<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-cui-dns-native-agent-naming-resolution-02" category="info" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="DN-ANR">DNS-Native AI Agent Naming and Resolution</title>
    <seriesInfo name="Internet-Draft" value="draft-cui-dns-native-agent-naming-resolution-02"/>
    <author fullname="Yong Cui">
      <organization>Tsinghua University</organization>
      <address>
        <postal>
          <region>Beijing</region>
          <code>100084</code>
          <country>China</country>
        </postal>
        <email>cuiyong@tsinghua.edu.cn</email>
        <uri>http://www.cuiyong.net/</uri>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Applications</area>
    <workgroup>Network Working Group</workgroup>
    <keyword>AI agent</keyword>
    <keyword>DNS</keyword>
    <keyword>SVCB</keyword>
    <keyword>service resolution</keyword>
    <keyword>agent protocol</keyword>
    <abstract>
      <?line 84?>

<t>This document specifies DNS-Native Agent Naming and Resolution (DN-ANR) for AI agents. DN-ANR uses domain names (FQDNs) as stable Agent Identifiers and resolves a selected Agent Identifier to verifiable endpoints and supported protocol/version information with a cryptographic integrity chain, with DNSSEC preferred.</t>
      <t>DN-ANR is a post-selection resolution profile. It does not define agent discovery, capability search, semantic matching, ranking, or routing decisions. Agent discovery, publication, or registry, including DNS-based mechanisms such as DNS-AID, may produce candidate Agent Identifiers; DN-ANR resolves and verifies the identifier selected by such mechanisms or by local policy. Within that scope, DN-ANR additionally defines DNS-based version distribution and deterministic version selection, canonicalized SVCB integrity cross-checking, and a signed HTTPS mirror for clients that cannot perform SVCB queries. While AI agents are the primary use case, the resolution and verification behavior defined here applies to any entity identified by an FQDN, such as services and workloads.</t>
    </abstract>
  </front>
  <middle>
    <?line 91?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>The emergence of AI agents as autonomous software entities creates concrete requirements for naming, trusted resolution, and endpoint verification. Existing deployments often mix discovery, semantic matching, and resolution into one control plane, which increases coupling and weakens interoperability.</t>
      <t>This document defines DN-ANR as a DNS-native resolution layer built on <xref target="RFC1035"/> and Service Binding (SVCB/HTTPS RRs, <xref target="RFC9460"/>, <xref target="RFC9461"/>). The design objective is strict scope control: discovery systems produce candidate Agent Identifiers, while DN-ANR securely resolves a chosen Agent Identifier into connection material.</t>
      <t>DN-ANR is a DNS-native post-selection resolution and integrity profile for a selected FQDN-based Agent Identifier.</t>
      <t>Related IETF work on the discovery of agents, workloads, and other named entities (see, for example, <xref target="DAWN-PS"/> and <xref target="DAWN-TERM"/>) frames discovery as an end-to-end problem: learning what entities exist, what they offer, and whether they can be trusted. Within such an end-to-end discovery workflow, DN-ANR addresses the final stage. Discovery mechanisms answer "which entity"; DN-ANR answers "how to reach it, and whether the resolution answer itself is authentic". DN-ANR is therefore intended to serve as a reusable resolution and verification component within layered entity-discovery architectures, and to align with the requirements and information models produced by such efforts.</t>
      <section anchor="goals">
        <name>Goals</name>
        <t>DN-ANR goals are:</t>
        <ol spacing="normal" type="1"><li>
            <t><strong>Identity naming</strong>: use domain names/FQDNs as administratively managed Agent Identifiers.</t>
          </li>
          <li>
            <t><strong>Trusted resolution and connection guidance</strong>: resolve an Agent Identifier to endpoint(s), protocol/version declarations, and verifiable integrity material.</t>
          </li>
          <li>
            <t><strong>Post-selection interoperability</strong>: provide stable DNS-based resolution semantics that can be consumed after an Agent Identifier has been selected by local policy, user input, a registry, a gateway, or an agent discovery mechanism.</t>
          </li>
          <li>
            <t><strong>Deployment-flexible integrity</strong>: provide verifiable resolution integrity in both DNSSEC-enabled and DNSSEC-unavailable environments, via DNSSEC validation and/or application-layer TXT signatures with TLS certificate binding.</t>
          </li>
        </ol>
      </section>
      <section anchor="non-goals">
        <name>Non-Goals</name>
        <t>DN-ANR non-goals are:</t>
        <ul spacing="normal">
          <li>
            <t>DN-ANR does not define agent discovery, publication, registry, or search.</t>
          </li>
          <li>
            <t>DN-ANR does not define organization-wide agent indexes, DNS-SD enumeration, cross-domain search, or capability search.</t>
          </li>
          <li>
            <t>DN-ANR does not provide semantic matching, capability ranking, reputation, governance, or task-routing decisions.</t>
          </li>
          <li>
            <t>DN-ANR does not standardize agent capability models, OpenAPI-like schemas, model cards, policy bundles, trust registries, or behavioral attestations.</t>
          </li>
          <li>
            <t>DN-ANR does not replace discovery specifications. It only specifies how to securely and deterministically resolve and verify an Agent Identifier after that identifier has been selected.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="relationship-to-agent-discovery-and-registry-specifications">
      <name>Relationship to Agent Discovery and Registry Specifications</name>
      <t>DN-ANR is intended to interoperate with, but not replace, discovery, publication, registry, indexing, or search specifications for agents and other named entities. Such specifications may use DNS, HTTP, private registries, directories, agent gateways, semantic search systems, or other mechanisms to produce one or more candidate Agent Identifiers. Problem statements and terminology for this broader entity-discovery space are being developed in the IETF (see <xref target="DAWN-PS"/>, <xref target="DAWN-TERM"/>); DN-ANR is positioned as the resolution and verification stage of such an architecture, and its requirements and information model are expected to align with the outputs of that work.</t>
      <t>DN-ANR starts after the selection step. A DN-ANR client is given exactly one selected Agent Identifier and resolves it to endpoint connection material, protocol/version declarations, and integrity metadata.</t>
      <t>For example, DNS-based discovery specifications such as <xref target="DNSAID"/> define mechanisms for publishing AI agents in DNS so that other agents can discover them. Such specifications may define organization-level indexes, capability descriptors, DNS-SD entry points, or other discovery metadata. DN-ANR does not define those mechanisms. DN-ANR defines only the resolution and verification behavior for a selected Agent Identifier.</t>
      <t>Accordingly, DN-ANR does not define DNS-based enumeration, organization indexes, capability search, semantic matching, ranking, routing, reputation, or governance. These functions are expected to be handled by upper-layer discovery systems, private policy, registries, or operational frameworks.</t>
      <section anchor="co-existence-with-dns-based-discovery-mechanisms">
        <name>Co-existence with DNS-Based Discovery Mechanisms</name>
        <t>DN-ANR is designed so that a publisher can deploy it alongside a DNS-based discovery mechanism such as <xref target="DNSAID"/> without conflict. A discovery mechanism resolves "which agent," while DN-ANR resolves "how to connect to, and verify, that agent." An organization <bcp14>MAY</bcp14> use a discovery specification to publish and enumerate its agents, and use DN-ANR to publish the version distribution, deterministic endpoint selection, and integrity material for each individual agent once selected.</t>
        <t>To keep this co-existence unambiguous, DN-ANR intentionally reuses the <tt>_agents</tt> underscored owner-name label (<xref target="RFC8552"/>) that other agent-related DNS specifications, including <xref target="DNSAID"/>, also use, rather than requesting a separate label. DN-ANR's usage is scoped one level deeper than an organization-wide inventory label: DN-ANR's records are published under <tt>_agents.&lt;Agent Identifier&gt;</tt> (for example, <tt>_agents.translator.example.com</tt>), naming the specific already-selected agent, rather than under <tt>_agents.&lt;organization domain&gt;</tt> as an inventory or index entry point. See IANA Considerations for further discussion of this label.</t>
        <t>Agent discovery, publication, registry, and indexing specifications may identify candidate agents. DNS-based discovery mechanisms such as <xref target="DNSAID"/> are one example of that class. DN-ANR begins after such a mechanism, or local policy, has selected one Agent Identifier. DN-ANR then resolves that identifier to endpoint, protocol/version, and integrity material.</t>
      </section>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>The following terms are used throughout this document:</t>
      <dl>
        <dt>Agent:</dt>
        <dd>
          <t>An autonomous software entity capable of communicating with other agents or humans using defined protocols.</t>
        </dd>
        <dt>Agent Identifier:</dt>
        <dd>
          <t>A Fully Qualified Domain Name (FQDN) that uniquely identifies an agent.</t>
        </dd>
        <dt>Agent Protocol:</dt>
        <dd>
          <t>The application-layer protocol used for agent-to-agent communication (e.g., <xref target="A2A"/>, <xref target="ANP"/>). Other DNS-based specifications may carry equivalent protocol identifiers in different DNS parameters; see Relationship to Agent Discovery and Registry Specifications.</t>
        </dd>
      </dl>
      <t>Although this document uses AI agents as its primary use case, the resolution and verification behavior defined here applies to any entity identified by an FQDN, such as services or workloads. Where broader entity-discovery terminology (e.g., <xref target="DAWN-TERM"/>) is in use, "Agent" in this document may be read as an FQDN-named entity.</t>
    </section>
    <section anchor="design-principles">
      <name>Design Principles</name>
      <t>This specification follows five core principles:</t>
      <table>
        <thead>
          <tr>
            <th align="left">Principle</th>
            <th align="left">Description</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">DNS-First</td>
            <td align="left">DNS is the authoritative source for Agent Identifier resolution; HTTP serves only as a fallback mirror</td>
          </tr>
          <tr>
            <td align="left">Layered Scope</td>
            <td align="left">Discovery and semantic selection are out of scope; DN-ANR resolves selected identifiers</td>
          </tr>
          <tr>
            <td align="left">Path-Independent</td>
            <td align="left">Version and endpoint selection are controlled by DNS, not URL paths</td>
          </tr>
          <tr>
            <td align="left">Protocol Autonomy</td>
            <td align="left">Agent interaction protocols are decoupled from transport</td>
          </tr>
          <tr>
            <td align="left">Default Availability</td>
            <td align="left">A/AAAA records guarantee minimum connectivity; enhanced features are optional. Default version is provided when not specified</td>
          </tr>
        </tbody>
      </table>
    </section>
    <section anchor="architecture-overview">
      <name>Architecture Overview</name>
