rfc9462.original.xml   rfc9462.xml 
<?xml version='1.0' encoding='utf-8'?> <?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [ <rfc xmlns:xi="http://www.w3.org/2001/XInclude" version="3" ipr="trust200902" do
<!ENTITY nbsp "&#160;"> cName="draft-ietf-add-ddr-10" number="9462" submissionType="IETF" category="std"
<!ENTITY zwsp "&#8203;"> consensus="true" tocInclude="true" sortRefs="true" symRefs="true" updates="" ob
<!ENTITY nbhy "&#8209;"> soletes="" xml:lang="en" prepTime="2023-11-06T13:06:12" indexInclude="true" scri
<!ENTITY wj "&#8288;"> pts="Common,Latin" tocDepth="3">
]> <link href="https://datatracker.ietf.org/doc/draft-ietf-add-ddr-10" rel="prev"
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> />
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.6.15 (Ruby 3.1. <link href="https://dx.doi.org/10.17487/rfc9462" rel="alternate"/>
2) --> <link href="urn:issn:2070-1721" rel="alternate"/>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft
-ietf-add-ddr-10" category="std" consensus="true" tocInclude="true" sortRefs="tr
ue" symRefs="true" version="3">
<!-- xml2rfc v2v3 conversion 3.13.1 -->
<front> <front>
<title abbrev="DDR">Discovery of Designated Resolvers</title> <title abbrev="DDR">Discovery of Designated Resolvers</title>
<seriesInfo name="Internet-Draft" value="draft-ietf-add-ddr-10"/> <seriesInfo name="RFC" value="9462" stream="IETF"/>
<author initials="T." surname="Pauly" fullname="Tommy Pauly"> <author initials="T." surname="Pauly" fullname="Tommy Pauly">
<organization>Apple Inc.</organization> <organization showOnFrontPage="true">Apple Inc.</organization>
<address> <address>
<postal> <postal>
<street>One Apple Park Way</street> <street>One Apple Park Way</street>
<city>Cupertino, California 95014</city> <city>Cupertino</city>
<region>California</region>
<code>95014</code>
<country>United States of America</country> <country>United States of America</country>
</postal> </postal>
<email>tpauly@apple.com</email> <email>tpauly@apple.com</email>
</address> </address>
</author> </author>
<author initials="E." surname="Kinnear" fullname="Eric Kinnear"> <author initials="E." surname="Kinnear" fullname="Eric Kinnear">
<organization>Apple Inc.</organization> <organization showOnFrontPage="true">Apple Inc.</organization>
<address> <address>
<postal> <postal>
<street>One Apple Park Way</street> <street>One Apple Park Way</street>
<city>Cupertino, California 95014</city> <city>Cupertino</city>
<region>California</region>
<code>95014</code>
<country>United States of America</country> <country>United States of America</country>
</postal> </postal>
<email>ekinnear@apple.com</email> <email>ekinnear@apple.com</email>
</address> </address>
</author> </author>
<author initials="C. A." surname="Wood" fullname="Christopher A. Wood"> <author initials="C. A." surname="Wood" fullname="Christopher A. Wood">
<organization>Cloudflare</organization> <organization showOnFrontPage="true">Cloudflare</organization>
<address> <address>
<postal> <postal>
<street>101 Townsend St</street> <street>101 Townsend St</street>
<city>San Francisco</city> <city>San Francisco</city>
<region>California</region>
<code>94107</code>
<country>United States of America</country> <country>United States of America</country>
</postal> </postal>
<email>caw@heapingbits.net</email> <email>caw@heapingbits.net</email>
</address> </address>
</author> </author>
<author initials="P." surname="McManus" fullname="Patrick McManus"> <author initials="P." surname="McManus" fullname="Patrick McManus">
<organization>Fastly</organization> <organization showOnFrontPage="true">Fastly</organization>
<address> <address>
<email>mcmanus@ducksong.com</email> <email>mcmanus@ducksong.com</email>
</address> </address>
</author> </author>
<author initials="T." surname="Jensen" fullname="Tommy Jensen"> <author initials="T." surname="Jensen" fullname="Tommy Jensen">
<organization>Microsoft</organization> <organization showOnFrontPage="true">Microsoft</organization>
<address> <address>
<email>tojens@microsoft.com</email> <email>tojens@microsoft.com</email>
</address> </address>
</author> </author>
<date year="2022" month="August" day="05"/> <date month="11" year="2023"/>
<area>Internet</area> <area>int</area>
<workgroup>ADD</workgroup> <workgroup>add</workgroup>
<abstract> <keyword>DNS</keyword>
<t>This document defines Discovery of Designated Resolvers (DDR), a <keyword>DoH</keyword>
mechanism for DNS clients to use DNS records to discover a resolver's encrypted <keyword>DoT</keyword>
DNS configuration. An encrypted DNS resolver discovered in this manner is referr <keyword>DoQ</keyword>
ed <abstract pn="section-abstract">
to as a "Designated Resolver". This mechanism can be used to move from unencrypt <t indent="0" pn="section-abstract-1">This document defines Discovery of D
ed esignated Resolvers (DDR), a
DNS to encrypted DNS when only the IP address of a resolver is known. This mecha set of mechanisms for DNS clients to use DNS records to discover a resolver's en
nism is crypted
designed to be limited to cases where unencrypted DNS resolvers and their design DNS configuration. An Encrypted DNS Resolver discovered in this manner is referr
ated ed
resolvers are operated by the same entity or cooperating entities. It can also b to as a "Designated Resolver". These mechanisms can be used to move from unencry
e used pted
to discover support for encrypted DNS protocols when the name of an encrypted DN DNS to encrypted DNS when only the IP address of a resolver is known. These mech
S resolver is known.</t> anisms are
designed to be limited to cases where Unencrypted DNS Resolvers and their Design
ated
Resolvers are operated by the same entity or cooperating entities. It can also b
e used
to discover support for encrypted DNS protocols when the name of an Encrypted DN
S Resolver is known.
</t>
</abstract> </abstract>
<note removeInRFC="true"> <boilerplate>
<name>Discussion Venues</name> <section anchor="status-of-memo" numbered="false" removeInRFC="false" toc=
<t>Discussion of this document takes place on the "exclude" pn="section-boilerplate.1">
Adaptive DNS Discovery Working Group mailing list (add@ietf.org), <name slugifiedName="name-status-of-this-memo">Status of This Memo</name
which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/ad >
d/"/>.</t> <t indent="0" pn="section-boilerplate.1-1">
<t>Source for this draft and an issue tracker can be found at This is an Internet Standards Track document.
<eref target="https://github.com/ietf-wg-add/draft-ietf-add-ddr"/>.</t> </t>
</note> <t indent="0" pn="section-boilerplate.1-2">
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by
the Internet Engineering Steering Group (IESG). Further
information on Internet Standards is available in Section 2 of
RFC 7841.
</t>
<t indent="0" pn="section-boilerplate.1-3">
Information about the current status of this document, any
errata, and how to provide feedback on it may be obtained at
<eref target="https://www.rfc-editor.org/info/rfc9462" brackets="non
e"/>.
</t>
</section>
<section anchor="copyright" numbered="false" removeInRFC="false" toc="excl
ude" pn="section-boilerplate.2">
<name slugifiedName="name-copyright-notice">Copyright Notice</name>
<t indent="0" pn="section-boilerplate.2-1">
Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved.
</t>
<t indent="0" pn="section-boilerplate.2-2">
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<eref target="https://trustee.ietf.org/license-info" brackets="none
"/>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Revised BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Revised BSD License.
</t>
</section>
</boilerplate>
<toc>
<section anchor="toc" numbered="false" removeInRFC="false" toc="exclude" p
n="section-toc.1">
<name slugifiedName="name-table-of-contents">Table of Contents</name>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="section-to
c.1-1">
<li pn="section-toc.1-1.1">
<t indent="0" keepWithNext="true" pn="section-toc.1-1.1.1"><xref der
ivedContent="1" format="counter" sectionFormat="of" target="section-1"/>.  <xref
derivedContent="" format="title" sectionFormat="of" target="name-introduction">
Introduction</xref></t>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="sectio
n-toc.1-1.1.2">
<li pn="section-toc.1-1.1.2.1">
<t indent="0" keepWithNext="true" pn="section-toc.1-1.1.2.1.1"><
xref derivedContent="1.1" format="counter" sectionFormat="of" target="section-1.
1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-sp
ecification-of-requiremen">Specification of Requirements</xref></t>
</li>
</ul>
</li>
<li pn="section-toc.1-1.2">
<t indent="0" keepWithNext="true" pn="section-toc.1-1.2.1"><xref der
ivedContent="2" format="counter" sectionFormat="of" target="section-2"/>.  <xref
derivedContent="" format="title" sectionFormat="of" target="name-terminology">T
erminology</xref></t>
</li>
<li pn="section-toc.1-1.3">
<t indent="0" pn="section-toc.1-1.3.1"><xref derivedContent="3" form
at="counter" sectionFormat="of" target="section-3"/>.  <xref derivedContent="" f
ormat="title" sectionFormat="of" target="name-dns-service-binding-records">DNS S
ervice Binding Records</xref></t>
</li>
<li pn="section-toc.1-1.4">
<t indent="0" pn="section-toc.1-1.4.1"><xref derivedContent="4" form
at="counter" sectionFormat="of" target="section-4"/>.  <xref derivedContent="" f
ormat="title" sectionFormat="of" target="name-discovery-using-resolver-ip">Disco
very Using Resolver IP Addresses</xref></t>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="sectio
n-toc.1-1.4.2">
<li pn="section-toc.1-1.4.2.1">
<t indent="0" pn="section-toc.1-1.4.2.1.1"><xref derivedContent=
"4.1" format="counter" sectionFormat="of" target="section-4.1"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-use-of-designated-reso
lvers">Use of Designated Resolvers</xref></t>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="se
ction-toc.1-1.4.2.1.2">
<li pn="section-toc.1-1.4.2.1.2.1">
<t indent="0" pn="section-toc.1-1.4.2.1.2.1.1"><xref derived
Content="4.1.1" format="counter" sectionFormat="of" target="section-4.1.1"/>.  <
xref derivedContent="" format="title" sectionFormat="of" target="name-use-of-des
ignated-resolvers-">Use of Designated Resolvers across Network Changes</xref></t
>
</li>
</ul>
</li>
<li pn="section-toc.1-1.4.2.2">
<t indent="0" pn="section-toc.1-1.4.2.2.1"><xref derivedContent=
"4.2" format="counter" sectionFormat="of" target="section-4.2"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-verified-discovery">Ve
rified Discovery</xref></t>
</li>
<li pn="section-toc.1-1.4.2.3">
<t indent="0" pn="section-toc.1-1.4.2.3.1"><xref derivedContent=
"4.3" format="counter" sectionFormat="of" target="section-4.3"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-opportunistic-discover
y">Opportunistic Discovery</xref></t>
</li>
</ul>
</li>
<li pn="section-toc.1-1.5">
<t indent="0" pn="section-toc.1-1.5.1"><xref derivedContent="5" form
at="counter" sectionFormat="of" target="section-5"/>.  <xref derivedContent="" f
ormat="title" sectionFormat="of" target="name-discovery-using-resolver-na">Disco
very Using Resolver Names</xref></t>
</li>
<li pn="section-toc.1-1.6">
<t indent="0" pn="section-toc.1-1.6.1"><xref derivedContent="6" form
at="counter" sectionFormat="of" target="section-6"/>.  <xref derivedContent="" f
ormat="title" sectionFormat="of" target="name-deployment-considerations">Deploym
ent Considerations</xref></t>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="sectio
n-toc.1-1.6.2">
<li pn="section-toc.1-1.6.2.1">
<t indent="0" pn="section-toc.1-1.6.2.1.1"><xref derivedContent=
"6.1" format="counter" sectionFormat="of" target="section-6.1"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-caching-forwarders">Ca
ching Forwarders</xref></t>
</li>
<li pn="section-toc.1-1.6.2.2">
<t indent="0" pn="section-toc.1-1.6.2.2.1"><xref derivedContent=
"6.2" format="counter" sectionFormat="of" target="section-6.2"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-certificate-management
">Certificate Management</xref></t>
</li>
<li pn="section-toc.1-1.6.2.3">
<t indent="0" pn="section-toc.1-1.6.2.3.1"><xref derivedContent=
"6.3" format="counter" sectionFormat="of" target="section-6.3"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-server-name-handling">
Server Name Handling</xref></t>
</li>
<li pn="section-toc.1-1.6.2.4">
<t indent="0" pn="section-toc.1-1.6.2.4.1"><xref derivedContent=
"6.4" format="counter" sectionFormat="of" target="section-6.4"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-handling-non-ddr-queri
es-fo">Handling Non-DDR Queries for resolver.arpa</xref></t>
</li>
<li pn="section-toc.1-1.6.2.5">
<t indent="0" pn="section-toc.1-1.6.2.5.1"><xref derivedContent=
"6.5" format="counter" sectionFormat="of" target="section-6.5"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-interaction-with-netwo
rk-de">Interaction with Network-Designated Resolvers</xref></t>
</li>
</ul>
</li>
<li pn="section-toc.1-1.7">
<t indent="0" pn="section-toc.1-1.7.1"><xref derivedContent="7" form
at="counter" sectionFormat="of" target="section-7"/>.  <xref derivedContent="" f
ormat="title" sectionFormat="of" target="name-security-considerations">Security
Considerations</xref></t>
</li>
<li pn="section-toc.1-1.8">
<t indent="0" pn="section-toc.1-1.8.1"><xref derivedContent="8" form
at="counter" sectionFormat="of" target="section-8"/>.  <xref derivedContent="" f
ormat="title" sectionFormat="of" target="name-iana-considerations">IANA Consider
ations</xref></t>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="sectio
n-toc.1-1.8.2">
<li pn="section-toc.1-1.8.2.1">
<t indent="0" pn="section-toc.1-1.8.2.1.1"><xref derivedContent=
"8.1" format="counter" sectionFormat="of" target="section-8.1"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-special-use-domain-nam
e-res">Special-Use Domain Name "resolver.arpa"</xref></t>
</li>
<li pn="section-toc.1-1.8.2.2">
<t indent="0" pn="section-toc.1-1.8.2.2.1"><xref derivedContent=
"8.2" format="counter" sectionFormat="of" target="section-8.2"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-domain-name-reservatio
n-con">Domain Name Reservation Considerations</xref></t>
</li>
</ul>
</li>
<li pn="section-toc.1-1.9">
<t indent="0" pn="section-toc.1-1.9.1"><xref derivedContent="9" form
at="counter" sectionFormat="of" target="section-9"/>.  <xref derivedContent="" f
ormat="title" sectionFormat="of" target="name-references">References</xref></t>
<ul bare="true" empty="true" indent="2" spacing="compact" pn="sectio
n-toc.1-1.9.2">
<li pn="section-toc.1-1.9.2.1">
<t indent="0" pn="section-toc.1-1.9.2.1.1"><xref derivedContent=
"9.1" format="counter" sectionFormat="of" target="section-9.1"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-normative-references">
Normative References</xref></t>
</li>
<li pn="section-toc.1-1.9.2.2">
<t indent="0" pn="section-toc.1-1.9.2.2.1"><xref derivedContent=
"9.2" format="counter" sectionFormat="of" target="section-9.2"/>.  <xref derived
Content="" format="title" sectionFormat="of" target="name-informative-references
">Informative References</xref></t>
</li>
</ul>
</li>
<li pn="section-toc.1-1.10">
<t indent="0" pn="section-toc.1-1.10.1"><xref derivedContent="Append
ix A" format="default" sectionFormat="of" target="section-appendix.a"/>.  <xref
derivedContent="" format="title" sectionFormat="of" target="name-rationale-for-u
sing-a-speci">Rationale for Using a Special-Use Domain Name</xref></t>
</li>
<li pn="section-toc.1-1.11">
<t indent="0" pn="section-toc.1-1.11.1"><xref derivedContent="Append
ix B" format="default" sectionFormat="of" target="section-appendix.b"/>.  <xref
derivedContent="" format="title" sectionFormat="of" target="name-rationale-for-u
sing-svcb-re">Rationale for Using SVCB Records</xref></t>
</li>
<li pn="section-toc.1-1.12">
<t indent="0" pn="section-toc.1-1.12.1"><xref derivedContent="" form
at="none" sectionFormat="of" target="section-appendix.c"/><xref derivedContent="
" format="title" sectionFormat="of" target="name-authors-addresses">Authors' Add
resses</xref></t>
</li>
</ul>
</section>
</toc>
</front> </front>
<middle> <middle>
<section anchor="introduction"> <section anchor="introduction" numbered="true" removeInRFC="false" toc="incl
<name>Introduction</name> ude" pn="section-1">
<t>When DNS clients wish to use encrypted DNS protocols such as DNS-over-T <name slugifiedName="name-introduction">Introduction</name>
LS (DoT) <t indent="0" pn="section-1-1">When DNS clients wish to use encrypted DNS
<xref target="RFC7858"/>, DNS-over-QUIC (DoQ) <xref target="RFC9250"/>, or DNS-o protocols such as DNS over TLS (DoT)
ver-HTTPS (DoH) <xref target="RFC8484"/>, <xref target="RFC7858" format="default" sectionFormat="of" derivedContent="RFC78
58"/>, DNS over QUIC (DoQ) <xref target="RFC9250" format="default" sectionFormat
="of" derivedContent="RFC9250"/>, or DNS over HTTPS (DoH) <xref target="RFC8484"
format="default" sectionFormat="of" derivedContent="RFC8484"/>,
they can require additional information beyond the IP address of the DNS server, they can require additional information beyond the IP address of the DNS server,
such as the resolver's hostname, alternate IP addresses, non-standard ports, or such as the resolver's hostname, alternate IP addresses, non-standard ports, or
URI templates. However, common configuration mechanisms only provide the resolve r's URI Templates. However, common configuration mechanisms only provide the resolve r's
IP address during configuration. Such mechanisms include network provisioning pr otocols IP address during configuration. Such mechanisms include network provisioning pr otocols
like DHCP <xref target="RFC2132"/> <xref target="RFC8415"/> and IPv6 Router Adve like DHCP <xref target="RFC2132" format="default" sectionFormat="of" derivedCont
rtisement (RA) options <xref target="RFC8106"/>, ent="RFC2132"/> <xref target="RFC8415" format="default" sectionFormat="of" deriv
as well as manual configuration.</t> edContent="RFC8415"/> and IPv6 Router Advertisement (RA) options <xref target="R
<t>This document defines two mechanisms for clients to discover designated FC8106" format="default" sectionFormat="of" derivedContent="RFC8106"/>,
resolvers that support these encrypted protocols using DNS server Service as well as manual configuration.
Binding (SVCB, <xref target="I-D.ietf-dnsop-svcb-https"/>) records:</t> </t>
<ol spacing="normal" type="1"><li>When only an IP address of an Unencrypte <t indent="0" pn="section-1-2">This document defines two mechanisms for cl
d DNS Resolver is known, the client ients to discover Designated
queries a special use domain name (SUDN) <xref target="RFC6761"/> to discover DN Resolvers that support these encrypted protocols using DNS server Service
S SVCB Binding (SVCB) records <xref target="RFC9460" format="default" sectionFormat="of
" derivedContent="RFC9460"/>:</t>
<ol spacing="normal" type="1" indent="adaptive" start="1" pn="section-1-3"
><li pn="section-1-3.1" derivedCounter="1.">When only an IP address of an Unencr
ypted DNS Resolver is known, the client
queries a Special-Use Domain Name (SUDN) <xref target="RFC6761" format="default"
sectionFormat="of" derivedContent="RFC6761"/> to discover DNS SVCB
records associated with one or more Encrypted DNS Resolvers the Unencrypted DNS records associated with one or more Encrypted DNS Resolvers the Unencrypted DNS
Resolver has designated for use when support for DNS encryption is Resolver has designated for use when support for DNS encryption is
requested (<xref target="bootstrapping"/>).</li> requested (<xref target="bootstrapping" format="default" sectionFormat="of" deri
<li>When the hostname of an Encrypted DNS Resolver is known, the client vedContent="Section 4"/>).</li>
requests <li pn="section-1-3.2" derivedCounter="2.">When the hostname of an Encry
pted DNS Resolver is known, the client requests
details by sending a query for a DNS SVCB record. This can be used to discover details by sending a query for a DNS SVCB record. This can be used to discover
alternate encrypted DNS protocols supported by a known server, or to provide alternate encrypted DNS protocols supported by a known server, or to provide
details if a resolver name is provisioned by a network (<xref target="encrypted" />).</li> details if a resolver name is provisioned by a network (<xref target="encrypted" format="default" sectionFormat="of" derivedContent="Section 5"/>).</li>
</ol> </ol>
<t>Both of these approaches allow clients to confirm that a discovered Enc rypted DNS <t indent="0" pn="section-1-4">Both of these approaches allow clients to c onfirm that a discovered Encrypted DNS
Resolver is designated by the originally provisioned resolver. "Designated" in Resolver is designated by the originally provisioned resolver. "Designated" in
this context means that the resolvers are operated by the same entity or this context means that the resolvers are operated by the same entity or
cooperating entities; for example, the resolvers are accessible on the same cooperating entities; for example, the resolvers are accessible on the same
IP address, or there is a certificate that contains the IP address for the IP address, or there is a certificate that contains the IP address for the
original designating resolver.</t> original designating resolver.</t>
<section anchor="specification-of-requirements"> <section anchor="specification-of-requirements" numbered="true" removeInRF
<name>Specification of Requirements</name> C="false" toc="include" pn="section-1.1">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", <name slugifiedName="name-specification-of-requiremen">Specification of
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and Requirements</name>
"OPTIONAL" in this document are to be interpreted as described in BCP 14 <t indent="0" pn="section-1.1-1">The key words "<bcp14>MUST</bcp14>", "<
<xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, bcp14>MUST NOT</bcp14>",
they appear in all capitals, as shown here.</t> "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>",
"<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>",
"<bcp14>SHOULD NOT</bcp14>",
"<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document
are to be interpreted as described in BCP 14
<xref target="RFC2119" format="default" sectionFormat="of" derivedContent
="RFC2119"/> <xref target="RFC8174" format="default" sectionFormat="of" derivedC
ontent="RFC8174"/> when, and only
when, they appear in all capitals, as shown here.</t>
</section> </section>
</section> </section>
<section anchor="terminology"> <section anchor="terminology" numbered="true" removeInRFC="false" toc="inclu
<name>Terminology</name> de" pn="section-2">
<t>This document defines the following terms:</t> <name slugifiedName="name-terminology">Terminology</name>
<dl> <t indent="0" pn="section-2-1">This document defines the following terms:<
<dt>DDR:</dt> /t>
<dd> <dl indent="3" newline="false" spacing="normal" pn="section-2-2">
<t>Discovery of Designated Resolvers. Refers to the mechanisms defined <dt pn="section-2-2.1">DDR:</dt>
<dd pn="section-2-2.2">
<t indent="0" pn="section-2-2.2.1">Discovery of Designated Resolvers.
