<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.29 (Ruby 3.4.8) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-hardaker-dnsop-nothing-new-00" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="Nothing-new in the DNS">Support for nothing-new notifications in the DNS</title>
    <seriesInfo name="Internet-Draft" value="draft-hardaker-dnsop-nothing-new-00"/>
    <author fullname="Wes Hardaker">
      <organization>Google, Inc.</organization>
      <address>
        <email>ietf@hardakers.net</email>
      </address>
    </author>
    <date year="2026" month="July" day="02"/>
    <area>Operations and Management</area>
    <workgroup>Domain Name System Operations</workgroup>
    <keyword>DNS</keyword>
    <keyword>DNSSEC</keyword>
    <abstract>
      <?line 36?>

<t>The DNS protocol has increasingly needed to carry larger records than
it was originally designed to carry.  This has resulted in performance
impacts due to both the size increases and requiring TCP instead of
only UDP.  Of particular note is the expected large increase in
records relating to post-quantum signing algorithms.  To help
mitigate, but not entirely prevent, these impacts, this document
proposes a new "nothing new" NN flag, a LARGE Redirection Resource
record type, and how these can integrate with current and future
DNSSEC DNSKEY and RRSIG records.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-hardaker-dnsop-nothing-new/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Domain Name System Operations Working Group mailing list (<eref target="mailto:dnsop@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/dnsop/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/dnsop/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/https://github.com/hardaker/draft-hardaker-dnsop-nothing-new"/>.</t>
    </note>
  </front>
  <middle>
    <?line 48?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>(Ed: this is very much a work in progress and is not a fully specified
specification at this point, and as such is not implementable.  It is
designed to promote thought and discussion about how to handle large
requests within the DNS using new mechanisms.)</t>
      <section anchor="background">
        <name>Background</name>
        <t>The DNS protocol has increasingly needed to carry larger records than
it was originally designed to carry.  This has resulted in performance
impacts due to both the size increases and requiring TCP instead of
only UDP.  Of particular note is the expected large increase in
records relating to Post-Quantum-Computing (PQC) signing algorithms.
Note that while this draft concentrates on PQC algorithms, the
techniques proposed should help mitigate other large packet size
issues with any types of DNS data.</t>
        <t>With the increase in size requirements being transmitted over DNS, we
have but a few options to address the need for large RRsets and/or
mitigate the burden on authoritative servers. These are at least some
of the options available:</t>
        <ol spacing="normal" type="1"><li>
            <t>Encourage the switch to TCP for requests which are known to
generate large responses. Especially those performing DNSSEC (DO
bit) queries.</t>
          </li>
          <li>
            <t>Investigate and deploy DNSSEC signing algorithms and deploy that
