reference of the form "Same as (other key name)" if it uses the same presentation and wire formats as an existing key.</t>
          <t>This arrangement supports the development of new parameters while ensuring that zone files can be made interoperable.</t>
        </section>
        <section anchor="initial-contents">
          <name>Initial Contents</name>
          <t>The "DELEG Delegation Information" registry should be populated with the following initial registrations:</t>
          <artwork><![CDATA[
Number:  0
Name:  mandatory
Meaning: Mandatory keys in this RR
Reference:  {{mandatory}} of this document
Change Controller:  IETF

Number:  1
Name:  server-ipv4
Meaning:  An unordered collection of IPv4 addresses of name servers
Reference:  {{nameserver-info}} of this document
Change Controller:  IETF

Number:  2
Name:  server-ipv6
Meaning:  An unordered collection of IPv6 addresses of name servers
Reference:  {{nameserver-info}} of this document
Change Controller:  IETF

Number:  3
Name:  server-name
Meaning:  An unordered collection of domain names of name servers
Reference:  {{nameserver-info}} of this document
Change Controller:  IETF

Number:  4
Name:  include-delegparam
Meaning:  An unordered collection of domain names of DELEGPARAM records
Reference:  {{nameserver-info}} of this document
Change Controller:  IETF

The registration for numbers 65280-65534 is reserved for private use.
The registration for number 65535 is reserved.
]]></artwork>
        </section>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="I-D.ietf-dnsop-delext">
          <front>
            <title>DNS Protocol Modifications for Delegation Extensions</title>
            <author fullname="Roy Arends" initials="R." surname="Arends">
              <organization>ICANN</organization>
            </author>
            <author fullname="Peter van Dijk" initials="P." surname="van Dijk">
              <organization>PowerDNS</organization>
            </author>
            <author fullname="Petr Špaček" initials="P." surname="Špaček">
              <organization>ISC</organization>
            </author>
            <date day="29" month="June" year="2026"/>
            <abstract>
              <t>   The Domain Name System (DNS) protocol permits Delegation Signer (DS)
   records at delegation points.  This document specifies modifications
   to the DNS protocol to permit a range of resource record types at
   delegation points.  These modifications are designed to maintain
   compatibility with existing DNS resolution mechanisms and provide a
   secure method for processing these records at delegation points.

   This document updates RFC 6895.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-dnsop-delext-07"/>
        </reference>
        <reference anchor="RFC9460">
          <front>
            <title>Service Binding and Parameter Specification via the DNS (SVCB and HTTPS Resource Records)</title>
            <author fullname="B. Schwartz" initials="B." surname="Schwartz"/>
            <author fullname="M. Bishop" initials="M." surname="Bishop"/>
            <author fullname="E. Nygren" initials="E." surname="Nygren"/>
            <date month="November" year="2023"/>
            <abstract>
              <t>This document specifies the "SVCB" ("Service Binding") and "HTTPS" DNS resource record (RR) types to facilitate the lookup of information needed to make connections to network services, such as for HTTP origins. SVCB records allow a service to be provided from multiple alternative endpoints, each with associated parameters (such as transport protocol configuration), and are extensible to support future uses (such as keys for encrypting the TLS ClientHello). They also enable aliasing of apex domains, which is not possible with CNAME. The HTTPS RR is a variation of SVCB for use with HTTP (see RFC 9110, "HTTP Semantics"). By providing more information to the client before it attempts to establish a connection, these records offer potential benefits to both performance and privacy.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9460"/>
          <seriesInfo name="DOI" value="10.17487/RFC9460"/>
        </reference>
        <reference anchor="RFC1035">
          <front>
            <title>Domain names - implementation and specification</title>
            <author fullname="P. Mockapetris" initials="P." surname="Mockapetris"/>
            <date month="November" year="1987"/>
            <abstract>
              <t>This RFC is the revised specification of the protocol and format used in the implementation of the Domain Name System. It obsoletes RFC-883. This memo documents the details of the domain name client - server communication.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="13"/>
          <seriesInfo name="RFC" value="1035"/>
          <seriesInfo name="DOI" value="10.17487/RFC1035"/>
        </reference>
        <reference anchor="RFC2181">
          <front>
            <title>Clarifications to the DNS Specification</title>
            <author fullname="R. Elz" initials="R." surname="Elz"/>
            <author fullname="R. Bush" initials="R." surname="Bush"/>
            <date month="July" year="1997"/>
            <abstract>
              <t>This document considers some areas that have been identified as problems with the specification of the Domain Name System, and proposes remedies for the defects identified. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2181"/>
          <seriesInfo name="DOI" value="10.17487/RFC2181"/>
        </reference>
        <reference anchor="RFC1034">
          <front>
            <title>Domain names - concepts and facilities</title>
            <author fullname="P. Mockapetris" initials="P." surname="Mockapetris"/>
            <date month="November" year="1987"/>
            <abstract>
              <t>This RFC is the revised basic definition of The Domain Name System. It obsoletes RFC-882. This memo describes the domain style names and their used for host address look up and electronic mail forwarding. It discusses the clients and servers in the domain name system and the protocol used between them.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="13"/>
          <seriesInfo name="RFC" value="1034"/>
          <seriesInfo name="DOI" value="10.17487/RFC1034"/>
        </reference>
        <reference anchor="RFC3597">
          <front>
            <title>Handling of Unknown DNS Resource Record (RR) Types</title>
            <author fullname="A. Gustafsson" initials="A." surname="Gustafsson"/>
            <date month="September" year="2003"/>
            <abstract>
              <t>Extending the Domain Name System (DNS) with new Resource Record (RR) types currently requires changes to name server software. This document specifies the changes necessary to allow future DNS implementations to handle new RR types transparently. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="3597"/>
          <seriesInfo name="DOI" value="10.17487/RFC3597"/>
        </reference>
        <reference anchor="RFC4035">
          <front>
            <title>Protocol Modifications for the DNS Security Extensions</title>
            <author fullname="R. Arends" initials="R." surname="Arends"/>
            <author fullname="R. Austein" initials="R." surname="Austein"/>
            <author fullname="M. Larson" initials="M." surname="Larson"/>
            <author fullname="D. Massey" initials="D." surname="Massey"/>
            <author fullname="S. Rose" initials="S." surname="Rose"/>
            <date month="March" year="2005"/>
            <abstract>
              <t>This document is part of a family of documents that describe the DNS Security Extensions (DNSSEC). The DNS Security Extensions are a collection of new resource records and protocol modifications that add data origin authentication and data integrity to the DNS. This document describes the DNSSEC protocol modifications. This document defines the concept of a signed zone, along with the requirements for serving and resolving by using DNSSEC. These techniques allow a security-aware resolver to authenticate both DNS resource records and authoritative DNS error indications.</t>
              <t>This document obsoletes RFC 2535 and incorporates changes from all updates to RFC 2535. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4035"/>
          <seriesInfo name="DOI" value="10.17487/RFC4035"/>
        </reference>
        <reference anchor="RFC6672">
          <front>
            <title>DNAME Redirection in the DNS</title>
            <author fullname="S. Rose" initials="S." surname="Rose"/>
            <author fullname="W. Wijngaards" initials="W." surname="Wijngaards"/>
            <date month="June" year="2012"/>
            <abstract>
              <t>The DNAME record provides redirection for a subtree of the domain name tree in the DNS. That is, all names that end with a particular suffix are redirected to another part of the DNS. This document obsoletes the original specification in RFC 2672 as well as updates the document on representing IPv6 addresses in DNS (RFC 3363). [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6672"/>
          <seriesInfo name="DOI" value="10.17487/RFC6672"/>
        </reference>
        <reference anchor="RFC8914">
          <front>
            <title>Extended DNS Errors</title>
            <author fullname="W. Kumari" initials="W." surname="Kumari"/>
            <author fullname="E. Hunt" initials="E." surname="Hunt"/>
            <author fullname="R. Arends" initials="R." surname="Arends"/>
            <author fullname="W. Hardaker" initials="W." surname="Hardaker"/>
            <author fullname="D. Lawrence" initials="D." surname="Lawrence"/>
            <date month="October" year="2020"/>
            <abstract>
              <t>This document defines an extensible method to return additional information about the cause of DNS errors. Though created primarily to extend SERVFAIL to provide additional information about the cause of DNS and DNSSEC failures, the Extended DNS Errors option defined in this document allows all response types to contain extended error information. Extended DNS Error information does not change the processing of RCODEs.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8914"/>
          <seriesInfo name="DOI" value="10.17487/RFC8914"/>
        </reference>
        <reference anchor="RFC6840">
          <front>
            <title>Clarifications and Implementation Notes for DNS Security (DNSSEC)</title>
            <author fullname="S. Weiler" initials="S." role="editor" surname="Weiler"/>
            <author fullname="D. Blacka" initials="D." role="editor" surname="Blacka"/>
            <date month="February" year="2013"/>
            <abstract>
              <t>This document is a collection of technical clarifications to the DNS Security (DNSSEC) document set. It is meant to serve as a resource to implementors as well as a collection of DNSSEC errata that existed at the time of writing.</t>
              <t>This document updates the core DNSSEC documents (RFC 4033, RFC 4034, and RFC 4035) as well as the NSEC3 specification (RFC 5155). It also defines NSEC3 and SHA-2 (RFC 4509 and RFC 5702) as core parts of the DNSSEC specification.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6840"/>
          <seriesInfo name="DOI" value="10.17487/RFC6840"/>
        </reference>
        <reference anchor="RFC9606">
          <front>
            <title>DNS Resolver Information</title>
            <author fullname="T. Reddy.K" initials="T." surname="Reddy.K"/>
            <author fullname="M. Boucadair" initials="M." surname="Boucadair"/>
            <date month="June" year="2024"/>
            <abstract>
              <t>This document specifies a method for DNS resolvers to publish information about themselves. DNS clients can use the resolver information to identify the capabilities of DNS resolvers. How DNS clients use such information is beyond the scope of this document.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9606"/>
          <seriesInfo name="DOI" value="10.17487/RFC9606"/>
        </reference>
        <reference anchor="RFC6763">
          <front>
            <title>DNS-Based Service Discovery</title>
            <author fullname="S. Cheshire" initials="S." surname="Cheshire"/>
            <author fullname="M. Krochmal" initials="M." surname="Krochmal"/>
            <date month="February" year="2013"/>
            <abstract>
              <t>This document specifies how DNS resource records are named and structured to facilitate service discovery. Given a type of service that a client is looking for, and a domain in which the client is looking for that service, this mechanism allows clients to discover a list of named instances of that desired service, using standard DNS queries. This mechanism is referred to as DNS-based Service Discovery, or DNS-SD.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6763"/>
          <seriesInfo name="DOI" value="10.17487/RFC6763"/>
        </reference>
        <reference anchor="RFC6781">
          <front>
            <title>DNSSEC Operational Practices, Version 2</title>
            <author fullname="O. Kolkman" initials="O." surname="Kolkman"/>
            <author fullname="W. Mekking" initials="W." surname="Mekking"/>
            <author fullname="R. Gieben" initials="R." surname="Gieben"/>
            <date month="December" year="2012"/>
            <abstract>
              <t>This document describes a set of practices for operating the DNS with security extensions (DNSSEC). The target audience is zone administrators deploying DNSSEC.</t>
              <t>The document discusses operational aspects of using keys and signatures in the DNS. It discusses issues of key generation, key storage, signature generation, key rollover, and related policies.</t>
              <t>This document obsoletes RFC 4641, as it covers more operational ground and gives more up-to-date requirements with respect to key sizes and the DNSSEC operations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6781"/>
          <seriesInfo name="DOI" value="10.17487/RFC6781"/>
        </reference>
        <reference anchor="RFC2136">
          <front>
            <title>Dynamic Updates in the Domain Name System (DNS UPDATE)</title>
            <author fullname="P. Vixie" initials="P." role="editor" surname="Vixie"/>
            <author fullname="S. Thomson" initials="S." surname="Thomson"/>
            <author fullname="Y. Rekhter" initials="Y." surname="Rekhter"/>
            <author fullname="J. Bound" initials="J." surname="Bound"/>
            <date month="April" year="1997"/>
            <abstract>
              <t>Using this specification of the UPDATE opcode, it is possible to add or delete RRs or RRsets from a specified zone. Prerequisites are specified separately from update operations, and can specify a dependency upon either the previous existence or nonexistence of an RRset, or the existence of a single RR. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2136"/>
          <seriesInfo name="DOI" value="10.17487/RFC2136"/>
        </reference>
        <reference anchor="RFC6895">
          <front>
            <title>Domain Name System (DNS) IANA Considerations</title>
            <author fullname="D. Eastlake 3rd" initials="D." surname="Eastlake 3rd"/>
            <date month="April" year="2013"/>
            <abstract>
              <t>This document specifies Internet Assigned Numbers Authority (IANA) parameter assignment considerations for the allocation of Domain Name System (DNS) resource record types, CLASSes, operation codes, error codes, DNS protocol message header bits, and AFSDB resource record subtypes. It obsoletes RFC 6195 and updates RFCs 1183, 2845, 2930, and 3597.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="42"/>
          <seriesInfo name="RFC" value="6895"/>
          <seriesInfo name="DOI" value="10.17487/RFC6895"/>
        </reference>
        <reference anchor="RFC8126">
          <front>
            <title>Guidelines for Writing an IANA Considerations Section in RFCs</title>
            <author fullname="M. Cotton" initials="M." surname="Cotton"/>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <author fullname="T. Narten" initials="T." surname="Narten"/>
            <date month="June" year="2017"/>
            <abstract>
              <t>Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA).</t>
              <t>To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry.</t>
              <t>This is the third edition of this document; it obsoletes RFC 5226.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="26"/>
          <seriesInfo name="RFC" value="8126"/>
          <seriesInfo name="DOI" value="10.17487/RFC8126"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <referencegroup anchor="BCP219" target="https://www.rfc-editor.org/info/bcp219">
          <reference anchor="RFC9499" target="https://www.rfc-editor.org/info/rfc9499">
            <front>
              <title>DNS Terminology</title>
              <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
              <author fullname="K. Fujiwara" initials="K." surname="Fujiwara"/>
              <date month="March" year="2024"/>
              <abstract>
                <t>The Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document.</t>
                <t>This document updates RFC 2308 by clarifying the definitions of "forwarder" and "QNAME". It obsoletes RFC 8499 by adding multiple terms and clarifications. Comprehensive lists of changed and new definitions can be found in Appendices A and B.</t>
              </abstract>
            </front>
            <seriesInfo name="BCP" value="219"/>
            <seriesInfo name="RFC" value="9499"/>
            <seriesInfo name="DOI" value="10.17487/RFC9499"/>
          </reference>
        </referencegroup>
        <reference anchor="RFC5952">
          <front>
            <title>A Recommendation for IPv6 Address Text Representation</title>
            <author fullname="S. Kawamura" initials="S." surname="Kawamura"/>
            <author fullname="M. Kawashima" initials="M." surname="Kawashima"/>
            <date month="August" year="2010"/>
            <abstract>
              <t>As IPv6 deployment increases, there will be a dramatic increase in the need to use IPv6 addresses in text. While the IPv6 address architecture in Section 2.2 of RFC 4291 describes a flexible model for text representation of an IPv6 address, this flexibility has been causing problems for operators, system engineers, and users. This document defines a canonical textual representation format. It does not define a format for internal storage, such as within an application or database. It is expected that the canonical format will be followed by humans and systems when representing IPv6 addresses as text, but all implementations must accept and be able to handle any legitimate RFC 4291 format. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5952"/>
          <seriesInfo name="DOI" value="10.17487/RFC5952"/>
        </reference>
        <reference anchor="RFC4001">
          <front>
            <title>Textual Conventions for Internet Network Addresses</title>
            <author fullname="M. Daniele" initials="M." surname="Daniele"/>
            <author fullname="B. Haberman" initials="B." surname="Haberman"/>
            <author fullname="S. Routhier" initials="S." surname="Routhier"/>
            <author fullname="J. Schoenwaelder" initials="J." surname="Schoenwaelder"/>
            <date month="March" year="2005"/>
            <abstract>
              <t>This MIB module defines textual conventions to represent commonly used Internet network layer addressing information. The intent is that these textual conventions will be imported and used in MIB modules that would otherwise define their own representations. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4001"/>
          <seriesInfo name="DOI" value="10.17487/RFC4001"/>
        </reference>
        <reference anchor="I-D.tapril-ns2">
          <front>
            <title>Parameterized Nameserver Delegation with NS2 and NS2T</title>
            <author fullname="Tim April" initials="T." surname="April">
              <organization>Akamai Technologies</organization>
            </author>
            <date day="13" month="July" year="2020"/>
            <abstract>
              <t>   Within the DNS, there is no mechanism for authoritative servers to
   advertise which transport methods they are capable of.  If secure
   transport methods are adopted by authoritative operators, transport
   signaling would be required to negotiate how authoritative servers
   would be contacted by resolvers.  This document provides two new
   Resource Record Types, NS2 and NS2T, to facilitate this negotiation
   by allowing zone owners to signal how the authoritative nameserver(s)
   for their zone(s) may accept queries.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-tapril-ns2-01"/>
        </reference>
      </references>
    </references>
    <?line 829?>