"DDR" refers to the mechanisms defined
in this document.</t> in this document.</t>
</dd> </dd>
<dt>Designated Resolver:</dt> <dt pn="section-2-2.3">Designated Resolver:</dt>
<dd> <dd pn="section-2-2.4">
<t>A resolver, presumably an Encrypted DNS Resolver, designated by ano <t indent="0" pn="section-2-2.4.1">A resolver, presumably an Encrypted
ther resolver DNS Resolver, designated by another resolver
for use in its own place. This designation can be verified with TLS certificates .</t> for use in its own place. This designation can be verified with TLS certificates .</t>
</dd> </dd>
<dt>Encrypted DNS Resolver:</dt> <dt pn="section-2-2.5">Encrypted DNS Resolver:</dt>
<dd> <dd pn="section-2-2.6">
<t>A DNS resolver using any encrypted DNS transport. This includes cur <t indent="0" pn="section-2-2.6.1">A DNS resolver using any encrypted
rent DNS transport. This includes current
mechanisms such as DoH, DoT, and DoQ, as well as future mechanisms.</t> mechanisms such as DoH, DoT, and DoQ, as well as future mechanisms.</t>
</dd> </dd>
<dt>Unencrypted DNS Resolver:</dt> <dt pn="section-2-2.7">Unencrypted DNS Resolver:</dt>
<dd> <dd pn="section-2-2.8">
<t>A DNS resolver using a transport without encryption, historically <t indent="0" pn="section-2-2.8.1">A DNS resolver using a transport wi
thout encryption, historically
TCP or UDP port 53.</t> TCP or UDP port 53.</t>
</dd> </dd>
</dl> </dl>
</section> </section>
<section anchor="dns-service-binding-records"> <section anchor="dns-service-binding-records" numbered="true" removeInRFC="f
<name>DNS Service Binding Records</name> alse" toc="include" pn="section-3">
<t>DNS resolvers can advertise one or more Designated Resolvers that <name slugifiedName="name-dns-service-binding-records">DNS Service Binding
Records</name>
<t indent="0" pn="section-3-1">DNS resolvers can advertise one or more Des
ignated Resolvers that
may offer support over encrypted channels and are controlled by the same may offer support over encrypted channels and are controlled by the same
entity.</t> entity.</t>
<t>When a client discovers Designated Resolvers, it learns information suc h as <t indent="0" pn="section-3-2">When a client discovers Designated Resolver s, it learns information such as
the supported protocols and ports. This information is provided in ServiceMode the supported protocols and ports. This information is provided in ServiceMode
Service Binding (SVCB) records for DNS Servers, although AliasMode SVCB records SVCB records for DNS servers, although AliasMode SVCB records
can be used to direct clients to the needed ServiceMode SVCB record per can be used to direct clients to the needed ServiceMode SVCB record per
<xref target="I-D.ietf-dnsop-svcb-https"/>. The formatting of these records, inc <xref target="RFC9460" format="default" sectionFormat="of" derivedContent="RFC94
luding the 60"/>. The formatting of these records, including the
DNS-unique parameters such as "dohpath", are defined by <xref target="I-D.ietf-a DNS-unique parameters such as "dohpath", are defined by <xref target="RFC9461" f
dd-svcb-dns"/>.</t> ormat="default" sectionFormat="of" derivedContent="RFC9461"/>.</t>
<t>The following is an example of an SVCB record describing a DoH server d <t indent="0" pn="section-3-3">The following is an example of a SVCB recor
iscovered d describing a DoH server discovered
by querying for <tt>_dns.example.net</tt>:</t> by querying for <tt>_dns.example.net</tt>:</t>
<artwork><![CDATA[ <artwork align="left" pn="section-3-4">
_dns.example.net. 7200 IN SVCB 1 example.net. ( _dns.example.net. 7200 IN SVCB 1 example.net. (
alpn=h2 dohpath=/dns-query{?dns} ) alpn=h2 dohpath=/dns-query{?dns} )
]]></artwork> </artwork>
<t>The following is an example of an SVCB record describing a DoT server d <t indent="0" pn="section-3-5">The following is an example of a SVCB recor
iscovered d describing a DoT server discovered
by querying for <tt>_dns.example.net</tt>:</t> by querying for <tt>_dns.example.net</tt>:</t>
<artwork><![CDATA[ <artwork align="left" pn="section-3-6">
_dns.example.net. 7200 IN SVCB 1 dot.example.net ( _dns.example.net. 7200 IN SVCB 1 dot.example.net (
alpn=dot port=8530 ) alpn=dot port=8530 )
]]></artwork> </artwork>
<t>The following is an example of an SVCB record describing a DoQ server d <t indent="0" pn="section-3-7">The following is an example of a SVCB recor
iscovered d describing a DoQ server discovered
by querying for <tt>_dns.example.net</tt>:</t> by querying for <tt>_dns.example.net</tt>:</t>
<artwork><![CDATA[ <artwork align="left" pn="section-3-8">
_dns.example.net. 7200 IN SVCB 1 doq.example.net ( _dns.example.net. 7200 IN SVCB 1 doq.example.net (
alpn=doq port=8530 ) alpn=doq port=8530 )
]]></artwork> </artwork>
<t>If multiple Designated Resolvers are available, using one or more <t indent="0" pn="section-3-9">If multiple Designated Resolvers are availa
ble, using one or more
encrypted DNS protocols, the resolver deployment can indicate a preference using encrypted DNS protocols, the resolver deployment can indicate a preference using
the priority fields in each SVCB record <xref target="I-D.ietf-dnsop-svcb-https" the priority fields in each SVCB record <xref target="RFC9460" format="default"
/>.</t> sectionFormat="of" derivedContent="RFC9460"/>.</t>
<t>If the client encounters a mandatory parameter in an SVCB record it doe <t indent="0" pn="section-3-10">If the client encounters a mandatory param
s not eter in a SVCB record it does not
understand, it MUST NOT use that record to discover a Designated Resolver, in ac understand, it <bcp14>MUST NOT</bcp14> use that record to discover a Designated
cordance Resolver, in accordance
with <xref section="8" sectionFormat="of" target="I-D.ietf-dnsop-svcb-https"/>. with <xref section="8" sectionFormat="of" target="RFC9460" format="default" deri
The vedLink="https://rfc-editor.org/rfc/rfc9460#section-8" derivedContent="RFC9460"/
>. The
client can still use other records in the same response if the client can unders tand client can still use other records in the same response if the client can unders tand
all of their mandatory parameters. This allows future encrypted deployments to all of their mandatory parameters. This allows future encrypted deployments to
simultaneously support protocols even if a given client is not aware of all thos e simultaneously support protocols even if a given client is not aware of all thos e
protocols. For example, if the Unencrypted DNS Resolver returns three SVCB recor protocols. For example, if the Unencrypted DNS Resolver returns three SVCB recor
ds, one ds -- one
for DoH, one for DoT, and one for a yet-to-exist protocol, a client which only s for DoH, one for DoT, and one for a yet-to-exist protocol -- a client that only
upports supports
DoH and DoT should be able to use those records while safely ignoring the third record.</t> DoH and DoT should be able to use those records while safely ignoring the third record.</t>
<t>To avoid name lookup deadlock, clients that use Designated Resolvers ne <t indent="0" pn="section-3-11">To avoid name lookup deadlock, clients tha
ed to ensure t use Designated Resolvers need to ensure
that a specific Encrypted Resolver is not used for any queries that are needed t that a specific Encrypted DNS Resolver is not used for any queries that are need
o ed to
resolve the name of the resolver itself or to perform certificate revocation che cks for resolve the name of the resolver itself or to perform certificate revocation che cks for
the resolver, as described in <xref section="10" sectionFormat="of" target="RFC8 the resolver, as described in <xref section="10" sectionFormat="of" target="RFC8
484"/>. Designated Resolvers need to ensure this deadlock is avoidable as descri 484" format="default" derivedLink="https://rfc-editor.org/rfc/rfc8484#section-10
bed in <xref section="10" sectionFormat="of" target="RFC8484"/>.</t> " derivedContent="RFC8484"/>. Designated Resolvers need to ensure that this dead
<t>This document focuses on discovering DoH, DoT, and DoQ Designated Resol lock is avoidable, as also described in <xref section="10" sectionFormat="of" ta
vers. rget="RFC8484" format="default" derivedLink="https://rfc-editor.org/rfc/rfc8484#
Other protocols can also use the format defined by <xref target="I-D.ietf-add-sv section-10" derivedContent="RFC8484"/>.</t>
cb-dns"/>. <t indent="0" pn="section-3-12">This document focuses on discovering DoH,
DoT, and DoQ Designated Resolvers.
Other protocols can also use the format defined by <xref target="RFC9461" format
="default" sectionFormat="of" derivedContent="RFC9461"/>.
However, if any such protocol does not involve some form of certificate However, if any such protocol does not involve some form of certificate
validation, new validation mechanisms will need to be defined to support validation, new validation mechanisms will need to be defined to support
validating designation as defined in <xref target="verified"/>.</t> validating designation as defined in <xref target="verified" format="default" se ctionFormat="of" derivedContent="Section 4.2"/>.</t>
</section> </section>
<section anchor="bootstrapping"> <section anchor="bootstrapping" numbered="true" removeInRFC="false" toc="inc
<name>Discovery Using Resolver IP Addresses</name> lude" pn="section-4">
<t>When a DNS client is configured with an Unencrypted DNS Resolver IP add <name slugifiedName="name-discovery-using-resolver-ip">Discovery Using Res
ress, it olver IP Addresses</name>
SHOULD query the resolver for SVCB records of a service with a scheme of "dns" a <t indent="0" pn="section-4-1">When a DNS client is configured with an Une
nd ncrypted DNS Resolver IP address, it
an Authority of "resolver.arpa" before making other queries. This allows the cli <bcp14>SHOULD</bcp14> query the resolver for SVCB records of a service with a sc
ent heme of "dns" and
to switch to using Encrypted DNS for all other queries, if possible. Specificall an authority of "resolver.arpa" before making other queries. This allows the cli
y, ent
the client issues a query for <tt>_dns.resolver.arpa.</tt> with the SVCB resourc to switch to using encrypted DNS for all other queries, if possible. Specificall
e record type y,
(64) <xref target="I-D.ietf-dnsop-svcb-https"/>.</t> the client issues a query for <tt>_dns.resolver.arpa.</tt> with the SVCB resourc
<t>Responses to the SVCB query for the "resolver.arpa" SUDN describe Desig e record type
nated Resolvers. (64) <xref target="RFC9460" format="default" sectionFormat="of" derivedContent="
RFC9460"/>.</t>
<t indent="0" pn="section-4-2">Responses to the SVCB query for the "resolv
er.arpa" SUDN describe Designated Resolvers.
To ensure that different Designated Resolver configurations can be correctly To ensure that different Designated Resolver configurations can be correctly
distinguished and associated with A and AAAA records for the resolver, ServiceMo de distinguished and associated with A and AAAA records for the resolver, ServiceMo de
SVCB responses to these queries MUST NOT use the "." or "resolver.arpa" value fo SVCB responses to these queries <bcp14>MUST NOT</bcp14> use the "." or "resolver
r .arpa" value for
the TargetName. Similarly, clients MUST NOT perform A or AAAA queries for the TargetName. Similarly, clients <bcp14>MUST NOT</bcp14> perform A or AAAA que
ries for
"resolver.arpa".</t> "resolver.arpa".</t>
<t>The following is an example of an SVCB record describing a DoH server d <t indent="0" pn="section-4-3">The following is an example of a SVCB recor
iscovered d describing a DoH server discovered
by querying for <tt>_dns.resolver.arpa</tt>:</t> by querying for <tt>_dns.resolver.arpa.</tt>:</t>
<artwork><![CDATA[ <artwork align="left" pn="section-4-4">
_dns.resolver.arpa. 7200 IN SVCB 1 doh.example.net ( _dns.resolver.arpa. 7200 IN SVCB 1 doh.example.net (
alpn=h2 dohpath=/dns-query{?dns} ) alpn=h2 dohpath=/dns-query{?dns} )
]]></artwork> </artwork>
<t>The following is an example of an SVCB record describing a DoT server d <t indent="0" pn="section-4-5">The following is an example of a SVCB recor
iscovered d describing a DoT server discovered
by querying for <tt>_dns.resolver.arpa</tt>:</t> by querying for <tt>_dns.resolver.arpa.</tt>:</t>
<artwork><![CDATA[ <artwork align="left" pn="section-4-6">
_dns.resolver.arpa. 7200 IN SVCB 1 dot.example.net ( _dns.resolver.arpa. 7200 IN SVCB 1 dot.example.net (
alpn=dot port=8530 ) alpn=dot port=8530 )
]]></artwork> </artwork>
<t>The following is an example of an SVCB record describing a DoQ server d <t indent="0" pn="section-4-7">The following is an example of a SVCB recor
iscovered d describing a DoQ server discovered
by querying for <tt>_dns.resolver.arpa</tt>:</t> by querying for <tt>_dns.resolver.arpa.</tt>:</t>
<artwork><![CDATA[ <artwork align="left" pn="section-4-8">
_dns.resolver.arpa. 7200 IN SVCB 1 doq.example.net ( _dns.resolver.arpa. 7200 IN SVCB 1 doq.example.net (
alpn=doq port=8530 ) alpn=doq port=8530 )
]]></artwork> </artwork>
<t>If the recursive resolver that receives this query has one or more Desi <t indent="0" pn="section-4-9">If the recursive resolver that receives thi
gnated s query has one or more Designated
Resolvers, it will return the corresponding SVCB records. When responding Resolvers, it will return the corresponding SVCB records. When responding
to these special queries for "resolver.arpa", the recursive resolver to these special queries for "resolver.arpa", the recursive resolver
SHOULD include the A and AAAA records for the name of the Designated Resolver <bcp14>SHOULD</bcp14> include the A and AAAA records for the name of the Designa ted Resolver
in the Additional Answers section. This will save the DNS client an additional in the Additional Answers section. This will save the DNS client an additional
round trip to retrieve the address of the designated resolver; see <xref section round trip to retrieve the address of the Designated Resolver; see <xref section
="5" sectionFormat="of" target="I-D.ietf-dnsop-svcb-https"/>.</t> ="5" sectionFormat="of" target="RFC9460" format="default" derivedLink="https://r
<t>Designated Resolvers SHOULD be accessible using the IP address families fc-editor.org/rfc/rfc9460#section-5" derivedContent="RFC9460"/>.</t>
that <t indent="0" pn="section-4-10">Designated Resolvers <bcp14>SHOULD</bcp14>
be accessible using the IP address families that
are supported by their associated Unencrypted DNS Resolvers. If an Unencrypted D NS Resolver are supported by their associated Unencrypted DNS Resolvers. If an Unencrypted D NS Resolver
is accessible using an IPv4 address, it ought to provide an A record for an is accessible using an IPv4 address, it ought to provide an A record for an
IPv4 address of the Designated Resolver; similarly, if it is accessible using an IPv4 address of the Designated Resolver; similarly, if it is accessible using an
IPv6 address, it ought to provide a AAAA record for an IPv6 address of the IPv6 address, it ought to provide a AAAA record for an IPv6 address of the
Designated Resolver. The Designated Resolver MAY support more address families Designated Resolver. The Designated Resolver <bcp14>MAY</bcp14> support more add
than the Unencrypted DNS Resolver, but it SHOULD NOT support fewer. If this is ress families
than the Unencrypted DNS Resolver, but it <bcp14>SHOULD NOT</bcp14> support fewe
r. If this is
not done, clients that only have connectivity over one address family might not not done, clients that only have connectivity over one address family might not
be able to access the Designated Resolver.</t> be able to access the Designated Resolver.</t>
<t>If the recursive resolver that receives this query has no Designated Re <t indent="0" pn="section-4-11">If the recursive resolver that receives th
solvers, is query has no Designated Resolvers,
it SHOULD return NODATA for queries to the "resolver.arpa" zone, to provide it <bcp14>SHOULD</bcp14> return NODATA for queries to the "resolver.arpa" zone,
to provide
a consistent and accurate signal to clients that it does not have a a consistent and accurate signal to clients that it does not have a
Designated Resolver.</t> Designated Resolver.</t>
<section anchor="use-of-designated-resolvers"> <section anchor="use-of-designated-resolvers" numbered="true" removeInRFC=
<name>Use of Designated Resolvers</name> "false" toc="include" pn="section-4.1">
<t>When a client discovers Designated Resolvers from an Unencrypted DNS <name slugifiedName="name-use-of-designated-resolvers">Use of Designated
Resolver IP Resolvers</name>
address, it can choose to use these Designated Resolvers either automatically, <t indent="0" pn="section-4.1-1">When a client discovers Designated Reso
or based on some other policy, heuristic, or user choice.</t> lvers from an Unencrypted DNS Resolver IP
<t>This document defines two preferred methods to automatically use Desi address, it can choose to use these Designated Resolvers either (1) automaticall
gnated y or (2) based on some other policy, heuristic, or user choice.</t>
<t indent="0" pn="section-4.1-2">This document defines two preferred met
hods for automatically using Designated
Resolvers:</t> Resolvers:</t>
<ul spacing="normal"> <ul spacing="normal" bare="false" empty="false" indent="3" pn="section-4
<li>Verified Discovery (<xref target="verified"/>), for when a TLS cer .1-3">
tificate can <li pn="section-4.1-3.1">Verified Discovery (<xref target="verified" f
ormat="default" sectionFormat="of" derivedContent="Section 4.2"/>), for when a T
LS certificate can
be used to validate the resolver's identity.</li> be used to validate the resolver's identity.</li>
<li>Opportunistic Discovery (<xref target="opportunistic"/>), for when a resolver's IP address <li pn="section-4.1-3.2">Opportunistic Discovery (<xref target="opport unistic" format="default" sectionFormat="of" derivedContent="Section 4.3"/>), fo r when a resolver's IP address
is a private or local address.</li> is a private or local address.</li>
</ul> </ul>
<t>A client MAY additionally use a discovered Designated Resolver withou t <t indent="0" pn="section-4.1-4">A client <bcp14>MAY</bcp14> additionall y use a discovered Designated Resolver without
either of these methods, based on implementation-specific policy or user input. either of these methods, based on implementation-specific policy or user input.