      <t>DN-ANR is a resolution-layer specification inside a three-layer architecture:</t>
      <table>
        <thead>
          <tr>
            <th align="left">Layer</th>
            <th align="left">Examples</th>
            <th align="left">Scope</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">Discovery Layer</td>
            <td align="left">Web registry, agent gateway, search engine, semantic router, DNS-SD/mDNS</td>
            <td align="left">OUT OF SCOPE</td>
          </tr>
          <tr>
            <td align="left">Resolution Layer</td>
            <td align="left">Agent Identifier (FQDN) -&gt; endpoint, protocol/version, integrity material</td>
            <td align="left">DN-ANR scope</td>
          </tr>
          <tr>
            <td align="left">Connection Layer</td>
            <td align="left">A2A, MCP, HTTPS, gRPC, other application protocols</td>
            <td align="left">OUT OF SCOPE</td>
          </tr>
        </tbody>
      </table>
      <t>Interface boundary:</t>
      <ul spacing="normal">
        <li>
          <t>Discovery Layer outputs one or more candidate Agent Identifiers (FQDNs).</t>
        </li>
        <li>
          <t>DN-ANR takes one selected Agent Identifier and resolves it into verifiable connection guidance.</t>
        </li>
        <li>
          <t>Connection Layer consumes DN-ANR outputs and executes protocol-specific session logic.</t>
        </li>
      </ul>
    </section>
    <section anchor="naming-and-resource-location">
      <name>Naming and Resource Location</name>
      <section anchor="domain-name-as-identity">
        <name>Domain Name as Identity</name>
        <t>Each agent is uniquely identified by a stable Fully Qualified Domain Name (FQDN). Domain ownership combined with TLS certificates forms the foundation of agent identity.</t>
        <section anchor="naming-rules">
          <name>Naming Rules</name>
          <ul spacing="normal">
            <li>
              <t>Use domain names or subdomains owned by the organization</t>
            </li>
            <li>
              <t>Agent version changes do not introduce new identities</t>
            </li>
            <li>
              <t>No registration with any central authority is required</t>
            </li>
          </ul>
        </section>
        <section anchor="naming-examples">
          <name>Naming Examples</name>
          <artwork><![CDATA[
# Recommended: dedicated subdomains
translator.agents.example.com
assistant.ai.example.org
agent123.agents.example.com
]]></artwork>
        </section>
      </section>
      <section anchor="resource-location-via-dns">
        <name>Resource Location via DNS</name>
        <t>This specification does not use URL paths for version expression. All version and endpoint selection is controlled by DNS records:</t>
        <ol spacing="normal" type="1"><li>
            <t>Obtain (from Discovery Layer or local policy) a candidate Agent Identifier (FQDN)</t>
          </li>
          <li>
            <t>Query DNS SVCB records -&gt; obtain version, endpoint, and protocol information</t>
          </li>
          <li>
            <t>If SVCB is unavailable, use A/AAAA resolution of the Agent Identifier as the default Agent Endpoint</t>
          </li>
          <li>
            <t>Query DNS TXT records (if present) -&gt; obtain optional application-layer security and resolution manifest metadata</t>
          </li>
          <li>
            <t>Apply local security policy (e.g., DNSSEC validation and/or TXT signature validation)</t>
          </li>
          <li>
            <t>Connect to the selected endpoint and interact according to the selected protocol specification</t>
          </li>
        </ol>
        <t>DN-ANR provides only deterministic resolution and verification for an already-selected identifier; it does not perform semantic discovery or ranking.</t>
      </section>
    </section>
    <section anchor="dns-record-design">
      <name>DNS Record Design</name>
      <t>This specification keeps DNS payloads minimal and operationally stable. DNS data is classified as <bcp14>MUST</bcp14>/<bcp14>SHOULD</bcp14>/<bcp14>MAY</bcp14> to separate core resolution from optional optimization.</t>
      <section anchor="mandatory-dns-data-must">
        <name>Mandatory DNS Data (MUST)</name>
        <ul spacing="normal">
          <li>
            <t><strong>A/AAAA</strong> <xref target="RFC1035"/>: provide baseline reachability and interoperability for resolvers and clients.</t>
          </li>
        </ul>
        <t>Rationale: A/AAAA guarantees minimum connectability and provides a default Agent Endpoint when no SVCB policy is available.</t>
      </section>
      <section anchor="recommended-dns-data-should">
        <name>Recommended DNS Data (SHOULD)</name>
        <ul spacing="normal">
          <li>
            <t><strong>SVCB</strong> <xref target="RFC9460"/> <xref target="RFC9461"/> with endpoint parameters and address hints (<tt>ipv4hint</tt>, <tt>ipv6hint</tt>): provide deterministic endpoint selection, protocol/version signaling, and reduced lookup latency.</t>
          </li>
          <li>
            <t><strong>DNSSEC</strong> <xref target="RFC4033"/>: provide origin authentication and integrity for DNS RRsets.</t>
          </li>
          <li>
            <t><strong>TXT identity anchor</strong> <xref target="RFC1035"/>: publish optional application-layer security metadata and optional resolution manifest pointers.</t>
          </li>
        </ul>
        <t>Rationale: SVCB and DNSSEC substantially improve determinism, performance, and security. TXT metadata supports alternative or additional security models and resolution manifest linkage when needed.</t>
      </section>
      <section anchor="optional-dns-data-may">
        <name>Optional DNS Data (MAY)</name>
        <ul spacing="normal">
          <li>
            <t><strong>TXT signature fields</strong> (<tt>alg</tt>, <tt>pk</tt>, <tt>sig</tt>): used when signature-based verification is enabled.</t>
          </li>
          <li>
            <t><strong>TXT SVCB integrity digest</strong> (<tt>svcb-digest</tt>): optional integrity cross-check material, especially for HTTPS fallback workflows.</t>
          </li>
          <li>
            <t><strong>TXT resolution manifest pointer fields</strong> (<tt>resolution-manifest</tt>, <tt>resolution-manifest-sha256</tt>): pointer + digest for heavy external metadata.</t>
          </li>
        </ul>
        <t>Rationale: Heavy metadata evolves quickly and can grow large; keeping it out of DNS preserves DNS efficiency while retaining verifiable linkage.</t>
      </section>
      <section anchor="txt-record-identity-anchor-conditional-metadata">
        <name>TXT Record: Identity Anchor (Conditional Metadata)</name>
        <t>TXT records <xref target="RFC1035"/> provide optional application-layer metadata. They are not a fallback encoding of service connectivity data: endpoint and connection parameters are carried exclusively in SVCB (or, as a baseline default, A/AAAA). Their responsibilities are strictly limited to:</t>
        <ol spacing="normal" type="1"><li>
            <t>Declare identity metadata (e.g., <tt>v</tt>, <tt>kid</tt>)</t>
          </li>
          <li>
            <t>Optionally publish key/signature material (<tt>alg</tt>, <tt>pk</tt>, <tt>sig</tt>) for signature-based security</t>
          </li>
          <li>
            <t>Optionally publish SVCB digest (<tt>svcb-digest</tt>) for integrity cross-check, especially with HTTPS fallback</t>
          </li>
          <li>
            <t>Optionally publish external resolution manifest pointer metadata (<tt>resolution-manifest</tt>, <tt>resolution-manifest-sha256</tt>)</t>
          </li>
        </ol>
        <section anchor="txt-record-format">
          <name>TXT Record Format</name>
          <artwork><![CDATA[
_agents.translator.example.com. IN TXT (
  "v=1;"
  "kid=key-2025-01;"
  "alg=Ed25519;"                                       ; OPTIONAL
  "pk=base64-encoded-public-key;"                      ; OPTIONAL
  "sig=base64-encoded-signature;"                      ; OPTIONAL
  "svcb-digest=base64-encoded-sha256-digest;"          ; OPTIONAL
  "resolution-manifest=https://translator.example.com/
                   .well-known/resolution-manifest.json;" ; OPTIONAL
  "resolution-manifest-sha256=x48E9qOokqqrv="          ; OPTIONAL
)
]]></artwork>
        </section>
        <section anchor="txt-field-descriptions">
          <name>TXT Field Descriptions</name>
          <table>
            <thead>
              <tr>
                <th align="left">Field</th>
                <th align="left">Description</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">v</td>
                <td align="left">Version identifier, fixed as 1</td>
              </tr>
              <tr>
                <td align="left">kid</td>
                <td align="left">Key identifier, used for key rotation</td>
              </tr>
              <tr>
                <td align="left">alg</td>
                <td align="left">Signature algorithm: Ed25519 (<bcp14>RECOMMENDED</bcp14>) or ES256 (<bcp14>OPTIONAL</bcp14>; <bcp14>REQUIRED</bcp14> when <tt>sig</tt> is present)</td>
              </tr>
              <tr>
                <td align="left">pk</td>
                <td align="left">Base64-encoded public key (<bcp14>OPTIONAL</bcp14>; <bcp14>REQUIRED</bcp14> when <tt>sig</tt> is present)</td>
              </tr>
              <tr>
                <td align="left">sig</td>
                <td align="left">Signature over selected TXT content (<bcp14>OPTIONAL</bcp14>; used in signature-based security mode)</td>
              </tr>
              <tr>
                <td align="left">svcb-digest</td>
                <td align="left">Base64-encoded SHA-256 digest of canonicalized SVCB records (<bcp14>OPTIONAL</bcp14>; useful for HTTPS fallback integrity cross-check)</td>
              </tr>
              <tr>
                <td align="left">resolution-manifest</td>
                <td align="left">Resolution manifest URI for external heavy metadata (<bcp14>OPTIONAL</bcp14>)</td>
              </tr>
              <tr>
                <td align="left">resolution-manifest-sha256</td>
                <td align="left">Base64-encoded SHA-256 digest of resolution manifest content (<bcp14>OPTIONAL</bcp14>; <bcp14>RECOMMENDED</bcp14> when <tt>resolution-manifest</tt> is present)</td>
              </tr>
            </tbody>
          </table>
        </section>
      </section>
      <section anchor="svcb-record-version-distribution-and-protocol-negotiation">
        <name>SVCB Record: Version Distribution and Protocol Negotiation</name>
        <t>SVCB (Service Binding) records <xref target="RFC9460"/> are the core resolution mechanism, serving the following responsibilities:</t>
        <table>
          <thead>
            <tr>
              <th align="left">Level</th>
              <th align="left">SVCB Role</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">Service Location</td>
              <td align="left">TargetName + port specify the service endpoint</td>
            </tr>
            <tr>
              <td align="left">Version Distribution</td>
              <td align="left">Private SvcParam declares agent version</td>
            </tr>
            <tr>
              <td align="left">Connection Compatibility</td>
              <td align="left">Private parameters declare a post-selection connection-profile hint (supported agent protocols)</td>
            </tr>
            <tr>
              <td align="left">Performance Optimization</td>
              <td align="left">
                <tt>ipv4hint</tt> / <tt>ipv6hint</tt> reduce additional address lookups</td>
            </tr>
          </tbody>
        </table>
        <section anchor="svcb-record-example">
          <name>SVCB Record Example</name>
          <artwork><![CDATA[
# Complete SVCB record example
_agents.translator.example.com. IN SVCB 1 agent-v3.example.com. (
  alpn=h2
  port=443
  ipv4hint=203.0.113.50
  ipv6hint=2001:db8::50
  key65480="v3"              ; Agent version