<section anchor="examples">
      <name>Examples</name>
      <section anchor="example-root">
        <name>Root zone file</name>
        <t>The following example shows an excerpt from a signed root zone.
It shows the delegation point for "example." and "test."</t>
        <t>The "example." delegation has DELEG and NS records.
The "test." delegation has DELEG but no NS records.</t>
        <artwork><![CDATA[
example.   DELEG server-ipv4=192.0.2.1 server-ipv6=2001:db8::1
example.   DELEG server-name=ns2.example.net.,ns3.example.org.
example.   RRSIG DELEG 13 1 300 20260101000000 (
                        20250101000000 33333 . SigExampleDELEG/ )

example.   NS    ns1.example.
example.   NS    ns2.example.net.
example.   NS    ns3.example.org.

example.   DS    44444 13 2 ABCDEF01234567...
example.   RRSIG DS 13 1 300 20260101000000 (
                        20250101000000 33333 . SigExampleDS )

example.   NSEC  net. NS DS RRSIG NSEC DELEG
example.   RRSIG NSEC 13 1 300 20260101000000 (
                        20250101000000 33333 . SigExampleNSEC+/ )

; unsigned glue for legacy (NS) delegation
; it is NOT present in NSEC chain
ns1.example. A     192.0.2.1
ns1.example. AAAA  2001:db8::1
]]></artwork>
        <t>The "test." delegation point has a DELEG record and no NS or DS records.</t>
        <t>Please note:
This is an example of an unnecessarily complicated setup to demonstrate the capabilities of the DELEG and DELEGPARAM RR types.</t>
        <artwork><![CDATA[
test.      DELEG server-ipv6=3fff::33
test.      DELEG include-delegparam=Acfg.example.org.,cname.example.org.
test.      DELEG include-delegparam=config2.example.net.
test.      RRSIG DELEG 13 1 300 20260101000000 (
                        20250101000000 33333 . SigTestDELEG )

test.      NSEC  . RRSIG NSEC DELEG
test.      RRSIG NSEC 13 1 300 20260101000000 (
                        20250101000000 33333 . SigTestNSEC/ )

; a forgotten glue record from legacy (NS) delegation
; it is NOT present in NSEC chain and it is occluded
a.test.    A     192.0.2.1
]]></artwork>
        <t>Delegations to org and net zones omitted for brevity.</t>
      </section>
      <section anchor="exampleorg-zone-file">
        <name>Example.org zone file</name>
        <t>The following example shows an excerpt from an unsigned example.org zone.</t>
        <artwork><![CDATA[
Acfg.example.org.    DELEGPARAM server-ipv6=2001:db8::6666
Acfg.example.org.    DELEGPARAM server-name=ns3.example.org.
Acfg.example.org.    DELEGPARAM include-delegparam=subcfg.example.org.

; unhelpful but technically legal CNAME
cname.example.org.   CNAME      Acfg.example.org.

ns3.example.org.     AAAA       3fff::33

subcfg.example.org.  DELEGPARAM server-ipv4=203.0.113.1 server-ipv6=3fff::2
]]></artwork>
      </section>
      <section anchor="examplenet-zone-file">
        <name>Example.net zone file</name>
        <t>The following example shows an excerpt from an unsigned example.net zone.</t>
        <artwork><![CDATA[
ns2.example.net.     A          198.51.100.1

config2.example.net. DELEGPARAM server-name=b.example.org.
]]></artwork>
      </section>
      <section anchor="responses">
        <name>Responses</name>
        <t>The following sections show referral examples:</t>
        <section anchor="do-bit-clear-de-bit-clear">
          <name>DO bit clear, DE bit clear</name>
          <section anchor="query-for-fooexample">
            <name>Query for foo.example</name>
            <artwork><![CDATA[
;; Header: QR RCODE=NOERROR
;;

;; Question
foo.example.  IN MX

;; Answer
;; (empty)

;; Authority
example.   NS    ns1.example.
example.   NS    ns2.example.net.
example.   NS    ns3.example.org.

;; Additional
ns1.example. A     192.0.2.1
ns1.example. AAAA  2001:db8::1
]]></artwork>
          </section>
          <section anchor="query-for-footest">
            <name>Query for foo.test</name>
            <t>See <xref target="no-ns"/>.</t>
            <artwork><![CDATA[
;; Header: QR AA RCODE=NXDOMAIN
;;

;; Question
foo.test.   IN MX

;; Answer
;; (empty)

;; Authority
.   SOA ...

;; Additional
;; OPT with Extended DNS Error: New Delegation Only
]]></artwork>
          </section>
          <section anchor="occluded-example">
            <name>Query for a.test</name>
            <t>A forgotten glue record under the "test." delegation point is occluded by DELEG RRset.</t>
            <artwork><![CDATA[
;; Header: QR AA RCODE=NXDOMAIN
;;

;; Question
a.test.   IN A

;; Answer
;; (empty)

;; Authority
.   SOA ...