Details of such policy are out of scope of this document. Clients MUST NOT Details of such policy are out of scope for this document. Clients <bcp14>MUST N OT</bcp14>
automatically use a Designated Resolver without some sort of validation, automatically use a Designated Resolver without some sort of validation,
such as the two methods defined in this document or a future mechanism. Use such as the two methods defined in this document or a future mechanism. Use
without validation can allow an attacker to direct traffic to an Encrypted without validation can allow an attacker to direct traffic to an Encrypted DNS
Resolver that is unrelated to the original Unencrypted DNS Resolver, as Resolver that is unrelated to the original Unencrypted DNS Resolver, as
described in <xref target="security"/>.</t> described in <xref target="security" format="default" sectionFormat="of" derived
<t>A client MUST NOT re-use a designation discovered using the IP addres Content="Section 7"/>.</t>
s of one <t indent="0" pn="section-4.1-5">A client <bcp14>MUST NOT</bcp14> reuse
a designation discovered using the IP address of one
Unencrypted DNS Resolver in place of any other Unencrypted DNS Resolver. Instead , Unencrypted DNS Resolver in place of any other Unencrypted DNS Resolver. Instead ,
the client needs to repeat the discovery process to discover the Designated Reso lver the client needs to repeat the discovery process to discover the Designated Reso lver
of the other Unencrypted DNS Resolver. In other words, designations are of the other Unencrypted DNS Resolver. In other words, designations are
per-resolver and MUST NOT be used to configure the client's universal DNS per-resolver and <bcp14>MUST NOT</bcp14> be used to configure the client's unive rsal DNS
behavior. This ensures in all cases that queries are being sent to a party behavior. This ensures in all cases that queries are being sent to a party
designated by the resolver originally being used.</t> designated by the resolver originally being used.</t>
<section anchor="use-of-designated-resolvers-across-network-changes"> <section anchor="use-of-designated-resolvers-across-network-changes" num
<name>Use of Designated Resolvers across network changes</name> bered="true" removeInRFC="false" toc="include" pn="section-4.1.1">
<t>If a client is configured with the same Unencrypted DNS Resolver IP <name slugifiedName="name-use-of-designated-resolvers-">Use of Designa
address on ted Resolvers across Network Changes</name>
<t indent="0" pn="section-4.1.1-1">If a client is configured with the
same Unencrypted DNS Resolver IP address on
multiple different networks, a Designated Resolver that has been discovered on o ne multiple different networks, a Designated Resolver that has been discovered on o ne
network SHOULD NOT be reused on any of the other networks without repeating the network <bcp14>SHOULD NOT</bcp14> be reused on any of the other networks without repeating the
discovery process for each network, since the same IP address may be used for discovery process for each network, since the same IP address may be used for
different servers on the different networks.</t> different servers on the different networks.</t>
</section> </section>
</section> </section>
<section anchor="verified"> <section anchor="verified" numbered="true" removeInRFC="false" toc="includ
<name>Verified Discovery</name> e" pn="section-4.2">
<t>Verified Discovery is a mechanism that allows automatic use of a <name slugifiedName="name-verified-discovery">Verified Discovery</name>
<t indent="0" pn="section-4.2-1">Verified Discovery is a mechanism that
allows the automatic use of a
Designated Resolver that supports DNS encryption that performs a TLS handshake.< /t> Designated Resolver that supports DNS encryption that performs a TLS handshake.< /t>
<t>In order to be considered a verified Designated Resolver, the TLS cer tificate <t indent="0" pn="section-4.2-2">In order to be considered a verified De signated Resolver, the TLS certificate
presented by the Designated Resolver needs to pass the following checks made presented by the Designated Resolver needs to pass the following checks made
by the client:</t> by the client:</t>
<ol spacing="normal" type="1"><li>The client MUST verify the chain of ce <ol spacing="normal" type="1" indent="adaptive" start="1" pn="section-4.
rtificates up to a trust anchor 2-3"><li pn="section-4.2-3.1" derivedCounter="1.">The client <bcp14>MUST</bcp14>
as described in <xref section="6" sectionFormat="of" target="RFC5280"/>. This SH verify the chain of certificates up to a trust anchor
OULD use the default as described in <xref section="6" sectionFormat="of" target="RFC5280" format="de
fault" derivedLink="https://rfc-editor.org/rfc/rfc5280#section-6" derivedContent
="RFC5280"/>. The client <bcp14>SHOULD</bcp14> use the default
system or application trust anchors, unless otherwise configured.</li> system or application trust anchors, unless otherwise configured.</li>
<li>The client MUST verify that the certificate contains the IP addres s of the <li pn="section-4.2-3.2" derivedCounter="2.">The client <bcp14>MUST</b cp14> verify that the certificate contains the IP address of the
designating Unencrypted DNS Resolver in an iPAddress entry of the subjectAltName designating Unencrypted DNS Resolver in an iPAddress entry of the subjectAltName
extension as described in <xref section="4.2.1.6" sectionFormat="of" target="RFC 5280"/>.</li> extension as described in <xref section="4.2.1.6" sectionFormat="of" target="RFC 5280" format="default" derivedLink="https://rfc-editor.org/rfc/rfc5280#section-4 .2.1.6" derivedContent="RFC5280"/>.</li>
</ol> </ol>
<t>If these checks pass, the client SHOULD use the discovered Designated Resolver <t indent="0" pn="section-4.2-4">If these checks pass, the client <bcp14 >SHOULD</bcp14> use the discovered Designated Resolver
for any cases in which it would have otherwise used the Unencrypted DNS Resolver , for any cases in which it would have otherwise used the Unencrypted DNS Resolver ,
so as to prefer Encrypted DNS whenever possible.</t> so as to prefer encrypted DNS whenever possible.</t>
<t>If these checks fail, the client MUST NOT automatically use the disco <t indent="0" pn="section-4.2-5">If these checks fail, the client <bcp14
vered >MUST NOT</bcp14> automatically use the discovered
Designated Resolver if this designation was only discovered via a Designated Resolver if this designation was only discovered via a
<tt>_dns.resolver.arpa.</tt> query (if the designation was advertised directly <tt>_dns.resolver.arpa.</tt> query (if the designation was advertised directly
by the network as described in <xref target="dnr-interaction"/>, the server can by the network as described in <xref target="dnr-interaction" format="default" s
still ectionFormat="of" derivedContent="Section 6.5"/>, the server can still
be used). Additionally, the client SHOULD suppress any further be used). Additionally, the client <bcp14>SHOULD</bcp14> suppress any further
queries for Designated Resolvers using this Unencrypted DNS Resolver for the queries for Designated Resolvers using this Unencrypted DNS Resolver for the
length of time indicated by the SVCB record's Time to Live (TTL) in order length of time indicated by the SVCB record's Time to Live (TTL) in order
to avoid excessive queries that will lead to further failed validations. to avoid excessive queries that will lead to further failed validations.
The client MAY issue new queries if the SVCB record's TTL is excessively The client <bcp14>MAY</bcp14> issue new queries if the SVCB record's TTL is exce ssively
long (as determined by client policy) to minimize the length of time an long (as determined by client policy) to minimize the length of time an
intermittent attacker can prevent use of encrypted DNS.</t> intermittent attacker can prevent the use of encrypted DNS.</t>
<t>If the Designated Resolver and the Unencrypted DNS Resolver share an <t indent="0" pn="section-4.2-6">If the Designated Resolver and the Unen
IP crypted DNS Resolver share an IP
address, clients MAY choose to opportunistically use the Designated Resolver eve address, clients <bcp14>MAY</bcp14> choose to opportunistically use the Designat
n ed Resolver even
without this certificate check (<xref target="opportunistic"/>). If the IP addre without this certificate check (<xref target="opportunistic" format="default" se
ss is not shared, ctionFormat="of" derivedContent="Section 4.3"/>). If the IP address is not share
opportunistic use allows for attackers to redirect queries to an unrelated Encry d,
pted opportunistic use allows for attackers to redirect queries to an unrelated Encry
Resolver, as described in <xref target="security"/>.</t> pted DNS
<t>Connections to a Designated Resolver can use a different IP address t Resolver, as described in <xref target="security" format="default" sectionFormat
han ="of" derivedContent="Section 7"/>.</t>
the IP address of the Unencrypted DNS Resolver, such as if the process of <t indent="0" pn="section-4.2-7">Connections to a Designated Resolver ca
n use a different IP address than
the IP address of the Unencrypted DNS Resolver -- for example, if the process of
resolving the SVCB service yields additional addresses. Even when a different resolving the SVCB service yields additional addresses. Even when a different
IP address is used for the connection, the TLS certificate checks described IP address is used for the connection, the TLS certificate checks described
in this section still apply for the original IP address of the Unencrypted in this section still apply for the original IP address of the Unencrypted
DNS Resolver.</t> DNS Resolver.</t>
</section> </section>
<section anchor="opportunistic"> <section anchor="opportunistic" numbered="true" removeInRFC="false" toc="i
<name>Opportunistic Discovery</name> nclude" pn="section-4.3">
<t>There are situations where Verified Discovery of encrypted DNS <name slugifiedName="name-opportunistic-discovery">Opportunistic Discove
configuration over unencrypted DNS is not possible. This includes Unencrypted DN ry</name>
S <t indent="0" pn="section-4.3-1">There are situations where Verified Dis
Resolvers on private IP addresses <xref target="RFC1918"/>, Unique Local Address covery of encrypted DNS
es (ULAs) configuration over unencrypted DNS is not possible. For example, the identities
<xref target="RFC4193"/>, and Link Local Addresses <xref target="RFC3927"/> <xre of Unencrypted DNS
f target="RFC4291"/>, whose Resolvers on private IP addresses <xref target="RFC1918" format="default" sectio
identity cannot be safely confirmed using TLS certificates under most conditions nFormat="of" derivedContent="RFC1918"/>, Unique Local Addresses (ULAs)
.</t> <xref target="RFC4193" format="default" sectionFormat="of" derivedContent="RFC41
<t>An Opportunistic Privacy Profile is defined for DoT in <xref section= 93"/>, and Link-Local addresses <xref target="RFC3927" format="default" sectionF
"4.1" sectionFormat="of" target="RFC7858"/> ormat="of" derivedContent="RFC3927"/> <xref target="RFC4291" format="default" se
ctionFormat="of" derivedContent="RFC4291"/> cannot be safely confirmed using TLS
certificates under most conditions.</t>
<t indent="0" pn="section-4.3-2">An opportunistic privacy profile is def
ined for DoT in <xref section="4.1" sectionFormat="of" target="RFC7858" format="
default" derivedLink="https://rfc-editor.org/rfc/rfc7858#section-4.1" derivedCon
tent="RFC7858"/>
as a mode in which clients do not validate the name of the resolver presented in as a mode in which clients do not validate the name of the resolver presented in
the certificate. This Opportunistic Privacy Profile similarly applies to the certificate. This opportunistic privacy profile similarly applies to
DoQ <xref target="RFC9250"/>. For this profile, <xref section="4.1" sectionForma DoQ <xref target="RFC9250" format="default" sectionFormat="of" derivedContent="R
t="of" target="RFC7858"/> explains that FC9250"/>. For this profile, <xref section="4.1" sectionFormat="of" target="RFC7
858" format="default" derivedLink="https://rfc-editor.org/rfc/rfc7858#section-4.
1" derivedContent="RFC7858"/> explains that
clients might or might not validate the resolver; however, even if clients choos e clients might or might not validate the resolver; however, even if clients choos e
to perform some certificate validation checks, they will not be able to validate to perform some certificate validation checks, they will not be able to validate
the names presented in the SubjectAlternativeName field of the certificate for the names presented in the SubjectAltName (SAN) field of the certificate for
private and local IP addresses.</t> private and local IP addresses.</t>
<t>A client MAY use information from the SVCB record for "_dns.resolver. <t indent="0" pn="section-4.3-3">A client <bcp14>MAY</bcp14> use informa
arpa" with tion from the SVCB record for <tt>_dns.resolver.arpa.</tt> with
this Opportunistic Privacy Profile as long as the IP address of the Encrypted this opportunistic privacy profile as long as the IP address of the Encrypted
DNS Resolver does not differ from the IP address of the Unencrypted DNS Resolver does not differ from the IP address of the Unencrypted
DNS Resolver. Clients SHOULD use this mode only for resolvers using private or DNS Resolver. Clients <bcp14>SHOULD</bcp14> use this mode only for resolvers usi ng private or
local IP addresses, since resolvers that use other addresses are able to provisi on local IP addresses, since resolvers that use other addresses are able to provisi on
TLS certificates for their addresses.</t> TLS certificates for their addresses.</t>
</section> </section>
</section> </section>
<section anchor="encrypted"> <section anchor="encrypted" numbered="true" removeInRFC="false" toc="include
<name>Discovery Using Resolver Names</name> " pn="section-5">
<t>A DNS client that already knows the name of an Encrypted DNS Resolver c <name slugifiedName="name-discovery-using-resolver-na">Discovery Using Res
an use DDR olver Names</name>
<t indent="0" pn="section-5-1">A DNS client that already knows the name of
an Encrypted DNS Resolver can use DDR
to discover details about all supported encrypted DNS protocols. This situation to discover details about all supported encrypted DNS protocols. This situation
can arise if a client has been configured to use a given Encrypted DNS Resolver, or can arise if a client has been configured to use a given Encrypted DNS Resolver, or
if a network provisioning protocol (such as DHCP or IPv6 Router Advertisements) if a network provisioning protocol (such as DHCP or IPv6 RAs)
provides a name for an Encrypted DNS Resolver alongside the resolver IP address, provides a name for an Encrypted DNS Resolver alongside the resolver IP address,
such as by using Discovery of Network Resolvers (DNR) <xref target="I-D.ietf-add such as by using Discovery of Network-designated Resolvers (DNR) <xref target="R
-dnr"/>.</t> FC9463" format="default" sectionFormat="of" derivedContent="RFC9463"/>.</t>
<t>For these cases, the client simply sends a DNS SVCB query using the kno <t indent="0" pn="section-5-2">For these cases, the client simply sends a
wn name DNS SVCB query using the known name
of the resolver. This query can be issued to the named Encrypted DNS Resolver it self of the resolver. This query can be issued to the named Encrypted DNS Resolver it self
or to any other resolver. Unlike the case of bootstrapping from an Unencrypted D NS or to any other resolver. Unlike the case of bootstrapping from an Unencrypted D NS
Resolver (<xref target="bootstrapping"/>), these records SHOULD be available in the public Resolver (<xref target="bootstrapping" format="default" sectionFormat="of" deriv edContent="Section 4"/>), these records <bcp14>SHOULD</bcp14> be available in th e public
DNS if the same domain name's A or AAAA records are available in the DNS if the same domain name's A or AAAA records are available in the
public DNS to allow using any resolver to discover another resolver's Designated public DNS to allow using any resolver to discover another resolver's Designated
Resolvers. When the name can only be resolved in private namespaces, Resolvers. When the name can only be resolved in private namespaces,
these records SHOULD be available to the same audience as the A and AAAA records these records <bcp14>SHOULD</bcp14> be available to the same audience as the A a
.</t> nd AAAA records.</t>
<t>For example, if the client already knows about a DoT server <t indent="0" pn="section-5-3">For example, if the client already knows ab
<tt>resolver.example.com</tt>, it can issue an SVCB query for out a DoT server
<tt>resolver.example.com</tt>, it can issue a SVCB query for
<tt>_dns.resolver.example.com</tt> to discover if there are other encrypted DNS <tt>_dns.resolver.example.com</tt> to discover if there are other encrypted DNS
protocols available. In the following example, the SVCB answers indicate that protocols available. In the following example, the SVCB answers indicate that
<tt>resolver.example.com</tt> supports both DoH and DoT, and that the DoH server <tt>resolver.example.com</tt> supports both DoH and DoT and that the DoH server
indicates a higher priority than the DoT server.</t> indicates a higher priority than the DoT server.</t>
<artwork><![CDATA[ <artwork align="left" pn="section-5-4">
_dns.resolver.example.com. 7200 IN SVCB 1 resolver.example.com. ( _dns.resolver.example.com. 7200 IN SVCB 1 resolver.example.com. (
alpn=h2 dohpath=/dns-query{?dns} ) alpn=h2 dohpath=/dns-query{?dns} )
_dns.resolver.example.com. 7200 IN SVCB 2 resolver.example.com. ( _dns.resolver.example.com. 7200 IN SVCB 2 resolver.example.com. (
alpn=dot ) alpn=dot )
]]></artwork> </artwork>
<t>Clients MUST validate that for any Encrypted DNS Resolver discovered us <t indent="0" pn="section-5-5">Clients <bcp14>MUST</bcp14> validate that f
ing a or any Encrypted DNS Resolver discovered using a
known resolver name, the TLS certificate of the resolver contains the known resolver name, the TLS certificate of the resolver contains the
known name in a subjectAltName extension. In the example above, known name in a subjectAltName extension. In the example above,
this means that both servers need to have certificates that cover this means that both servers need to have certificates that cover
the name <tt>resolver.example.com</tt>. Often, the various supported encrypted the name <tt>resolver.example.com</tt>. Often, the various supported encrypted
DNS protocols will be specified such that the SVCB TargetName matches the DNS protocols will be specified such that the SVCB TargetName matches the
known name, as is true in the example above. However, even when the known name, as is true in the example above. However, even when the
TargetName is different (for example, if the DoH server had a TargetName of TargetName is different (for example, if the DoH server had a TargetName of
<tt>doh.example.com</tt>), the clients still check for the original known resolv er <tt>doh.example.com</tt>), the clients still check for the original known resolv er
name in the certificate.</t> name in the certificate.</t>
<t>Note that this resolver validation is not related to the DNS resolver t hat <t indent="0" pn="section-5-6">Note that this resolver validation is not r elated to the DNS resolver that
provided the SVCB answer.</t> provided the SVCB answer.</t>
<t>As another example, being able to discover a Designated Resolver for a known <t indent="0" pn="section-5-7">As another example, being able to discover a Designated Resolver for a known
Encrypted DNS Resolver is useful when a client has a DoT configuration for Encrypted DNS Resolver is useful when a client has a DoT configuration for
<tt>foo.resolver.example.com</tt> but is on a network that blocks DoT traffic. T he <tt>foo.resolver.example.com</tt> but is on a network that blocks DoT traffic. T he
client can still send a query to any other accessible resolver (either the local client can still send a query to any other accessible resolver (either the local
network resolver or an accessible DoH server) to discover if there is a designat ed network resolver or an accessible DoH server) to discover if there is a designat ed
DoH server for <tt>foo.resolver.example.com</tt>.</t> DoH server for <tt>foo.resolver.example.com</tt>.</t>
</section> </section>
<section anchor="deployment-considerations"> <section anchor="deployment-considerations" numbered="true" removeInRFC="fal
<name>Deployment Considerations</name> se" toc="include" pn="section-6">
<t>Resolver deployments that support DDR are advised to consider the follo <name slugifiedName="name-deployment-considerations">Deployment Considerat
wing ions</name>
<t indent="0" pn="section-6-1">Resolver deployments that support DDR are a
dvised to consider the following
points.</t> points.</t>
<section anchor="caching-forwarders"> <section anchor="caching-forwarders" numbered="true" removeInRFC="false" t
<name>Caching Forwarders</name> oc="include" pn="section-6.1">
<t>A DNS forwarder SHOULD NOT forward queries for "resolver.arpa" (or an <name slugifiedName="name-caching-forwarders">Caching Forwarders</name>
y subdomains) <t indent="0" pn="section-6.1-1">A DNS forwarder <bcp14>SHOULD NOT</bcp1
upstream. This prevents a client from receiving an SVCB record that will fail to 4> forward queries for "resolver.arpa" (or any subdomains)
authenticate because the forwarder's IP address is not in the upstream resolver' upstream. This prevents a client from receiving a SVCB record that will fail to
s authenticate because the forwarder's IP address is not in the SubjectAltName (SA
Designated Resolver's TLS certificate SAN field. A DNS forwarder which already a N) field of the upstream resolver's Designated Resolver's TLS certificate. A DNS
cts as a forwarder that already acts as a
completely transparent forwarder MAY choose to forward these queries when the op completely transparent forwarder <bcp14>MAY</bcp14> choose to forward these quer
erator ies when the operator
expects that this does not apply, either because the operator knows that the ups expects that this does not apply, because the operator either knows that the ups
tream tream
resolver does have the forwarder's IP address in its TLS certificate's SAN field resolver does have the forwarder's IP address in its TLS certificate's SAN field
or that the operator expects clients to validate the connection via some future or expects clients to validate the connection via some future mechanism.</t>
mechanism.</t> <t indent="0" pn="section-6.1-2">Operators who choose to forward queries
<t>Operators who choose to forward queries for "resolver.arpa" upstream for "resolver.arpa" upstream should note
should note that client behavior is never guaranteed and that the use of DDR by a resolver d
that client behavior is never guaranteed and use of DDR by a resolver does not oes not
communicate a requirement for clients to use the SVCB record when it cannot be communicate a requirement for clients to use the SVCB record when it cannot be
verified.</t> verified.</t>
</section> </section>
<section anchor="certificate-management"> <section anchor="certificate-management" numbered="true" removeInRFC="fals
<name>Certificate Management</name> e" toc="include" pn="section-6.2">
<t>Resolver owners that support Verified Discovery will need to list val <name slugifiedName="name-certificate-management">Certificate Management
id </name>
<t indent="0" pn="section-6.2-1">Resolver owners that support Verified D
iscovery will need to list valid
referring IP addresses in their TLS certificates. This may pose challenges for referring IP addresses in their TLS certificates. This may pose challenges for
resolvers with a large number of referring IP addresses.</t> resolvers with a large number of referring IP addresses.</t>
</section> </section>
<section anchor="server-name-handling"> <section anchor="server-name-handling" numbered="true" removeInRFC="false"
<name>Server Name Handling</name> toc="include" pn="section-6.3">
<t>Clients MUST NOT use "resolver.arpa" as the server name either in the <name slugifiedName="name-server-name-handling">Server Name Handling</na
TLS me>
Server Name Indication (SNI) (<xref target="RFC8446"/>) for DoT, DoQ, or DoH con <t indent="0" pn="section-6.3-1">Clients <bcp14>MUST NOT</bcp14> use "re
nections, solver.arpa" as the server name in either (1) the TLS
or in the URI host for DoH requests.</t> Server Name Indication (SNI) <xref target="RFC8446" format="default" sectionForm
<t>When performing discovery using resolver IP addresses, clients MUST at="of" derivedContent="RFC8446"/> for DoT, DoQ, or DoH connections or (2) the U
RI host for DoH requests.</t>
<t indent="0" pn="section-6.3-2">When performing discovery using resolve
r IP addresses, clients <bcp14>MUST</bcp14>
use the original IP address of the Unencrypted DNS Resolver as the URI use the original IP address of the Unencrypted DNS Resolver as the URI
host for DoH requests.</t> host for DoH requests.</t>
<t>Note that since IP addresses are not supported by default in the TLS SNI, <t indent="0" pn="section-6.3-3">Note that since IP addresses are not su pported by default in the TLS SNI,
resolvers that support discovery using IP addresses will need to be resolvers that support discovery using IP addresses will need to be
configured to present the appropriate TLS certificate when no SNI is present configured to present the appropriate TLS certificate when no SNI is present
for DoT, DoQ, and DoH.</t> for DoT, DoQ, and DoH.</t>
</section> </section>
<section anchor="handling-non-ddr-queries-for-resolverarpa"> <section anchor="handling-non-ddr-queries-for-resolverarpa" numbered="true
<name>Handling non-DDR queries for resolver.arpa</name> " removeInRFC="false" toc="include" pn="section-6.4">
<t>DNS resolvers that support DDR by responding to queries for _dns.reso <name slugifiedName="name-handling-non-ddr-queries-fo">Handling Non-DDR
lver.arpa Queries for resolver.arpa</name>
MUST treat resolver.arpa as a locally served zone per <xref target="RFC6303"/>. <t indent="0" pn="section-6.4-1">DNS resolvers that support DDR by respo
In practice, this means that resolvers SHOULD respond to queries of any type nding to queries for <tt>_dns.resolver.arpa.</tt> <bcp14>MUST</bcp14> treat reso
other than SVCB for _dns.resolver.arpa with NODATA and queries of any lver.arpa as a locally served zone per <xref target="RFC6303" format="default" s
ectionFormat="of" derivedContent="RFC6303"/>.