  key65481="a2a,anp"         ; Connection profile (post-selection)
)

# v2 version (lower priority)
_agents.translator.example.com. IN SVCB 2 agent-v2.example.com. (
  alpn=h2
  port=443
  ipv4hint=203.0.113.51
  key65480="v2"
  key65481="a2a"
)
]]></artwork>
        </section>
      </section>
      <section anchor="version-and-protocol-resolution">
        <name>Version and Protocol Resolution</name>
        <section anchor="svcb-private-parameters">
          <name>SVCB Private Parameters</name>
          <t>This specification introduces private SVCB parameters (SvcParam) as defined in <xref target="RFC9460"/>:</t>
          <table>
            <thead>
              <tr>
                <th align="left">Parameter</th>
                <th align="left">Semantics</th>
                <th align="left">Example</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">key65480</td>
                <td align="left">Agent version</td>
                <td align="left">"v3", "v2.1.0"</td>
              </tr>
              <tr>
                <td align="left">key65481</td>
                <td align="left">Connection profile (post-selection connection compatibility hint)</td>
                <td align="left">"a2a", "a2a,anp"</td>
              </tr>
            </tbody>
          </table>
          <section anchor="version-selection-behavior">
            <name>Version Selection Behavior</name>
            <t>Clients can:</t>
            <ul spacing="normal">
              <li>
                <t><strong>Default selection</strong>: When version is not specified, the highest priority version based on SVCB priority is used</t>
              </li>
              <li>
                <t><strong>Specific selection</strong>: Specify key65480 value to select a particular version</t>
              </li>
              <li>
                <t><strong>Connection compatibility selection</strong>: After an Agent Identifier has already been selected, clients <bcp14>MAY</bcp14> prefer SVCB alternatives whose key65481 (connection-profile) value matches a locally supported connection profile or agent protocol. This is not a discovery or ranking mechanism across different Agent Identifiers.</t>
              </li>
            </ul>
          </section>
          <section anchor="scope-of-private-svcparamkeys">
            <name>Scope of Private SvcParamKeys</name>
            <t>The private SvcParamKeys defined in this document are post-selection connection hints. They are scoped to one selected Agent Identifier and <bcp14>MUST NOT</bcp14> be used as a DNS-based mechanism to enumerate, search, rank, or advertise agents across an organization or across domains.</t>
          </section>
        </section>
        <section anchor="alpn-usage">
          <name>ALPN Usage</name>
          <t>DN-ANR treats ALPN as a transport-layer negotiation signal only (e.g., h2, h3). Agent interaction protocols (<xref target="A2A"/>, <xref target="ANP"/>) are declared via SVCB private parameters (key65481, connection-profile), not ALPN values, and are consumed only after an Agent Identifier has been selected. This keeps DN-ANR compatible with existing TLS ecosystems and reserves ALPN identifier space for transport-layer use.</t>
        </section>
        <section anchor="relationship-between-version-and-protocol">
          <name>Relationship Between Version and Protocol</name>
          <t>This specification clearly distinguishes two layers:</t>
          <table>
            <thead>
              <tr>
                <th align="left">Layer</th>
                <th align="left">Declaration Location</th>
                <th align="left">Example</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">Agent Version</td>
                <td align="left">key65480</td>
                <td align="left">v3, v2.1.0</td>
              </tr>
              <tr>
                <td align="left">Connection Profile</td>
                <td align="left">key65481</td>
                <td align="left">a2a, anp</td>
              </tr>
            </tbody>
          </table>
        </section>
        <section anchor="external-resolution-manifest-locator-and-digest-in-txt-optional">
          <name>External Resolution Manifest Locator and Digest in TXT (Optional)</name>
          <t>DN-ANR supports optional linkage to heavy external metadata while keeping DNS payloads minimal:</t>
          <ul spacing="normal">
            <li>
              <t><tt>resolution-manifest</tt> in TXT contains an absolute URI that identifies a resolution manifest resource.</t>
            </li>
            <li>
              <t><tt>resolution-manifest-sha256</tt> in TXT contains the SHA-256 digest of the resolution manifest in Base64 encoding.</t>
            </li>
          </ul>
          <t>DN-ANR standardizes only:</t>
          <ul spacing="normal">
            <li>
              <t>URI syntax and transport locator semantics.</t>
            </li>
            <li>
              <t>Digest algorithm (SHA-256) and digest encoding.</t>
            </li>
            <li>
              <t>Client verification flow (fetch resolution manifest -&gt; compute digest -&gt; compare -&gt; consume).</t>
            </li>
          </ul>
          <t>DN-ANR does not standardize resolution manifest content schema (capability model, OpenAPI, model card, I/O schema, etc.).</t>
          <t>The <tt>resolution-manifest</tt> field is not a DNS-based discovery mechanism. It is a locator for external metadata associated with an already-selected Agent Identifier. DN-ANR does not define how clients search, rank, compare, or select agents based on resolution manifest contents.</t>
          <t>The presence of <tt>resolution-manifest</tt> <bcp14>MUST NOT</bcp14> be interpreted as an organization index, a capability registry, a ranking signal, or a statement that the agent is trusted for any particular task. Resolution manifest semantics, if any, are defined by upper-layer protocols or external specifications.</t>
          <t>Resolution manifest digest computation rules:</t>
          <ol spacing="normal" type="1"><li>
              <t>Fetch resolution manifest bytes from the URI in <tt>resolution-manifest</tt>.</t>
            </li>
            <li>
              <t>If the resolution manifest media type is JSON, canonicalize using JCS <xref target="RFC8785"/> before hashing.</t>
            </li>
            <li>
              <t>For non-JSON media types, hash the raw octet stream as retrieved.</t>
            </li>
            <li>
              <t>Compute SHA-256 and Base64-encode the result.</t>
            </li>
            <li>
              <t>Compare with <tt>resolution-manifest-sha256</tt>; mismatch <bcp14>MUST</bcp14> be treated as verification failure.</t>
            </li>
          </ol>
        </section>
        <section anchor="interoperability-gating-for-resolution-manifest-dependent-clients">
          <name>Interoperability Gating for Resolution-Manifest-Dependent Clients</name>
          <ul spacing="normal">
            <li>
              <t>A client that depends on resolution manifest data <bcp14>MUST</bcp14> require <tt>resolution-manifest</tt>; otherwise it <bcp14>MUST</bcp14> treat resolution-manifest-based logic as unavailable.</t>
            </li>
            <li>
              <t>A client that requires resolution manifest integrity verification <bcp14>MUST</bcp14> require both <tt>resolution-manifest</tt> and <tt>resolution-manifest-sha256</tt>.</t>
            </li>
            <li>
              <t>A publisher that wants interoperable resolution manifest verification <bcp14>SHOULD</bcp14> publish both TXT fields together.</t>
            </li>
          </ul>
        </section>
      </section>
    </section>
    <section anchor="performance-and-determinism">
      <name>Performance and Determinism</name>
      <section anchor="why-address-hints">
        <name>Why Address Hints</name>
        <t>SVCB <tt>ipv4hint</tt> and <tt>ipv6hint</tt> improve resolution behavior by:</t>
        <ul spacing="normal">
          <li>
            <t>reducing extra A/AAAA lookup round-trips;</t>
          </li>
          <li>
            <t>improving first-connection determinism;</t>
          </li>
          <li>
            <t>reducing resolver-path jitter under recursive caching variance.</t>
          </li>
        </ul>
      </section>
      <section anchor="recommended-svcb-publication-strategy">
        <name>Recommended SVCB Publication Strategy</name>
        <ul spacing="normal">
          <li>
            <t>Publishers <bcp14>SHOULD</bcp14> keep each SVCB RRSet compact and avoid excessive per-version record expansion.</t>
          </li>
          <li>
            <t>When many versions exist, publishers <bcp14>SHOULD</bcp14> keep only stable externally supported versions in DNS and move detailed capability/version matrices to external resolution manifests (<tt>resolution-manifest</tt> + <tt>resolution-manifest-sha256</tt> in TXT).</t>
          </li>
          <li>
            <t>Publishers <bcp14>SHOULD</bcp14> keep endpoint migration agility by using shorter TTLs for SVCB than TXT.</t>
          </li>
        </ul>
      </section>
      <section anchor="ttl-guidance">
        <name>TTL Guidance</name>
        <ul spacing="normal">
          <li>
            <t>Identity anchors (TXT) <bcp14>SHOULD</bcp14> use relatively longer TTL values.</t>
          </li>
          <li>
            <t>Endpoint/control-plane records (SVCB) <bcp14>SHOULD</bcp14> use relatively shorter TTL values to support endpoint migration and rapid rollback.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="https-fallback-mechanism">
      <name>HTTPS Fallback Mechanism</name>
      <t>To ensure "works by default" behavior, this specification introduces an optional but strongly recommended fallback mechanism.</t>
      <section anchor="agent-dnsjson">
        <name>agent-dns.json</name>
        <t>For clients that do not support SVCB queries, agents can publish a JSON mirror of DNS records at an HTTPS endpoint:</t>
        <artwork><![CDATA[
https://{agent-id}/.well-known/agent-dns.json
]]></artwork>
        <t>The HTTPS fallback is a signed mirror for one selected Agent Identifier. It <bcp14>MUST NOT</bcp14> contain an organization-wide list of agents, search results, capability rankings, or registry data that is not part of the DNS resolution data for that Agent Identifier.</t>
        <section anchor="media-type">
          <name>Media Type</name>
          <t>The agent-dns.json file <bcp14>MUST</bcp14> be served with the following HTTP headers:</t>
          <artwork><![CDATA[
Content-Type: application/json; charset=utf-8
Cache-Control: max-age=300
]]></artwork>
          <t>Servers <bcp14>SHOULD</bcp14> set an appropriate Cache-Control header. A value between 300 seconds (5 minutes) and 3600 seconds (1 hour) is <bcp14>RECOMMENDED</bcp14>.</t>
        </section>
        <section anchor="json-signature">
          <name>JSON Signature</name>
          <t>The JSON file <bcp14>MUST</bcp14> include a signature for integrity protection. Unlike the TXT record signature which covers only TXT fields, the JSON signature covers the complete service binding information.</t>
          <t>The signature is computed over the canonical JSON representation of the document (excluding the sig field) as defined in <xref target="RFC8785"/> (JSON Canonicalization Scheme).</t>
        </section>
        <section anchor="json-schema-definition">
          <name>JSON Schema Definition</name>
          <t>The agent-dns.json file <bcp14>MUST</bcp14> conform to the following JSON Schema:</t>
          <sourcecode type="json"><![CDATA[
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://example.com/agent-dns.schema.json",
  "title": "Agent DNS JSON",
  "description": "Mirror of DNS records for agent resolution",
  "type": "object",
  "required": ["agentId", "txt", "sig"],
  "properties": {
    "agentId": {
      "type": "string",
      "description": "The FQDN identifying the agent",
      "pattern": "^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?