minimize the packet size impacts. We have already done this
recently, to some extent, with the shift to elliptic curve based
algorithms in DNSSEC  </t>
            <t>
But PQC algorithms will be significantly larger, even if we
standardize on an algorithms with the smallest key and signature
sizes.</t>
          </li>
          <li>
            <t>Reduce the need for sending large responses in the first place. The
most obvious solution to this is to increase TTL values.  However,
that is not always possible.</t>
          </li>
        </ol>
        <t>This draft explores an additional mechanism to solve #3 by further
reducing the quantity of large packets needed to be sent. It does this
by indicating that no changes have been made to DNS records, which
would otherwise be large and a burden to transmit frequently.</t>
      </section>
      <section anchor="technique-overview">
        <name>Technique Overview</name>
        <t>This document proposes a new "nothing new" NN flag, a LARGE
Redirection Resource record type, and describes how these can
integrate with current and future DNSSEC DNSKEY and RRSIG records.</t>
        <t>This document proposes two technical mechanisms for signaling that
resource records have not changed since a previously obtained set, and
thus do not need to be re-fetched.  This potentially saves significant
resources on both the client and server.  These optimizations include:</t>
        <ul spacing="normal">
          <li>
            <t>A new Nothing New (NN) DNS bit, to be used in conjunction with the
Truncated Response (TC) bit that indicates the requested records
have not been changed recently, and thus cached data is sufficient
fro use.  See <xref target="NN"/> for details.</t>
          </li>
          <li>
            <t>A LARGE resource record (<xref target="LARGE"/>) that serves as a hint about what
version of a record is current and whether or not a client needs to
refetch its contents.</t>
          </li>
        </ul>
        <t>The trustability of these unsigned signals is discussed in
<xref target="security"/>.</t>
        <t>The simple goal of these new features is to reduce the necessary
number of large responses from authoritative servers when
communicating with conforming resolver clients.  Effectively, these
mechanisms allow for signaling both:</t>
        <ol spacing="normal" type="1"><li>
            <t>If a recursive resolver has data in its cache, it may keep using it
(assuming the cached DNSSEC signatures are still valid if it is
validating).</t>
          </li>
          <li>
            <t>A version number of the data requested to check against a
resolver's cache, providing a hint about whether the data in a
resolvers cache is actually old or the same.</t>
          </li>
        </ol>
      </section>
    </section>
    <section anchor="definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

</section>
    <section anchor="NN">
      <name>The Nothing New flag</name>
      <t>This document defines a Nothing New (NN) flag within the EDNS0 option
header.  This flag <bcp14>SHOULD</bcp14> be set by recursive resolvers that support
this specification. This flag <bcp14>SHOULD</bcp14> be set by authoritative servers
that support this specification and are returning a Truncation