In practice, this means that resolvers <bcp14>SHOULD</bcp14> respond to queries
of any type
other than SVCB for <tt>_dns.resolver.arpa.</tt> with NODATA and queries of any
type for any domain name under resolver.arpa with NODATA.</t> type for any domain name under resolver.arpa with NODATA.</t>
</section> </section>
<section anchor="dnr-interaction"> <section anchor="dnr-interaction" numbered="true" removeInRFC="false" toc=
<name>Interaction with Network-Designated Resolvers</name> "include" pn="section-6.5">
<t>Discovery of network-designated resolvers (DNR, <xref target="I-D.iet <name slugifiedName="name-interaction-with-network-de">Interaction with
f-add-dnr"/>) allows Network-Designated Resolvers</name>
a network to provide designation of resolvers directly through DHCP <xref target <t indent="0" pn="section-6.5-1">DNR <xref target="RFC9463" format="defa
="RFC2132"/> ult" sectionFormat="of" derivedContent="RFC9463"/> allows
<xref target="RFC8415"/> and IPv6 Router Advertisement (RA) <xref targ a network to provide designation of resolvers directly through DHCP <xref target
et="RFC4861"/> options. When such ="RFC2132" format="default" sectionFormat="of" derivedContent="RFC2132"/>
<xref target="RFC8415" format="default" sectionFormat="of" derivedCont
ent="RFC8415"/> and through IPv6 RA options <xref target="RFC8106" format="defau
lt" sectionFormat="of" derivedContent="RFC8106"/>. When such
indications are present, clients can suppress queries for "resolver.arpa" to the indications are present, clients can suppress queries for "resolver.arpa" to the
unencrypted DNS server indicated by the network over DHCP or RAs, and the DNR unencrypted DNS server indicated by the network over DHCP or RAs, and the DNR
indications SHOULD take precedence over those discovered using "resolver.arpa" indications <bcp14>SHOULD</bcp14> take precedence over those discovered using "r esolver.arpa"
for the same resolver if there is a conflict, since DNR is considered a more for the same resolver if there is a conflict, since DNR is considered a more
reliable source.</t> reliable source.</t>
<t>The designated resolver information in DNR might not contain a full s <t indent="0" pn="section-6.5-2">The Designated Resolver information in
et of DNR might not contain a full set of
SvcParams needed to connect to an encrypted DNS resolver. In such a case, the cl SvcParams needed to connect to an Encrypted DNS Resolver. In such a case, the cl
ient ient
can use an SVCB query using a resolver name, as described in <xref target="encry can use a SVCB query using a resolver name, as described in <xref target="encryp
pted"/>, to the ted" format="default" sectionFormat="of" derivedContent="Section 5"/>, to the
authentication-domain-name (ADN).</t> Authentication Domain Name (ADN).</t>
</section> </section>
</section> </section>
<section anchor="security"> <section anchor="security" numbered="true" removeInRFC="false" toc="include"
<name>Security Considerations</name> pn="section-7">
<t>Since clients can receive DNS SVCB answers over unencrypted DNS, on-pat <name slugifiedName="name-security-considerations">Security Considerations
h </name>
attackers can prevent successful discovery by dropping SVCB queries or answers, <t indent="0" pn="section-7-1">Since clients can receive DNS SVCB answers
and thus prevent clients from switching to use encrypted DNS. over unencrypted DNS, on-path
attackers can prevent successful discovery by dropping SVCB queries or answers
and thus can prevent clients from switching to using encrypted DNS.
Clients should be aware that it might not be possible to distinguish between Clients should be aware that it might not be possible to distinguish between
resolvers that do not have any Designated Resolver and such an active attack. resolvers that do not have any Designated Resolver and such an active attack.
To limit the impact of discovery queries being dropped either maliciously or To limit the impact of discovery queries being dropped either maliciously or
unintentionally, clients can re-send their SVCB queries periodically.</t> unintentionally, clients can re-send their SVCB queries periodically.</t>
<t><xref section="8.2" sectionFormat="of" target="I-D.ietf-add-svcb-dns"/> describes a second downgrade attack <t indent="0" pn="section-7-2"><xref section="8.2" sectionFormat="of" targ et="RFC9461" format="default" derivedLink="https://rfc-editor.org/rfc/rfc9461#se ction-8.2" derivedContent="RFC9461"/> describes another type of downgrade attack
where an attacker can block connections to the encrypted DNS server. For DDR, where an attacker can block connections to the encrypted DNS server. For DDR,
clients need to validate a Designated Resolver using a connection to the clients need to validate a Designated Resolver using a connection to the
server before trusting it, so attackers that can block these connections can server before trusting it, so attackers that can block these connections can
prevent clients from switching to use encrypted DNS.</t> prevent clients from switching to using encrypted DNS.</t>
<t>Encrypted DNS Resolvers that allow discovery using DNS SVCB answers ove <t indent="0" pn="section-7-3">Encrypted DNS Resolvers that allow discover
r unencrypted y using DNS SVCB answers over unencrypted
DNS MUST NOT provide differentiated behavior based solely on metadata in DNS <bcp14>MUST NOT</bcp14> provide differentiated behavior based solely on meta
data in
the SVCB record, such as the HTTP path or alternate port number, which the SVCB record, such as the HTTP path or alternate port number, which
are parameters that an attacker could modify. For example, if a are parameters that an attacker could modify. For example, if a
DoH resolver provides a filtering service for one URI path, and DoH resolver provides a filtering service for one URI path and
a non-filtered service for another URI path, an attacker could select a non-filtered service for another URI path, an attacker could select
which of these services is used by modifying the "dohpath" parameter. which of these services is used by modifying the "dohpath" parameter.
These attacks can be mitigated by providing separate resolver IP These attacks can be mitigated by providing separate resolver IP
addresses or hostnames.</t> addresses or hostnames.</t>
<t>While the IP address of the Unencrypted DNS Resolver is often provision ed over <t indent="0" pn="section-7-4">While the IP address of the Unencrypted DNS Resolver is often provisioned over
insecure mechanisms, it can also be provisioned securely, such as via manual insecure mechanisms, it can also be provisioned securely, such as via manual
configuration, a VPN, or on a network with protections like RA-Guard configuration, on a VPN, or on a network with protections like RA-Guard
<xref target="RFC6105"/>. An attacker might try to direct Encrypted DNS traffic <xref target="RFC6105" format="default" sectionFormat="of" derivedContent="RFC61
to itself by 05"/>. An attacker might try to direct encrypted DNS traffic to itself by
causing the client to think that a discovered Designated Resolver uses causing the client to think that a discovered Designated Resolver uses
a different IP address from the Unencrypted DNS Resolver. Such a Designated Reso lver a different IP address from the Unencrypted DNS Resolver. Such a Designated Reso lver
might have a valid certificate, but be operated by an attacker that is trying to might have a valid certificate but might be operated by an attacker that is tryi ng to
observe or modify user queries without the knowledge of the client or network.</ t> observe or modify user queries without the knowledge of the client or network.</ t>
<t>If the IP address of a Designated Resolver differs from that of an <t indent="0" pn="section-7-5">If the IP address of a Designated Resolver
Unencrypted DNS Resolver, clients applying Verified Discovery (<xref target="ver differs from that of an
ified"/>) MUST Unencrypted DNS Resolver, clients applying Verified Discovery (<xref target="ver
ified" format="default" sectionFormat="of" derivedContent="Section 4.2"/>) <bcp1
4>MUST</bcp14>
validate that the IP address of the Unencrypted DNS Resolver is covered by the validate that the IP address of the Unencrypted DNS Resolver is covered by the
SubjectAlternativeName of the Designated Resolver's TLS certificate. If that SubjectAltName (SAN) of the Designated Resolver's TLS certificate. If that
validation fails, the client MUST NOT automatically use the discovered Designate validation fails, the client <bcp14>MUST NOT</bcp14> automatically use the disco
d vered Designated
Resolver.</t> Resolver.</t>
<t>Clients using Opportunistic Discovery (<xref target="opportunistic"/>) MUST be limited to cases <t indent="0" pn="section-7-6">Clients using Opportunistic Discovery (<xre f target="opportunistic" format="default" sectionFormat="of" derivedContent="Sec tion 4.3"/>) <bcp14>MUST</bcp14> be limited to cases
where the Unencrypted DNS Resolver and Designated Resolver have the same IP addr ess, where the Unencrypted DNS Resolver and Designated Resolver have the same IP addr ess,
which SHOULD be a private or local IP address. which <bcp14>SHOULD</bcp14> be a private or local IP address.
Clients which do not follow Opportunistic Discovery (<xref target="opportunistic Clients that do not follow Opportunistic Discovery (<xref target="opportunistic"
"/>) and instead format="default" sectionFormat="of" derivedContent="Section 4.3"/>) and instead
try to connect without first checking for a designation run the possible risk of try to connect without first checking for a designation run the possible risk of
being intercepted by an attacker hosting an Encrypted DNS Resolver on an IP addr ess of being intercepted by an attacker hosting an Encrypted DNS Resolver on an IP addr ess of
an Unencrypted DNS Resolver where the attacker has failed to gain control of the an Unencrypted DNS Resolver where the attacker has failed to gain control of the
Unencrypted DNS Resolver.</t> Unencrypted DNS Resolver.</t>
<t>The constraints on the use of Designated Resolvers specified here apply <t indent="0" pn="section-7-7">The constraints on the use of Designated Re solvers specified here apply
specifically to the automatic discovery mechanisms defined in this document, whi ch are specifically to the automatic discovery mechanisms defined in this document, whi ch are
referred to as Verified Discovery and Opportunistic Discovery. Clients referred to as Verified Discovery and Opportunistic Discovery. Clients
MAY use some other mechanism to verify and use Designated Resolvers discovered <bcp14>MAY</bcp14> use some other mechanism to verify and use Designated Resolve
using the DNS SVCB record. However, use of such an alternate mechanism needs rs discovered
using the DNS SVCB record. However, the use of such an alternate mechanism needs
to take into account the attack scenarios detailed here.</t> to take into account the attack scenarios detailed here.</t>
</section> </section>
<section anchor="iana"> <section anchor="iana" numbered="true" removeInRFC="false" toc="include" pn=
<name>IANA Considerations</name> "section-8">
<section anchor="special-use-domain-name-resolverarpa"> <name slugifiedName="name-iana-considerations">IANA Considerations</name>
<name>Special Use Domain Name "resolver.arpa"</name> <section anchor="special-use-domain-name-resolverarpa" numbered="true" rem
<t>This document calls for the addition of "resolver.arpa" to the Specia oveInRFC="false" toc="include" pn="section-8.1">
l-Use <name slugifiedName="name-special-use-domain-name-res">Special-Use Domai
Domain Names (SUDN) registry established by <xref target="RFC6761"/>.</t> n Name "resolver.arpa"</name>
<t>IANA is requested to add an entry in "Transport-Independent Locally-S <t indent="0" pn="section-8.1-1">IANA has registered "resolver.arpa" in
erved the "Special-Use
DNS Zones" registry for 'resolver.arpa.' with the description "DNS Resolver Domain Names" registry established by <xref target="RFC6761" format="default" se
Special-Use Domain", listing this document as the reference.</t> ctionFormat="of" derivedContent="RFC6761"/>.</t>
<t indent="0" pn="section-8.1-2">IANA has added an entry in the "Transpo
rt-Independent Locally-Served
DNS Zone Registry" for 'resolver.arpa.' with the description "DNS Resolver
Special-Use Domain" and listed this document as the reference.</t>
</section> </section>
<section anchor="domain-name-reservation-considerations"> <section anchor="domain-name-reservation-considerations" numbered="true" r
<name>Domain Name Reservation Considerations</name> emoveInRFC="false" toc="include" pn="section-8.2">
<t>In accordance with <xref section="5" sectionFormat="of" target="RFC67 <name slugifiedName="name-domain-name-reservation-con">Domain Name Reser
61"/>, the answers to the following vation Considerations</name>
<t indent="0" pn="section-8.2-1">In accordance with <xref section="5" se
ctionFormat="of" target="RFC6761" format="default" derivedLink="https://rfc-edit
or.org/rfc/rfc6761#section-5" derivedContent="RFC6761"/>, the answers to the fol
lowing
questions are provided relative to this document:</t> questions are provided relative to this document:</t>
<t>1) Are human users expected to recognize these names as special and u <ol spacing="normal" type="1" indent="adaptive" start="1" pn="section-8.
se them 2-2">
<li pn="section-8.2-2.1" derivedCounter="1.">
<t indent="0" pn="section-8.2-2.1.1">Are human users expected to rec
ognize these names as special and use them
differently? In what way?</t> differently? In what way?</t>
<t>No. This name is used automatically by DNS stub resolvers running on <t indent="0" pn="section-8.2-2.1.2">No. This name is used automatic
client devices on behalf of users, and users will never see this name directly.< ally by DNS stub resolvers running on client devices on behalf of users, and use
/t> rs will never see this name directly.</t>
<t>2) Are writers of application software expected to make their softwar </li>
e <li pn="section-8.2-2.2" derivedCounter="2.">
<t indent="0" pn="section-8.2-2.2.1">Are writers of application soft
ware expected to make their software
recognize these names as special and treat them differently? In what way?</t> recognize these names as special and treat them differently? In what way?</t>
<t>No. There is no use case where a non-DNS application (covered by the next <t indent="0" pn="section-8.2-2.2.2">No. There is no use case where a non-DNS application (covered by the next
question) would need to use this name.</t> question) would need to use this name.</t>
<t>3) Are writers of name resolution APIs and libraries expected to make </li>
their <li pn="section-8.2-2.3" derivedCounter="3.">
<t indent="0" pn="section-8.2-2.3.1">Are writers of name resolution
APIs and libraries expected to make their
software recognize these names as special and treat them differently? If so, how ?</t> software recognize these names as special and treat them differently? If so, how ?</t>
<t>Yes. DNS client implementors are expected to use this name when query ing for <t indent="0" pn="section-8.2-2.3.2">Yes.  DNS client implementors a re expected to use this name when querying for
a resolver's properties instead of records for the name itself. DNS servers a resolver's properties instead of records for the name itself. DNS servers
are expected to respond to queries for this name with their own properties are expected to respond to queries for this name with their own properties
instead of checking the matching zone as it would for normal domain names.</t> instead of checking the matching zone as it would for normal domain names.</t>
<t>4) Are developers of caching domain name servers expected to make the </li>
ir <li pn="section-8.2-2.4" derivedCounter="4.">
<t indent="0" pn="section-8.2-2.4.1">Are developers of caching domai
n name servers expected to make their
implementations recognize these names as special and treat them differently? implementations recognize these names as special and treat them differently?
If so, how?</t> If so, how?</t>
<t>Yes. Caching domain name servers should not forward queries for this name to <t indent="0" pn="section-8.2-2.4.2">Yes.  Caching domain name serve rs should not forward queries for this name, to
avoid causing validation failures due to IP address mismatch.</t> avoid causing validation failures due to IP address mismatch.</t>
<t>5) Are developers of authoritative domain name servers expected to ma </li>
ke their <li pn="section-8.2-2.5" derivedCounter="5.">
<t indent="0" pn="section-8.2-2.5.1">Are developers of authoritative
domain name servers expected to make their
implementations recognize these names as special and treat them differently? implementations recognize these names as special and treat them differently?