;; Additional
;; OPT with Extended DNS Error: New Delegation Only
]]></artwork>
          </section>
        </section>
        <section anchor="do-bit-set-de-bit-clear">
          <name>DO bit set, DE bit clear</name>
          <section anchor="query-for-fooexample-1">
            <name>Query for foo.example</name>
            <artwork><![CDATA[
;; Header: QR DO RCODE=NOERROR
;;

;; Question
foo.example.   IN MX

;; Answer
;; (empty)

;; Authority

example.   NS    ns1.example.
example.   NS    ns2.example.net.
example.   NS    ns3.example.org.
example.   DS    44444 13 2 ABCDEF01234567...
example.   RRSIG DS 13 1 300 20260101000000 (
                        20250101000000 33333 . SigExampleDS )
;; Additional
ns1.example. A     192.0.2.1
ns1.example. AAAA  2001:db8::1
]]></artwork>
          </section>
          <section anchor="legacynxdomain">
            <name>Query for foo.test</name>
            <t>See <xref target="no-ns"/>.</t>
            <t>DELEG-unaware validators would treat this answer as DNSSEC-secure.</t>
            <t>DELEG-aware validators would treat it as DNSSEC-bogus because the DELEG bit in NSEC type bitmap would trigger downgrade attack detection (see <xref target="validator-downgrade-protection"/>).</t>
            <artwork><![CDATA[
;; Header: QR DO AA RCODE=NXDOMAIN
;;

;; Question
foo.test.      IN MX

;; Answer
;; (empty)

;; Authority
.          SOA ...
.          RRSIG SOA ...
test.      NSEC  . RRSIG NSEC DELEG
test.      RRSIG NSEC 13 1 300 20260101000000 (
                        20250101000000 33333 . SigTestNSEC/ )

;; Additional
;; OPT with Extended DNS Error: New Delegation Only
]]></artwork>
          </section>
          <section anchor="example-occluded">
            <name>Query for a.test</name>
            <t>A forgotten glue record under the "test." delegation point is occluded by DELEG RRset.
This is indicated by NSEC chain which "skips" over the owner name with A RRset.</t>
            <artwork><![CDATA[
;; Header: QR DO AA RCODE=NXDOMAIN
;;

;; Question
a.test.      IN A

;; Answer
;; (empty)

;; Authority
.          SOA ...
.          RRSIG SOA ...
test.      NSEC  . RRSIG NSEC DELEG
test.      RRSIG NSEC 13 1 300 20260101000000 (
                        20250101000000 33333 . SigTestNSEC/ )

;; Additional
;; OPT with Extended DNS Error: New Delegation Only
]]></artwork>
          </section>
        </section>
        <section anchor="do-bit-clear-de-bit-set">
          <name>DO bit clear, DE bit set</name>
          <section anchor="query-for-fooexample-2">
            <name>Query for foo.example</name>
            <artwork><![CDATA[
;; Header: QR DE RCODE=NOERROR
;;

;; Question
foo.example.  IN MX

;; Answer
;; (empty)

;; Authority
example.   DELEG server-ipv4=192.0.2.1 server-ipv6=2001:db8::1
example.   DELEG server-name=ns2.example.net.,ns3.example.org.

;; Additional
;; (empty)
]]></artwork>
          </section>
          <section anchor="query-for-footest-1">
            <name>Query for foo.test</name>
            <artwork><![CDATA[
;; Header: QR RCODE=NOERROR
;;

;; Question
foo.test.   IN MX

;; Answer
;; (empty)

;; Authority
test.      DELEG server-ipv6=3fff::33
test.      DELEG include-delegparam=Acfg.example.org.
test.      DELEG include-delegparam=config2.example.net.

;; Additional
;; (empty)
]]></artwork>
            <t>A follow-up example in <xref target="delegparam-example"/> explains the ultimate meaning of this response.</t>
          </section>
        </section>
        <section anchor="do-bit-set-de-bit-set">
          <name>DO bit set, DE bit set</name>
          <section anchor="query-for-fooexample-3">
            <name>Query for foo.example</name>
            <artwork><![CDATA[
;; Header: QR DO DE RCODE=NOERROR
;;

;; Question
foo.example.  IN MX

;; Answer
;; (empty)

;; Authority
example.   DELEG server-ipv4=192.0.2.1 server-ipv6=2001:db8::1
example.   DELEG server-name=ns2.example.net.,ns3.example.org.
example.   RRSIG DELEG 13 1 300 20260101000000 (
                        20250101000000 33333 . SigExampleDELEG/ )
example.   DS    44444 13 2 ABCDEF01234567...
example.   RRSIG DS 13 1 300 20260101000000 (
                        20250101000000 33333 . SigExampleDS )

;; Additional
;; (empty)
]]></artwork>
          </section>
          <section anchor="aware-new-delegation-only">
            <name>Query for foo.test</name>
            <artwork><![CDATA[
;; Header: QR DO DE RCODE=NOERROR
;;

;; Question
foo.test.      IN MX

;; Answer
;; (empty)

;; Authority
test.      DELEG server-ipv6=3fff::33
test.      DELEG include-delegparam=Acfg.example.org.
test.      DELEG include-delegparam=config2.example.net.
test.      RRSIG DELEG 13 1 300 20260101000000 (
                        20250101000000 33333 . SigTestDELEG )
test.      NSEC  . RRSIG NSEC DELEG
test.      RRSIG NSEC 13 1 300 20260101000000 (
                        20250101000000 33333 . SigTestNSEC/ )