Response (TC) bit to indicate that nothing has changed recently in the
requested resource record.  If the authoritative server is unable to
determine that nothing new has changed with respect to that resource
record, it <bcp14>MUST NOT</bcp14> set the NN bit in its response period.</t>
      <t>In short the NN flag is a signal that can be sent along with the
Truncated Response (TC) flag to indicate both that data truncation has
occurred to comply with packet size limits <xref target="RFC6891"/> and that any
data with a still valid signature validity may be continued to use
instead of refetching the data.</t>
      <t>This flag <bcp14>SHOULD</bcp14> be accompanied with a LARGE (<xref target="LARGE"/>) Resource
Record as well.  If the DNSSEC signature on the LARGE RR can fit
within the response, it <bcp14>MUST</bcp14> be included.  If the DNSSEC signature
on the LARGE RR cannot fit within the response, the LARGE RR <bcp14>SHOULD</bcp14> be
sent without it.</t>
    </section>
    <section anchor="LARGE">
      <name>The LARGE Resource Record</name>
      <t>The LARGE RR is a hint to the resolver about the freshness of the data
at the server compared to the freshness of the data within the
resolver's cache.</t>
      <t>The RR contains the following fields:</t>
      <ul spacing="normal">
        <li>
          <t>IDENTIFIER: A 16-bit serial number field that must be unique within the
signature lifetime of the data it represents.  Resolvers can use
this information to determine if the record they have available
matches the value not sent by the upstream server.</t>
        </li>
      </ul>
      <t>The name of this record <bcp14>MUST</bcp14> match the name of the record being
requested in the query.</t>
      <section anchor="selecting-serial-numbers">
        <name>Selecting serial numbers</name>
        <t>The identifier field <bcp14>MUST</bcp14> be selected from a unique set of values that
will not duplicate during the lifetime of the DNSSEC signatures
period.  Authoritative servers which auto-generate this field can use
various forms of mechanisms, such as cryptographic hashes, incremental
serial numbers, carefully constructed timestamps, fields and values
from the data that it represents, as long as the uniqueness constraint
is properly observed.</t>
        <t>The SOA serial number of the zone <bcp14>SHOULD NOT</bcp14> be used as LARGE record
serial numbers unless it is expected that all records in a zone are
likely to change at the same time the SOA is ever changed.  EG, highly
dynamic zones will have their SOA changing so frequently that it is
pointless to use them to indicate changes relating to otherwise fairly
static records, like DNSKEYs.</t>
        <t>Note: LARGE records and their serial numbers need only be generated
and track for records which are expected to generate truncated
responses.</t>
      </section>
      <section anchor="discussion-alternative-large-formats">
        <name>Discussion: Alternative LARGE formats</name>
        <t>Could be a TXT style record with the more modern key=value syntax, at
the cost of a size increase.</t>
      </section>
      <section anchor="discussion-alternative-large-record-placement">
        <name>Discussion: Alternative LARGE record placement</name>