If so, how?</t> If so, how?</t>
<t>No. DDR is designed for use by recursive resolvers. Theoretically, an authoritative <t indent="0" pn="section-8.2-2.5.2">No. DDR is designed for use by recursive resolvers. Theoretically, an authoritative
server could choose to support this name if it wants to advertise support for server could choose to support this name if it wants to advertise support for
encrypted DNS protocols over plain-text DNS, but that scenario is covered encrypted DNS protocols over plaintext DNS, but that scenario is covered
by other work in the IETF DNSOP working group.</t> by other work in the IETF DNSOP Working Group.</t>
<t>6) Does this reserved Special-Use Domain Name have any potential impa </li>
ct on <li pn="section-8.2-2.6" derivedCounter="6.">
<t indent="0" pn="section-8.2-2.6.1">Does this reserved Special-Use
Domain Name have any potential impact on
DNS server operators? If they try to configure their authoritative DNS server DNS server operators? If they try to configure their authoritative DNS server
as authoritative for this reserved name, will compliant name server software as authoritative for this reserved name, will compliant name server software
reject it as invalid? Do DNS server operators need to know about that and reject it as invalid? Do DNS server operators need to know about that and
understand why? Even if the name server software doesn't prevent them from understand why? Even if the name server software doesn't prevent them from
using this reserved name, are there other ways that it may not work as expected, using this reserved name, are there other ways that it may not work as expected,
of which the DNS server operator should be aware?</t> of which the DNS server operator should be aware?</t>
<t>This name is locally served, and any resolver which supports this nam e should <t indent="0" pn="section-8.2-2.6.2">This name is locally served, an d any resolver that supports this name should
never forward the query. DNS server operators should be aware that records for never forward the query. DNS server operators should be aware that records for
this name will be used by clients to modify the way they connect to their this name will be used by clients to modify the way they connect to their
resolvers.</t> resolvers.</t>
<t>7) How should DNS Registries/Registrars treat requests to register th </li>
is reserved <li pn="section-8.2-2.7" derivedCounter="7.">
<t indent="0" pn="section-8.2-2.7.1">How should DNS Registries/Regis
trars treat requests to register this reserved
domain name? Should such requests be denied? Should such requests be allowed, domain name? Should such requests be denied? Should such requests be allowed,
but only to a specially-designated entity?</t> but only to a specially designated entity?</t>
<t>IANA should hold the registration for this name. Non-IANA requests to <t indent="0" pn="section-8.2-2.7.2">IANA holds the registration for
register this name. Non-IANA requests to register
this name should always be denied by DNS Registries/Registrars.</t> this name should always be denied by DNS Registries/Registrars.</t>
</li>
</ol>
</section> </section>
</section> </section>
</middle> </middle>
<back> <back>
<references> <displayreference target="I-D.schinazi-httpbis-doh-preference-hints" to="DoH
<name>References</name> -HINTS"/>
<references> <displayreference target="I-D.ietf-tls-esni" to="ECH"/>
<name>Normative References</name> <references pn="section-9">
<reference anchor="RFC7858"> <name slugifiedName="name-references">References</name>
<references pn="section-9.1">
<name slugifiedName="name-normative-references">Normative References</na
me>
<reference anchor="RFC1918" target="https://www.rfc-editor.org/info/rfc1
918" quoteTitle="true" derivedAnchor="RFC1918">
<front> <front>
<title>Specification for DNS over Transport Layer Security (TLS)</ti <title>Address Allocation for Private Internets</title>
tle> <author fullname="Y. Rekhter" initials="Y." surname="Rekhter"/>
<author fullname="Z. Hu" initials="Z." surname="Hu"> <author fullname="B. Moskowitz" initials="B." surname="Moskowitz"/>
<organization/> <author fullname="D. Karrenberg" initials="D." surname="Karrenberg"/
</author> >
<author fullname="L. Zhu" initials="L." surname="Zhu"> <author fullname="G. J. de Groot" initials="G. J." surname="de Groot
<organization/> "/>
</author> <author fullname="E. Lear" initials="E." surname="Lear"/>
<author fullname="J. Heidemann" initials="J." surname="Heidemann"> <date month="February" year="1996"/>
<organization/>
</author>
<author fullname="A. Mankin" initials="A." surname="Mankin">
<organization/>
</author>
<author fullname="D. Wessels" initials="D." surname="Wessels">
<organization/>
</author>
<author fullname="P. Hoffman" initials="P." surname="Hoffman">
<organization/>
</author>
<date month="May" year="2016"/>
<abstract> <abstract>
<t>This document describes the use of Transport Layer Security (TL <t indent="0">This document describes address allocation for priva
S) to provide privacy for DNS. Encryption provided by TLS eliminates opportunit te internets. This document specifies an Internet Best Current Practices for the
ies for eavesdropping and on-path tampering with DNS queries in the network, suc Internet Community, and requests discussion and suggestions for improvements.</
h as discussed in RFC 7626. In addition, this document specifies two usage prof t>
iles for DNS over TLS and provides advice on performance considerations to minim
ize overhead from using TCP and TLS with DNS.</t>
<t>This document focuses on securing stub-to-recursive traffic, as
per the charter of the DPRIVE Working Group. It does not prevent future applic
ations of the protocol to recursive-to-authoritative traffic.</t>
</abstract> </abstract>
</front> </front>
<seriesInfo name="RFC" value="7858"/> <seriesInfo name="BCP" value="5"/>
<seriesInfo name="DOI" value="10.17487/RFC7858"/> <seriesInfo name="RFC" value="1918"/>
<seriesInfo name="DOI" value="10.17487/RFC1918"/>
</reference> </reference>
<reference anchor="RFC9250"> <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2 119" quoteTitle="true" derivedAnchor="RFC2119">
<front> <front>
<title>DNS over Dedicated QUIC Connections</title> <title>Key words for use in RFCs to Indicate Requirement Levels</tit
<author fullname="C. Huitema" initials="C." surname="Huitema"> le>
<organization/> <author fullname="S. Bradner" initials="S." surname="Bradner"/>
</author> <date month="March" year="1997"/>
<author fullname="S. Dickinson" initials="S." surname="Dickinson">
<organization/>
</author>
<author fullname="A. Mankin" initials="A." surname="Mankin">
<organization/>
</author>
<date month="May" year="2022"/>
<abstract> <abstract>
<t>This document describes the use of QUIC to provide transport co nfidentiality for DNS. The encryption provided by QUIC has similar properties to those provided by TLS, while QUIC transport eliminates the head-of-line blockin g issues inherent with TCP and provides more efficient packet-loss recovery than UDP. DNS over QUIC (DoQ) has privacy properties similar to DNS over TLS (DoT) s pecified in RFC 7858, and latency characteristics similar to classic DNS over UD P. This specification describes the use of DoQ as a general-purpose transport fo r DNS and includes the use of DoQ for stub to recursive, recursive to authoritat ive, and zone transfer scenarios.</t> <t indent="0">In many standards track documents several words are used to signify the requirements in the specification. These words are often cap italized. This document defines these words as they should be interpreted in IET F documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t >
</abstract> </abstract>
</front> </front>
<seriesInfo name="RFC" value="9250"/> <seriesInfo name="BCP" value="14"/>
<seriesInfo name="DOI" value="10.17487/RFC9250"/> <seriesInfo name="RFC" value="2119"/>
<seriesInfo name="DOI" value="10.17487/RFC2119"/>
</reference> </reference>
<reference anchor="RFC8484"> <reference anchor="RFC3927" target="https://www.rfc-editor.org/info/rfc3 927" quoteTitle="true" derivedAnchor="RFC3927">
<front> <front>
<title>DNS Queries over HTTPS (DoH)</title> <title>Dynamic Configuration of IPv4 Link-Local Addresses</title>
<author fullname="P. Hoffman" initials="P." surname="Hoffman"> <author fullname="S. Cheshire" initials="S." surname="Cheshire"/>
<organization/> <author fullname="B. Aboba" initials="B." surname="Aboba"/>
</author> <author fullname="E. Guttman" initials="E." surname="Guttman"/>
<author fullname="P. McManus" initials="P." surname="McManus"> <date month="May" year="2005"/>
<organization/>
</author>
<date month="October" year="2018"/>
<abstract> <abstract>
<t>This document defines a protocol for sending DNS queries and ge <t indent="0">To participate in wide-area IP networking, a host ne
tting DNS responses over HTTPS. Each DNS query-response pair is mapped into an eds to be configured with IP addresses for its interfaces, either manually by th
HTTP exchange.</t> e user or automatically from a source on the network such as a Dynamic Host Conf
iguration Protocol (DHCP) server. Unfortunately, such address configuration info
rmation may not always be available. It is therefore beneficial for a host to be
able to depend on a useful subset of IP networking functions even when no addre
ss configuration is available. This document describes how a host may automatica
lly configure an interface with an IPv4 address within the 169.254/16 prefix tha
t is valid for communication with other devices connected to the same physical (
or logical) link.</t>
<t indent="0">IPv4 Link-Local addresses are not suitable for commu
nication with devices not directly connected to the same physical (or logical) l
ink, and are only used where stable, routable addresses are not available (such
as on ad hoc or isolated networks). This document does not recommend that IPv4 L
ink-Local addresses and routable addresses be configured simultaneously on the s
ame interface. [STANDARDS-TRACK]</t>
</abstract> </abstract>
</front> </front>
<seriesInfo name="RFC" value="8484"/> <seriesInfo name="RFC" value="3927"/>
<seriesInfo name="DOI" value="10.17487/RFC8484"/> <seriesInfo name="DOI" value="10.17487/RFC3927"/>
</reference> </reference>
<reference anchor="RFC6761"> <reference anchor="RFC4193" target="https://www.rfc-editor.org/info/rfc4 193" quoteTitle="true" derivedAnchor="RFC4193">
<front> <front>
<title>Special-Use Domain Names</title> <title>Unique Local IPv6 Unicast Addresses</title>
<author fullname="S. Cheshire" initials="S." surname="Cheshire"> <author fullname="R. Hinden" initials="R." surname="Hinden"/>
<organization/> <author fullname="B. Haberman" initials="B." surname="Haberman"/>
</author> <date month="October" year="2005"/>
<author fullname="M. Krochmal" initials="M." surname="Krochmal">
<organization/>
</author>
<date month="February" year="2013"/>
<abstract> <abstract>
<t>This document describes what it means to say that a Domain Name (DNS name) is reserved for special use, when reserving such a name is appropria te, and the procedure for doing so. It establishes an IANA registry for such do main names, and seeds it with entries for some of the already established specia l domain names.</t> <t indent="0">This document defines an IPv6 unicast address format that is globally unique and is intended for local communications, usually insid e of a site. These addresses are not expected to be routable on the global Inter net. [STANDARDS-TRACK]</t>
</abstract> </abstract>
</front> </front>
<seriesInfo name="RFC" value="6761"/> <seriesInfo name="RFC" value="4193"/>
<seriesInfo name="DOI" value="10.17487/RFC6761"/> <seriesInfo name="DOI" value="10.17487/RFC4193"/>
</reference> </reference>
<reference anchor="RFC2119"> <reference anchor="RFC4291" target="https://www.rfc-editor.org/info/rfc4 291" quoteTitle="true" derivedAnchor="RFC4291">
<front> <front>
<title>Key words for use in RFCs to Indicate Requirement Levels</tit <title>IP Version 6 Addressing Architecture</title>
le> <author fullname="R. Hinden" initials="R." surname="Hinden"/>
<author fullname="S. Bradner" initials="S." surname="Bradner"> <author fullname="S. Deering" initials="S." surname="Deering"/>
<organization/> <date month="February" year="2006"/>
</author>
<date month="March" year="1997"/>
<abstract> <abstract>
<t>In many standards track documents several words are used to sig <t indent="0">This specification defines the addressing architectu
nify the requirements in the specification. These words are often capitalized. re of the IP Version 6 (IPv6) protocol. The document includes the IPv6 addressin
This document defines these words as they should be interpreted in IETF document g model, text representations of IPv6 addresses, definition of IPv6 unicast addr
s. This document specifies an Internet Best Current Practices for the Internet esses, anycast addresses, and multicast addresses, and an IPv6 node's required a
Community, and requests discussion and suggestions for improvements.</t> ddresses.</t>
<t indent="0">This document obsoletes RFC 3513, "IP Version 6 Addr
essing Architecture". [STANDARDS-TRACK]</t>
</abstract> </abstract>
</front> </front>
<seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="4291"/>
<seriesInfo name="RFC" value="2119"/> <seriesInfo name="DOI" value="10.17487/RFC4291"/>
<seriesInfo name="DOI" value="10.17487/RFC2119"/>
</reference> </reference>
<reference anchor="RFC8174"> <reference anchor="RFC5280" target="https://www.rfc-editor.org/info/rfc5 280" quoteTitle="true" derivedAnchor="RFC5280">
<front> <front>
<title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</ti <title>Internet X.509 Public Key Infrastructure Certificate and Cert
tle> ificate Revocation List (CRL) Profile</title>
<author fullname="B. Leiba" initials="B." surname="Leiba"> <author fullname="D. Cooper" initials="D." surname="Cooper"/>
<organization/> <author fullname="S. Santesson" initials="S." surname="Santesson"/>
</author> <author fullname="S. Farrell" initials="S." surname="Farrell"/>
<date month="May" year="2017"/> <author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
<author fullname="R. Housley" initials="R." surname="Housley"/>
<author fullname="W. Polk" initials="W." surname="Polk"/>
<date month="May" year="2008"/>
<abstract> <abstract>
<t>RFC 2119 specifies common key words that may be used in protoco l specifications. This document aims to reduce the ambiguity by clarifying tha t only UPPERCASE usage of the key words have the defined special meanings.</t> <t indent="0">This memo profiles the X.509 v3 certificate and X.50 9 v2 certificate revocation list (CRL) for use in the Internet. An overview of t his approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are descri bed and two Internet-specific extensions are defined. A set of required certific ate extensions is specified. The X.509 v2 CRL format is described in detail alon g with standard and Internet-specific extensions. An algorithm for X.509 certifi cation path validation is described. An ASN.1 module and examples are provided i n the appendices. [STANDARDS-TRACK]</t>
</abstract> </abstract>
</front> </front>
<seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="5280"/>
<seriesInfo name="RFC" value="8174"/> <seriesInfo name="DOI" value="10.17487/RFC5280"/>
<seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference> </reference>
<reference anchor="I-D.ietf-dnsop-svcb-https"> <reference anchor="RFC6303" target="https://www.rfc-editor.org/info/rfc6 303" quoteTitle="true" derivedAnchor="RFC6303">
<front> <front>
<title>Service binding and parameter specification via the DNS (DNS <title>Locally Served DNS Zones</title>
SVCB and HTTPS RRs)</title> <author fullname="M. Andrews" initials="M." surname="Andrews"/>
<author fullname="Ben Schwartz"> <date month="July" year="2011"/>
<organization>Google</organization>
</author>
<author fullname="Mike Bishop">
<organization>Akamai Technologies</organization>
</author>
<author fullname="Erik Nygren">
<organization>Akamai Technologies</organization>
</author>
<date day="24" month="May" year="2022"/>
<abstract> <abstract>
<t> This document specifies the "SVCB" and "HTTPS" DNS resource <t indent="0">Experience with the Domain Name System (DNS) has sho
record wn that there are a number of DNS zones that all iterative resolvers and recursi
(RR) types to facilitate the lookup of information needed to make ve nameservers should automatically serve, unless configured otherwise. RFC 4193
connections to network services, such as for HTTP origins. SVCB specifies that this should occur for D.F.IP6.ARPA. This document extends the pr
records allow a service to be provided from multiple alternative actice to cover the IN-ADDR.ARPA zones for RFC 1918 address space and other well
endpoints, each with associated parameters (such as transport -known zones with similar characteristics. This memo documents an Internet Best
protocol configuration and keys for encrypting the TLS ClientHello). Current Practice.</t>
They also enable aliasing of apex domains, which is not possible with
CNAME. The HTTPS RR is a variation of SVCB for use with HTTP [HTTP].
By providing more information to the client before it attempts to
establish a connection, these records offer potential benefits to
both performance and privacy.
TO BE REMOVED: This document is being collaborated on in Github at:
https://github.com/MikeBishop/dns-alt-svc
(https://github.com/MikeBishop/dns-alt-svc). The most recent working
version of the document, open issues, etc. should all be available
there. The authors (gratefully) accept pull requests.
</t>
</abstract> </abstract>
</front> </front>
<seriesInfo name="Internet-Draft" value="draft-ietf-dnsop-svcb-https-1 <seriesInfo name="BCP" value="163"/>
0"/> <seriesInfo name="RFC" value="6303"/>
<seriesInfo name="DOI" value="10.17487/RFC6303"/>
</reference> </reference>
<reference anchor="I-D.ietf-add-svcb-dns"> <reference anchor="RFC6761" target="https://www.rfc-editor.org/info/rfc6 761" quoteTitle="true" derivedAnchor="RFC6761">
<front> <front>
<title>Service Binding Mapping for DNS Servers</title> <title>Special-Use Domain Names</title>
<author fullname="Benjamin Schwartz"> <author fullname="S. Cheshire" initials="S." surname="Cheshire"/>
<organization>Google LLC</organization> <author fullname="M. Krochmal" initials="M." surname="Krochmal"/>
</author> <date month="February" year="2013"/>
<date day="5" month="July" year="2022"/>
<abstract> <abstract>
<t> The SVCB DNS resource record type expresses a bound collecti <t indent="0">This document describes what it means to say that a
on of Domain Name (DNS name) is reserved for special use, when reserving such a name i
endpoint metadata, for use when establishing a connection to a named s appropriate, and the procedure for doing so. It establishes an IANA registry f
service. DNS itself can be such a service, when the server is or such domain names, and seeds it with entries for some of the already establis
identified by a domain name. This document provides the SVCB mapping hed special domain names.</t>
for named DNS servers, allowing them to indicate support for
encrypted transport protocols.
</t>
</abstract> </abstract>
</front> </front>
<seriesInfo name="Internet-Draft" value="draft-ietf-add-svcb-dns-06"/> <seriesInfo name="RFC" value="6761"/>
<seriesInfo name="DOI" value="10.17487/RFC6761"/>
</reference> </reference>
<reference anchor="RFC5280"> <reference anchor="RFC7858" target="https://www.rfc-editor.org/info/rfc7 858" quoteTitle="true" derivedAnchor="RFC7858">
<front> <front>
<title>Internet X.509 Public Key Infrastructure Certificate and Cert <title>Specification for DNS over Transport Layer Security (TLS)</ti
ificate Revocation List (CRL) Profile</title> tle>
<author fullname="D. Cooper" initials="D." surname="Cooper"> <author fullname="Z. Hu" initials="Z." surname="Hu"/>
<organization/> <author fullname="L. Zhu" initials="L." surname="Zhu"/>
</author> <author fullname="J. Heidemann" initials="J." surname="Heidemann"/>
<author fullname="S. Santesson" initials="S." surname="Santesson"> <author fullname="A. Mankin" initials="A." surname="Mankin"/>
<organization/> <author fullname="D. Wessels" initials="D." surname="Wessels"/>
</author> <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
<author fullname="S. Farrell" initials="S." surname="Farrell"> <date month="May" year="2016"/>
<organization/>
</author>
<author fullname="S. Boeyen" initials="S." surname="Boeyen">
<organization/>
</author>
<author fullname="R. Housley" initials="R." surname="Housley">
<organization/>
</author>
<author fullname="W. Polk" initials="W." surname="Polk">
<organization/>
</author>
<date month="May" year="2008"/>
<abstract> <abstract>
<t>This memo profiles the X.509 v3 certificate and X.509 v2 certif <t indent="0">This document describes the use of Transport Layer S
icate revocation list (CRL) for use in the Internet. An overview of this approa ecurity (TLS) to provide privacy for DNS. Encryption provided by TLS eliminates
ch and model is provided as an introduction. The X.509 v3 certificate format is opportunities for eavesdropping and on-path tampering with DNS queries in the ne
described in detail, with additional information regarding the format and seman twork, such as discussed in RFC 7626. In addition, this document specifies two u
tics of Internet name forms. Standard certificate extensions are described and sage profiles for DNS over TLS and provides advice on performance considerations
two Internet-specific extensions are defined. A set of required certificate ext to minimize overhead from using TCP and TLS with DNS.</t>
ensions is specified. The X.509 v2 CRL format is described in detail along with <t indent="0">This document focuses on securing stub-to-recursive
standard and Internet-specific extensions. An algorithm for X.509 certificatio traffic, as per the charter of the DPRIVE Working Group. It does not prevent fut
n path validation is described. An ASN.1 module and examples are provided in th ure applications of the protocol to recursive-to-authoritative traffic.</t>
e appendices. [STANDARDS-TRACK]</t>
</abstract> </abstract>
</front> </front>
<seriesInfo name="RFC" value="5280"/> <seriesInfo name="RFC" value="7858"/>
<seriesInfo name="DOI" value="10.17487/RFC5280"/> <seriesInfo name="DOI" value="10.17487/RFC7858"/>
</reference> </reference>
<reference anchor="RFC1918"> <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8 174" quoteTitle="true" derivedAnchor="RFC8174">
<front> <front>
<title>Address Allocation for Private Internets</title> <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</ti
<author fullname="Y. Rekhter" initials="Y." surname="Rekhter"> tle>
<organization/> <author fullname="B. Leiba" initials="B." surname="Leiba"/>
</author> <date month="May" year="2017"/>
<author fullname="B. Moskowitz" initials="B." surname="Moskowitz">
<organization/>
</author>
<author fullname="D. Karrenberg" initials="D." surname="Karrenberg">
<organization/>
</author>
<author fullname="G. J. de Groot" initials="G. J." surname="de Groot
">
<organization/>
</author>
<author fullname="E. Lear" initials="E." surname="Lear">
<organization/>
</author>
<date month="February" year="1996"/>
<abstract> <abstract>
<t>This document describes address allocation for private internet s. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t> <t indent="0">RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clari fying that only UPPERCASE usage of the key words have the defined special meanin gs.</t>
</abstract> </abstract>
</front> </front>
<seriesInfo name="BCP" value="5"/> <seriesInfo name="BCP" value="14"/>
<seriesInfo name="RFC" value="1918"/> <seriesInfo name="RFC" value="8174"/>
<seriesInfo name="DOI" value="10.17487/RFC1918"/> <seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference> </reference>
<reference anchor="RFC4193"> <reference anchor="RFC8484" target="https://www.rfc-editor.org/info/rfc8 484" quoteTitle="true" derivedAnchor="RFC8484">
<front> <front>
<title>Unique Local IPv6 Unicast Addresses</title> <title>DNS Queries over HTTPS (DoH)</title>
<author fullname="R. Hinden" initials="R." surname="Hinden"> <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
<organization/> <author fullname="P. McManus" initials="P." surname="McManus"/>
</author> <date month="October" year="2018"/>
<author fullname="B. Haberman" initials="B." surname="Haberman">
<organization/>
</author>
<date month="October" year="2005"/>
<abstract> <abstract>
<t>This document defines an IPv6 unicast address format that is gl obally unique and is intended for local communications, usually inside of a site . These addresses are not expected to be routable on the global Internet. [STAN DARDS-TRACK]</t> <t indent="0">This document defines a protocol for sending DNS que ries and getting DNS responses over HTTPS. Each DNS query-response pair is mappe d into an HTTP exchange.</t>
</abstract> </abstract>
</front> </front>
<seriesInfo name="RFC" value="4193"/> <seriesInfo name="RFC" value="8484"/>
<seriesInfo name="DOI" value="10.17487/RFC4193"/> <seriesInfo name="DOI" value="10.17487/RFC8484"/>
</reference> </reference>
<reference anchor="RFC3927"> <reference anchor="RFC9250" target="https://www.rfc-editor.org/info/rfc9 250" quoteTitle="true" derivedAnchor="RFC9250">
<front> <front>
<title>Dynamic Configuration of IPv4 Link-Local Addresses</title> <title>DNS over Dedicated QUIC Connections</title>
<author fullname="S. Cheshire" initials="S." surname="Cheshire"> <author fullname="C. Huitema" initials="C." surname="Huitema"/>
<organization/> <author fullname="S. Dickinson" initials="S." surname="Dickinson"/>