                  (\\.[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)*$"
    },
    "txt": {
      "type": "object",
      "description": "Core identity fields from DNS TXT record",
      "required": ["v", "kid"],
      "properties": {
        "v": {
          "type": "string",
          "const": "1"
        },
        "kid": {
          "type": "string",
          "description": "Key identifier"
        },
        "alg": {
          "type": "string",
          "enum": ["ES256", "Ed25519"],
          "description": "Signature algorithm"
        },
        "pk": {
          "type": "string",
          "description": "Base64-encoded TLS certificate public key"
        }
      }
    },
    "svcb": {
      "type": "array",
      "description": "Mirror of DNS SVCB records",
      "items": {
        "type": "object",
        "required": ["priority", "target", "port"],
        "properties": {
          "priority": {
            "type": "integer",
            "minimum": 1,
            "maximum": 65535
          },
          "target": {
            "type": "string",
            "description": "Target hostname"
          },
          "port": {
            "type": "integer",
            "minimum": 1,
            "maximum": 65535
          },
          "alpn": {
            "type": "array",
            "items": {
              "type": "string"
            }
          },
          "agentVersion": {
            "type": "string",
            "description": "Agent version (mirrors key65480)"
          },
          "connectionProfile": {
            "type": "array",
            "items": {
              "type": "string"
            },
            "description": "Post-selection connection
                                    profile (mirrors key65481)"
          }
        }
      }
    },
    "sig": {
      "type": "string",
      "description": "Base64-encoded signature over canonical JSON
                                           (excluding sig field)"
    }
  }
}
]]></sourcecode>
        </section>
        <section anchor="file-structure-example">
          <name>File Structure Example</name>
          <sourcecode type="json"><![CDATA[
{
  "agentId": "translator.example.com",
  "txt": {
    "v": "1",
    "kid": "key-2025-01",
    "alg": "ES256",
    "pk": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE..."
  },
  "svcb": [
    {
      "priority": 1,
      "target": "agent-v3.example.com",
      "port": 443,
      "alpn": ["h2"],
      "agentVersion": "v3",
      "connectionProfile": ["a2a", "anp"]
    },
    {
      "priority": 2,
      "target": "agent-v2.example.com",
      "port": 443,
      "alpn": ["h2"],
      "agentVersion": "v2",
      "connectionProfile": ["a2a"]
    }
  ],
  "sig": "MEUCIQC7..."
}
]]></sourcecode>
        </section>
        <section anchor="json-sig">
          <name>JSON Signature Computation</name>
          <t>The signature over the JSON file is computed as follows:</t>
          <ol spacing="normal" type="1"><li>
              <t>Construct the JSON object without the sig field.</t>
            </li>
            <li>
              <t>Serialize using JSON Canonicalization Scheme (JCS) as defined in <xref target="RFC8785"/>.</t>
            </li>
            <li>
              <t>Compute the signature using the TLS private key.</t>
            </li>
            <li>
              <t>Encode the signature using Base64.</t>
            </li>
          </ol>
          <artwork><![CDATA[
json_without_sig = { agentId, txt, svcb }
canonical_json = JCS(json_without_sig)
signature = Sign(TLS_private_key, UTF-8(canonical_json))
sig = Base64Encode(signature)
]]></artwork>
        </section>
        <section anchor="json-signature-verification">
          <name>JSON Signature Verification</name>
          <t>Clients <bcp14>MUST</bcp14> verify the JSON signature:</t>
          <ol spacing="normal" type="1"><li>
              <t>Fetch the JSON file over HTTPS.</t>
            </li>
            <li>
              <t>Extract the sig field and remove it from the object.</t>
            </li>
            <li>
              <t>Serialize the remaining object using JCS.</t>
            </li>
            <li>
              <t>Obtain the public key from the txt.pk field in the JSON.</t>
            </li>
            <li>
              <t>Verify the signature.</t>
            </li>
            <li>
              <t>(<bcp14>RECOMMENDED</bcp14> for TLS-based signing) Verify that txt.pk matches the TLS certificate's public key.</t>
            </li>
          </ol>
          <t>If verification fails, the client <bcp14>MUST</bcp14> reject the JSON file.</t>
          <t>Note: When agent providers use separate key pairs (not TLS-based), the verification in step 6 is not applicable. In such cases, the integrity of the JSON file depends on the authenticity of the public key in txt.pk, which has the same trust anchor limitations as described in the Security Model Overview.</t>
        </section>
      </section>
      <section anchor="design-principles-1">
        <name>Design Principles</name>
        <ul spacing="normal">
          <li>
            <t><strong>Mirror, not addition</strong>: JSON only mirrors information already in DNS; it does not introduce content absent from DNS</t>
          </li>
          <li>
            <t><strong>Single-identifier scope</strong>: the mirror reflects resolution data for exactly one selected Agent Identifier; it <bcp14>MUST NOT</bcp14> be extended into a multi-agent directory or index</t>
          </li>
          <li>
            <t><strong>DNS remains authoritative</strong>: HTTPS JSON is only a "readable mirror", not a new authoritative source</t>
          </li>
          <li>
            <t><strong>Signature required</strong>: JSON files <bcp14>MUST</bcp14> be signed for integrity protection</t>
          </li>
          <li>
            <t><strong>Schema validated</strong>: Clients <bcp14>SHOULD</bcp14> validate JSON against the defined schema</t>
          </li>
        </ul>
      </section>
      <section anchor="applicable-scenarios">
        <name>Applicable Scenarios</name>
        <ul spacing="normal">
          <li>
            <t>Clients that do not support SVCB queries</t>
          </li>
          <li>
            <t>Browsers / debugging tools</t>
          </li>
          <li>
            <t>Early ecosystem transition period</t>
          </li>
          <li>
            <t>Environments where DNS resolution is limited</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="security">
      <name>Security</name>
      <t>This section defines the security mechanisms for ensuring the integrity and authenticity of agent resolution data.</t>
      <section anchor="security-model">
        <name>Security Model Overview</name>
        <t>This specification provides two complementary mechanisms for ensuring integrity and authenticity of agent resolution data:</t>
        <ol spacing="normal" type="1"><li>
            <t><strong>DNSSEC (<bcp14>RECOMMENDED</bcp14> for Internet-facing deployments)</strong>: Protocol-level cryptographic authentication of DNS data</t>
          </li>
          <li>
            <t><strong>Signature-based Security (<bcp14>OPTIONAL</bcp14>)</strong>: TXT key/signature validation (<tt>pk</tt>, <tt>sig</tt>) with optional digest cross-checks (<tt>svcb-digest</tt>); if HTTPS fallback JSON is used, fallback signature validation is <bcp14>REQUIRED</bcp14></t>
          </li>
        </ol>
        <table>
          <thead>
            <tr>
              <th align="left">Mechanism</th>
              <th align="left">Protection Scope</th>
              <th align="left">Trust Anchor</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">DNSSEC</td>
              <td align="left">All DNS records (TXT, SVCB, A/AAAA)</td>
              <td align="left">DNS root zone</td>
            </tr>
            <tr>
              <td align="left">Signature-based Security</td>
              <td align="left">TXT signed fields, optional SVCB digest consistency, JSON fallback signature (when fallback is used)</td>
              <td align="left">Web PKI (when using TLS keys) or self-declared (when using separate keys)</td>
            </tr>
          </tbody>
        </table>
        <section anchor="dnssec-based-security-recommended">
          <name>DNSSEC-based Security (RECOMMENDED)</name>
          <t>DNSSEC <xref target="RFC4033"/> provides cryptographic authentication of DNS data at the protocol level.</t>
        </section>
        <section anchor="dnssec-deployment-recommendations">
          <name>DNSSEC Deployment Recommendations</name>
          <ul spacing="normal">
            <li>
              <t>For publicly reachable agents, the authoritative zone <bcp14>SHOULD</bcp14> deploy DNSSEC.</t>
            </li>
            <li>
              <t>When DNSSEC validation is available and the SVCB RRSet (or TXT RRSet, when used) validates as <strong>bogus</strong>, clients <bcp14>MUST</bcp14> treat resolution as failure (fail-closed) and <bcp14>MUST NOT</bcp14> use that endpoint.</t>
            </li>
            <li>
              <t>Clients <bcp14>SHOULD</bcp14> apply stricter fail-closed behavior at least to SVCB and TXT (when TXT is part of the selected trust path).</t>
            </li>
            <li>
              <t>In enterprise/private networks where DNSSEC is not deployed, operators <bcp14>MAY</bcp14> rely on TXT signatures and TLS certificate binding as a minimum trust baseline.</t>
            </li>
          </ul>
          <t>When DNSSEC is enabled:</t>
          <ul spacing="normal">
            <li>
              <t>All DNS records are signed by the zone's DNSSEC keys.</t>
            </li>
            <li>
              <t>Clients with DNSSEC validation can verify record authenticity.</t>
            </li>
            <li>
              <t>Application-layer signatures remain useful for defense in depth and for JSON fallback integrity.</t>
            </li>
          </ul>
        </section>
        <section anchor="signature-based-security-optional-but-recommended">
          <name>Signature-based Security (OPTIONAL but RECOMMENDED)</name>
          <t>This specification defines an optional but recommended signing mechanism for integrity protection. Agent providers have two options for key management:</t>
          <section anchor="option-1-tls-certificate-keys-recommended">
            <name>Option 1: TLS Certificate Keys (RECOMMENDED)</name>
            <t>Using the domain's TLS certificate keys provides a complete trust chain:</t>
            <ul spacing="normal">
              <li>
                <t>Uses the domain's TLS certificate private key for signing</t>
              </li>
              <li>
                <t>Public key is published in the TXT record (pk field)</t>
              </li>
              <li>
                <t>Enables verification through the established Web PKI trust chain</t>
              </li>
              <li>
                <t>Clients can verify that pk matches the TLS certificate presented during HTTPS connection</t>
              </li>
            </ul>
            <t>When TLS-based signing is used:</t>
            <ol spacing="normal" type="1"><li>
                <t>The TXT record contains the TLS certificate's public key</t>
              </li>
              <li>
                <t>A signature covers the selected TXT fields</t>
              </li>
              <li>
                <t><tt>svcb-digest</tt> <bcp14>MAY</bcp14> be included as optional integrity cross-check material (especially for HTTPS fallback consistency checks)</t>
              </li>
              <li>