;; Additional
;; (empty)
]]></artwork>
            <t>A follow-up example in <xref target="delegparam-example"/> explains the ultimate meaning of this response.</t>
          </section>
        </section>
      </section>
      <section anchor="delegparam-example">
        <name>DELEGPARAM Interpretation</name>
        <t>In the examples above, the test. DELEG record uses indirection and points to other domain names with DELEGPARAM, A, AAAA, and CNAME records.
During resolution, a resolver will gradually build set of name servers to contact, as defined in <xref target="slist"/>.</t>
        <t>To visualize the end result of this process, the full set of name servers in form of a 'virtual' DELEG RRset is represented here.</t>
        <artwork><![CDATA[
test. DELEG server-ipv4=198.51.100.1
test. DELEG server-ipv4=203.0.113.1
test. DELEG server-ipv6=2001:db8::6666
test. DELEG server-ipv6=3fff::2
; IPv6 address 3fff::33 was de-duplicated (input RRsets listed it twice)
test. DELEG server-ipv6=3fff::33
]]></artwork>
        <t>Note the "cname.example.org." value in "include-delegparam=Acfg.example.org.,cname.example.org." DELEG record has no visible effect.
The included name loops via CNAME back to "Acfg.example.org." which is already included.
This would have caused duplication of all values if each SLIST was not treated as a set.</t>
        <t>Implementations are free to use alternative representations for this data, as it is not directly exposed via DNS protocol.</t>
      </section>
      <section anchor="failure-cases">
        <name>Failure Cases</name>
        <t>Several examples of misconfigured delegations which cannot be resolved follow.</t>
        <t>Self-references to names without any addresses:</t>
        <artwork><![CDATA[
1p.invalid. DELEG include-delegparam=params.invalid.,sub.params.invalid.
2n.invalid. DELEG server-name=ns1.invalid.,ns2.sub.invalid.
]]></artwork>
        <t>Cycles:</t>
        <artwork><![CDATA[
c1.invalid. DELEG server-name=ns1.c2.invalid.
c2.invalid. DELEG include-delegparam=params.c1.invalid.,c3.invalid.
c3.invalid. CNAME c2.invalid.
]]></artwork>
        <t>Syntactically valid DELEG records without any <xref target="nameserver-info"/> keys:</t>
        <artwork><![CDATA[
00.invalid. DELEG key65280=\032\037\041\045
00.invalid. DELEG key65281="char-string with whitespace"
]]></artwork>
        <t>A delegation missing the value for a mandatory key:</t>
        <artwork><![CDATA[
m1.invalid. DELEG mandatory=key65534
]]></artwork>
        <t>Records which are not even allowed in zone file (see also <xref target="RFC9460"/> appendix D.3) but might be sent in wire format:</t>
        <artwork><![CDATA[
m2.invalid. DELEG mandatory
ik.invalid. DELEG invalid
]]></artwork>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>This document is heavily based on past work done by Tim April in
<xref target="I-D.tapril-ns2"/> and thus extends the thanks to the people helping on this which are:
John Levine, Erik Nygren, Jon Reed, Ben Kaduk, Mashooq Muhaimen, Jason Moreau, Jerrod Wiesman, Billy Tiemann, Gordon Marx and Brian Wellington.</t>
      <t>Work on DELEG protocol has started at IETF 118 Hackaton.
Hackaton participants: Christian Elmerot, David Blacka, David Lawrence, Edward Lewis, Erik Nygren, George Michaelson, Jan Včelák, Klaus Darilion, Libor Peltan, Manu Bretelle, Peter van Dijk, Petr Špaček, Philip Homburg, Ralf Weber, Roy Arends, Shane Kerr, Shumon Huque, Vandan Adhvaryu, Vladimír Čunát, Andreas Schulze.</t>
      <t>Other people joined the effort after the initial hackaton: Ben Schwartz, Bob Halley, Paul Hoffman, Miek Gieben, Ray Hunter, Håvard Eidnes, Ted Hardie, Michael Richardson, Florian Obser, Evan Hunt, ...</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+1963IbR5LufzxFLxRxTK4BiDfJNhWKHUqkxtrRzSRtz5yY
Pw2gQfSo0Y3pCylYo32C3XfY/XF+nqeY3fc6ea3K6m5QtHyZ2ThLh20S6K5L
VlZWXr7MGo/Hgzqts+Q4OntXJ3mVTrMkOk2y5Cqu0yKPFkUZnb66GMTTaZlc
H0enZy/OfjuYxXVyVZSb46iq54PBvJjl8QramJfxoh6nSb0Yz7GN8f7eoGqm
q7SqoLF6s4Znnp9dPhs06zk0UR1H+3uHRyP874NRdET/ffjwiwP475dHe4O8
WU2T8niAzx4PZkVewQgbeKsum2QAozkcxGUSQ5t5nZR5Ug9uivLtVVk0axgL
DmDwNtnAZ/PjQTR2T41PcZj4Cc4M/jd38x1cJ3kDfUVR0EoU8di/h+bT/Cr6
LX4Jn67iNINn5r/BKU+KEp+My9nyOFrW9bo6vn8fn8BP0utkog/dxw/uT8vi
pkruz+f3sbe0XjbT44hId3PF1LvfIec0hjfg8QyJV/te+PXJrFjdv0sLdZkk
96+W43V8lVSDQbouiaRVfbC399XewWAQN/WyAMKPoa8oSnMg+ZvJf/37Ov7P
f0ve0me83m+SuoyCz2F6cZ7+QMSEdbl4Sp8mTKh1tY5nydvfpNWMiGWaP598
n8Bam7bP42wR+Q/Dhk/extBkdJnMlnmRFVcpzMN0VN7ge7+J6Skki+3qdPIi
vimTfJaY3k7j63QePY2Cr8I+L+IsqWA/yJfSVQ2f/mY+p/kMxuNxFE+ruoxn
9eBymVYRbI1mleR1VK2TWbqAcUZxlCc3UeK32yoBas9pq9XLxHBjVCwiXoq0
3tD3MTQI/eYwE3r2lP96BXOILjZVnayiHWDq3aipkE9pt0ZxPuff3pycn7yM
ymQGO6KaDAYnti9t8dVFlOQxjKuKksUinaU4emxinsLE0mlTJ3Ng/Bx4hyYG
Y9T3kJS0xBOYfAIsFc9TbDvO6GvbWRUhJ84j+B2+kSFFN8t0toxgo9c4qyLP
NtGyqGpqFzuqkvI6KSsaTl5EBXRcRuu4hO9ha1fcLVLXdKVtg6QwRB9FsziP
pgk0OWtKGMgNbCEc5cXZ0xG1n2TpKs1ho9H01mUBb61wEEtgFaBtfVNEVdEA
O9DQYP9AA7hGAU3hgxX9PmHuWKXzeZYMBvdQGpXFvJmR2Bk837aeI5hAtS5w
1GmmbJDEQCYQrMIMOHZZPvkEKRYt06REUbPRucrIYLZ1Acu5WCQlsSZTdSTk
X8VvYUrQ2MoxH8zgOlEGTYHkRan8iZ2adacVgFeuUl11pj88F9cwOmo5rZD8
WQYDic36j3TlK156bFqXn7ZChEydcX8y6ttZAUhXZPhUniTAAjBr+QTbrmTg
sErwRVMhz0fxfA6PVAnzGKwfvMxtl8mfmxQ5xXcygjUAgsVELWT3vELKILPU
xazIqI043+jo9ONFEtfAdDDIl0WZFDDAEbXgqVUlNTArbLiK9iWw2joD+lbj
cZHDIOu2oFgXMAnmW/yG+5PH4nXyTlfKc8AP0JBb8fRqWQMVa1j7Gv4OxlJ1
u2Pi4uJe4O5BrhTtAfiUBBDsol2abzKreTFx3LNivcGZFkB64VccHHNNRZts
nQBn8Y4yI8CtWLvVpIVschDT5WZN0ghWDI8ylCbfnr4hMlw+fUNsGj04VLqk
SEwQSMCYxGgwNNgYOO1pooMNJcFEBkb909RZjsQgvcoStpcT2l5UpmZf4zRQ
HCGpaj2rNrJLtghnlinKCDvn57ukfFTwySqZb3geKo6mG/wVji6USOZI8TyK
tErzeYoqW2s/2200i9cxCZhUWB82gspuI8U8xzOLdXm+4p0e+723ijewu5Jg
1jK7GWhvtTsSLYM9r/GMiK0qeglU0BdhAPNkkeYJ7tHo/ft/eD4+nbCak1fF
mpSdd/WHD66hYOJb9o+wSVO5syG9yrsMAc2xiASWXBcVExyofB1n6ZyonGVB