        <t>This could be done with an underbar label instead, with something like
a _large.example.com record instead.  (this is more difficult than it
sounds and probably won't work well in practice)</t>
      </section>
      <section anchor="discussion-signaling-to-the-parent-with-a-large-record">
        <name>Discussion: Signaling to the parent with a LARGE record</name>
        <t>Another option is to actually have the resolver send a signal to the
parent about its cache using an embedded LARGE record within an EDNS0
packet so that the parent knows whether or not something is new.</t>
        <t>Because the NN feature is only expected to be used in a truncated
response, it does not help the authoritative server know the serial
number that the client last saw. Specifically, the authoritative
server will have to return a truncated response (and a LARGE record
anyway). Thus, instead we place the burden on the resolver to figure
out whether it needs to request the entire RRset (over TCP) or
not.</t>
      </section>
    </section>
    <section anchor="DNSSEC">
      <name>Use with DNSSEC</name>
      <t>The use of these techniques within DNSSEC is especially tricky even
while other uses may be more straight forward, as RRSIG records
themselves are frequently large but are needed to validate the data.
For the average DNSSEC signed zone, it may be that only the DNSSEC
records need to be tracked with serial numbers.</t>
      <t>(TBD: I have ideas about large RRSIGs associated with small records
that I haven't written here yet -- but PQC RRSIGs are expected to be
large as well)</t>
    </section>
    <section anchor="security">
      <name>Security Considerations</name>
      <t>Obviously, using unsigned data to decide whether or not to retrieve
signed data is a security concern. Having said that, there are already
other specifications that show how to old data when the parental
server cannot be contacted (<xref target="RFC8767"/>).</t>
      <t>This document merely provides a specification for the parental agent
to deliberately say "nothing new". If there is a machine in the middle
spoofing this signal, it already has an attack vector to cause a
resolver to use stale data by simply dropping query or response so the
resolver falls back to its stale cache.  At most, with this proposal
clients will end up using old data, which is already the case, albeit
faster than waiting for a timeout.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>TBD</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC1035">
          <front>
            <title>Domain names - implementation and specification</title>
            <author fullname="P. Mockapetris" initials="P." surname="Mockapetris"/>
            <date month="November" year="1987"/>
            <abstract>
              <t>This RFC is the revised specification of the protocol and format used in the implementation of the Domain Name System. It obsoletes RFC-883. This memo documents the details of the domain name client - server communication.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="13"/>
          <seriesInfo name="RFC" value="1035"/>
          <seriesInfo name="DOI" value="10.17487/RFC1035"/>
        </reference>
        <reference anchor="RFC6891">
          <front>
            <title>Extension Mechanisms for DNS (EDNS(0))</title>