                <t>Clients can verify the signature using the public key from the TLS certificate chain</t>
              </li>
            </ol>
          </section>
          <section anchor="option-2-separate-key-pair">
            <name>Option 2: Separate Key Pair</name>
            <t>Agent providers <bcp14>MAY</bcp14> use a separate key pair (not derived from TLS certificates) for signing:</t>
            <ul spacing="normal">
              <li>
                <t>Agent provider generates and manages their own key pair</t>
              </li>
              <li>
                <t>Public key is published in the TXT record (pk field)</t>
              </li>
              <li>
                <t>Signature is computed using the corresponding private key</t>
              </li>
            </ul>
            <t><strong>Trust Anchor Limitation</strong>: When using separate keys, the trust anchor is limited to the TXT record itself. If the TXT record is tampered with (e.g., via DNS spoofing or cache poisoning), an attacker could replace both the public key and signature, rendering the integrity protection ineffective. This is because:</t>
            <ul spacing="normal">
              <li>
                <t>The public key in the TXT record is self-declared without external verification</t>
              </li>
              <li>
                <t>Clients have no independent trust anchor to verify the authenticity of the public key</t>
              </li>
              <li>
                <t>SVCB records and agent-dns.json cannot be reliably verified if the TXT record is compromised</t>
              </li>
            </ul>
            <t>For this reason, when using separate keys:</t>
            <ul spacing="normal">
              <li>
                <t>DNSSEC deployment becomes more important to protect the TXT record itself</t>
              </li>
              <li>
                <t>Clients <bcp14>SHOULD</bcp14> treat records from non-DNSSEC zones with appropriate caution</t>
              </li>
              <li>
                <t>Out-of-band key distribution mechanisms <bcp14>MAY</bcp14> be used to establish trust</t>
              </li>
            </ul>
          </section>
        </section>
        <section anchor="choosing-a-security-mechanism">
          <name>Choosing a Security Mechanism</name>
          <table>
            <thead>
              <tr>
                <th align="left">Scenario</th>
                <th align="left">Recommended Approach</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">DNSSEC fully deployed</td>
                <td align="left">DNSSEC alone is sufficient</td>
              </tr>
              <tr>
                <td align="left">DNSSEC not available</td>
                <td align="left">Use TLS-based signing (Option 1)</td>
              </tr>
              <tr>
                <td align="left">High security requirements</td>
                <td align="left">Use both DNSSEC and signing (defense-in-depth)</td>
              </tr>
              <tr>
                <td align="left">HTTPS fallback required</td>
                <td align="left">JSON signing and/or <tt>svcb-digest</tt> consistency checks are recommended</td>
              </tr>
              <tr>
                <td align="left">Separate keys without DNSSEC</td>
                <td align="left">Limited trust; consider additional verification mechanisms</td>
              </tr>
            </tbody>
          </table>
        </section>
      </section>
      <section anchor="svcb-integrity">
        <name>SVCB Integrity Digest (Optional)</name>
        <t>When <tt>svcb-digest</tt> is present in TXT, SVCB records can be cross-checked for integrity (for example, during HTTPS fallback reconciliation). This section defines the canonicalization and digest computation procedures.</t>
        <section anchor="svcb-canonicalization">
          <name>SVCB Canonicalization</name>
          <t>To compute the svcb-digest, SVCB records <bcp14>MUST</bcp14> be canonicalized as follows:</t>
          <section anchor="step-1-collect-and-sort">
            <name>Step 1: Collect and Sort</name>
            <ol spacing="normal" type="1"><li>
                <t>Collect all SVCB records for the agent's <tt>_agents</tt> prefix.</t>
              </li>
              <li>
                <t>Exclude AliasMode records (priority = 0).</t>
              </li>
              <li>
                <t>Sort records by priority in ascending order (lowest first).</t>
              </li>
              <li>
                <t>If priorities are equal, sort by TargetName lexicographically.</t>
              </li>
            </ol>
          </section>
          <section anchor="step-2-normalize-each-record">
            <name>Step 2: Normalize Each Record</name>
            <t>For each SVCB record, construct a canonical string in the following format:</t>
            <artwork><![CDATA[
<priority> <target> <params>
]]></artwork>
            <t>Where:
- priority: Decimal integer with no leading zeros
- target: Fully qualified domain name in lowercase, with trailing dot removed
- params: SvcParams in sorted order by key number, formatted as key=value</t>
          </section>
          <section anchor="step-3-svcparam-normalization">
            <name>Step 3: SvcParam Normalization</name>
            <t>SvcParams <bcp14>MUST</bcp14> be normalized as follows:</t>
            <ol spacing="normal" type="1"><li>
                <t>Sort by SvcParamKey number (ascending).</t>
              </li>
              <li>
                <t>Format each parameter as: <tt>key&lt;number&gt;=&lt;value&gt;</tt></t>
              </li>
              <li>
                <t>String values are enclosed in double quotes.</t>
              </li>
              <li>
                <t>List values (e.g., alpn) use comma separation with no spaces.</t>
              </li>
              <li>
                <t>Separate parameters with a single space.</t>
              </li>
            </ol>
          </section>
          <section anchor="canonical-format-example">
            <name>Canonical Format Example</name>
            <artwork><![CDATA[
# Original SVCB records:
_agents.translator.example.com. IN SVCB 2 agent-v2.example.com. (
  alpn=h2 port=443 key65480="v2" key65481="a2a"
)
_agents.translator.example.com. IN SVCB 1 agent-v3.example.com. (
  alpn=h2 port=443 key65480="v3" key65481="a2a,anp"
)

# Canonical representation (sorted by priority):
1 agent-v3.example.com key1=h2 key3=443 key65480="v3" \
  key65481="a2a,anp"
2 agent-v2.example.com key1=h2 key3=443 key65480="v2" key65481="a2a"
]]></artwork>
            <t>Note: alpn is SvcParamKey 1, port is SvcParamKey 3 as defined in <xref target="RFC9460"/>. The trailing backslash and line break after <tt>key65480="v3"</tt> above are wrapping for document display only; the actual canonical string for that record contains no line break at that position.</t>
          </section>
        </section>
        <section anchor="digest-computation">
          <name>Digest Computation</name>
          <artwork><![CDATA[
canonical_svcb = <line1> + "\n" + <line2> + "\n" + ...
digest_bytes = SHA-256(UTF-8(canonical_svcb))
svcb-digest = Base64Encode(digest_bytes)
]]></artwork>
          <t>The resulting svcb-digest is approximately 44 characters (32 bytes encoded in Base64).</t>
        </section>
      </section>
      <section anchor="signing-spec">
        <name>Signature Specification</name>
        <t>This section defines the signature mechanism when signature-based security is used.</t>
        <section anchor="public-key-requirements">
          <name>Public Key Requirements</name>
          <t>The pk field contains the public key used for signature verification. There are two options:</t>
          <section anchor="when-using-tls-certificate-keys-recommended">
            <name>When Using TLS Certificate Keys (RECOMMENDED)</name>
            <t>The pk field <bcp14>MUST</bcp14> contain the public key from the domain's TLS certificate:</t>
            <ol spacing="normal" type="1"><li>
                <t>Extract the SubjectPublicKeyInfo from the TLS certificate.</t>
              </li>
              <li>
                <t>Encode using Base64 <xref target="RFC4648"/>.</t>
              </li>
              <li>
                <t>The certificate <bcp14>MUST</bcp14> be valid for the agent's domain name.</t>
              </li>
            </ol>
          </section>
          <section anchor="when-using-separate-key-pair">
            <name>When Using Separate Key Pair</name>
            <t>The pk field contains the agent provider's self-managed public key:</t>
            <ol spacing="normal" type="1"><li>
                <t>Generate a key pair using a supported algorithm.</t>
              </li>
              <li>
                <t>Extract the public key in SubjectPublicKeyInfo format.</t>
              </li>
              <li>
                <t>Encode using Base64 <xref target="RFC4648"/>.</t>
              </li>
            </ol>
            <t>Note: When using separate keys, the public key is self-declared and lacks an independent trust anchor. See Security Model Overview for implications.</t>
          </section>
          <section anchor="supported-key-types">
            <name>Supported Key Types</name>
            <ul spacing="normal">
              <li>
                <t>EC P-256 (for ES256 algorithm) - <bcp14>RECOMMENDED</bcp14></t>
              </li>
              <li>
                <t>Ed25519 (for Ed25519 algorithm)</t>
              </li>
            </ul>
          </section>
        </section>
        <section anchor="signature-input-construction">
          <name>Signature Input Construction</name>
          <t>When signature-based TXT validation is used, the signature input <bcp14>MUST</bcp14> be constructed from TXT fields as follows:</t>
          <ol spacing="normal" type="1"><li>
              <t>Include required fields in this exact order: <tt>v</tt>, <tt>kid</tt>, <tt>alg</tt>, <tt>pk</tt>.</t>
            </li>
            <li>
              <t>If present, append optional fields in this exact order: <tt>svcb-digest</tt>, <tt>resolution-manifest</tt>, <tt>resolution-manifest-sha256</tt>.</t>
            </li>
            <li>
              <t>Use <tt>key=value</tt> pairs separated by semicolons, with no trailing semicolon.</t>
            </li>
          </ol>
          <artwork><![CDATA[
signing_input = "v=" + v + ";kid=" + kid
                 + ";alg=" + alg + ";pk=" + pk
if svcb-digest present:
  signing_input += ";svcb-digest=" + svcb-digest
if resolution-manifest present:
  signing_input += ";resolution-manifest="
                    + resolution-manifest
if resolution-manifest-sha256 present:
  signing_input += ";resolution-manifest-sha256="
                    + resolution-manifest-sha256
]]></artwork>
          <t>Example (line-wrapped for display only; the actual signing input
contains no line break):</t>
          <artwork><![CDATA[
v=1;kid=key-2025-01;alg=ES256;pk=MFkwEwYHKoZI...;
resolution-manifest=https://translator.example.com/
.well-known/resolution-manifest.json
]]></artwork>
        </section>
        <section anchor="signature-generation">
          <name>Signature Generation</name>
          <artwork><![CDATA[
signature_bytes = Sign(private_key, UTF-8(signing_input))
sig = Base64Encode(signature_bytes)
]]></artwork>
          <t>Where private_key is either:
- The TLS certificate's private key (Option 1, <bcp14>RECOMMENDED</bcp14>), or
- The agent provider's separately managed private key (Option 2)</t>
          <t>For ES256: signature is 64 bytes (r || s format), resulting in 88 Base64 characters.