</author> <author fullname="A. Mankin" initials="A." surname="Mankin"/>
<author fullname="B. Aboba" initials="B." surname="Aboba"> <date month="May" year="2022"/>
<organization/>
</author>
<author fullname="E. Guttman" initials="E." surname="Guttman">
<organization/>
</author>
<date month="May" year="2005"/>
<abstract> <abstract>
<t>To participate in wide-area IP networking, a host needs to be c <t indent="0">This document describes the use of QUIC to provide t
onfigured with IP addresses for its interfaces, either manually by the user or a ransport confidentiality for DNS. The encryption provided by QUIC has similar pr
utomatically from a source on the network such as a Dynamic Host Configuration P operties to those provided by TLS, while QUIC transport eliminates the head-of-l
rotocol (DHCP) server. Unfortunately, such address configuration information ma ine blocking issues inherent with TCP and provides more efficient packet-loss re
y not always be available. It is therefore beneficial for a host to be able to d covery than UDP. DNS over QUIC (DoQ) has privacy properties similar to DNS over
epend on a useful subset of IP networking functions even when no address configu TLS (DoT) specified in RFC 7858, and latency characteristics similar to classic
ration is available. This document describes how a host may automatically confi DNS over UDP. This specification describes the use of DoQ as a general-purpose t
gure an interface with an IPv4 address within the 169.254/16 prefix that is vali ransport for DNS and includes the use of DoQ for stub to recursive, recursive to
d for communication with other devices connected to the same physical (or logica authoritative, and zone transfer scenarios.</t>
l) link.</t>
<t>IPv4 Link-Local addresses are not suitable for communication wi
th devices not directly connected to the same physical (or logical) link, and ar
e only used where stable, routable addresses are not available (such as on ad ho
c or isolated networks). This document does not recommend that IPv4 Link-Local
addresses and routable addresses be configured simultaneously on the same interf
ace. [STANDARDS-TRACK]</t>
</abstract> </abstract>
</front> </front>
<seriesInfo name="RFC" value="3927"/> <seriesInfo name="RFC" value="9250"/>
<seriesInfo name="DOI" value="10.17487/RFC3927"/> <seriesInfo name="DOI" value="10.17487/RFC9250"/>
</reference> </reference>
<reference anchor="RFC4291"> <reference anchor="RFC9460" target="https://www.rfc-editor.org/info/rfc9 460" quoteTitle="true" derivedAnchor="RFC9460">
<front> <front>
<title>IP Version 6 Addressing Architecture</title> <title>Service Binding and Parameter Specification via the DNS (SVCB
<author fullname="R. Hinden" initials="R." surname="Hinden"> and HTTPS Resource Records)</title>
<organization/> <author initials="B" surname="Schwartz" fullname="Benjamin Schwartz"
>
<organization showOnFrontPage="true"/>
</author> </author>
<author fullname="S. Deering" initials="S." surname="Deering"> <author initials="M" surname="Bishop" fullname="Mike Bishop">
<organization/> <organization showOnFrontPage="true"/>
</author> </author>
<date month="February" year="2006"/> <author initials="E" surname="Nygren" fullname="Erik Nygren">
<abstract> <organization showOnFrontPage="true"/>
<t>This specification defines the addressing architecture of the I </author>
P Version 6 (IPv6) protocol. The document includes the IPv6 addressing model, t <date month="November" year="2023"/>
ext representations of IPv6 addresses, definition of IPv6 unicast addresses, any
cast addresses, and multicast addresses, and an IPv6 node's required addresses.<
/t>
<t>This document obsoletes RFC 3513, "IP Version 6 Addressing Arch
itecture". [STANDARDS-TRACK]</t>
</abstract>
</front> </front>
<seriesInfo name="RFC" value="4291"/> <seriesInfo name="RFC" value="9460"/>
<seriesInfo name="DOI" value="10.17487/RFC4291"/> <seriesInfo name="DOI" value="10.17487/RFC9460"/>
</reference> </reference>
<reference anchor="I-D.ietf-add-dnr"> <reference anchor="RFC9461" target="https://www.rfc-editor.org/info/rfc9
461" quoteTitle="true" derivedAnchor="RFC9461">
<front>
<title>Service Binding Mapping for DNS Servers</title>
<author initials="B." surname="Schwartz" fullname="Benjamin Schwartz
">
</author>
<date month="November" year="2023"/>
</front>
<seriesInfo name="RFC" value="9461"/>
<seriesInfo name="DOI" value="10.17487/RFC9461"/>
</reference>
<reference anchor="RFC9463" target="https://www.rfc-editor.org/info/rfc9
463" quoteTitle="true" derivedAnchor="RFC9463">
<front> <front>
<title>DHCP and Router Advertisement Options for the Discovery of Ne twork-designated Resolvers (DNR)</title> <title>DHCP and Router Advertisement Options for the Discovery of Ne twork-designated Resolvers (DNR)</title>
<author fullname="Mohamed Boucadair"> <author initials="M." surname="Boucadair" fullname="Mohamed Boucadai
<organization>Orange</organization> r" role="editor">
</author> </author>
<author fullname="Tirumaleswar Reddy"> <author initials="T." surname="Reddy.K" fullname="Tirumaleswar Reddy
<organization>Akamai</organization> .K" role="editor">
</author> </author>
<author fullname="Dan Wing"> <author initials="D." surname="Wing" fullname="Dan Wing">
<organization>Citrix Systems, Inc.</organization> </author>
<author initials="N." surname="Cook" fullname="Neil Cook">
</author>
<author initials="T." surname="Jensen" fullname="Tommy Jensen">
</author>
<date month="November" year="2023"/>
</front>
<seriesInfo name="RFC" value="9463"/>
<seriesInfo name="DOI" value="10.17487/RFC9463"/>
</reference>
</references>
<references pn="section-9.2">
<name slugifiedName="name-informative-references">Informative References
</name>
<reference anchor="I-D.schinazi-httpbis-doh-preference-hints" target="ht
tps://datatracker.ietf.org/doc/html/draft-schinazi-httpbis-doh-preference-hints-
02" quoteTitle="true" derivedAnchor="DoH-HINTS">
<front>
<title>DoH Preference Hints for HTTP</title>
<author fullname="David Schinazi" initials="D." surname="Schinazi">
<organization showOnFrontPage="true">Google LLC</organization>
</author> </author>
<author fullname="Neil Cook"> <author fullname="Nick Sullivan" initials="N." surname="Sullivan">
<organization>Open-Xchange</organization> <organization showOnFrontPage="true">Cloudflare</organization>
</author> </author>
<author fullname="Tommy Jensen"> <author fullname="Jesse Kipp" initials="J." surname="Kipp">
<organization>Microsoft</organization> <organization showOnFrontPage="true">Cloudflare</organization>
</author> </author>
<date day="24" month="July" year="2022"/> <date day="13" month="July" year="2020"/>
<abstract> <abstract>
<t> The document specifies new DHCP and IPv6 Router Advertisemen <t indent="0">When using a publicly available DNS-over-HTTPS (DoH)
t options server, some clients may suffer poor performance when the authoritative DNS ser
to discover encrypted DNS resolvers (e.g., DNS-over-HTTPS, DNS-over- ver is located far from the DoH server. For example, a publicly available DoH se
TLS, DNS-over-QUIC). Particularly, it allows a host to learn an rver provided by a Content Delivery Network (CDN) should be able to resolve name
authentication domain name together with a list of IP addresses and a s hosted by that CDN with good performance but might take longer to resolve name
set of service parameters to reach such encrypted DNS resolvers. s provided by other CDNs, or might provide suboptimal results if that CDN is usi
ng DNS- based load balancing and returns different address records depending or
</t> where the DNS query originated from. This document attempts to lessen these issu
es by allowing the web server to indicate to the client which DoH server can bes
t resolve its addresses. This document defines an HTTP header field that enables
web host operators to inform user agents of the preferred DoH servers to use fo
r subsequent DNS lookups for the host's domain. Discussion of this work is encou
raged to happen on the ADD IETF mailing list add@ietf.org or on the GitHub repos
itory which contains the draft: https://github.com/DavidSchinazi/draft-httpbis-d
oh- preference-hints.</t>
</abstract> </abstract>
</front> </front>
<seriesInfo name="Internet-Draft" value="draft-ietf-add-dnr-12"/> <seriesInfo name="Internet-Draft" value="draft-schinazi-httpbis-doh-pr
eference-hints-02"/>
<refcontent>Work in Progress</refcontent>
</reference> </reference>
<reference anchor="RFC6303"> <reference anchor="I-D.ietf-tls-esni" target="https://datatracker.ietf.o rg/doc/html/draft-ietf-tls-esni-17" quoteTitle="true" derivedAnchor="ECH">
<front> <front>
<title>Locally Served DNS Zones</title> <title>TLS Encrypted Client Hello</title>
<author fullname="M. Andrews" initials="M." surname="Andrews"> <author fullname="Eric Rescorla" initials="E." surname="Rescorla">
<organization/> <organization showOnFrontPage="true">RTFM, Inc.</organization>
</author> </author>
<date month="July" year="2011"/> <author fullname="Kazuho Oku" initials="K." surname="Oku">
<organization showOnFrontPage="true">Fastly</organization>
</author>
<author fullname="Nick Sullivan" initials="N." surname="Sullivan">
<organization showOnFrontPage="true">Cloudflare</organization>
</author>
<author fullname="Christopher A. Wood" initials="C. A." surname="Woo
d">
<organization showOnFrontPage="true">Cloudflare</organization>
</author>
<date day="9" month="October" year="2023"/>
<abstract> <abstract>
<t>Experience with the Domain Name System (DNS) has shown that the re are a number of DNS zones that all iterative resolvers and recursive nameserv ers should automatically serve, unless configured otherwise. RFC 4193 specifies that this should occur for D.F.IP6.ARPA. This document extends the practice to cover the IN-ADDR.ARPA zones for RFC 1918 address space and other well-known zon es with similar characteristics. This memo documents an Internet Best Current P ractice.</t> <t indent="0">This document describes a mechanism in Transport Lay er Security (TLS) for encrypting a ClientHello message under a server public key . Discussion Venues This note is to be removed before publishing as an RFC. Sour ce for this draft and an issue tracker can be found at https://github.com/tlswg/ draft-ietf-tls-esni (https://github.com/tlswg/draft-ietf-tls-esni).</t>
</abstract> </abstract>
</front> </front>
<seriesInfo name="BCP" value="163"/> <seriesInfo name="Internet-Draft" value="draft-ietf-tls-esni-17"/>
<seriesInfo name="RFC" value="6303"/> <refcontent>Work in Progress</refcontent>
<seriesInfo name="DOI" value="10.17487/RFC6303"/>
</reference> </reference>
</references> <reference anchor="RFC2132" target="https://www.rfc-editor.org/info/rfc2
<references> 132" quoteTitle="true" derivedAnchor="RFC2132">
<name>Informative References</name>
<reference anchor="RFC2132">
<front> <front>
<title>DHCP Options and BOOTP Vendor Extensions</title> <title>DHCP Options and BOOTP Vendor Extensions</title>
<author fullname="S. Alexander" initials="S." surname="Alexander"> <author fullname="S. Alexander" initials="S." surname="Alexander"/>
<organization/> <author fullname="R. Droms" initials="R." surname="Droms"/>
</author>
<author fullname="R. Droms" initials="R." surname="Droms">
<organization/>
</author>
<date month="March" year="1997"/> <date month="March" year="1997"/>
<abstract> <abstract>
<t>This document specifies the current set of DHCP options. Futur e options will be specified in separate RFCs. The current list of valid options is also available in ftp://ftp.isi.edu/in-notes/iana/assignments. [STANDARDS-TR ACK]</t> <t indent="0">This document specifies the current set of DHCP opti ons. Future options will be specified in separate RFCs. The current list of vali d options is also available in ftp://ftp.isi.edu/in-notes/iana/assignments. [STA NDARDS-TRACK]</t>
</abstract> </abstract>
</front> </front>
<seriesInfo name="RFC" value="2132"/> <seriesInfo name="RFC" value="2132"/>
<seriesInfo name="DOI" value="10.17487/RFC2132"/> <seriesInfo name="DOI" value="10.17487/RFC2132"/>
</reference> </reference>
<reference anchor="RFC8415"> <reference anchor="RFC6105" target="https://www.rfc-editor.org/info/rfc6 105" quoteTitle="true" derivedAnchor="RFC6105">
<front> <front>
<title>Dynamic Host Configuration Protocol for IPv6 (DHCPv6)</title> <title>IPv6 Router Advertisement Guard</title>
<author fullname="T. Mrugalski" initials="T." surname="Mrugalski"> <author fullname="E. Levy-Abegnoli" initials="E." surname="Levy-Abeg
<organization/> noli"/>
</author> <author fullname="G. Van de Velde" initials="G." surname="Van de Vel
<author fullname="M. Siodelski" initials="M." surname="Siodelski"> de"/>
<organization/> <author fullname="C. Popoviciu" initials="C." surname="Popoviciu"/>
</author> <author fullname="J. Mohacsi" initials="J." surname="Mohacsi"/>
<author fullname="B. Volz" initials="B." surname="Volz"> <date month="February" year="2011"/>
<organization/>
</author>
<author fullname="A. Yourtchenko" initials="A." surname="Yourtchenko
">
<organization/>
</author>
<author fullname="M. Richardson" initials="M." surname="Richardson">
<organization/>
</author>
<author fullname="S. Jiang" initials="S." surname="Jiang">
<organization/>
</author>
<author fullname="T. Lemon" initials="T." surname="Lemon">
<organization/>
</author>
<author fullname="T. Winters" initials="T." surname="Winters">
<organization/>
</author>
<date month="November" year="2018"/>
<abstract> <abstract>
<t>This document describes the Dynamic Host Configuration Protocol <t indent="0">Routed protocols are often susceptible to spoof atta
for IPv6 (DHCPv6): an extensible mechanism for configuring nodes with network c cks. The canonical solution for IPv6 is Secure Neighbor Discovery (SEND), a solu
onfiguration parameters, IP addresses, and prefixes. Parameters can be provided tion that is non-trivial to deploy. This document proposes a light-weight altern
statelessly, or in combination with stateful assignment of one or more IPv6 addr ative and complement to SEND based on filtering in the layer-2 network fabric, u
esses and/or IPv6 prefixes. DHCPv6 can operate either in place of or in additio sing a variety of filtering criteria, including, for example, SEND status. This
n to stateless address autoconfiguration (SLAAC).</t> document is not an Internet Standards Track specification; it is published for i
<t>This document updates the text from RFC 3315 (the original DHCP nformational purposes.</t>
v6 specification) and incorporates prefix delegation (RFC 3633), stateless DHCPv
6 (RFC 3736), an option to specify an upper bound for how long a client should w
ait before refreshing information (RFC 4242), a mechanism for throttling DHCPv6
clients when DHCPv6 service is not available (RFC 7083), and relay agent handlin
g of unknown messages (RFC 7283). In addition, this document clarifies the inte
ractions between models of operation (RFC 7550). As such, this document obsolet
es RFC 3315, RFC 3633, RFC 3736, RFC 4242, RFC 7083, RFC 7283, and RFC 7550.</t>
</abstract> </abstract>
</front> </front>
<seriesInfo name="RFC" value="8415"/> <seriesInfo name="RFC" value="6105"/>
<seriesInfo name="DOI" value="10.17487/RFC8415"/> <seriesInfo name="DOI" value="10.17487/RFC6105"/>
</reference> </reference>
<reference anchor="RFC8106"> <reference anchor="RFC8106" target="https://www.rfc-editor.org/info/rfc8 106" quoteTitle="true" derivedAnchor="RFC8106">
<front> <front>
<title>IPv6 Router Advertisement Options for DNS Configuration</titl e> <title>IPv6 Router Advertisement Options for DNS Configuration</titl e>
<author fullname="J. Jeong" initials="J." surname="Jeong"> <author fullname="J. Jeong" initials="J." surname="Jeong"/>
<organization/> <author fullname="S. Park" initials="S." surname="Park"/>
</author> <author fullname="L. Beloeil" initials="L." surname="Beloeil"/>
<author fullname="S. Park" initials="S." surname="Park"> <author fullname="S. Madanapalli" initials="S." surname="Madanapalli
<organization/> "/>
</author>
<author fullname="L. Beloeil" initials="L." surname="Beloeil">
<organization/>
</author>
<author fullname="S. Madanapalli" initials="S." surname="Madanapalli
">
<organization/>
</author>
<date month="March" year="2017"/> <date month="March" year="2017"/>
<abstract> <abstract>
<t>This document specifies IPv6 Router Advertisement (RA) options <t indent="0">This document specifies IPv6 Router Advertisement (R
(called "DNS RA options") to allow IPv6 routers to advertise a list of DNS Recur A) options (called "DNS RA options") to allow IPv6 routers to advertise a list o
sive Server Addresses and a DNS Search List to IPv6 hosts.</t> f DNS Recursive Server Addresses and a DNS Search List to IPv6 hosts.</t>
<t>This document, which obsoletes RFC 6106, defines a higher defau <t indent="0">This document, which obsoletes RFC 6106, defines a h
lt value of the lifetime of the DNS RA options to reduce the likelihood of expir igher default value of the lifetime of the DNS RA options to reduce the likeliho
y of the options on links with a relatively high rate of packet loss.</t> od of expiry of the options on links with a relatively high rate of packet loss.
</t>
</abstract> </abstract>
</front> </front>
<seriesInfo name="RFC" value="8106"/> <seriesInfo name="RFC" value="8106"/>
<seriesInfo name="DOI" value="10.17487/RFC8106"/> <seriesInfo name="DOI" value="10.17487/RFC8106"/>
</reference> </reference>
<reference anchor="RFC8446"> <reference anchor="RFC8415" target="https://www.rfc-editor.org/info/rfc8
<front> 415" quoteTitle="true" derivedAnchor="RFC8415">
<title>The Transport Layer Security (TLS) Protocol Version 1.3</titl
e>
<author fullname="E. Rescorla" initials="E." surname="Rescorla">
<organization/>
</author>
<date month="August" year="2018"/>
<abstract>
<t>This document specifies version 1.3 of the Transport Layer Secu
rity (TLS) protocol. TLS allows client/server applications to communicate over
the Internet in a way that is designed to prevent eavesdropping, tampering, and
message forgery.</t>
<t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 50
77, 5246, and 6961. This document also specifies new requirements for TLS 1.2 i
mplementations.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8446"/>
<seriesInfo name="DOI" value="10.17487/RFC8446"/>
</reference>
<reference anchor="RFC4861">
<front> <front>
<title>Neighbor Discovery for IP version 6 (IPv6)</title> <title>Dynamic Host Configuration Protocol for IPv6 (DHCPv6)</title>
<author fullname="T. Narten" initials="T." surname="Narten"> <author fullname="T. Mrugalski" initials="T." surname="Mrugalski"/>
<organization/> <author fullname="M. Siodelski" initials="M." surname="Siodelski"/>
</author> <author fullname="B. Volz" initials="B." surname="Volz"/>
<author fullname="E. Nordmark" initials="E." surname="Nordmark"> <author fullname="A. Yourtchenko" initials="A." surname="Yourtchenko
<organization/> "/>
</author> <author fullname="M. Richardson" initials="M." surname="Richardson"/
<author fullname="W. Simpson" initials="W." surname="Simpson"> >
<organization/> <author fullname="S. Jiang" initials="S." surname="Jiang"/>
</author> <author fullname="T. Lemon" initials="T." surname="Lemon"/>
<author fullname="H. Soliman" initials="H." surname="Soliman"> <author fullname="T. Winters" initials="T." surname="Winters"/>
<organization/> <date month="November" year="2018"/>
</author>
<date month="September" year="2007"/>
<abstract> <abstract>
<t>This document specifies the Neighbor Discovery protocol for IP <t indent="0">This document describes the Dynamic Host Configurati
Version 6. IPv6 nodes on the same link use Neighbor Discovery to discover each on Protocol for IPv6 (DHCPv6): an extensible mechanism for configuring nodes wit
other's presence, to determine each other's link-layer addresses, to find router h network configuration parameters, IP addresses, and prefixes. Parameters can b
s, and to maintain reachability information about the paths to active neighbors. e provided statelessly, or in combination with stateful assignment of one or mor
[STANDARDS-TRACK]</t> e IPv6 addresses and/or IPv6 prefixes. DHCPv6 can operate either in place of or
in addition to stateless address autoconfiguration (SLAAC).</t>
<t indent="0">This document updates the text from RFC 3315 (the or
iginal DHCPv6 specification) and incorporates prefix delegation (RFC 3633), stat
eless DHCPv6 (RFC 3736), an option to specify an upper bound for how long a clie
nt should wait before refreshing information (RFC 4242), a mechanism for throttl
ing DHCPv6 clients when DHCPv6 service is not available (RFC 7083), and relay ag
ent handling of unknown messages (RFC 7283). In addition, this document clarifie
s the interactions between models of operation (RFC 7550). As such, this documen
t obsoletes RFC 3315, RFC 3633, RFC 3736, RFC 4242, RFC 7083, RFC 7283, and RFC
7550.</t>
</abstract> </abstract>
</front> </front>
<seriesInfo name="RFC" value="4861"/> <seriesInfo name="RFC" value="8415"/>
<seriesInfo name="DOI" value="10.17487/RFC4861"/> <seriesInfo name="DOI" value="10.17487/RFC8415"/>
</reference> </reference>
<reference anchor="RFC6105"> <reference anchor="RFC8446" target="https://www.rfc-editor.org/info/rfc8 446" quoteTitle="true" derivedAnchor="RFC8446">
<front> <front>
<title>IPv6 Router Advertisement Guard</title> <title>The Transport Layer Security (TLS) Protocol Version 1.3</titl
<author fullname="E. Levy-Abegnoli" initials="E." surname="Levy-Abeg e>
noli"> <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
<organization/> <date month="August" year="2018"/>
</author>
<author fullname="G. Van de Velde" initials="G." surname="Van de Vel
de">
<organization/>
</author>
<author fullname="C. Popoviciu" initials="C." surname="Popoviciu">
<organization/>
</author>
<author fullname="J. Mohacsi" initials="J." surname="Mohacsi">
<organization/>
</author>
<date month="February" year="2011"/>
<abstract> <abstract>
<t>Routed protocols are often susceptible to spoof attacks. The c <t indent="0">This document specifies version 1.3 of the Transport
anonical solution for IPv6 is Secure Neighbor Discovery (SEND), a solution that Layer Security (TLS) protocol. TLS allows client/server applications to communi
is non-trivial to deploy. This document proposes a light-weight alternative and cate over the Internet in a way that is designed to prevent eavesdropping, tampe
complement to SEND based on filtering in the layer-2 network fabric, using a va ring, and message forgery.</t>
riety of filtering criteria, including, for example, SEND status. This document <t indent="0">This document updates RFCs 5705 and 6066, and obsole
is not an Internet Standards Track specification; it is published for informati tes RFCs 5077, 5246, and 6961. This document also specifies new requirements for
onal purposes.</t> TLS 1.2 implementations.</t>
</abstract> </abstract>
</front> </front>
<seriesInfo name="RFC" value="6105"/> <seriesInfo name="RFC" value="8446"/>
<seriesInfo name="DOI" value="10.17487/RFC6105"/> <seriesInfo name="DOI" value="10.17487/RFC8446"/>
</reference> </reference>
<reference anchor="RFC8880"> <reference anchor="RFC8880" target="https://www.rfc-editor.org/info/rfc8 880" quoteTitle="true" derivedAnchor="RFC8880">
<front> <front>
<title>Special Use Domain Name 'ipv4only.arpa'</title> <title>Special Use Domain Name 'ipv4only.arpa'</title>
<author fullname="S. Cheshire" initials="S." surname="Cheshire"> <author fullname="S. Cheshire" initials="S." surname="Cheshire"/>
<organization/> <author fullname="D. Schinazi" initials="D." surname="Schinazi"/>
</author>
<author fullname="D. Schinazi" initials="D." surname="Schinazi">
<organization/>
</author>
<date month="August" year="2020"/> <date month="August" year="2020"/>
<abstract> <abstract>
<t>NAT64 (Network Address and Protocol Translation from IPv6 Clien <t indent="0">NAT64 (Network Address and Protocol Translation from
ts to IPv4 Servers) allows client devices using IPv6 to communicate with servers IPv6 Clients to IPv4 Servers) allows client devices using IPv6 to communicate w
that have only IPv4 connectivity.</t> ith servers that have only IPv4 connectivity.</t>
<t>The specification for how a client discovers its local network' <t indent="0">The specification for how a client discovers its loc
s NAT64 prefix (RFC 7050) defines the special name 'ipv4only.arpa' for this purp al network's NAT64 prefix (RFC 7050) defines the special name 'ipv4only.arpa' fo
ose. However, in its Domain Name Reservation Considerations section (Section 8.1 r this purpose. However, in its Domain Name Reservation Considerations section (
), that specification (RFC 7050) indicates that the name actually has no particu Section 8.1), that specification (RFC 7050) indicates that the name actually has
larly special properties that would require special handling.</t> no particularly special properties that would require special handling.</t>
<t>Consequently, despite the well-articulated special purpose of t <t indent="0">Consequently, despite the well-articulated special p
he name, 'ipv4only.arpa' was not recorded in the Special-Use Domain Names regist urpose of the name, 'ipv4only.arpa' was not recorded in the Special-Use Domain N
ry as a name with special properties.</t> ames registry as a name with special properties.</t>
<t>This document updates RFC 7050. It describes the special treatm <t indent="0">This document updates RFC 7050. It describes the spe
ent required and formally declares the special properties of the name. It also a cial treatment required and formally declares the special properties of the name
dds similar declarations for the corresponding reverse mapping names.</t> . It also adds similar declarations for the corresponding reverse mapping names.