20ZepPksa2ixeBcAfywalAW6eMBhllD2xKZ55DCVd7BOcbnRj3kPk2hFXmaa
oqZghkA8QisbFWtZ1izeoHBbEHtAW47wMvum4oOiWiLLI8EqZJj+4y2KZyXQ
gqQdq+3YMgoZlJLpap2liw3OG3e47CSjRExxNrBpmDKJaaJK60aex73Gk22t
nh1HoCXdFE02J+GPE4E5zZZxfoXHTj8HTAbP8HR9F8N4QTqmLDRnoBkXK9xL
dAjhZuZZFKUwDp+KvjXadXHPEvKU5zhfVZq0KToCWCi61nElkNdk3BWxYtHU
chgptfwAoVtQT4gd2cTaMs2erWgWPc6K/KoChhlFSA6wiVBzrpMY9LXFKDiz
sacejuMTAhTvKapQIgmpv8/hVWDkRZPBoQAPrOFr3EC0yQpYLSflR9EinqFI
gidkorB9SmIYYN+yyDIkBZ1s0CJKENakYXrPeFOp9s07GubGslrkJOtTqwSJ
m1YrYp1VgeJ9fh2DDTB3B/UITgBchSLPcZ/gaHB9rQCl8UMn/lRyshHGc+8e
2Col6JN0ADD5wTSNbuh4G7789uJyOOL/R69e0+/nZ998+/z87BR/v/j65MUL
9ws/MYA/Xn/7Qr7H3/ybT1+/fHn26pRfhk+j1kcvT/4wpFNxMHz95vL561cn
L4Z8IluThbY9bZsULed1meC0SPRWM7AESPgOnsBBu38EMvifzp89Pdjf/+rD
B/njy/0vjuCPG2BrPoJJEeA/YR02cPivk7jERlBkwhEEa50BsaGLalnc5BEc
MXRueNIBe1zF5VwZosf+AZ6CjbIoixUOA0Z3gEMayQL5Uw1mtPKnCPZ0PBj8
Y4QcPNsYVgZj024gOt2ISnniFh14+vwcdDZ4v3VggWV5t3PKvjl22tQ4voFV
+DGN4B5zb8G4qmJR37AAh4EvcNPcVGrSsDpqTtKAASYD05pviNSoJZkOsJzb
R+2H0+QyoJOeIbmDi8d216H9I7yTj1mEiW09Y9nL827pI8C8Ig5Ze6LvSLzh
QG5ANYCxR/GiRqXGPoPTXTfTLK2WKLcb3hY43jLJ1JYK3gjX0vEGzN7/IVMX
bbwyVj4eec6wIymDjxtHAKswYrNhXyfBF/3dtUyBmE5mlEvRG53na2jvOk1u
BqziVKwQsBY2BV13ERXyhBoTfsKsZK2SOK9Jiq6TYo0yfVlEN/gZ6etzGG+t
Fooj7zRZFKxewKbDCcyTBI4/NspI6ZDFRb3oezwhY8vkXs2skhxE6Z+bBMaK
mhbatTVz+ulZNE1rNTnOgD32YMPHc1zrItrHL+Q9ongfoUkoxaQRouwgIUCT
NmOBAQb83t8SGQhwnKZoAW8iaJDnjzSn1skxY6fY1wweZsLaOiYw6VHLBEnJ
xxxaDbhU4j9IcMA3KQhapBSsGS+i/5Z3ISruYPSWccY2aW/nuGfzz2pRS1Dp
QwfEVRRP8UQG0R2xuQYto6Opp6s7dTNbJrO3lahhpbzHW57ZWq0vXj02aicR
dFcVIx4CHN+5MoF/z2szpLC6bSIcogOFlTgXC1S9Y63OeSO5A5GmDgsBQmtu
tYNKRgqrRc/vvH/P7lj6LxkIHz7sstJ0fnpyecJ+d6OfVaDXVagyPAYzo0ED
L4VWoR1yYVAnY1SDqRkQCkP9bH19NKTD13zycIgtVcbRhj4b1n2evzE+kJZL
MgknZbrBj6lR68LxjXon3u0tPmJecP2vQLFF/WOR1DMUv1WCtKqTbIN9szGV
GCLeMgTjGFM/I64psAdrzPRQYNAQL4fqM/YKKvwclfNNq7MYdMSKJDWbxkRh
8a/INOAQqthF4M0pdX3hEnnjxhvP+KqRnbhapQgu1mfjWtowSn1bNoqwCCfY
w9LIuvA9fa6zmSaVcxGSeKzeGto4V5/yNbI+iIIxvkbMKJvfduNo1reEo5AA
TjCTvRwykrGvqOFKNJbAzy0GkdKb54/SPNhej8jwF70UjYXwrdbGCwwod5Sp
kYZCgCxfUhXEiQCkod/KCqhCq63+AvoONDk4ccfyWUFPiRElrWJb6zJdxWUK
x8Y0mcW4/oas4pr6cZ4OM8JwTHHbaQIfx2TKY0ALGeHU+efoxCIGYE9i4Gpm
ww41/1CeoSqVF8bLNxlckG+JW2LTnWyP69T5WMLz1ZmKE3Kgu42hjkdPTbYH
5mBTXJVw7gNd6hiOllHL4qF9Qhb+787+EC2y+CqwdW7VvXGxkP7w7woPFeDm
unLRkZBT2EUmeqTsAa/khtpWyyfxMcVA+H22LNIZ6zPkQJiDUkUbM5oWtB6y
y2B7VbXzG+PGJHNZhk0rsUizhAfBe7Akzaki7S4D+w39BjXqzURjGSjpJhKS
QB0+pSHWQCvgoSQBSuqDRDtQRHvdoefqDuVzmEyqKnp/r3N69ng08MCEIZyf
syakhtvlk9P9rf7F0Z09iyowsDlWq/CcQgrgnPfePdvb2xvD//bPnkUl7uDJ
Fq9ea5hAeWjyQEfIKll3lLp/qWdy+xUr0z/1eFcXaZd0yg99o7Vi8SZFLoSH
5WRzLjgQsdVoMG3UNVYlsCdqUOKJ633oqeVMgKmyFYiMWqlLUkI51L+Ibxs/
tC6dzIpqOsFo2W/QYS0nVbZxdIFPhxfXszfIQdXQ6SYX3z194txbuCbszvjq
6OEekuvbnJxB+NSob3M7g5ZoRR2UKRl3oohdxuVVUr8ilWmRJtlcolWkMQSn
sg8kIZ2zykbtZH/hjiSnHbyIQ4Km4Iy+LtI57uZFg/Y4btCbRJyLFExS43gU
HPX2lHPxA2pc/ZXdUUkcjzj0OWgXEj0oKR42e6tiDZkAPTrPT16doA8HY8kc
yzS8/TwIlyJJPDeUTSaHYDyPyb9GzM6rgIxG54z6d0lHOB4MxhG2ApIqU8Ua
USQUV7MBRSKAzGTopzKcQANmZvZdVHOu03mDUU59oqsmjKMzDNX6J/Bz3vL+
w9+hKwyJpuGEjXfSu4e+w2Z7GuS2FF3QuxNZt8StmuSzAg+Bbjs4Bm4qaICU
cx4bL1qCEVDUe9lD322Ixsk+ItrNNAC14SkYBfSz3eLZjQfBSjtlZ22ZqLuW
JA2MmxQAYEz42G1aPi9C3iNdY501VzwEv2P62Dwtq2Df3//68vLNhT+G7ndF
4CIGFShNVAnUkKK4aezUKhWkaalCkeWflcsdA47dxW/sMjyjlwfGPuxb5kDX
uD2uWG3fByNDTz0bPIH7+k39kQmH+qyW0D2tG7CUXywUUeJWOpjsY8+BZI1+
nh1vRktHPFhVNcMTxmo/zpkXqIEk3E9CFwpVLVq79HGLy5F92IcYkXWGcZOk
xdwIO3OSImE2dyqRxpMtuSxJEIjGIswPsNoA+d/h1PqIzJQh1wdxPeqA/l3p
v7IOEH3TfTnpdorS4fZ+aa76njyK+6rJ3+Yo9/Vsu2X9MRzA+6rTP5P79hGI
gNR3mXuIY07WpPu+i056u6RFOskypxGnpaPSR8eL4ssw3MuTP6Ae+ENSFuMs
ya/q5SMBHlTWdLoRXTRGXvdnt7GnUATwTv8eBXePAAghOHcCE0CP12A+EtCF
R8dIJ9DMyoTCcT0ywZ6HyiOwzxAC9/n4J/5DrdyPtv0Ywt7yc/9nGosoHIEo
9QPQrYtrOUeKzdjnWnde8vIu2O4q7w0DeeY6GA0sNKDFh7iREHtHopVioDHB
++AMTuBTb/i+1TMnp9+jeQM7aib+LOY1tNU/yusHW3n9citVMFAB1iRInK3q
kRM/OETZKslqXW9Y/yUVxdMyzm9tpS0H2B3blmZshPxEeTjoY7vP96KdlxdP
dm9jzc/3o50X8Ixr4OfZMXvHUfSX7b0GYnvbz19+5jEd9I1JhIxVi1iU/zpj
Ojq+Tbq0xzSZTHoeuv8zjom4fI0hGkENMX0q8c6oMRus3zUfaxdk3jOqgXY5
oqrIwIStHk5EUX3Gg8bwr7kHKbxDuQC7Yk+GwDrnhVrpbePLBAGrZrVC8BGh
cflxp2Lj5rKmZu+hRGC2CSlq9LXHgBkvJW5mNBRAdUD0JmzxwPVYLyXQSa1N
XFvYlf+cDYlZQUBKdYWSuPDN+nfvihLrDOTUdch+mYb9A9vGKHE+XA2MZgpQ
W4DHP61pi2bkSMMdIKA/rUu0Gcm6AxG9LgvgAJoPrt80IdYx3s04r27YW/u0
yNFXCUrHyHECsweD3AqEeCCbQYeEPZeAoxxZFLXrdjsJm7oVEtflsNbbQkzH
PHGHE1ov8BqOcXEpFprPRe8aE3aXzixv03SOLoQJm1kHZHakYXiW4I3JjdTv
Yf6sP7biwU6jjutNA/7v31doHJEd+qqoxXGaJylFtbibPAy+gGpydQVfnnh0
jeoShieIjzANoEjE4UWkQtyGKA3sjHfChHhBYoFzDdDRZPPkXW38gyC6GAHE
YWPjRmp7mN7fa5vbt2JxTQBpAZo0S16BbkjEtxsytAFNnue6KdeC9hQUsonC
kY9+XaybTOF6Fy+eX1xGO+wml8XYZdkdRGcN+j6IMzt0x6WgAMRh5TvdBqtB
ziQUlIkeH+N+bHLSMRN0KmZZ4sDNz99cH7Xixa0IsYk6f6ylh3dqifN1bmkp
yBj55Ohyd/fc2mkQXmbEESNDi26UcvTp8WfBoxMfEliQ3o0JC0WadMdhyAxo
vTakUYhR4ZeZmN8sFjt3CzjsW14TIutWxIDwJJgLZbEGUxNYmvxlGxIx5CRB
rzrsX1TqRdlnS+PBVw8OHHbwaG9vH0VQyy6427BDU8SODxHYID1qzBOMpps6
Ydtp5HyACP3AVb12jCLjvxslnb+0yz48su0cRIjY8Z+BLOzIDTiKD5NMIrHm
m1HkV2e64QUDqXOuz2qGi4CuenzDZQveOZsVgq8sTIRfTi5jJT5Qj8g/wHJh
AicuF1hOlUMl9zAPaT/OV21aO7GtaaSlL8geewBjwyIVsaMU6W0RphPJc+Mk
cmrP+6bjg/0vHdf1EUulEgOxnQYCZypm/KH8FQWl4jDrvGhAzR/DWRGvKfa6
YUPauzfR4NxCUMTO1gUc8UuFF1OkS9syDq4OES0Ng+hxXIH+nhisCkaDLNnE
CZuWVR3kksG6DQnGn0yksSE/Cqdwkc/bzxJiJRq6ZzEEg3k0yaJegXiOsnia
ELRyGE9nQ7E0mIVjnmLiqRrtfPs5iIMnu6PgwSGs7nDUepeYrvXc1TKlwaaV
uH3JMFoWLDq7Oxrp0prsCIb5xz/uHXwBff5xBA16Kgw6vosfIQ/I+YyjztFA
y2mfbBMQ2MVYugg5/YaQByS+ikKJ63I+SNPkXWhjgeow/5hpSw/8hVe2/T80
mf/y8RY4LdNKIksuBb1TfkaxWrO+N0JDWTbD4YOvvnC8TMKKMiQEwO+2hsMM
xdkVmnHLlRUAHf12NFAwYajN2oRFDon1nK72+CUzykWe2KhixVxwjPZYx6N7
hPAMYDofr3emNkUw8HS1Zxy80/n0oXwac0gxDFv0NCAD7GvCfJoL2Ek+7eFa
/JIRwkBu8kkSe+LMxX8vqGX2Hm8n8KOon/wCEVMIlksNxlVu56x2KDsZnPRi
YtDZWCYLCikWUVbEc0FosSYmWtQ8rdQj30pd0fCFmxcPSyHJbMRbGhKjtok3
aimgqnQEWwNn39ZMYwXBArcnBHwSE4kEnIVQPRFcmOhhYHi+xd9vtcxGAq9l