            <author fullname="J. Damas" initials="J." surname="Damas"/>
            <author fullname="M. Graff" initials="M." surname="Graff"/>
            <author fullname="P. Vixie" initials="P." surname="Vixie"/>
            <date month="April" year="2013"/>
            <abstract>
              <t>The Domain Name System's wire protocol includes a number of fixed fields whose range has been or soon will be exhausted and does not allow requestors to advertise their capabilities to responders. This document describes backward-compatible mechanisms for allowing the protocol to grow.</t>
              <t>This document updates the Extension Mechanisms for DNS (EDNS(0)) specification (and obsoletes RFC 2671) based on feedback from deployment experience in several implementations. It also obsoletes RFC 2673 ("Binary Labels in the Domain Name System") and adds considerations on the use of extended labels in the DNS.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="75"/>
          <seriesInfo name="RFC" value="6891"/>
          <seriesInfo name="DOI" value="10.17487/RFC6891"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <referencegroup anchor="BCP237" target="https://www.rfc-editor.org/info/bcp237">
          <reference anchor="RFC9364" target="https://www.rfc-editor.org/info/rfc9364">
            <front>
              <title>DNS Security Extensions (DNSSEC)</title>
              <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
              <date month="February" year="2023"/>
              <abstract>
                <t>This document describes the DNS Security Extensions (commonly called "DNSSEC") that are specified in RFCs 4033, 4034, and 4035, as well as a handful of others. One purpose is to introduce all of the RFCs in one place so that the reader can understand the many aspects of DNSSEC. This document does not update any of those RFCs. A second purpose is to state that using DNSSEC for origin authentication of DNS data is the best current practice. A third purpose is to provide a single reference for other documents that want to refer to DNSSEC.</t>
              </abstract>
            </front>
            <seriesInfo name="BCP" value="237"/>
            <seriesInfo name="RFC" value="9364"/>
            <seriesInfo name="DOI" value="10.17487/RFC9364"/>
          </reference>
        </referencegroup>
        <reference anchor="RFC8767">
          <front>
            <title>Serving Stale Data to Improve DNS Resiliency</title>
            <author fullname="D. Lawrence" initials="D." surname="Lawrence"/>
            <author fullname="W. Kumari" initials="W." surname="Kumari"/>
            <author fullname="P. Sood" initials="P." surname="Sood"/>
            <date month="March" year="2020"/>
            <abstract>
              <t>This document defines a method (serve-stale) for recursive resolvers to use stale DNS data to avoid outages when authoritative nameservers cannot be reached to refresh expired data. One of the motivations for serve-stale is to make the DNS more resilient to DoS attacks and thereby make them less attractive as an attack vector. This document updates the definitions of TTL from RFCs 1034 and 1035 so that data can be kept in the cache beyond the TTL expiry; it also updates RFC 2181 by interpreting values with the high-order bit set as being positive, rather than 0, and suggests a cap of 7 days.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8767"/>