For Ed25519: signature is 64 bytes, resulting in 88 Base64 characters.</t>
        </section>
        <section anchor="signature-verification-procedure">
          <name>Signature Verification Procedure</name>
          <t>Clients <bcp14>MUST</bcp14> perform the following steps:</t>
          <ol spacing="normal" type="1"><li>
              <t>Parse TXT record and extract <tt>v</tt>, <tt>kid</tt>, <tt>alg</tt>, <tt>pk</tt>, <tt>sig</tt>, and any optional signed fields present.</t>
            </li>
            <li>
              <t>Reconstruct <tt>signing_input</tt> using the required/optional field ordering defined above.</t>
            </li>
            <li>
              <t>Decode pk from Base64 to obtain the public key.</t>
            </li>
            <li>
              <t>Decode sig from Base64 to obtain the signature bytes.</t>
            </li>
            <li>
              <t>Verify the signature using the specified algorithm.</t>
            </li>
            <li>
              <t>(<bcp14>RECOMMENDED</bcp14> for Option 1) Verify that pk matches the TLS certificate presented during connection.</t>
            </li>
          </ol>
          <t>If verification fails, the client <bcp14>MUST</bcp14> reject the TXT record.</t>
          <t>When using Option 2 (separate key pair), clients should be aware that the signature only proves consistency between the TXT record content and the private key holder. Without DNSSEC or TLS binding, there is no external trust anchor to verify the key's authenticity.</t>
        </section>
        <section anchor="tls-certificate-binding-verification-option-1-only">
          <name>TLS Certificate Binding Verification (Option 1 Only)</name>
          <t>When TLS certificate keys are used (Option 1), clients <bcp14>SHOULD</bcp14> verify that the pk in the TXT record matches the server's TLS certificate:</t>
          <ol spacing="normal" type="1"><li>
              <t>Establish TLS connection to the agent's domain.</t>
            </li>
            <li>
              <t>Extract the public key from the server's certificate.</t>
            </li>
            <li>
              <t>Compare with the pk field in the TXT record.</t>
            </li>
            <li>
              <t>If mismatch, treat as verification failure.</t>
            </li>
          </ol>
          <t>This binding ensures that the entity controlling the TLS private key is the same entity that published the DNS records.</t>
          <t>Note: This verification is not applicable when separate key pairs are used (Option 2), as the pk in the TXT record will not match the TLS certificate.</t>
        </section>
      </section>
    </section>
    <section anchor="implementation-checklist">
      <name>Implementation Checklist</name>
      <section anchor="for-agent-publishers">
        <name>For Agent Publishers</name>
        <ol spacing="normal" type="1"><li>
            <t>Prepare domain name, configure HTTPS and TLS certificate</t>
          </li>
          <li>
            <t>Configure DNS A/AAAA records (basic connectivity)</t>
          </li>
          <li>
            <t>(<bcp14>OPTIONAL</bcp14>) Configure DNS TXT record (<tt>_agents.xxx</tt>) for signature metadata (<tt>alg</tt>/<tt>pk</tt>/<tt>sig</tt>), <tt>svcb-digest</tt>, and/or resolution manifest pointer fields</t>
          </li>
          <li>
            <t>Configure DNS SVCB records with endpoint, protocol/version, and (<bcp14>SHOULD</bcp14>) address hints</t>
          </li>
          <li>
            <t>(<bcp14>OPTIONAL</bcp14>) Publish resolution manifest URI + digest in TXT (<tt>resolution-manifest</tt>, <tt>resolution-manifest-sha256</tt>) for heavy metadata externalization</t>
          </li>
          <li>
            <t>(<bcp14>RECOMMENDED</bcp14>) Publish /.well-known/agent-dns.json fallback file</t>
          </li>
          <li>
            <t>(<bcp14>RECOMMENDED</bcp14> for public deployments) Enable DNSSEC</t>
          </li>
        </ol>
      </section>
      <section anchor="for-client-developers">
        <name>For Client Developers</name>
        <ol spacing="normal" type="1"><li>
            <t>Query SVCB records, parse version and endpoint information</t>
          </li>
          <li>
            <t>If SVCB is unavailable, use A/AAAA of the Agent Identifier as the default endpoint</t>
          </li>
          <li>
            <t>Query TXT records (if present), parse optional fields (<tt>pk</tt>, <tt>sig</tt>, <tt>svcb-digest</tt>, <tt>resolution-manifest</tt>, <tt>resolution-manifest-sha256</tt>)</t>
          </li>
          <li>
            <t>If resolution manifest fields are present and required by local policy, fetch the resolution manifest and verify digest before use</t>
          </li>
          <li>
            <t>(Fallback) If SVCB unavailable, fetch agent-dns.json when needed</t>
          </li>
          <li>
            <t>Connect to endpoint per the selected connection-profile (key65481) value</t>
          </li>
          <li>
            <t>Validate DNSSEC when present, and fail closed for bogus SVCB/TXT results that are part of the selected trust path</t>
          </li>
        </ol>
      </section>
      <section anchor="dns-record-configuration-example">
        <name>DNS Record Configuration Example</name>
        <artwork><![CDATA[
; Basic connectivity
translator.example.com.    IN A     203.0.113.50
translator.example.com.    IN AAAA  2001:db8::50

; Optional TXT identity/security/resolution-manifest metadata
_agents.translator.example.com. IN TXT "v=1;kid=key-2025-01;
            alg=Ed25519;pk=...;sig=...;
            svcb-digest=...;
            resolution-manifest=https://translator.example.com/
            .well-known/resolution-manifest.json;
            resolution-manifest-sha256=x48E9qOokqqr7kbu9DBPE="

; Version resolution (SVCB)
_agents.translator.example.com. IN SVCB 1 agent-v3.example.com. (
  alpn=h2 port=443
  ipv4hint=203.0.113.50 ipv6hint=2001:db8::50
  key65480="v3" key65481="a2a,anp"
)
_agents.translator.example.com. IN SVCB 2 agent-v2.example.com. (
  alpn=h2 port=443 ipv4hint=203.0.113.51 key65480="v2" key65481="a2a"
)
]]></artwork>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>This specification uses DNS as the authoritative source for agent resolution and identity information. Its security objectives are to ensure the authenticity, integrity, and verifiability of resolution results, rather than evaluating agent service quality or behavioral trustworthiness.</t>
      <section anchor="threat-model">
        <name>Threat Model</name>
        <t>This specification primarily considers the following threats:</t>
        <ul spacing="normal">
          <li>
            <t>DNS poisoning or cache pollution leading to incorrect endpoint resolution</t>
          </li>
          <li>
            <t>Tampering with resolution results to redirect clients to unintended endpoints</t>
          </li>
          <li>
            <t>Downgrade attacks inducing clients to use older versions or weaker protocols</t>
          </li>
          <li>
            <t>Trust violations caused by expired or replaced identity declarations</t>
          </li>
        </ul>
      </section>
      <section anchor="mandatory-security-requirements">
        <name>Mandatory Security Requirements</name>
        <t>To address the above threats, this specification mandates:</t>
        <ul spacing="normal">
          <li>
            <t>Clients <bcp14>MUST</bcp14> establish at least one validated integrity path before endpoint use: DNSSEC validation, or TXT signature verification when TXT signing fields are used</t>
          </li>
          <li>
            <t>Clients <bcp14>MUST</bcp14> perform TXT-SVCB consistency checks when <tt>svcb-digest</tt> is present and selected by local policy</t>
          </li>
          <li>
            <t>Clients <bcp14>MUST</bcp14> use TLS <xref target="RFC8446"/> and verify server certificates <xref target="RFC9525"/></t>
          </li>
          <li>
            <t>Clients <bcp14>MUST NOT</bcp14> use endpoints that fail verification</t>
          </li>
          <li>
            <t>Agents that publish <tt>svcb-digest</tt> or TXT signatures over endpoint-related metadata <bcp14>MUST</bcp14> synchronously update TXT and SVCB information when versions or endpoints change</t>
          </li>
        </ul>
      </section>
      <section anchor="deployment-recommendations">
        <name>Deployment Recommendations</name>
        <ul spacing="normal">
          <li>
            <t>For Internet-facing agent domains, authoritative operators <bcp14>SHOULD</bcp14> enable DNSSEC <xref target="RFC4033"/>.</t>
          </li>
          <li>
            <t>If DNSSEC data is present and validates as bogus for SVCB (or TXT, when TXT is part of the selected trust path), clients <bcp14>MUST</bcp14> fail closed for that endpoint.</t>
          </li>
          <li>
            <t>For private/enterprise deployments without DNSSEC, clients <bcp14>SHOULD</bcp14> require TXT signature verification and TLS certificate validation as minimum controls.</t>
          </li>
          <li>
            <t>This specification does not require DNSSEC as the only trust mechanism; deployments <bcp14>MAY</bcp14> combine DNSSEC and signature-based protections.</t>
          </li>
        </ul>
      </section>
      <section anchor="specification-scope">
        <name>Specification Scope</name>