QBLIS5CBQ0d4kSMuP13TZoHJCweXE7eDPx8R4DwPso+cSoNE4y1rEjJ7gPwj
n+6NILUakS7JuzUnaXJeSony06NAnH5JCQCYlUh+CDyJTVroKHpwOImi75cp
5vuqUy3oGk8m25Wqgq2kx0oWXtJ78ZMRORUwZYoU3BD3wjida5LtktoCpuvL
pI4RXMdM9v6eA5h+UCh+MDQWaSiWKIGI+JcIVUUSvxdNaUuak0QI2TPCiX/Z
hh0LSC3JjBWnlLdjByf55jZx6TYsgQOAB+YBVFYsnqrtbsKnhVfJG8IKRN6n
CG5TyPBdPrdJJE8TVQPaumfLbmGdMYjXjyJxczDeJS0t6sHva9Y+ObI5xhnw
aLaoAn58nShJ4OnVaI5YFVsMFasqjNio+khgSIbVBi7DYBRlIuF0lGSc1CCk
Znl1fo7dyALWkrQl5x9hkhRGjop4O3BGKAgjrrB0hQWAiJV67lK75VjN55jn
D+cuagRZikkkcDBEcct8sM6qE68AOJUCRSGD69j13aVC7lWHxspFdHzi/+4y
KUFH2bZbsQWSYM0aRYRDRLnhfgaLHSBgJoML6/uhPJ0LyvLwRT0uuDXCQo6n
aa3CwrlynCViTCX8ldNfTs8Y3kq6aV214o2cPHcLYtDQWnGVFphK9Je8FJtc
I2kzQgmbl+HzgTZ4ArqMT0ndoTSdtsfyDphGelmQ7XsuEFKF6qLIQjMBV0mh
5OwkFG6k4kxFpZi79BXRTGy5BFS0SIqQVA8M6m05a5PBa3pDLcpqBju8TAtp
/fTs8Z5NUeoDAacOLKMeUyJRENMYizhXzO23zBYCIg9TXTQxrLJmOCtnqE3p
pl81WZ2unUaEGljnWROQYDR46RKZMQG65KADQ9i3BV3w8aulfU/pXaPcCoHh
LsPQwWPxVBAMuZYAKcP5dmMjms+lY3NSRfJWKSiAD8IG5joWSCjgCvioaCpW
ACub/Oyz8cxrPEiB81MMQYHrdNDFaca1Qi6267JclAHj5XyofSSyw3qHl7nv
7zkk/YeBkcU+wUBpheeZ53wfIKxDxM3fn+yAlsShLuKS0ytIA/VCQbjP5824
xBvbn1HqJDRFLEZlBixfFprS6pPd/kcw3UEw3QPmPG0JAI5jjKJvLv/w5uwx
V6GT5DwJcRhQdyeO243dgSLVlJLCLJvDRX+0rzIhCed0U6UBaScU4msdSB5A
89B78o7ENdrKDfXFbHANMZBnoN0as5GAKW07M3NH8QADj3Dv9KopndHK1mRJ
5YW0bAsoebSeneRVSUBz35Jm14mJk2tL05OrVmpK3JLC26vNqNVdkfhK5i0p
c53GNHhyZLLzxwEJmTa+aAM785hQzhW04k3hEkfJaA6SjfSgsQADrtbkG+LE
fluODVu7SatEmPTE+ZmQLsNnnPpG7T7BtBqV2LAxTqq3Q5CzQXZcW2OToogE
Riq5gBAv/cI03JOOR7kimOKgtmXgpT+cHHbcytb/fTg5so5nLL+IRRvUqYah
mmh4MIlwdltHMNRKScHYieziosG8C57gnOU0936kWDO/VZzR5A+sSDJJjGdP
Uo9x2ly4ap44WMukXXsP1esNG8RzLkDGcX3yySdY0K0ovTPO9KtHpxze/CFu
oyTLmGG0WlrqcRAz2JVmLEHWumgAUttLitUERfhiOb37EjkrTRcPspa7ObVa
3It3s5tYJw3Qzno7RgSmQBh/83qWXCeZt/njaJW+IzeK03RaUJyRF6+dOTmz
XRQ0OTVhhSmJdxEU1tESgeie0zALywSkXQnHaokIipt4w04LFU+MaZU4kSnn
USaJOMEfsff8B1fY49XFmMSI6Z4enEQXr0/Q901/YSXOCU4VP5CG+DPb0udM
lXZT/KBtrsrmk6DJ8ENuxnTlv7pt4K1WbId5BQJ90ulWmm9/6zvhtezrh/6k
14JXzdAJmED1Vy5enbw8Y3lEqAfyQzlvpHHfW4F20BZok+ibpsAasYOxtCjg
UBuWuhEzPKF6rAxSIhwa98zOGRJeyMhSVUuO96qLtNAcOaZIN3Mb2jMqRrkR
RQuPbg4mWwmlTj0eCjs3qfLHhNNrDBA2dHWViVhWiQs/zBxMZkGZ2dwmV3Fa
UBEIEGCYCdTk7NhyJlydout23lBhKX4N4woq0BEQJP4xOpnlMMmLsoUi4dlQ
HrSpA0fJtdTqI/YbC++4Zy0OhgRnWAaDB+QqORqBscS6URjJ7AO7jALxoRwV
uM1Zj+9/KtBMJL9chZt9haCGjDObbWYZoiIJ1AmElpJ694FOGYKMsVKHALMx
JasmVY45yIFGvNJJ7GY9ZFrOLMmpGC3oY6BiEZoUqxQynKgkDzSYZKiKbSwK
S/mgKlYJci4qYWCoFqU4glWLRDxMsXJeI7IYtCKc4ulyWc6Bpji4USO9VsAL
YsTicgG78YaJV8h5FNFE52ZMb9L53a+3+F0+GFzUyTo6CKPm3QexwT9hCOXj
egtpsL3HkuaGkwRYS+iUikuBmPnjY/1nMPhf997t7R0ePLq9K3jpYLIPUtDV
aKFCN5WpIUiSZEaeWDrjYjymMR87Je2JuRwJyDoqKw9XKS7oDokV0WMZvDnL
4qratYEsGQIM4qKOS/HFsLhMEHeCI/0G/5zwgwdUSoXsDpaOQR713QoN7DgZ
OEK9Som9i9bVqpBc4hYsgDENPJC+enzfqIQf0sEiX0+GTiS7Ift4xQXHZHm2
MM+he4smC1N9URRviaZZQZV5xvE11u6eZklbo2EMV4U0JCuwVkGvg6YGgczP
zArRVyMuaeOrhqIaqMGAQEOkuhmpKoqtmhgk/Buq6FNpzn4gPWlbTgZfFzcJ
WX9ptwYHUEcMqkIwrhIWanIphbuzaNGebcYFbWTYquKrenJyCqwK86JMOB1N
mAKCrnvbtAJeMV5R5Lt900M/m2ZliBdfif9Iv+h7r0bZxFuX9HAOnbojXkkk
WPgmpxAiDcqHunD5mPmD1ePISIF/k8ekVuXX0hWpSC4h/s6Pum+wWBDXQ6u5
AhE0LctH4zikcbjxw5L5OSATFms4zzOqSt+seZWx2CyotdLA0SSyfGBaqm1L
d9mOtAWuQJZjVBkrg5I0nhyMJA5KOlJyA7KqWmKkA49Q3RJWYl4yIYhLWKJ/
FgrajxwErjDCYsEh2ukmapWHa0eUpBgVbX2SH48n0X3rUxk6p4p1+Sziaklg
zIpVllubuXBtiH/gDZNXScOkJ3JuKXbB2sj7exz4EbPLJkHZIg0SYg/Yjwt2
9r0VVpJ19qjBXHBJdPZDC04hVVcSJjS6wKmqLIZTjU9XdA0sH3/b6KVm+c84
es+DpoYEcBee1yCMo9O0miE4ACN6PSlgbNR0Um+0nrGE730QT4J+Xt9vhfBg
19rUHN9RmZBNYmoNLtIMfickBm1oo65xF4w1ea3uJy6UnuZNogAELZfuh9ft
eEJkeB4kNbtkOufv6Q1i/o7jxS4szKdYXyD30sZJv/NRb5N7r7quB1CR9kkb
i+Kbfel5hhCOcoknnEG4XqcYe6GFp0WgxApBw+Bp20caJw91gt1lIMCTYH6U
jKaCy4qL+MVcTE0rufSjlKKd5J3N9UQQ/X3Cv+OJpfVxuoXdaHvwOUxdqtm2
BQsV4CpYJzTVwljpzvAVTAq9uMuEEQEi1zy0wt8t+Fgk+k0/fozQNapwFqVY
3q7oZccHJZ/vpJNkYvQYmQd5cHc/fW5RxNBQ5mm1q9dJya9H8RW6oVrVzrzb
OMy/kf7VyCK3vCrAY5WMczPMviLRrmSNy50SWePvVTCdMQy3nWIiO7RiQ7Gi
YshieaDfc+bcnpPoFTI+T9dRh18X3zp541rFrRV8RZoT1/WlagxJSTETUgid
MijGb+zrgMSB51wYuEoU7coqh5wtzHwtzP/9IA3goWQ+l7bGngOg+dslQNsy
eA5FdTnAjT/Q7rQdOlzvRWQosUYu5kyHm2KcDDAIu+ZcGp5amA0zGTwVRbGy
8MEfPeD8lg35aQP3Z25wHkuU+Rxvh6hAgRZw6Kblww+CZ7WpOjsSGU9syD2I
gbmK36WrZgVGGsyXXFhtTEhdFONVM1uO0bsAuuJSIgRTBD0LYNCRJCdAmLDD
FBVgAbGOQkV5VcwZc6SaJlZ3S2cNhtcdlU96HQkUr3fKAejUP2zw3MoEqkvd
+PjclDxiSUmHmllPquOKYpCg/6wo2ursTl2SzCcunLhR57tT/OMMy7dxrZ+b
TrybUMRU3A0Fsl5pAeuWYa4hmAsFbR7PgnWhgEF39cucjiL1iBbo+jSRSHeW
W98kQtGa2u3XCjaqyQf0Oj2G3AKvgwbY3t/rjyaH0BU+lj1+0vlbEEUnWAn0
lkl+pU13faJBIvUMotjS92lOLp60LZKuO6Aw77EjrVVeS/npBDmP5KsJYXhP
mwYwZwoy2WmqhhxF8WxGJSrwj13bh/HO2EuXRMpXfEOCfzwMyvaG0RVUQaOA
k2osQyV4xTkDQkhSMyojXL0T9mPtnJzsan1mDXjTaERRbnKp8XPcE4tbxsbr
qAE48gGspL5cAHv5ePVEvBXGReKlXL2P+KuN6I04F+2eZSmpkjtck83BI3ZZ
LTRv3Pr8/q6i/xSoQmbi+/ceouMwEqa1p9Ia7AT8e6wokA8SfiRNJJMLagLA
SxcJYGA0OCDdsSRQ7lKAkl0wLe6prAbhbyqyEO+gNYnh4q0Obp/iYq+llh7V
x0TDol2vn4nTT51zrneJMwuAJCemJALLTReDDiO/vXuAVCnKJwWJR1nOcbsV
x4PHZtae2+3Egec6AVsYLwdiTwjOtkXAaG8dnArIDWVcYjP1V4hIIl2cRZOh
ygRLqkq1h5EdtYSA7J0yIR9YdxiJzBlIVrovp+JUGvV6yqUMJczyGhG+4lGE
lotFxTtPKpRKeVrnknWL7NfCByUHWnPYrJSU3LO+Bjrz+8qOkw2wFsRB4DPV
mvQnrlx/5fOz+CRVnNfz3DshA/IZ7ybJzLb/r78DSsbXdRc69Sz/+fnF898a
4KERqQxpCeYruMYdD75w8znEQMGuM4c0nw5kEx+U6M8vnXw/9cM3PXskGvNZ
AN72N+DIkstVAts3r8LZ0Jks1fHI2/qq8IuECf7VOC9Ywf3Qxwlhec5P4onQ
W2vfuYUhLknFrBJX66CFqVXDkx3Md6AVe9E7NZoxSnbnNSI47Ces0pssQec6
kDGhJIQ1ZmqmM1PWQmH0vgwGC3mNIdI82WNsRQJVHC90J7OHVGMuwbGnx65w
B2rfVwkY5VQQBKZInhFXJPzW88qoU4GHt41nk/NzujEOxu24yUG/ejAv5PKQ
WXGVpz+0AbZx1XfCaElVcnpTc+rbaYt6s95h4PoSJ2cKyYdRizisuqJgO684
2bOgNWJ3HQoWM2ArTHkq0psUDDi0RZDRwAODttBKrZJ2xx9HeTICqHdDG4fj
tqGxclloNkq9LJOEbkEF9qrNxWQEO7FSKLFJNGBndo6C3hHZu3m2s9U4vNel
u5KowOEG+rHduzsCXON0AHsACBme7XUdtUDgWwceoVJLar0phC+qrS0FPo5O
thCSs5RMRE2M84k48IJqMdsKxWyTH0Z96Dtg5NiB06UY52hX9qeZYlEuYM8k
vXa11W+1FcIb7WbLNGPEXU98PZ9zndWgrL4fL7ngdiQ2P3JpEh4nuBuW18eH