</t>
</abstract> </abstract>
</front> </front>
<seriesInfo name="RFC" value="8880"/> <seriesInfo name="RFC" value="8880"/>
<seriesInfo name="DOI" value="10.17487/RFC8880"/> <seriesInfo name="DOI" value="10.17487/RFC8880"/>
</reference> </reference>
<reference anchor="I-D.schinazi-httpbis-doh-preference-hints">
<front>
<title>DoH Preference Hints for HTTP</title>
<author fullname="David Schinazi">
<organization>Google LLC</organization>
</author>
<author fullname="Nick Sullivan">
<organization>Cloudflare</organization>
</author>
<author fullname="Jesse Kipp">
<organization>Cloudflare</organization>
</author>
<date day="13" month="July" year="2020"/>
<abstract>
<t> When using a publicly available DNS-over-HTTPS (DoH) server,
some
clients may suffer poor performance when the authoritative DNS server
is located far from the DoH server. For example, a publicly
available DoH server provided by a Content Delivery Network (CDN)
should be able to resolve names hosted by that CDN with good
performance but might take longer to resolve names provided by other
CDNs, or might provide suboptimal results if that CDN is using DNS-
based load balancing and returns different address records depending
or where the DNS query originated from. This document attempts to
lessen these issues by allowing the web server to indicate to the
client which DoH server can best resolve its addresses. This
document defines an HTTP header field that enables web host operators
to inform user agents of the preferred DoH servers to use for
subsequent DNS lookups for the host's domain.
Discussion of this work is encouraged to happen on the ADD IETF
mailing list add@ietf.org or on the GitHub repository which contains
the draft: https://github.com/DavidSchinazi/draft-httpbis-doh-
preference-hints.
</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-schinazi-httpbis-doh-pr
eference-hints-02"/>
</reference>
<reference anchor="I-D.ietf-tls-esni">
<front>
<title>TLS Encrypted Client Hello</title>
<author fullname="Eric Rescorla">
<organization>RTFM, Inc.</organization>
</author>
<author fullname="Kazuho Oku">
<organization>Fastly</organization>
</author>
<author fullname="Nick Sullivan">
<organization>Cloudflare</organization>
</author>
<author fullname="Christopher A. Wood">
<organization>Cloudflare</organization>
</author>
<date day="13" month="February" year="2022"/>
<abstract>
<t> This document describes a mechanism in Transport Layer Secur
ity (TLS)
for encrypting a ClientHello message under a server public key.
Discussion Venues
This note is to be removed before publishing as an RFC.
Source for this draft and an issue tracker can be found at
https://github.com/tlswg/draft-ietf-tls-esni
(https://github.com/tlswg/draft-ietf-tls-esni).
</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-tls-esni-14"/>
</reference>
</references> </references>
</references> </references>
<section anchor="rationale-for-using-a-special-use-domain-name"> <section anchor="rationale-for-using-a-special-use-domain-name" numbered="tr
<name>Rationale for using a Special Use Domain Name</name> ue" removeInRFC="false" toc="include" pn="section-appendix.a">
<t>The "resolver.arpa" SUDN is similar to "ipv4only.arpa" in that the quer <name slugifiedName="name-rationale-for-using-a-speci">Rationale for Using
ying a Special-Use Domain Name</name>
<t indent="0" pn="section-appendix.a-1">The "resolver.arpa" SUDN is simila
r to "ipv4only.arpa" in that the querying
client is not interested in an answer from the authoritative "arpa" name client is not interested in an answer from the authoritative "arpa" name
servers. The intent of the SUDN is to allow clients to communicate with the servers. The intent of the SUDN is to allow clients to communicate with the
Unencrypted DNS Resolver much like "ipv4only.arpa" allows for client-to-middlebo x Unencrypted DNS Resolver much like "ipv4only.arpa" allows for client-to-middlebo x
communication. For more context, see the rationale behind "ipv4only.arpa" in communication. For more context, see <xref target="RFC8880" format="default" sec
<xref target="RFC8880"/>.</t> tionFormat="of" derivedContent="RFC8880"/> for the rationale behind "ipv4only.ar
pa".</t>
</section> </section>
<section anchor="rationale"> <section anchor="rationale" numbered="true" removeInRFC="false" toc="include
<name>Rationale for using SVCB records</name> " pn="section-appendix.b">
<t>This mechanism uses SVCB/HTTPS resource records <xref target="I-D.ietf- <name slugifiedName="name-rationale-for-using-svcb-re">Rationale for Using
dnsop-svcb-https"/> SVCB Records</name>
<t indent="0" pn="section-appendix.b-1">These mechanisms use SVCB/HTTPS re
source records <xref target="RFC9460" format="default" sectionFormat="of" derive
dContent="RFC9460"/>
to communicate that a given domain designates a particular Designated to communicate that a given domain designates a particular Designated
Resolver for clients to use in place of an Unencrypted DNS Resolver (using a SUD N) Resolver for clients to use in place of an Unencrypted DNS Resolver (using a SUD N)
or another Encrypted DNS Resolver (using its domain name).</t> or another Encrypted DNS Resolver (using its domain name).</t>
<t>There are various other proposals for how to provide similar functional <t indent="0" pn="section-appendix.b-2">There are various other proposals
ity. for how to provide similar functionality.
There are several reasons that this mechanism has chosen SVCB records:</t> There are several reasons that these mechanisms have chosen SVCB records:</t>
<ul spacing="normal"> <ul spacing="normal" bare="false" empty="false" indent="3" pn="section-app
<li>Discovering encrypted DNS resolvers using DNS records keeps client l endix.b-3">
ogic for DNS <li pn="section-appendix.b-3.1">Discovering Encrypted DNS Resolvers usin
g DNS records keeps client logic for DNS
self-contained and allows a DNS resolver operator to define which resolver names self-contained and allows a DNS resolver operator to define which resolver names
and IP addresses are related to one another.</li> and IP addresses are related to one another.</li>
<li>Using DNS records also does not rely on bootstrapping with higher-le <li pn="section-appendix.b-3.2">Using DNS records also does not rely on
vel bootstrapping with higher-level
application operations (such as <xref target="I-D.schinazi-httpbis-doh-preferenc application operations (such as those discussed in <xref target="I-D.schinazi-ht
e-hints"/>).</li> tpbis-doh-preference-hints" format="default" sectionFormat="of" derivedContent="
<li>SVCB records are extensible and allow definition of parameter keys. DoH-HINTS"/>).</li>
This makes <li pn="section-appendix.b-3.3">SVCB records are extensible and allow th
them a superior mechanism for extensibility as compared to approaches such as e definition of parameter keys, making them a superior mechanism for extensibili
ty as compared to approaches such as
overloading TXT records. The same keys can be used for discovering Designated overloading TXT records. The same keys can be used for discovering Designated
Resolvers of different transport types as well as those advertised by Resolvers of different transport types as well as those advertised by
Unencrypted DNS Resolvers or another Encrypted DNS Resolver.</li> Unencrypted DNS Resolvers or another Encrypted DNS Resolver.</li>
<li>Clients and servers that are interested in privacy of names will alr <li pn="section-appendix.b-3.4">Clients and servers that are interested
eady need in privacy of names will already need
to support SVCB records in order to use Encrypted TLS Client Hello to support SVCB records in order to use the TLS Encrypted ClientHello
<xref target="I-D.ietf-tls-esni"/>. Without encrypting names in TLS, the value o <xref target="I-D.ietf-tls-esni" format="default" sectionFormat="of" derivedCont
f encrypting ent="ECH"/>. Without encrypting names in TLS, the value of encrypting
DNS is reduced, so pairing the solutions provides the largest benefit.</li> DNS is reduced, so pairing the solutions provides the greatest benefit.</li>
</ul> </ul>
</section> </section>
<section anchor="authors-addresses" numbered="false" removeInRFC="false" toc
="include" pn="section-appendix.c">
<name slugifiedName="name-authors-addresses">Authors' Addresses</name>
<author initials="T." surname="Pauly" fullname="Tommy Pauly">
<organization showOnFrontPage="true">Apple Inc.</organization>
<address>
<postal>
<street>One Apple Park Way</street>
<city>Cupertino</city>
<region>California</region>
<code>95014</code>
<country>United States of America</country>
</postal>
<email>tpauly@apple.com</email>
</address>
</author>
<author initials="E." surname="Kinnear" fullname="Eric Kinnear">
<organization showOnFrontPage="true">Apple Inc.</organization>
<address>
<postal>
<street>One Apple Park Way</street>
<city>Cupertino</city>
<region>California</region>
<code>95014</code>
<country>United States of America</country>
</postal>
<email>ekinnear@apple.com</email>
</address>
</author>
<author initials="C. A." surname="Wood" fullname="Christopher A. Wood">
<organization showOnFrontPage="true">Cloudflare</organization>
<address>
<postal>
<street>101 Townsend St</street>
<city>San Francisco</city>
<region>California</region>
<code>94107</code>
<country>United States of America</country>
</postal>
<email>caw@heapingbits.net</email>
</address>
</author>
<author initials="P." surname="McManus" fullname="Patrick McManus">
<organization showOnFrontPage="true">Fastly</organization>
<address>
<email>mcmanus@ducksong.com</email>
</address>
</author>
<author initials="T." surname="Jensen" fullname="Tommy Jensen">
<organization showOnFrontPage="true">Microsoft</organization>
<address>
<email>tojens@microsoft.com</email>
</address>
</author>
</section>
</back> </back>
<!-- ##markdown-source:
H4sIAAAAAAAAA81d63PbSHL/Pn8FIn9YqYrkWX6t7asrr872xkpsWSfJt7mk
UtkhMBRxAgEuBpDMc/n+9vRrXiBI27e51KaSrEwC8+jp56+7h9PpVHVlV5nn
2cGr0ubNrWk3WbPIXhlbXte6M0V2YWxTwef2QOn5vDW3z7NXry5U0eS1XsGL
RasX3bQ03WKqi2JaFO30+L4q4N3nKof/f920m+eZ7QqlynX7POva3nYP7t9/
dv+B0q3Rz7PTujNtbTp117Q3123Tr59nJ69eKWU7XRf/o6umhnk2xqp1+Tz7
r67JJ5lt2q41Cwt/bVb4x38rpftu2bTPVZZN4f+yrKzt8+xqlp3rvtrQJ7zi
q2a12kSfNu01TLheVwaWks/oMwujm+559r428tW5bm+ynzS/kpcdbOplvzZt
V9bNJHupq3LRtHWps2eP7x8/4qeavu5w9x/qEkl52QE9LNL3ZGXaMtf0lFnp
sgK6rHFBP2icbJY3q3Qbr2fZv5d1bXQbbeQ1jJF8/NvYibnhJe3ay8tZdjLL
fmqaItrLy2Vb2q5ZL02bfEtbelk1fbGogF2SLR3fP4bDvKutqXFJ0X4udZ39
2Oo6R6b+9h3k+u6HpdHrsr6el52dIXMmWzifZe/yd7rubbSFc93BQDfJN7T8
H7XthNdkglW+wkd+KPr8xjb19TaRgG//zeDOthg3+phGf1fmbWObRZdwU/NX
eOyHlfuOJlDT6TTTcyCfzjulrpalzUCO+5Wpu6wwi7IGinxRD2SHIP9Hk0yr
lcmXui7tKgOGyV6dXWZ5VcJYFqbPemvoo9bkTVvQR4UMnWn4lEf7zmamztvN
GqZQNEJTL8rrvtVd2dTAKHX4XobjF/1g8HlZZx3uBWhawzfwF2gE08JXCmbV
FuY7GNnJwSwjEoRt5MA2c4NLL3C9Kxg/W7TNKuvrdJXwZbqsu6Wps6auNrAS
EL7zDHQhLJUYLOwWl3ZTA8duzVxaVdAKeWZYRFWuiFHhX7m2cDAwRWvilST0
gE2CEMDkJZDG71VFX8PLDUg5kWDO67TAVrARMAFw2i3Qnh8AtudPS2Nn2WlH
dNGVbRxxVHyYtl+vQRsTD6RrW7cNKOumskwenBEZmWiy81w9iZhdV2VRVEap
e2gm2gYEBhlDqZ9wxJjl7kq7dHy3axm2z5fID/DpFNc+vXp7CezcXB2pT5/+
5eLHl98/ffz08+dJeOBPH05f4hN/Osr4iWcPHt/HJ5jh+aE3V1fnNM4b99TT
R08fwVMKtrwh6rXml76EEwC2KHEDugKuBYqtiM+BrpuGj2/AO/gJ7sGaFmaa
KLcD/DySoWVjOyQtSGWFxhQOORrIgJmsm3pK9lS3RYbnZXEP6sPFadaZ1bpC
bTjL3jR3BucBVlitYF2JNAZ2tczqQNjbsjCDxahoB0XfIjMNhPoSNxENVtZ5
1cM4oGbRBeBxLTyK7/rTU1V5A8R48/IciPwCiPzg+OGDz5/lH08fHT+Gf6AQ
nJ7fPskumr5DU1LcomGzhnTc4cXJEQgBrsK6947vP8GTApremapC2qJqhvNJ
F71LXcKK462gEERK0AvJqEh2S9158QEiJpwbuLa3SIfABdkl/KfMjfpjWRf4
1eHln1/+cQIbOp2+mpEnVtS2WU/tbT6fLrtubT9/PnKK+LlSx2Bfvb4C5hyo
qxpsZCpBF0PhnNCZ80bVLz0YUINa1q5NXgLpUAaLBixRzQJ/ePnh1ZmTjSff
PzmGk4qpg3PgHpQzFtraBkbC+e/KbgkrNShxqwZE6PXo0lgkBgtXfuFLONdw
BnRMuEjSS7ECwyFlCOR4UMsoucbiS4efPs2bpkPzuUbXAIgKbPFAiInTOzEU