        <t>DN-ANR verifies the authenticity, integrity, and consistency of agent resolution data. It does not assert that the resolved agent is benign, competent, authorized for a task, compliant with policy, or reputable. Those judgments are made by upper-layer protocols, governance systems, trust registries, organizational policy, or other discovery and selection mechanisms.</t>
        <t>This specification guarantees the following properties:</t>
        <ul spacing="normal">
          <li>
            <t>Verifiability of agent identity</t>
          </li>
          <li>
            <t>Integrity and consistency of resolution results</t>
          </li>
          <li>
            <t>Encryption and tamper-proofing of connections</t>
          </li>
        </ul>
        <t>This specification does NOT attempt to address:</t>
        <ul spacing="normal">
          <li>
            <t>Agent capability authenticity</t>
          </li>
          <li>
            <t>Service quality (SLA) or behavioral compliance</t>
          </li>
          <li>
            <t>Agent reputation or governance issues</t>
          </li>
        </ul>
        <t>These concerns should be handled by upper-layer protocols, operational frameworks, or governance mechanisms.</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="svcb-service-parameter-keys">
        <name>SVCB Service Parameter Keys</name>
        <t>This revision uses Private Use SvcParamKeys only for experimentation. No permanent SvcParamKey codepoint is requested in this revision.</t>
        <t>The following private-use keys are used in examples and experimental deployments:</t>
        <table>
          <thead>
            <tr>
              <th align="left">Private-use key</th>
              <th align="left">Experimental name</th>
              <th align="left">Meaning</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">key65480</td>
              <td align="left">agent-version</td>
              <td align="left">Agent version or endpoint profile revision</td>
            </tr>
            <tr>
              <td align="left">key65481</td>
              <td align="left">connection-profile</td>
              <td align="left">Post-selection connection compatibility hint (supported agent protocols for the selected identifier)</td>
            </tr>
          </tbody>
        </table>
        <t>Note: The values 65480-65481 are in the private use range (65280-65534) as defined in <xref target="RFC9460"/>.</t>
        <t>Future revisions may request permanent SvcParamKey registrations for <tt>connection-profile</tt> (and, if warranted, <tt>agent-version</tt>) after coordination with related agent discovery, publication, registry, and connection-profile specifications, including possible alignment of protocol identifier values with registries proposed by such specifications.</t>
      </section>
      <section anchor="underscored-dns-node-names">
        <name>Underscored DNS Node Names</name>
        <t>This document uses the <tt>_agents</tt> underscored owner-name label (<xref target="RFC8552"/>) as a prefix for per-agent resolution records (for example, <tt>_agents.translator.example.com</tt>). This is the same label used by DNS-based agent discovery mechanisms, including <xref target="DNSAID"/>'s organization-level inventory mechanism; however, DN-ANR's usage is scoped one level deeper, under the specific already-selected Agent Identifier, rather than under an organization's root domain (see Relationship to Agent Discovery and Registry Specifications).</t>
        <t>Because <xref target="DNSAID"/> has already requested registration of <tt>_agents</tt> in the "Underscored and Globally Scoped DNS Node Names" registry established by <xref target="RFC8552"/>, this document does not request a separate or duplicate registration for that label in this revision. Should working-group review determine that the two usages require distinct registry entries, this section will be revisited in a future revision.</t>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC1035">
          <front>
            <title>Domain names - implementation and specification</title>
            <author fullname="P. Mockapetris" initials="P." surname="Mockapetris"/>
            <date month="November" year="1987"/>
            <abstract>
              <t>This RFC is the revised specification of the protocol and format used in the implementation of the Domain Name System. It obsoletes RFC-883. This memo documents the details of the domain name client - server communication.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="13"/>
          <seriesInfo name="RFC" value="1035"/>
          <seriesInfo name="DOI" value="10.17487/RFC1035"/>
        </reference>
        <reference anchor="RFC9460">
          <front>
            <title>Service Binding and Parameter Specification via the DNS (SVCB and HTTPS Resource Records)</title>
            <author fullname="B. Schwartz" initials="B." surname="Schwartz"/>
            <author fullname="M. Bishop" initials="M." surname="Bishop"/>
            <author fullname="E. Nygren" initials="E." surname="Nygren"/>
            <date month="November" year="2023"/>
            <abstract>
              <t>This document specifies the "SVCB" ("Service Binding") and "HTTPS" DNS resource record (RR) types to facilitate the lookup of information needed to make connections to network services, such as for HTTP origins. SVCB records allow a service to be provided from multiple alternative endpoints, each with associated parameters (such as transport protocol configuration), and are extensible to support future uses (such as keys for encrypting the TLS ClientHello). They also enable aliasing of apex domains, which is not possible with CNAME. The HTTPS RR is a variation of SVCB for use with HTTP (see RFC 9110, "HTTP Semantics"). By providing more information to the client before it attempts to establish a connection, these records offer potential benefits to both performance and privacy.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9460"/>
          <seriesInfo name="DOI" value="10.17487/RFC9460"/>
        </reference>
        <reference anchor="RFC9461">
          <front>
            <title>Service Binding Mapping for DNS Servers</title>
            <author fullname="B. Schwartz" initials="B." surname="Schwartz"/>
            <date month="November" year="2023"/>
            <abstract>
              <t>The SVCB DNS resource record type expresses a bound collection of endpoint metadata, for use when establishing a connection to a named service. DNS itself can be such a service, when the server is identified by a domain name. This document provides the SVCB mapping for named DNS servers, allowing them to indicate support for encrypted transport protocols.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9461"/>
          <seriesInfo name="DOI" value="10.17487/RFC9461"/>
        </reference>
        <reference anchor="RFC8446">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC4033">
          <front>
            <title>DNS Security Introduction and Requirements</title>
            <author fullname="R. Arends" initials="R." surname="Arends"/>
            <author fullname="R. Austein" initials="R." surname="Austein"/>
            <author fullname="M. Larson" initials="M." surname="Larson"/>
            <author fullname="D. Massey" initials="D." surname="Massey"/>
            <author fullname="S. Rose" initials="S." surname="Rose"/>
            <date month="March" year="2005"/>
            <abstract>
              <t>The Domain Name System Security Extensions (DNSSEC) add data origin authentication and data integrity to the Domain Name System. This document introduces these extensions and describes their capabilities and limitations. This document also discusses the services that the DNS security extensions do and do not provide. Last, this document describes the interrelationships between the documents that collectively describe DNSSEC. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4033"/>
          <seriesInfo name="DOI" value="10.17487/RFC4033"/>
        </reference>
        <reference anchor="RFC9525">
          <front>
            <title>Service Identity in TLS</title>
            <author fullname="P. Saint-Andre" initials="P." surname="Saint-Andre"/>
            <author fullname="R. Salz" initials="R." surname="Salz"/>
            <date month="November" year="2023"/>
            <abstract>
              <t>Many application technologies enable secure communication between two entities by means of Transport Layer Security (TLS) with Internet Public Key Infrastructure using X.509 (PKIX) certificates. This document specifies procedures for representing and verifying the identity of application services in such interactions.</t>
              <t>This document obsoletes RFC 6125.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9525"/>
          <seriesInfo name="DOI" value="10.17487/RFC9525"/>
        </reference>
        <reference anchor="RFC4648">
          <front>
            <title>The Base16, Base32, and Base64 Data Encodings</title>
            <author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
            <date month="October" year="2006"/>
            <abstract>
              <t>This document describes the commonly used base 64, base 32, and base 16 encoding schemes. It also discusses the use of line-feeds in encoded data, use of padding in encoded data, use of non-alphabet characters in encoded data, use of different encoding alphabets, and canonical encodings. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4648"/>
          <seriesInfo name="DOI" value="10.17487/RFC4648"/>
        </reference>
        <reference anchor="RFC8785">