phtTiHQkmxiNDBej7R31ZPBM9dM1TFrLZfgIdusF5jmnxPfavBIgdrX+5bjs
49NqSfaqymkKBqHVTnNnNCZeE95zXYAbP9+rwH7ZkVyqQCmQHDJ2tj15eeVw
IG2Bc4b1kr1QHHXuMwjPFboHyaSZkQBHw4/bNHjlFmJK8lP1Krr+ek/egeTv
n+M4sKaqyqx7SQoDNRfEUWS3WavDirPDtopxD+NUzDQD8778ah8jtXQn2FxG
c1aWWBLW+Qx3sBr4+PLJ6a64E4ev8LJUL8RfA1WG3hzqaexpgSaIFhSfeGu3
lBuN7IIEcFsHk40/qiJ0Qsj9u1kJIPgcjhvOZg3XFGphCd3x0adpKFEZ/6LW
ZC84F9cnyRYOXcA3LOmlAk9fn57RXbqvz87PX58/EhKIb1ArHFDwioL9wbUN
IZlub//3p69fnjx/5avd5p1a9b7oLbsgAy3TOYWroFiLgtWrZsp5sw4lPxm8
QpVUFESrjDhFJDyZnIPOVbJp5Wfccjj0+w0o93LPmRrbpGK/2tPjXQgtE5dx
E2QbifRjl4M4G3K6N7NdPM5JhMvfX6I4xcsqAi8A5e5gm3ZKyulNxv44v+Qe
lDZNzD0xVHWlb4oErX1ur+4KsTBp5a7NcF4cZy1Fn3LEOGqmdHU9v4SQ2JkP
o+kIEPvsfMOdfUfTrFGSFFNObRZ/taaH9NOi7bdxW9T7lw2gpBW38PkP1gY/
gn9bdMwLrwFJXkTP3WgdEueUhdGSb351Nf4fNHEXO2f74KQQ8W2DchUbchL5
dkR3srEuXdxGKiuqj32LZ1KhHPiBuwwHS6iUiZpZVg27sfcNtsxAvm8w7uRl
bThQISbzBau6iOkRpbfnupU7oymJogYArTc3VbTZJ4OzUMb5jJZeh5HWdPa2
3TFrffI0F7IcOUhdW145W98ETQJv+88UfCHtngqNIoqNb2/XKgoKJqGrX+UC
oo8EYshcQ0eqD+Jj2dqsMJ5mMrFVbLjLdgxEBIdNBxBnqWgJefGo8ZjUMrYV
f7eurO2wLgrZPHUA8A/6lMSotF7Fa/T5JIm/e4kEivw1xqyWtqk11r7o5Puk
u7NcPq1+MZYvsFglR+7KeEE+srKYN7NEr3m3t2udnF5GO6Et1brrqFI8jBvQ
2Pcog4VnOZ8XyAa7N6EaeTpcoF6KYgbdzaZEaxJWAHI1LLpOOfwFx0kD1mRi
WEd0gdWRCSDLxFzhHHdrrBij7ML/byUbLhly0L6z5Jbs7p+dl0a39Bcyl1kD
Wiu9mog+GsMS/lIcYm4udsrl7VTyTPCdpw2ok51bALUEAR09OTpU7ZR9Vaeg
fgcXspMmxGv6FASsWV8MAcPknNv1DcVctmWkXrhsTZsp+uXRHpUodJGM4SuP
8B/6rDykixFWBMnmGKQYwn3p2QQ1Zodu+oOc7PCKVDOi3GggQU3xJf8uzoKO
f5LFMgR36t/BY2h8KOyGNnnhciEjZcSmchO4uSZZs1tjLYyAJ81JHg17Rjpk
QQ5D3IHP8fdD+GOXkBCSYEfHlJ6FAgtiXpDSASP3AKdzYJkvF4bYuXgtUfUZ
3tHHl73j83yHMbob8eaxSLM5GLBdevOvi3CTEY8QMSeRxj48nEYhdVLkg+0u
FbVm5m7Ka0x9lIDrVQ5yy6pyaS++wqe2v1cXjm5fXJd5kjkB4QsDeq5nyCOt
60VzJ5a5Y3JLwB2SQC79maEZ4vDt9VRYCKmqtTjuRc9Bo5mhn8ccf3fdk0e3
7Ulq1pcNctAhuvhFYt4I2K89IuD1uh6/9jXCdOdlrXRoHw26XGrJUISUgVBd
L5lp+jcIBZ3i+TEqLQry72aBq3tA968XaSPWyykAjfk3A5tAzWNmYo78gRjm
3bTjcBcUhMCs2Gnq4cbEom5/7loZJn4OSrpnwRpmqR6ZSqy8Ju2cdF1Ga/ix
ihYsI1Nh4/E+jgq2AFcwOdYXZ2bfRgGYwVyFvoprToVtTxUFk9JXuy7Zawyi
O8GEESs7dxGZAOIjJ0/XqDVQqmZIt5ASDtVNZd4K3scGlkTps1LOAF0MLDAO
B1rJC99XPqXDnmz6Wzk3sEQG4QW61n90t71vskQGzv3srR9qSvb2uUZNvMrh
FVc49T+i2bogtkYGVEcRHqfQgENno/Zjb29VgJTXgpheO3fQqLVAzX7bSdpi
Qh/LNRsr1JP6g4KihIZ4Sik58L2EMDweeUTOVVIMCauIjjCsfrfuBNOp3bjb
o0Sj6T4GyoQWtmtyvaWZLjM1SZerGCVk0VS73q+x06+oTiSvCVPaZDMarN6W
ajt92veod+idsbJaoHq+L6Hl3IjusgyvJgq0pmDkqx6pLl2pSgMfTCXIKDEc
WmG5cJ+k+cgOZypSoIVgckWpxEvjUQl63YG7I5sAtZ7RLr5+/e2LU9IP2B9B
t2WmPV6sTmRb9su0uGoqrZbEm59SgWhjVNZI87fctneNVmzqu6vaXb1CO0jd
gT22zhabearM7iqSpO6aRl86jTSV2/kH9E5jcakXwtYzxVSAGSFBtPmZZL5R
njdKE3EyoCgpm6pWZyfocbGYtWpYLBmVjMslxgyVD6ibqSsx5tRMK0RIdNBy
4FKwnlJvOtVBnPZu3p20sNam37DLRsrswlNzlwvo+gziPnSPQDAG/57JvQql
r1iIfO05lmpD6qpDWHmandv5O85j0evfpZ0072mpmJLH0i5Q7YBcCrnFEti8
rceKkODl580jFVQf7j0MlCm63Txq3wzI6UHnZxfPXz17PRILCvRXswyFOjSi
3lsqsAZ1vGb7TAoewAZF4clF5dNKWUh1e26GhqMRND5EibHRJmnn2unIOTRm
kw7FCai14YK5i+QAKUiNDEkkSfXPRVBSLtRrH/l6TyMhm7h+/X5HmIxXaGzt
jxa3lrez5ckfOMlZl0AjdIXL2klcPpEv0GBa6GwQf3cPV1L3zgnVEyllpqfC
ysPAoPji4eGHDyNfSot9/J89/ozDQ9DIiCMlqdwCOC0KsDjpoC5TkGks89Et
z/cmkqqMmQ4JpziYupB5odedDe6Bduf4O3oa8DeoTLcwv4SAHRfN4bgvNqix
ovPRvBiFL3JUQvxeXByaVeQ/Cd6YKFDhKvNNPXI9hjboQ31Sg1JiDlQx0dSU
cMEairoqZk0KxtvhKaZOHVBcy1KKf3CgQ88xUnazLAjGc4gl4IlLk2JDie2M
+rrGYAjSZmFKfiA0ISSQXLR0QQlj56xb0NbUSqG4I+k89OEvSnSUDCC56SzQ
t9OqDTuB9vzp1joLBFWLBRdiSVJWndjoO3MH0Gijam8rcXWhJUPh5VWcx1cK
WdGCBpKN5G0bYQqW29bzauxclqLiRnSYHBMi8/ezOfK+jDfQiCNwio4A5gS8
ulPqoCoZMWm/ErNPYKHGFUh73QMgRl4MicwzSEFbKrXJU6R3LBjTKCtQb03x
Lguftew6pAxmujBEthprwvzXSqpBMCO2ykWZy/9wc3pMhEsgMjXIt/nxeIjG
gJC9JEUKFahOT2QbLlKBMRAGZTiMgruc7nvaosMKbEeCpA/xFf5zjN3CavLH
cs/KV1/BIWOvQAxvc5SDVthOkihCIFAvbWQP+8a0nBvW2C+6B47DhdKtfX6v
YfLgak2XjWh4aOtysHnkb0Ay5Sd7Y6AUDGirN51Kb/Zhzk6BxR77bmkY7n4P
tGPX4s8kCB/G5/D2bqdE4g0g+dxdAnCVFVOy1VxC6kjkKKq/ApiIr4t0voXQ
dFUQSb6u/NQJK8kYkSMF/+OyrjrD7Om8Rt/HTISLZOMyM+cbuZGZ3dpkJatx
7Bz9WGRwXUW+RpMcPUJXq3Y52HF7ZdMquJOLM3a5zlqWeYrCYSLKhCsO4xVl
6igL5DGdKKyzTlkgk2SWuDmD6IQahIBzkd9u/nDBKcCkCzvYGl/MpbV6RKzM
0kpwU3OYkAV4OXRMdNWkgviwR+oKjPPGRUkWfv/Ec66F34+uc6LZl4h9ygUI
523vrHGpyk1VDjM4tYdO32HoDgj06fEDfm6PrCmtdicqTS20fIg/pKbczc/+
jGOsJJ5yQV6WO+WqW465badcKLrQEMey1r78FFF8B79x+NTd6B+jnVcXAinf
9Wh1dHnRxAKiWy+dAwUTJXgupfIigS2d19cbuZgbWRaVlI10lZya6Z/QHKZq
2nitN9ktG9WXgts3yPdQ9YxN65dX9nRBXykXgav1OHCnJpXQdNdTO6cNfL9M
0UUb88GFrE6VTDYe4sBKI1/2kwc2nA/rkojqy5k9dcfyYPCEq0ijg4i4io/x
MP6cs58GJutwgGiuY30Nyw4o4/KRS+SmGPCxplmzJoWLoeIFjcDjQBZ6kLB9
LtBfobEzKz2zNpxJNQWF95A7j4TJgsqE7Ppe+hqnpP62l5X8Wd2hShStben9
iFYCCEGAHdjqtFV/7CR6xmXhSQgWESXLImaPfDhZweGldoS7m3oUpBLRuuG4
H0Vbo/Hi8znL0Qmkmf9+kM9gkKCktq8Q7HdyUlYv1eGEtypxGQdk4LxfThzE
EjSXcmEFgXHc/RZ8EU6JIVcHmZXyB+iKHfVS0t9ZpMWBcUpcTDs2Pk+6Y0fk
Mp/6OiiZmyvO4w59rnUOO5f3Bq1ZzwiEj0irhrmbPc3KMFnWceV0IfQJX5F+
a6cr54Rxy3Hm1ZzvDBCDDD0vVbxAkaR39FQG8reFy4IyJmzYhblzeac85mVT
5iyWtlGdjkES2WBYLStXwmBDl8pMRSD1SqJAJXKpd3pTQ19sxQJBWzESmn13
yjbdxE8fi+UB0d30cTtrEJpq9UltcKxoOac7oNh/pRUUpCbnWD1odn3DS5hr
NDwpGPoGnn8jz/9vJNiFXCyNO+Fcln9kCmljZUcLz/iC77JkF36NWg+X90Th
KLEt1AixsIdqcCywXxSIcRU6XV6+IC7mgm7MrhjAhQFgGTiSeCfzeYjt6ifu
SIrj9ZDQcSNTmlp9CQcfgwacHUmXdldVg6yNh8E72HSpr18l51hLWRCvuuBK
LE8HG0mcCJgPQ97tELuMXAXyYcWqy7yMGe4Dcx55NyEVOISF1Bk8o7Y6XdF3
54SISEIYhac5IvrkUg+3Sk7iOcnJdb8Kfc/DblHgM7dgId2nipesNThLy2j9
Je1ZtSRxWnF1Wa0yPN1Y/vjcsQWtqv9Tj15fP8WOlLWT51iFOJ6ZHO4N2FLp
jFSOb9egYyoGSldU/ciigBIInrefSkgWVnTJxbb7ZMzlKNZBoh61uQxCw/RU
qhbe9i1zvg/pda7q38kWu9o7jEljCgPd/ekWU59rfNuD5iDDL8hZ7q8AVJfu
F5P9Q5/xcLB/+NABEsRkUj9ilK5WyZxsROH4qkMTXBhHF5+GhucelY2EZxdN
to30jkpBzSu1tznXcq6ZDRu3sFJj5x7OiYI0Lacw8dIbrnuMfP8aKzPRqp1I
3O39vbA0UKdGpFZN9pmdaiK7giogKavOPRuSwVX6YLGL9blqiis6ArjKFuF7
qVgEjU/qHOBQYOBtnIjJGrohZYI1Jblhgf376ULzZGuUMQnVusJV1XLThSOG
DAwo+QJ9er7Gfk9lKBvn2ekvSMfamKtfMktLdsHdtd2RbuZpAwZDjk4YAmnq
UqDk7iucSsKor22OWprCSQwV8oU4ueJQEIV+SrVNzTutDKRHAxMICsbCVE7e
LWMMkarzXDLmyO+HeUoaiNk63srfpEBjuX9KI2Ibi7f96hGpBxx05kzeWAZO