          <seriesInfo name="DOI" value="10.17487/RFC8767"/>
        </reference>
      </references>
    </references>
    <?line 268?>

<section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The bad-idea fairy contributed greatly to the ideas behind this document.</t>
      <t>Joe Ably had constructive advice to offer, even though he may not
actually agree with the bad ideas in this document.</t>
      <t>TBD</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+1a3XLjxnK+n6foUBdHSpHcs7Zj+7DOn1aS10rW1FqSy3Gl
UqkB0CAmGszAMwPStErvkmfJk6W6ewCCkjZ27nOzK4KYv/75+utvuFgs1MnJ
iUomWVzB7K7vOh8S1D6A86kxbrNwuKO/TW1KnYx3EYyD1CBcru9mShdFwO0K
ZuvJ69MXSp1w48N+BTFVqvKl0y2uoAq6TotGh0o/YFhULvpuMVlyYXXCmFTs
i9bEaLxL+w5XcH11/40qvYvoYh9XkEKParuCz5UOqFcwu+kw5H1qV8F32ukN
tujSTO18eNgE33crmF36VhsHa90i3O1jwhYOI2fqAfc7H6qVggUdI/93d3Wh
tuh6XCmA3zkTgGx89qMPD8Zt4D2No+etNnYFMz763w2meunDhr7QoWxWMGtS
6uLqzRt6jx6ZLS6H197QgzdF8LuIb3iGNzRyY1LTF5Ox8mBZ+vbNYOs3v2X6
mVK6T40PdMqFAgCoe2vFbz9ihG/zUP7Kh4125lc+7gree7+xOIdrVy75a5RT
0r7/PiwZlw6TUs6HViezZWvefnPx9o+f/1P+88uv//R2BSdwdbm++6NSxtXT
d99dfPzs869WACeDU3jQ1199+RUNihi2CDFpi0otFgvQRUxBl0mpe4lK6IJP
vvQWGk3hXAbU0biN3YNDrLCC5KHUIezB6rDBAAFLH6oIqdFOmQQ7HcEHszFO
W7uHCqPZuMm4JcB9YyLPHzD2NmFFadFh4KO4EpVpO12mCFWPNK7wqeG0ieZX
HDaFEsUBf+5NoOi5v/gIxsWEugJfK+/sHn64/LgEuKmh0yGZsreasxfBRJ4Q
f+mwpA3wYcapwTg1nCug1YnmTx46H9Pi51671LdA56Ln2m58MKlpIx3NQ4O2
U61JZqMTzqHoEy0J6JIJaPfQBdyiS3PaAC0lZ6WPJkLly55SUnXBd54PCYQb
sxyF9GEG6zXUVm/moOHD+e37K7jFygQsKdLgFqPvQ4n5BJxkc7ZV43d50VI7
MC7hJuiEsDOpgbIPAV3iF+s+9QGVhBCFxb9c/cRf3N7eXb8fXL6UGGpNVVE8
ncC1S8FXPW9DqdOraiWHMhG2GPbQ9mUDGghs2OPBbwJG8aOJbCXNCbWH2GFp
aoOVyn8JwoJOMmXnDZmQRuoIkSbOM5i2s4xqurC4BLhOYKKahmEXfEsxkBrf
bxo5cWVi2TOYgi58n8RWHhrtKosSHopiDWOKbLADkkMfs2egxbLRzsQ2Ls+U
OjmBd7pkYHXV/6fY70qxj5Ri30uKLS582/X8zenH7y/OXks5tRZX6gS7xljM
aURADqV3JbpEMR7BO/j4/cVkKCegSlg2zpBfIadcBbHxva04kWFIZPCpwZAP
0enyARPbSpkYaTDnkHZ7TrcIvmZXVzrppVI/mmzdyenF0mJbjtcIBbIRgnax
NYls5rcYaKI57FA1eosMJxpq3IHvpJYnD7qqOJFoCYohZimy1dvbiIn9+MaH
EZb4zaIPFToyjBQ1k7iOSJUIcQn3jBU6IKWdRR0TRN+i8jWPHzagt1SGC4sr
pd4u4cqVvg96I4vEnUllQ5uk4KF9HbKoMYQHAeHB+Z2D5KkubtAho5LsP2Ds
iNPEJVwxFHDIp8ZHHOKZjJah6vTyhuYoTDqDn3sMBgmlPlvCtdtizGfnfMfO
+v0w7GVcTV+i4KJZW+NMS06jc01CYIDwJfyIwE7SNqCu9lB5JwFJwwNSMNr9
nIxBdgT8JXEh2A3hERtTJ/oarTVdMiWhMjldR6xojskGjRtKPH3xrk/Pwht2
xlooUA5HAEqLZ0iZA9UgMDXFFQBRAlfpUNFpKB7c8UTD9lptLcYED7hnA9HU
mksFzWF+ZWt/vqRy1Jd4HI4RXUU2fubWgRHXJsQEndUlcuCxwX1M4Iut8X2E
6G3PJSD5saokf8io+/sPsNW2p0iBb/0OtxjmNAtjw1Be7E7vqXrEaKg8ECiP
cIG/dNYHBj3KKEOraXvAdPGb3SKcfA7FHuo+ECaoQKflzG0QmB2YtCcEmIJF
nIA7OQVdWlJtqjxGCZFiD8ZVXOh4Lk28AWjtDUaJqwLRQasrhmzCl4ygc8kl
tWPcYqTamUjv5z1wnRwSngyYMQZqzkaKjCXXq/sBDuFmi2FrcDeYKBMT+D8R
E/UaMYEXxKTCWAZT0DGnFEX9JkWB36Yon9h92nkQ7C+nPo4SqxTXdnCDCscb
z86geBLvUCK4EkEzt6NotXvwRdKGqnJEISoqNT3thAdyWkgoBFzUmMoGq6Fu
d55wQZAu6i3GaQ6Pu+GSNtbt0prBNILfPBkZkmC6zW0I8w3bVwTVCzhnD+b2
FNa4g9P1+owDqzBpnvfXR2EPpXf/2Ttx5QAJCuA+9I462Yr8yzkNp/cXZzRD
Tj0JapTylNEfq8GYCg7m5PgebHrASzoUG6/UZCauqpTRsa9rU9K5FUAdPG11
CXCHCI+P6/XTEzuzwqSNZbYK55kvP/MonD4+8hdPT2eyabZhJG6poTFkWGaF
OykFVB7JDL4GPUxh4lF87hpkwiByAejBQeT4KKUuIPsdTIpkXPK5BCxS7x6T
LozNSCIp0btM9CQ+GQIzcWUXqcfHiGUfTNo/PeWZIvNh2HhtDxOR22tk5B5w