Mo6vdJSImUyDZqADC25RRaNfg+erMyTxhhaoPbHkQMWUDEyXI60K+mC3UqTt
s1XQvDSnb5DoMJoIul9bmRg12jEswYutG8rJMxDOT85E+2ODh7oQpgdyto3O
l8hDVdXcxRJEUtiuWFZ0bPVfj590mRy0GLqmLa9LULpOackq3RZmsX9wAPpI
kT8Bc3fmYwfyrWuR1ljVfY1NVWM29fdsKz9q0LtmMjKmznMQxnIOznpT+1Ej
xcoHQw5BiYKXo5JblBhv8Tpx6SB+dmhSFvyecgTxtML1eXKAub2XXaIw05go
CXBYF2zDUP1ZVIcmuwHrdkcCe/Duw+XVwYT/m529p78vXoP5vHj9Cv++fHPy
9q3/g59Q8I/3H97K9/hXePPl+3fvXp+94pfh02zw0buTv8B/QN2rg/fnV6fv
z07eHnhH0GtpJCa7UyUGmevW4EmxLsjbcs7O4x/BpECgw+rpwfHxM7IqZMeP
vwc7TmqCJmOVSf9k2w6sC5EODgLMBUK4LjtwlCY4hV2iIOEZIT2zK9OuIMCq
muvNTlsCJF00KAF4GrDeFWpr8Lafq+df9stn8OeCFGFDI0VWiSco1JA+sLCR
kXC2E88ME5AYY/uVnrOxGFdqk4HQ6bpB9vSjKKdxYQkQUWVIGnA6ciPqy7Mh
Oh2syuAtYD9nAdBTi7jcwtLHV8KrT1xKNqC63gx0ICjy2qLuk0WIHwKC30Pw
AJYtIqF3HZs34B42V8wO4BjSWTvXYdF3fRuTHpa5y5juXmhYGO0dPJnIJk2y
JQbKGLKCOlNXwLtA2g+vzsmryx4/JG4jI8FuQubchAs2rkqlcQM5985NSizt
aPSH6kWtNLLhIvL+yY6HjeL+a1NxVIJSiAqpBd5OFaViRTkTf147a+jUvB1d
wwRYKKtA7mqbeNFyRopG91YtWDpcC7m+/rzDu85+FawShHbvGrB6QzqSu+X9
Ke82XJLJtOSCw5ldL7OTqtQWh4jttVVbphq+6GKbR4GSMbiUaB3xIBnYFNRX
exw+3COqE9wgaXdvbmUdE+F30jVgEjCc6esSXI1srVs4nA7p7/j+oGiWa90t
UenCcYpGwbOMl4EIIC0C1gNLYCsRVBraqtoZPnGS4l2JVmYhAElzDm+w+gom
JGcIn0HK//w/MNVMhkSg5mdQmX//+9/V8PNZln3/4P79LDs94zmPs+TbQ4JP
4PDW9R+WDzLZ7h9+B8NMacZPL3BT2RGN/us2dvVP3ljRdPETyd7gOxKCPzx9
/PD+/8lu/vRP380ve3bzy/ZuThfZqq+6Elc/qsPIx7oFVxaMGjhgrHYjzad2
+MqprwZ0WFfNhkw4yjSqB/LANJpMUI4wiuHBSSWt2xLUNriFYNWqAtVPZsDr
TUi7N4ab0daioAEmQFiTtoRha6HBMGyC+JJfkp4daM6iARMH9ln1dQGvIihA
GtW5bmSnyYuUd1LoboSiE5oox4c17FmRxf706dIQWJM9RR76kqpSsiekpO3K
iqNI50Wwqi2DM4ynsIYw3mAwEpEEXw/7UuiVseIr2zEKOVNAcYe33+H4wxGj
Zla2RMbStWl6C+6QM37BxJhbMGMUHl2X+KesqiSCZ/qOIoYFOYtgJKxR/tVZ
9mMcFMiudkbi4Mn2Lfn3rUntywQ5mfwt8lWQrfkfV86FNRJJbkw37Zqp+QgO
hd/DJFjhu2WZL9nllZ1ahVqZPZ8r9HD7qkBbhnLkwDfalz8yGKPCE1sYGAX4
pmnF3qAn2hYuiAUV1IBINmXB4WTVNDf9Gsivi6rJbybBPCJfErY8JthoNRmc
tXCOSoJGK5FM5LvG4SKeDBljokrNmqs0MheemBhjYACR/QTLTHQCOLemWri4
2bRogJPwrDW3jcRUEPHmN+RAqHiMyVaAEkTp+D7OGCDG2dfQQZx+oSWpd6Q0
Hdo3TDUMWxbwBwLT8KxTDwRUDT3k8WhFvSfRDqLjQWZmIue7fK2r4aFLlL56
w46LG93rPNjiLR2gbVY8A24yOh91qysgDXvatbnLwr/jiOoOFZSj8jz4Q/Av
ERU/EJAkjm60D8eY3C7MIQLfi8K8D5addmEsCOJPHJybfbqXIlHefw6IeMYA
BkGYLojaB+3F4ELZKYnHGXhKOBylJNY3nOKw4iTzPJkF3mbpOIDzOaBAHWY/
oRQtQSPwjccbdLvWB0DGBUYdK31D5pjYQ0Qx1dIR9oj0hilzgf7xxTQsJJlG
IxAPR0yybhhimQWkAwIqiusDCW1PwGbA39iRSVY++5l3jS8KYWzTt7nx9nOz
NurwyaOjL5r3CzFqPgyg8cLs+NGQbIitehneIWtXkSpAkSoX5J50Y4+nwLdH
FmEnGKdAyAnCjlzdl3aJYAoGeAO49oQ+PYH/SaKkVMklIZaQLdk8qAGniQeu
CRBhdoA6dkgLkLneeIV6pdtr052BmoYzLlfg7rVwwN6U+EGdmj7BIWnVbl4c
aTDH/19Qk8yb+Msp+415zMudHvNvJ7b5Nfv7bcY3v2ZH3x7jsDjlfWvB1Qz6
2XnuBj61bPpZgWAOZBze8eg5Qytk3NjBZF2Loo+ySVhBrPsl9xG+VV50XS4o
EqWhuE52bMEZH5cXxKf2qJTYDxvRZ0qihpOQej2p7R2BG+zqiHWhbVst3l1k
SQkgcy+rFkIu0OltuUY9BWSC7ck7g8RtBIm6rf0e5jSRk/VYfSE0GkVobSYU
mie5ArZ/Q8Rfg+Jz3ixWXKUJH46MIgW+y0HASoC9yUGFYjVcDGUXbx/FrkWG
2FgXpZXwIXeq4oOr+KU9ZwvkDHodbHpJbs/IKhQlhfevIuYuWUcWvybrGDsQ
BtvGjOm7k7/4MJGkbnguGKTUe2O9STbvO1xyyJGEnKW5w9lJGyCiaRU6uQWI
+SBkoihuicwN5r1G7rslNwzXiEohWdYmW5VIHQQJouiO6brrLGb/sFKqm3GY
V4U9izY6e//q5OqEDscHac2oV/Q3IkGUu9S4cQuuC0t0gbtBHwfkAWeuKNkY
UyxCSphwevTkKVf2wZpdaZlvg7a53Gi/n65iNkbvLF82GHL7+NvsCo9NSV6w
7rsGYW9xeIGYc43xL0LoGBaxr7xuqjIHsVqaHkvzypySjjBDixOC57a3JmLt
SrAgagKfnwvAkokHUXywQWA3p9mfXfYnBESHcbB0NCEuuGPaDrJDSBUVQewS
ig0rVTLgC8k/TLP3JFB9TVtNZ23ir4ZTR8MFrUu6EAG/W5wVHobAG1hMvgXC
nTh2QP0QjItQJclzj2kVSQspOVAP7QutJ+FAS3Qp8HTIm596KIRP159oWa/7
bgYMzgl+GJDjZ36KUCvQQfhx3qzF2saJxOzlwKlW22c9Ch36DBdxnqVU0iIK
utOSJ662YX6Koug06UvY1jATN0MZVW6yKKhn2AGrDvCPrtP5jWmjvAzE2Ask
GLJvlP0MBQesLGzW162ptJTsxUUHexS7prK/GH2xqDuBJcn0By5xoUprpsIg
EaQQMcuoCwAERUhwd1WP5GLZFd6I/O96HKxNDVpUF0mojFiIZYdobaRQovBC
BEqYTUeEJO9y18Taf3kR8sgdg54RQQjgVxDVTb39QYXviRhpBo+QRKDCd3iW
JWoiODusLZkb0P9l04qfyJG0DUl/67BCXwkF480NnoRF2iDrIOTcbdR2aYpf
YlSjwu/iGsm87LUvYMfaxlpfbIP8fg1uBRpjvQcL8kD6VyBCwD7KZ1QCeCBT
YspzVLSJJmjg58YkXIr1JMCQbsmRXzNHgvSiu4gXY25wE3qlwczmMpjb/EZ1
NphjkTcnYOwxKeM3H+0Rc9qOMzDuD/vk8M+6WpxtArATMGKyPt3zFkupke/J
TIQqYAacGeTy+pPzIItx9yOpIbTD8jX6UtANK2YSpirsUt+g+UYZagtWdwTx
gINU0AnpUH4xmu8heCU1ugrrRIAqgbXH1uv1xFrbYcWL4OErDe6aDMH8yzWL
V0HbkCjTCuWxJdYapkguSPGaRY9aToCbwG1p1W7A+4nDux8/eHqfs1Klj7Qc
8ARWR4MkKLsBHbgiW7NeV65KKp4JxKKvK5IeZN47rK4IQsiVgzu3JBo08Wl2
lHRJVBIXcu3T9JioPBckGSvSWi9jtp//FUhxUhFkpsxHcJWth6xHSfZo9mB2
PBsSzgUCuGE+UjzspNxxSNW97o5yiRlWtbACzkwhVEEZKHLPA5VZue+LqJSl
voDO+akD0BhdO0wmBIx4e0sLcJSSLXnzsu35pFsclePSeVSRXb/TUmgdkee2
1KAJxlFojqgOyxR9cCP5Gp9CXJtq46TMKeLtgy7qdkqlc5oOHCvfiVUYEPO5
WudsH80imAVj8u0jR11FvIcHuuhbPDUVg0SjRs75NUChncztahsrU19LeWmJ
lamSlvdqKQKwwNRf4TPACG8xXj28unp7hDsntUjdI5STNB8JUbg1aW6QEKMK
XCEcQPZCjIEH5V1MxN8jNgGHn/IKlF1yw8mZDZZ29RYthJ8cDqxqsACJzqmj
gkLelozN7voR9a6Udbkq/8a8N6AIBEd0pquy42jYeb14nnA4t/ihWJ2E1iHE
H2NhaUDZfUBgdlrDqEqIYT0aD3QJgWwSciVyNDYzrtj79ly6GytOFNixOE5w
k0SbSj6YlgoebvIKRzFSKYAqSegmfq8EDBEwQbUILirYDh3GEr2J//9SoBp0
acmSjaZrcBYJGp1jEm0I4SU1ajL2xCUu5hK2dO5Us5AEuAsyiF9d6m/DZS1R
i4vvP5llr7EaQkJmv06VEt4n4Rl0dnsf9TacGvbk88WtAupKEQla55A78yHZ
XmKoJNIg324XOvDpXspUlGpAJkectex6iUe4d2vEARxKmEo7bihQGrZ8CYuG
/GVavLqrB4L8VwdJxM1BUut8/OyYep8+cA3gW0IsQsr58MPbE+v6pB4dP3uI
z6LIvy3rm62n+bGHzx5872upHz14dozv3FHdi4NekH1xN3NfJCIV/z6YHVb+
cnlPtmoslbkzsxGmUg+O6Rw3m2/gv80Cq1DKABpIRczQmzl2ngw3ginqHVxh
8aV3Opy+Kho6hQRaGq0ICW5xyYIYbUbObv+yPcTNriapFoVpqbgjjcuHSADW
/N5k387AqEDIX0pbg3KbYtgXE0QO/x3Hzn6fLV25hat4ckOwDldR9QshO7Ho
xugLSTFJ+EaKKpgZHObspleOvjYhKGsh77hSqwtYSnRguczOHUc8P0Z3ThCQ
gxmci0ViiNBx5XqoFiaUdmCwOcO17ZgdULTKHSX7Dxq4jey73uHjRyYksase
pmbFGlb3DVrOA3iJZ449qsj95IXi/tqBRxYgTrVNRRdth5d89RbH80EFkWMg
R+47dNSW6IseL9vkqPZUzZwRx3y6F/qP8GSj3J6E3C04cRvqfbKJJO/u4nJm
Fy9DSDv9GELVc3RGECAK+bYdZaWiBby9oApx3ZZc3OhBHI+kRFCOYP6u3HBX
cwYcD420t8MyO/RNDm+4q2BnJyUYAsmroIIkYknCbAe18BKHaztsFo2LjjzO
O9+4jsfYSp7JyoM1O3x1doEVNS+SkjAIWMh1Ym1I8ZomVowiEYugOLfX2bih
juOnAKFyKxzuTg2UupwYvyAFMuTUe/AX3yp2UYOLBBUXCQbENYz+oaZmV1qz
Zkc8KfjalSYKqPRIs+JECOLy51EO2dVCO4267ucQSZCGEBeQ0LKopxPCk1Au
49s22+2xFI+VSds8Q+2hIydkCOMi40H30Hd2NFEUdV4SC+JBkKaa+5MiG+GU
FJmPtQZXlqDrL5BCDpI2rvuipGpuUc3b1QjCcsP6XVdBkCgYUQ1RsYz62Z+9
qwLJm9XPPsPHAaMrU/H1YEMcIH43ISivRvxSpm3KN1GTjCMAQewpQJe0LNJS
tFRS+Np3cifGdxNgyjm2f0aVxBOJHQX1CkVSyo2LcroEn4T8KSmj94nzQMfZ
WMlNtIaRypvxx76+Yurr53rwFXNh9ZJU+CQZtcgL050vVN6hXrbyQVqxKvPC
xncFjIVVQ+81Rh1VUIiEJA4Qw8wjhp51XI0VcPytmbAPFHXTEh84dN1V03KR
Qmz1paMV+cHL+jiLzbL3i85IxHgLJrTp7Zj9VYPrKdDxnBtXKA5PkjHyDEnH
F6oJM/ACqVs5pQmF87DBru29Ik0IEN2vYHw4jGNEQ2OM4sP4w8WISolKCJca
kfrobQjQf46L/5AmR7HtsxIWMyayFRanbKLcSQ+jFqXOGseLdKaeXSLXXsLU
QVI06XckZeHb7gZKBX1w602BpwLnxpyG3t+XIn0OtKsd7aKCOyz6yqETkbfF
KjoNyUntLppmh9alUh0KtYO3xbyOtfeWBpSU8o62F7rNyJUcJ/5BVNfkSXgo
JQAE86EH7rNqUWKRUtvh5cBBR+NWgtJS0ZUVEctRsePO7bMzHtqiXkpGiWEQ
FdyTpK8mvgYD3Gl2I4rbMuRoaZDUGKl1U8LbDM+81PkS2QJM8J1G6NY6N3/h
PomzjPLhvtrE7FB0LOg4dnvA5+3XePWUXon7J1CpDUxDbhmXOUn1WxwgBswY
MWKM4vHKMsRBSPXOTa6j3gdedlJW4mRKRNItJ758ZUQKEEkeaPnLkzMOj2fZ
kEyMcjiHRee4PfhfBccLp9whQsPtybrlJhD3YgrgOhJ3SR23vweIL0UAUTIf
Qec6JpA6DolmCbqbuKKlmDrubR+wiZ52BPF3rPBgS1fTuYuq3JM+IBI848lE
rrqbxc/u1h617iZoSYAwKW3DLSfDuhSl3st4SJ5mhIT7uNSzgPRiAd2k7Uk4
0tUuEOtQTuu613B+nZHafcH5Ue7o0o6UdFgBiHcB9bVrbWzDLRDD227c8cQ8
TyfOXiwjO8ollkVyI658p2t9TSNHmgJU99ZdOSNAatKQU2FDGx2F4jI0FMYE
8mQJKtvtewXkZi69QYCVMssVpk+kGSBAGdLoUqHxzep+Nec6rPH55EYNVqFk
qd8A7StUY2pYOUVkHJ6zxB2ihMkui1yILoB9qHj8U3ackfcOL89OjzAg5HuS
Hj3B24B8SyBdYcDNghHDWioLlLHxkii82kZeeuMvq3F9+4L0UauTPxF2PUdC
fWPTHgzlxfqr0PkBsGDdEtWuJQZfheGohBGova/p0qJoSfJHtM2AhpNdVzcN
95xMMOgUUyl4I1gmTUPX4EB0g6IwVNgkRnWDy+CrCug1lZ4iR1NvmNkcg9HN
XyjdsRpJuGt4IcSWPZ5vogp/XHU81DbgqYiTUS116UR8FR95KQS/tBifY6Eu
MpC7Herh/YcI4Jxi2I5J55wClTRuCGv15cG0vHhtUstGvVeNuEjOHo+vm0Va
SoyRlulQCofyoVd8vRUnJHaOxedxGrLo8iX7adPRfPene8PMO5xSjIeJlzcd
6TFgaGyy1S1J0NiRJDBV5J6GGvi4ZoCUmRvRVQwAEVu622LrHjb1rfew8fOP
ntJtYHIpmyA6GH250N/V8zmeD7qDXGZXTbDPSHLooYZ5NFGmW/UBji58NZlA
oRcnduIz3EDeZHnChZ2+oWXmpiCwSMoc0YxsheSDNSoXirne9qgqJNzyBKqj
KvPO4eqwDKnsC2VbdH0BxFwlRUjchygtayOskl6BUtOIIfUjsT9V01JggrW5
6vI2P8f2eRvaop3hkJz3+M2OBAowyEugZnKHnE9i19tQrB7iFttZ8+h6sYk7
7si3xspnFtgp30d38ursiGKVS0m3DyIVkD+fiFfqkqgds510MgTo2OFgYwlb
7MGfInykQsFAXGkBNMHQDEPQYEnQCoE1WPuOK6+MWjfZRDE/9j4S8WukOIQb
Y0Vlb12LOfOOR9TGT/cTuO6HwAjwlcs2S8DoGkDhq+7OmHpoGiU7yn0ToC53
1YswP2B0imk7qaigflW6/5RYpFyt4WvUR4E8jhqMBhClEN9hl2gFnl9e8hUN
4LOB71pjnYsvSkpPckoBN3uDCaXBKJVNweUnwCzRfRazB5RN3dGL7pmTrkQ0
mKMGetzV160u3BYVVwTEJeeURqAG/Twt+yAcaURzccoXDPTE52+dn+HDkHFY
xMlVFKCI0IhOlFZsKmekjknUOU1c8EIhhl+xZFqidWMHxj/ElTtwGncbA6UP
hg7XF8WQPJzQ7+usnQPauPPNh0rcPAHzYrBLff+dBmpql8CP4ptQKoNf4EWw
GUo6Sam/eZEcKQ4RJhxfUx9edMsS7y1mBhLJFbDfYrN9M4hW7OL6CgOfiluU
OCtXnnNVDhoWdLHQicel8aV5mtxCfhr3Gj3sELf4heHCrKngoJVcEOIqI2WU
UMsDSoy34DJq/hapsHkqjrNOLny7OQh/ee2sMm+Qd4UvdkkKUQVnG5bv7uDk
4ATT6t9W/EToHYLIyU2RDScjyCjE97v5DI27Hjl+iZ9GjeOYBGEAvl42LfTB
Cvo/n59RIJZAh+QpIlDt5Iryghcn03+FKL4Qn+vJ8f3HWAFyEp0TK++OIUSp
TEslK2pskUtL5huFGIs7LJchR82ANT7bV3CO6xaDzuVoLZovTNjd1nHJDsJY
FTBviU0Ka7g4ROIuyXl6IWfS0iN9Oh13bXeNauak7rghGtmUe6E8WOULCjkV
XJni2idIhDiNb0oItZHD27/HqMTk8RTRHQcZO3t0gtEiVAw3MAKCpB1yHFyn
maNvlwV31uwcqx21NrtbdLfRRym71F101wohovYfq6ceyw3PAq7CDP0N7X08
88gV7GK09+MR9bhYeAxy0HYyESUaZaC3+wbD48Fr49fEz2JU/Js2iQstuZFL
iZpwXrxj/EXZYo0dporcPQdp41nbS7mAcw7b0t5gjMBuGYWvuVmPCCNqaUHI
d+RlqP8n5VW1ry82nE2YRFtXjQ27u8ZQRq6hdE0TO/UQR0wYWYGaxDyDa/5x
cOlY0B7Sh+zcoaQqG10u47y50NsTPJnt61q3OhsnDpynEE/aa/kXDkaUAR7w
Dobw1V7KFbdFfb9RO1LjGlIcUDy67aizIRiPrVuqfepTKOg9f+8mhYmpSYiu
ksCIGshPved41V10wJnNTY0pXis1V0J3iutOT85OtmO6Utf6c7jcGFszcVMM
5ZAeG4blgw5nPMVw8YSrdB67zMjd38PzTLH5NJrHuivRW3MNZwOnZWwHETtf
qcM3Xfmr0tGy4HYoz+ouI0eSFAVH2/g+DHxw5a6NnZ7WhVlDWINrfst425TQ
YfaE/xPcE3sQJscNfZdsYPZd6BLkcIY7yg6SGx+i3QkVDyYEvvtmjXATs/vN
ArkXkUGxmPQwKqyQFcswb3gaXy+YDa4XfEyXUztqsQ1xgYAcQ8gaEv0iTEly
z5SlxgiUvZ2wcGw9O8pO4Nllv2KQAhvpKfPDx4AMfl1Lq4V1Rara+htQnPDA
16vQVVhtXiAgckc5Qb15gTi1JB/cherkQ6fWD1iDAsCun0foHOjhmq+w9LcM
GPbE6bcllhpvpFvw2iduPa3HplF94rUknZ/cwX3Ypca7v2tLilTQTYka3vC3
ZQg0iCmy0ly7BgG1+159FZUYM0Y6ZV+kk6BiNQeRVCUnMTUj3kCleKGHqR8D
u/7YeWY4kj4yFz774ldcJdDg4RYNag/T9TT8yfkp3y9clfNWk/s4ThHlKfbr
KAIKtJlgFTYQ5C+YtopvfnM9/43cdRovJdkb5xXim4xUcqMBJiTQcaOMGfkK
DAuPXMDDMcQswiesGs49AtMvXNU6L0d0TtnyDeF+ehVN7x0SnJtKcfAflEfA
AhzXFIgj1whuVjFYj2HhIz5OkBFT4QR0ormUEMTAvitN2nGU6d0K9ledqNo+
0Zd7VhTSvaNp4kBRLDKgFjYX2Q18bupkL3pSfHEzNJhhpCxQ6/EYtbRc5MdK
8zdBM1QLmK3yTZQm/M4HZbCGl9JQrtc0rXE3oZA7Em/MwWEMeoTMfPjNFq+t
6e6hOy2Z8HCfevTjIrtuFWa0itoxpvR7E4QZz3spTnduThSMYd+mv/zgxqUp
T19f/Yjvvj+nj/Gw6df04AyfHIGpdRfvtEZSb9vmmy2xR23XDeGm+GNFgsHW
KsqcuEII+0Ia6TZZiCTCtQplO2CXMAQ12CTfee71q2TMn0wV1aCAE9fFrBbb
GAxN8SBQD9TE6S9gZ9nYmr2yx9BeSnIFhiuim5FBQ4K6fS1NLl7bDaamYon6
u84D8cSrGNyrqHN1sCXG2o2vyAXrFq4ewgIElG7Xl+vEaYKl6BwGODd7sLMh
nv9CnFjnVaT5V3YHkkpsHt0X6wYm54EVOwxRgQ8bkNk4mUezC5EFUbH25zJM
hx1GpSWCz+BkQCbmtSjpxLolCLZS3x9hxOFmZ6+VvF1Qkb+TPzU6iJKm5moB
NlL4pRmwoYp03IvskoelGMa/S9fA1hCE7f6e4Gs8RJRu/rm4JvxuEjjpUY6O
++NeiPMvG1k2VSGONG/B1SRG/kp2Bv4PvTS2LTU8T1gUcZ5fvnMyRwkmP8s2
xxwGxFkXmtMqRlQt5xV2RFccVI/eX0rtL9Tmhms9KNe3j5A88khZB/TKOSuu
cNKXxCGSbaUrDBU5RQABckzVzAEPTL0dYrH4NgZOFTk8y63NNy4kv0wUyqKc
37L7jp0VsgKBt8PNRQ3FPDreyc0/ezdvPkbVV1RY/aO7vVF+nGginjtwhD8K
8PhLEOptKroc/VO5pmH8/JLLfT/d8+N+FkUS4nS6/hkf/x3/BB6ebHTxrc32
/0SFGlBRAGZuZRJ58wJh5Q6dMu+RS0Ywv7FytPRqo93o0aFnXQzLVZQG2QFP
yQsldYJ6zXA0ixuAXQG63KcGzmxjteAH4LPEhReO+Rd9nTO56VqyMJZFpavx
Wk5tmzqulwzHgXhXjuUGSdkp36fmsB/+HarxX5AMyTR3fjfGrF19IxiO6zJ3
P3ei0NufSoWAlBK6m2vSIm9vlzARQciWWJgkq28Vl4wMSrOi6nHy7/lQUAlJ
p1+8WsrB+PLRVrJ3aeMUSSp3kkwrdGlVHCXKb3UhgX0znHSYWXTG9d9KYt55
aadFs5yG33mYLhEl5F83m6YixFEQtUbQjeuOUkwNjyCFX224MZtQh3hDV0SC
N4HtFpSSjiE6bhDgsUvkGVwxuknaYYPht9Xcz+MgG1SNpnza1X9chbtcrxw8
jQtIflEOp0nueB/pxuIEvcv6hJ8wwrIpG/9IElfERNeRzDc79abUO+wTRSK4
Q8WppkAiEH99f2ob1tJ1K1G8oCCu4Bm9QhW5+MlJltF9SahdwoIwxcFryN7A
NhsV9yV2lZ2Ce1hiju6nwQ86YYEerQLGhkFc5wpeYx3uBkBzJ53/cKx9jm6b
xSuUSv9rCg6JsCEbTC0BWJ5qMS9WA7N1M/W/3jHnMvN7AAA=
</rfc> </rfc>
 End of changes. 217 change blocks. 
1210 lines changed or deleted 1212 lines changed or added

This html diff was produced by rfcdiff 1.48.