VVgpVNwQStzB8n3JC95q9CDRw5WCUwJRMddibZIuJAAMjPLUl/Rl4mmpgnni
ypjPbdVxdNZ4i1m3ghG4T787Gx/sHTwcHz746kAcvVp11AfKCnlVRAAbwJVW
xwluUhFIrdn+Xh30279rz8DJwuA46hnn3tT9FtLIBHvQAbjolj2RXEFcymbN
fdNSSNqqiS+EcRlVet2prnUWSa4I0sAoQSKxeTvnc+ff7rpcRTyL47AV7hZv
t6sNXIcuexsO+CikwdZI7LjOLj0QPIyduzlKTEcA1txA4J/tQZL4iAvbIj3G
9EcNHLAVvRnNdhrGMvARBnqHOpABiIhvz+KRCNXoaih30EjmWq4ATl5r0gyl
R1l8UqAZKsrHNOvSTd2lJxYaRPrVaUGuo0IUEEq58qvnfEUVHBtcbk4Np4Ki
GXPR89B4dzEAPKAEId3jSLjh65BdfW3eCPOQlJUEH52kMj07oF7gFPqs8kih
ZYxBGrHJ6dnWBcYK44iuGpCxILwk6N1b/gwY1BQzEc9MBPqL08bbFkKe4DkR
c3heswmIQ/tMUEM3vEFXr8W+I4eGZuQj4ySjYo5iDVMUt22EWP+d78Jq3kzn
51V0QesPM7xckmrq7z10NdYqfcRMbcdxh9Q4668vR0h+zO42N0TSHIjW4fV5
WlnUhoP7k63vgoLh2iJB2QRfqjTEQw9I3klJoAqvq8KoAJ8/VVMucEPOOI4m
tWFake7bffGaquiReK224UDpVDKjKsYrk6rDN0W4DAgWFBImaFM5LMDEssIJ
Cq54CpPWW5npLmgChTmq87bfoSIRZNa1slT9ZXcHuxK6c5cFkBwVGQkEo0um
WalwuEZEQVLmnRaHdTUlqUiNFa2fVaraTgZnaL77JMUAhtXCh8a5KBU4FqGa
1KtM8wa09IwuRnm3cWnRGv7kyiYDRWEBzXAHKr4fxOlKXBNsLPMlzbYu6zWq
MHNNRXDxMfQipNe4yHiLc1LyTMC4p8K7YXmKBV7lLKMmLgbem5FywkqgnLxh
rBlL1MRUrTTJXCLEXYtrRliNoc+qeuo9ni6J7JwrLiDV3t9L4zweq8sUi6MQ
UOWGOEATjlzZDgmTd/qn3tMq8hXfOP8DWc/f7SMn5rni1+QKyB1MnsFEXF8L
Ak0WTon4Cth1l9Jp6F4QOTJeJjHpv8MzuSc9s8kXw5HJkGtlJEYlXT13t4y4
iEHBOid3EfjD/aOjvUkwJtLSPzaw6Hku+4kGySXWL5+cHmjFY5OQWPK6reLy
LWOuhuS5IDoNP0Ly2JUmpqY+WnpDyc11P5jciGQbU4kIGODhyB93b6RadW+9
j20Dk1uHeD/TIFemYDGOy2E/nxvLVS7rDkfJ0MDd4+gVqh8CCRzBUPwdFMPL
nlwKvjI8qJ/ZUoAsbnEyHHDkGGZ5riMg4WWX0w31Y/OGgQrot/f1oSmDcsnx
D+lSs65DOEVLJWqXjx+JucrXKJRc/kl845okiimnctX8W3dhgqLJNQzBQE0a
CrdO9qOtfuitTkpKw7y5V81qmpTHUfQ9MPuYR+b6ckDCMtrhvbg3fvjgweGD
3QGuJ7z1bZ4CBSM7XJr5QDYXPHLCPm1778jgXKUTfP+i8AmKYQyYEH1mPiyK
BiwmUYCyFwZH/wZsLH4DR1xvRmqRUc3kgOYYnvAIDTKbOCYFT1MIDw8zLoz+
3dMnGBaqFFEYZn8u3PhIhScOh5NZbvdab8KnqYrERhGzRw/3TAGK/aPJ4WT/
mMslLWP00poKzu0+OKEQLwfZOBcBAg9KvocnWwN9ZAERUDXmO0M5L87l/lX+
ZqohsBRjr+Ra6+FEr44xxOdYPU0ajxy9mwTYn6IDiFQkcKOKp/2Dhy5XgxUb
ASrSwzSOdqjXn1m4uVlDIsMbozMzRHq4m6LYHyY3VTvMtVxuB6t+jZ20vKKG
CT6rQpYVvif/PAPS4U/NM9FByQ3r6DXwdcChJXKsg3YyPqU8fK59pG5FzpBx
/lU5TYnu6qjB3MuScldpC9Sx0UZkxvTBhCJMvOwwFM1Yi80QRXqS83N4Ib6p
He4aBQfywO5Q4NiuEJ2YhoYedEexp0QldQtttFavVoxLkgzsMbF3hs8Rd1Gs
FZeITEOuuIR4+4aAv8QBLveNNP1Fisg58VbKbXXwBtkfriAt0DzFxKFIfGYV
M+wdxbaBL7WuqQqFZCqd2H2AMvNf/uVfvNzcU1Ho7nPxsu+lfsSBYMVsnJ8H
AvD9e/cqyIS2xtgr7p6fXT4zsntfx2Aub7ASGJOZCCgC85xhG650Kt+F4DRq
XCdz92ZrmB3H9CcN9qA72Id3HuzDX3mwh63Bts+27YM1N6L+OkM90qF2vd+f
NuJO8OhnHXfngKGThSYDSvuDgy9Z1ThiNY264dsAyLSrCdk0ua2ViDQV+/qE
du5gPB7TzWpoip0pVPf9PVcck1TJc3dFMQok/zVXeWHL0QkKvTcA5MqNCEqw
OtcuP1K8he7aY7pInB/ui9zxLefhdYt8BeNQ5Jz/rlV6u98nQu9wA/0vdGoq
yr3E2g/8KhV+vIB5vP/VwWQPL2C0O/nxwd7e/vF8+uXx8f6tTSDzPM6rA3et
JJygk1FeHboPivJq0m6C625zQ/uH0X50uLcXYYhjbx/+oZ9oh17a9gMPPzAP
H+IP3jSdXgkvUOP3o90OBYA6dI3zvhvhtifCSW17qjXTDrXosSP8wakeRCdP
np6ePdvbPzg8evDwC71Wukuci1+MMhe9VDl7GqFzhm60JucxjoI+JlL2j5K+
/4XGiW1/7lbwkXfXk9+Orh5lF+DOq4vd9qXajwRUhEpybw2qQZsLwMLBH7cd
eh6AHxy33xnbtiTvf1tEX+9i4xpvUvhli1f9eOAK9Ib3saPQV3d6SubJygUU
wTDBCy0xA25FNYjVCA7SDINgXfs+RUnFFx7mW8jppy00Hj4+XCwWx8eHh/1P
do+uxyezxVWwUUYzFB1dKXGXxhhS0LM9zcu/pIi5hG645d0OrXgjTfr3T2d8
v8j+weFhw2bvxLhfrooaMWnG7c0n20/ZRuxspWe0Rhq9GE/cXNv7anBqXPZ0
pd2VVOOqFRuySuta9IQpXlFYS5XAM88t/lT/cae4qQiQtFoTxu+wquNFwQX0
HpMP4efHvC4HZ885+bEGejZE1UzbL3mpuUyyNQKMCCKVzJZ5Shc207JnDIqg
Z7sbEj5kzETUO66BiMjDzmhFVNKPExX0dM9ItxD3CIh7CCyzv3/Y0k24xYOA
I5R5fh6O0NbcFENZE3m2Ft7+cvJgfwJbEdmbaNkjobYxwbRFVNJbfUmJcC7i
a6IAwY0PD6nWeyx3Pry2taxOz/xfUrf3G3ffzqIotH9hmUfR10mM6QjRN+dc
svix1EOW791z31CVXxEVpiEg0PNX0cvfuwf56ir9aydZrevNrv9Wy3D9LVQ1
7N+FGX8epaCHwigMBwLF4Zr4HyZ95Ia2hOJSIfqjJFcx++kEx7exlhOqoltI
Ap+8fnPJzpVuaOM46olLdMjAJwImo7cvP0OPd//xxLHN+jYlyxw8/hI2jdr/
VALHlrwnf1fUtfucsDB33+U9ZIGGPnWnfyLn/cp7vfXU36lV9gsJpG0SCTZj
Kxu5K6NCOIkplMMYKS12TMYKFfuOWxW3WtcIbmkh7ZYeUhy1N1ikFBtpn7ZC
pjaUXiHkpo23E6QGQXDuXBu3f498unj+yRJaflSUtD5m7rRf/r2bJL/sGdOp
2/yLnTFqqmuYW8rmO/uIUSXD6m26roactU1IRV/kkrN/bjmzfjTjxS22+/ST
63+4rvfs3a5kwxr++MP37G+rZv+NfMLbV8SNfKsm3SXij6PgT9eaf2H32E/z
hd2BtCdiVI6btTOQCZrl2/a3E1OdBsq8QNnVZHW6QvfiSqBXGi9SMOBkq3b6
0e3Rszte//+6QVpN/JpBk/bo/z7V5U+XIO7i577SOj8XF/4sut/ftZxpvfxr
+dxb3f630TR+PeFrfY0EbFqXiYCC8BauTicDLhVnil7RNUGS/UwkDOJYDQO3
HbRW6lemVJWyEJRUgETwSQSC2z0ZkanKMHF2M7tomKSZ+bJfXONXq1di7gFa
bXwP97TBC4ikipnFZyh8PZ7VUjrAIJCrLJVMuMsiuk6rhi5OYBowrh3v9FLi
SrYj04OyXfr6SxmCxuUnPrtOyxqhZe1CwPaKGszDCeJtfUeNcS7f9qBxl9/y
XG/MYtuj6mkn/g2AO86tT0XdUVT43MadNMern6VSAdI5oRhRfZPOkt07dIjB
AkkDBausG5cYerD18BNjjcOQnzFUmxMfEH6cq2Aw4kI6mPNSZ0WxruA5zSZF
BAry2bDT6dAnFOgVftqUWI3stqAkGvJ0zCMlokB5sGIPg4QR64f1vySl9Cbm
HJRaLgelQDObj89XchOlgo4R/oc38UptslgKz3Mh6BCg7MraIO6dtkzqisPz
VsfKL+8Qiz4nGqChFFb90gzBpzEGLy7kBipbSs+khOOMbRUsvSZO8ihlw+vN
hHRrU7YYO5xk5bNi7AWuDlp2zBtrfz0RROxk+/FG/63cg6OqmU5an1FjB3m7
sVCn2/dNoIKHzbj3B083s8wNa7b/sZZmB2Hf5u+PTsS0PpodttrxfwsX254G
FxsSmRIlpE+3VV7LN734MYRJyixBarXGDF8SLuzxH/cOD+DfL/64d7QP/z64
/fn9x0PEVI8FW0/HCTBMzej8IZ6pxm9DF4hJojLLCi57ubJQThniqrMQ7qnH
1PmDwyMsfiBzD+4qo/IoUjAOxZGHmpGrUS5w9lDxeI35R+m76HRyyCXMXbaT
xtYNYFcH2Fl3D1LF79O3Xb6gPxEadzLD0oRZMr8iAPvg/THj6pL54+ECxpcM
P7SL8uH1cUl8jQiTaVxxkac1JgtT4hZVI5puost0FZ2syxTLIQ7ev/8nzOip
Y/xgDJwvdS2p9FRCfpVKUq7i/K2rBrVOClR9MELtyiClhsbHg38ulnn0IrlO
scjHWZm+jV5trkosnfbP8PQ5Xa3xBNbgd6ANvB1FL+NqWRR/jl42yxgr3cBj
dL/AywIkZQN/JWVZzKPv06QCGsKrKfL4ZYqXhsKfv4Ulxqfj8h0N/0mZxnn0
fZJh9a6a7sT+XiqbtPJYOOkzpvLbcU3gyGh//8voazgfYnpTf5PSq+ka6zse
R0+XJaKxoZuzbJVAc2ArA+2h7wxf0L9exDck84AIcyxiDTS5wZzigCS/TeDg
SaKXQL04yaiY1z9Dw9/9578l2V//A8jzuwzOGWgRFomUqhfpFLbFmySrkRgv
47yBKWMtPsxKfIMQb9g9MNf0T2/p7zL6r39fx9Ac/rmERtbR18Vq2pRXo+g8
zhZAqikmx58Xm+ikxEUfRRew4kn0OyA8/t6sgAJfN39uEkzGAi7OQU9eXsfl
Blbnuyyep6u//t8y+s9/bfK//gfQ4iSfY12y6GK2bLIfUFei0vLKOX8qSKMj
rW2xwPwUrbibONz3Ugh/TIwCDQH96h9g7YspLA9MdQOTiZsMprJYEFe8TJO3
0W9TmEuO89rAgFGHHkVf//X/XCPxz9I5JVBeQt9fwwdpMlKqR+f4f5AUSN9n
WUEc9BpTI2GxkJjY1ogcpv8PqXyAQk74AAA=

-->

</rfc>