NEwhu8QYddgr17cFnaF+gdp18O3rtIFO7lTp27Z3A5hJ9no3VGsyvyVqI0Yh
xL6qa4KJLXKBpF2qSVJqa/3uWWpS6AvjuM5u6EOkjYyzE/+VWHFiZAqfOZgE
rd7DA2KXqbvh+n6qY+zbAchzrE0YQrYXEZaYqLhutTUVFVHDPQaAPOEzny2J
dpyPoXIwJU3OuzqkAhH3BssH0BtN/Bq0EAY5xx/GnXfBbw1X0WdRKbE2zmzc
8Qx5AnK1LlPPwOKpUsiYqFsqhSdw4R21pqNEdIm1cUY+P55Uh09PElzEA3aM
iLPvfri7n83lf1jf8N+3V9//cH17dUl/3317/uHD+IfKb9x9e/PDh8vDX4eR
FzfffXe1vpTB65t7OHqkZt+d/zQTZJjdfLy/vlmff5gJl5jCPflKUIxKSegC
krk194NccRjZ3l18/O//evsFPD7+w+03F5+9ffunp6f84eu3X33x9MQxLatx
zyMfU4N7pbsOdWCLWwul7kzSNs65K22I1TYYyLj/+G9kmX9fwZ+Lsnv7xV/z
Azrw0cPBZkcP2WYvn7wYLEZ85dEry4zWPHr+zNLH+z3/6ejzYPfJwz//zRqH
sHj79d/+qiiiKEqmBYbYATyerNdPzyszRxfTihcFiQdNem7WvnL7oRrUVa52
Jsqr+cxMsxIxtZfYEDPMi6qrOGqOlIbl/zbfq8CnpjPCyxmFhAXaQ+qD9BtD
9aSDvFI+/Vg8Bz4oliFge14mM5FW0wJ7VORICxH0eW37hA29oy6OilOFCQmq
n61LdWO6NuM6FQUsk/ByncZlc3vPeDuEOhuQtrBe8wkzMA91hTo646ulUteO
0ieML7MfCL5yAZClSMbKZBq09UOlITN8ipbwRFPDZgalk0BnGh1CJ1W+5KIu
EO3bjpKflpi2f9a0dIjHxyzPPj1lxqKJCuwVzyv6wFHhGGuKfKZST3WpQGYD
xvWybB9RHUSXgTUMZSorDK8Fqy5px9qZwVODWjhlO6NaeCs0RkfYobWHYHle
AIl10vMsPN6yE2qT1CRBB38efM8IzMyz+vTU6pWpiTzVpHm9NvvRy+PBFccD
DaDiaNJyAKJBK81pkU/8eCLGkJI2TmdG6seBPaEVUnS5aQ0YG0fKy6SuKy1f
5rxiH+QI+uSYyfHU87KfiRyZwzvqKYRI1544EYVBbdBWkRn99eXV+v76m+ur
2xWcw9svF5RkEYPRdmAg/LYEZ9vHxAxfOr7JHmDib2tqTKbFo/0ayvMuYMz0
7XbCNByHLOQufbigkM79ACymzlaVXrDBfdZOBjWJ74GoL5Lzcm/PXJrdW+z5
ad/FFFC3Q9MjtqILGdmuicMKHIY8oZBcfThRfoPltwl+5nAjHSl3x3doiaS6
zbFNo6xqKuJOtRmNPER+5GGkgzBrHuxNWOjrLFpIp8maDZ2x6jsr+FT1Ycj1
5554wU1Vxk+A809Qc1bc+uQXo8zGNpL9Dq7b6sCSC3mOw/TAxOeitVMNCPsu
+U3QXWNKwsoG41zkGFbfrTq20Zy0aRR1n24pU+jZJnSgmHTbxXmOZEZPsYpi
i41RJ/3kNPSYaDHyawkTsS3nl6yijUvKiLqLgRtzNkeVY+Xu5vxZhmTr/kri
3YE+ja2wjmMTSWHz7JjQO0uLc0twEL+lGFg7SghEGGUJHVBZ80BXQ2nQe2DA
EIpSdnnKW6VJGVakBFPn9H4Ojdk0dq+qvdOtKXneLAByTqUGTeDhPIwD2E+0
n9GwJiq+WeEjSO2hwe1RxRwkqalsf9Ccam2C3atIoVceBCo6YZZpqMkl1X51
ZMeYiybt9JlJWSxh4l3gqA9Xit8PunzIsrLMclCVD8b3B1U5DbxAHZRlzu3L
8QZoBec2YXCSO7JHAbGo1AVLbFRd4f5f7yGmvR0BZBRKWx/onwqDox7pL4Jd
ce+S/mUOmvgmFfmYREE4unP5PbvJ67FayreFUv/LYW+sO+cbCehdhaHQdCFQ
oB3ub7LqTDq0cDtykNLwH9zpL/EXTboBXY+PAocMXAKcDvorn7MypML0luUe
4nMq0n2X+LMLvtAFsSbv/pDk6o/4hdz/6TKZEs9enPjuoL/5rLaHoaaPLCan
nzp3cjUj/UCWM8Y2d4j/Q/kmIXrCI3kBlReQ0j5qBVke0A6wLbAi+fbIAbli
apev4wdWmJnwZOd0wxGfi0IH45M8jbulUu+w1DnpmPaKSEPfc/xPQ3oizelX
wpq5F6vLtBTfZX2S+9PuBs5itB10n/EQWbuyfAOkd0u4Gxobm+Wa43lVnneC
QD63PdO9Hnj/qQjUR47Vbr/T+zNqxHquLEKBdyhx/+wK68jFyUNtNswoJ/KI
Oahvg/YiN5R8My83ZXDKV273Fx/PwAflvLDHH2LOp1xyH0/kj0wayWOjuDa5
UczxkQcRdE+usIIpH/Z8D6Pk5lLCuCd5LfcBnF9cw+ieuvZhp6mh0vFY5SY4
aSPabVanJsAuuh1fGgacXEFkoQonPcQ3WQ3SW+Tbuwm7wIpLyiidFbkv5Jg8
MJHxQneibjNADw3IMa4vlTq9f3e5gmuJEVMh6a2cgsPl5d31e1Jhoy8NR4xM
004qqbTdMgVDTKCrU9FdYI8JFgs+P92ODfM9Kw4FqnxNIs0PARLcZSWVRLFo
qvGnU48no8aq1E2R5f55hopRohW+QoS3NBU+z3xJh2CQcmUyQDrcYWW+vw5u
Cd/qLddsbYRJcMqFfDUrd41KoudIcRhEDrpUyb9nINVPGo4G3QSghK4xsZCe
K3ehmm10yr0t/Yro6ensxZ1Ki/l3LSROsoJzrHvUObCGlUBvqGaxcawpuC7z
Tcf++DZpmftEwT8Nraa2Fwdenn93Ejvva2HIJmZU50AdLmFJsKAbvZSIKmyx
TD7ITyUobbWaogY94Z9HiZGKvejne6iC7zpahbsBYL6RsSv6o7YNam1thIIW
I9aUYp5RmjmA88QXm+O1rxl+eaCtynq4ACfVqX6QqAfH5as+tkg+oKjVhPja
FmiSqnVMAt8OdtowRyMnaKaSvhdMuz5fnz8LbqXu313Kr3po//TWeUnFwWK1
4d8oqMeVZC9Wf5nV2kacZQwsdLWgDGYCyLGbgil6Cp9NQJ2E3qZmyPMCG8OE
bxJKS6X+2SOcF1y4q0OfQLVKV1tTciXxdT1eYcuPeIDiQe8pt9RY+vUmIB5I
WaGrvPRzmXiZz/0/h7FIM/QpAAA=

-->

</rfc>