          <front>
            <title>JSON Canonicalization Scheme (JCS)</title>
            <author fullname="A. Rundgren" initials="A." surname="Rundgren"/>
            <author fullname="B. Jordan" initials="B." surname="Jordan"/>
            <author fullname="S. Erdtman" initials="S." surname="Erdtman"/>
            <date month="June" year="2020"/>
            <abstract>
              <t>Cryptographic operations like hashing and signing need the data to be expressed in an invariant format so that the operations are reliably repeatable. One way to address this is to create a canonical representation of the data. Canonicalization also permits data to be exchanged in its original form on the "wire" while cryptographic operations performed on the canonicalized counterpart of the data in the producer and consumer endpoints generate consistent results.</t>
              <t>This document describes the JSON Canonicalization Scheme (JCS). This specification defines how to create a canonical representation of JSON data by building on the strict serialization methods for JSON primitives defined by ECMAScript, constraining JSON data to the Internet JSON (I-JSON) subset, and by using deterministic property sorting.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8785"/>
          <seriesInfo name="DOI" value="10.17487/RFC8785"/>
        </reference>
        <reference anchor="RFC8552">
          <front>
            <title>Scoped Interpretation of DNS Resource Records through "Underscored" Naming of Attribute Leaves</title>
            <author fullname="D. Crocker" initials="D." surname="Crocker"/>
            <date month="March" year="2019"/>
            <abstract>
              <t>Formally, any DNS Resource Record (RR) may occur under any domain name. However, some services use an operational convention for defining specific interpretations of an RRset by locating the records in a DNS branch under the parent domain to which the RRset actually applies. The top of this subordinate branch is defined by a naming convention that uses a reserved node name, which begins with the underscore character (e.g., "_name"). The underscored naming construct defines a semantic scope for DNS record types that are associated with the parent domain above the underscored branch. This specification explores the nature of this DNS usage and defines the "Underscored and Globally Scoped DNS Node Names" registry with IANA. The purpose of this registry is to avoid collisions resulting from the use of the same underscored name for different services.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="222"/>
          <seriesInfo name="RFC" value="8552"/>
          <seriesInfo name="DOI" value="10.17487/RFC8552"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="A2A" target="https://google.github.io/A2A/">
          <front>
            <title>Agent2Agent Protocol (A2A)</title>
            <author>
              <organization>Google</organization>
            </author>
            <date year="2025"/>
          </front>
        </reference>
        <reference anchor="ANP" target="https://agent-network-protocol.com/">
          <front>
            <title>Agent Network Protocol (ANP)</title>
            <author>
              <organization>ANP Community</organization>
            </author>
            <date year="2025"/>
          </front>
        </reference>
        <reference anchor="DNSAID" target="https://datatracker.ietf.org/doc/draft-mozleywilliams-dnsop-dnsaid/">
          <front>
            <title>DNS for AI Discovery</title>
            <author initials="J." surname="Mozley">
              <organization>Infoblox, Inc.</organization>
            </author>
            <author initials="N." surname="Williams">
              <organization>Infoblox, Inc.</organization>
            </author>
            <author initials="B." surname="Sarikaya">
              <organization>Unaffiliated</organization>
            </author>
            <author initials="R." surname="Schott">
              <organization>Deutsche Telekom</organization>
            </author>
            <author initials="J." surname="Damick">
              <organization>Amazon</organization>
            </author>
            <date year="2026"/>
          </front>
        </reference>
        <reference anchor="DAWN-PS" target="https://datatracker.ietf.org/doc/draft-akhavain-moussa-dawn-problem-statement/">
          <front>
            <title>Problem Statement for the Discovery of Agents, Workloads, and Named Entities</title>
            <author initials="A." surname="Akhavain">
              <organization/>
            </author>
            <author initials="H." surname="Moussa">
              <organization/>
            </author>
            <date year="2026"/>
          </front>
        </reference>
        <reference anchor="DAWN-TERM" target="https://datatracker.ietf.org/doc/draft-farrel-dawn-terminology/">
          <front>
            <title>Terminology for the Discovery of Agents, Workloads, and Named Entities</title>
            <author initials="A." surname="Farrel">
              <organization/>
            </author>
            <date year="2026"/>
          </front>
        </reference>
      </references>
    </references>
    <?line 1013?>

<section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The author thanks Chenguang Du for his valuable contributions to the design and text of this draft.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA81923bbRrbgO7+ihjlrhXSTlHWx25GinKElO1G3LSuWnEyf
7kwMkiCJCAQYAJTExO5vmW+ZL5t9q6pdICgrSZ9ek7W6TZFAXXbt+636/X6r
Sqo0PjTt0/PL/nlUJTexGZ6Z4SzOKnMeLZJsZqJsYt7GZZ6uqiTP2q1oNCri
G3qnPzx/226Noyqe5cX60CTZNG+1Jvk4ixYw6qSIplV/vEr6k6zsZzR8P8Kx
4Q8cu1+4cfuP91rlarRIyhL+qtZLeP/sxdVLYz4zUVrmMF+STeJlDP+XVe2e
aceTpMqLJErxj7Phc/gnL+DT26uX7Va2Wozi4rA1gbUdtsZ5VsZZuSoPTVWs
4hasfr8VFXEEow6XyzSBLcCsZbt1mxfXsyJfLeGX87jCP8338H8IiK/x+3br
Ol7D15PDlukjrGg/+BlAiP9cfnfyHP8t4+ImGcfGbxG/pafNssirfJynrSwv
FgQWGM28fXmy+3j/iXz84uDpY/9xVz4+Ozh4Kh8PHu/v2wee7NnXDp4ePLPP
/vmZ/fbZkyd7h61oVc1zAErfFDmeOoC2iBc5nHkyNVleMXCMma7SlE/wbzns
+2SVwJd5MYuy5BcC1KG5KgEi81Vk3mWw+qJMqjU8Ey+iJD00cOJrePF/VvLQ
IJ6sBmPYP0w3o9efx8lPCNLPaNoovY3WpYlu4O1olOISxvkEpt99/PjxswP6
c5VViGEn8ySL4LVVGZurV6emE9+N42Vl3v21i6cvzxlcPby2KpJDM6+q5eHO
zu3t7UAWNsjiaqeFyKqgP9wb4j/GWJIgIthjUriQAzMdeKzb5ueiYhZXPH4J
E8zyfJbGg1lSzVejQZLvwKM79KSFu6H/+gjKQ/M1PU7fEZKavcd7T3Ad5xcN
6zAWGdVKzi+2rERIjN/oW2QbjPPFPeuB4cxJvlisMj7L2rIAu4dnp+HK4DsD
MEQqOE3KMSBSsW5eEQwVVUU0vo6LQRJX0wFMuQN8YodZxCL/JQWqStI0iRYl
cot8if8fJZPmFScZkPJfBuY1vShfG97IGZzrKM3vevBpPAhfOR+Y72WWh7/0
fGAuoyK5jtZR+NK7LJpOExitiifhK2/hlfE8r6rwhdN4VZXjOaBunMbX+WJj
P6fAFsfX4UvDRfQLMg99Ik/xRIbfn/cvLsMjAfQAAlqYS4B3vEDEwQOqYEp3
QiafMoMve8Ta0jyawEdk88Dx44l5kcFoSVz+rqOMrudIxxmc6aoso/4kus0Q
BXFV/dKu6p5THQ7MUMYIf/gGjxvH3AKKqxdvX4fAuIoLkDJ5ms/W/24wTKOi
iFPefeWXcf++X9JL9e21WoPBoNXq90F6jEqcs2q1ruZJaWC6FZ1xuYzHyRTW
arQc3y7ETYdld9eSL3GMEvCPvkbuiqMDN8+IlZam8/Lb0/Oya6LSwCHCYcrw
ZyiNceqipDlI2t3ACxEIwDQeA2VsPGmq3MAJwGcaCCT6Mk9gehqgXC2XeYGv
Wb61Q/IFFu0YNny+BS4Lc4yL9bLKZ0W0nCdjeAAUkQLYlxnPYek9fgpAcvni
BIaLpzHAdwKwlG0muMxlXlZ9XisO7MU1LgCoOx6YswqAAXtCWTWJp0kWixyf
WGTqmXG0jEbAC2DyMo6K8bwH/y4i2PLYwJrHILdmPVNE2TV9ALCDNlHh0Uzg
7HB/AP5hfdTlamSVE34H5CegAPySZON0NcH38chHUQkQW8Sw7ywpF3BIq/Ec
Dwt/BL7dgzWscUOTFagkYwB0ghi2eYhHFgX8QcKh8GnBH0hBiT9Id8SjNc+o
VgCrhW/TfBylAGPYxRp5bwVwgFEiwNlxvox7drpoAtoc7DJK07XAuFQ7sygw
wd0nIz4fXNkkZuqC7wHQ9jF3nHguWZ4BCNPkFxgHlTONJkVeln1gyGM+FRwR
EDeZZfDsN1dXF5dmkRQFbAXpZJwmSCW8fBgX0WEZF4iUPPDPK4BTDOf4/TxJ
Y09XBlRNAt2ySBYRsB7UXsawsR59q1DOA5sP3YxiYIUJTM4wmZh5DGNFqLPi
ceTwxtrgecBu3MHQeUSZQZrtOVQQhZRP9NZyPKAGYi2LZDIBdaT1GQjAivCE
VFZgNEChixiYXwaYgzzT76pETpZnObJ6U+bT6hY3GgvfBOjGgGPwb57Bxwo3
+vMqKUgAlARRtgJ6qHeWiEYeEnwWljUEMBmYF3d43EQ6yzRf83gwfZzBNu40
/TSQoONSDHEYPTc5UDSsEvYNuJpGGRzMLTCUOVIZbKKkTawA5sJJb+PoGuwJ
wqQC0LgQ0h/UGbPHZMZyZDiI1WwL6XWk0RoIarRK0gqWY379VayBjx9pxkux
Jp6DEYSr6CDC7TCKvn0LcoteQJvh40f/x+7Hj92BwSOcxIjVJh/9hISBGj8y
8iIZCyHa7R966JlyDYcClPwAtkHwApSXfZbxeAWSbK3FAahDYINtCgM6AJg9
EwYMJxWjVVdj0wpq2zk2QspTt/BvwjQljpAqhK3UFwNzvo1TVOfY9iSNO8+I
SidacYhEcbgNFYccHiSsjieeDDplDPiEi4jvosUyjfF8RHmT05W/UYOBEzPT
gmSunxHxJkNq6Fd5H/4xolAdmhRkTYYIcYtMyc0ZI4X0+EtYE64ZhB8v8nYe
0zLpezhT4DGWAB2HZp4RTOlXg5uepvmtZt5wCKXIB8B4YPmgJcxAdHp1S4mG
KCtvYQFtpjHmXm0nefjX0rTn+S1yOCBApMRqY/XhydOQSQXHPCWMAR0LRx63
nVaT0PpADciBSyGaZBM4J5gBOWPMxFnEq5K0kvuYMhhSS2AZgDq3DC4iXnvm
6746OFAEkgrwDshBcAR5doq0SMoJb0OxRUZhr+gswBBOHQ16SRtP4ZkK2fdn
n4EtGaWlo5cZ/oUy57DV2h2YR48Ywau18NtHjw5JAmkFb4f0O4LBhMVpQcQG
NAwcFI5yk1hg7j0c/WqDedMmFEnPVsA2QHzgxMIRELma9ELL8Ttlt7epAYKq
lEYF+2p66lzoxDzhexayjwu8CPlFnWnjqmCmGxCfVrf1iofalJUlXgFAykHX
0grpHbR+2ELTtuYA1VEcZ4G6pBWjHh4HcsLlCrFcaXmRmcFebqM1aX8weE3v
9FQ1aB3gXk+dROxPU+ACAWD0ThXgQmkoMATEGOVOewYOgI9OCOby1SpzDhs4
tpukyLMFc8WbJLJa9w3g+iSySLGDm/D+tj4Lvav/dUU6V0RUwnRx9erSjOOi
YqKLzYjlHqP7ObwaojzoeH2N9n1L85/U2wMN2wM+L0SNH2wfS3vE+rcIVB4d
/ZR3SO6IRpenABxAkEKmYJVTSM9aCqhc1u2Hpokdmm6qNep9Z2QUMSCUzDvD
/WZIhTRdFZXX/U0LpGFOIIlsEhUT0J9lf2oq5k4982YZZ8OLs36aXMPqQKFe
RPAt/QqPFygfGdVBw8lAzyxF57MQT/AbtBhE3QXSiCrQHXn1jeuCzaXRWMtl
sYLFl0tmW56la2Udi0Rx6smGBUHmh2dRwl/WjWTNBE+8ILmH2FHB/syQWoHL
midLXAKP5qUj2+eMfeYy2IjWg7TU8nwM6AOJpgfArTRseg9AdEJWa5Iy5tUA
yfrTzEmnJiVnYC5Xmy+izYmCBuigR+YUsvTkJiJTwJ/7BITfGF35JCIJMML1
SqXB27WxUkrL5ZUoxQKgYpXVnAgUULC4V3EdGOsxc74p3mW14TsC8I8K0PVg
yg05Xy4RFdH6GcVMUSA64WxQlpOMJ3USNUGt+/Vqit+R0lRAySWDGHlu+Ukz
kbQtVEyt4qYVD5aUoBo9QNOgPcR3S5ZTm7oKcAzgKWhtMeajLug1dVhGgSML
ZcTeEIef4uXADO0O2ZbGjc5Ay8hQNR5XQHt4bNsdR4GHKam0wtBkQjxIg1Bq
Q1xF6NaD/bzU2rrXBrbxGmdjw3mSnxz0ehESCjsRjYgKS2TZypAGHEFXepkz
TBmt5TdUM+y0CNLFdlJrEkspIqKXSIp1g0U4LpIl0J2WVMh+2BunKEyrGwKi
bTKxQitPbdo/KJYwceQHez1qpluDvTYcj/MCVYN03du2KH+AgSjWgGoE0UMc
eSJDQ2ELq/bylgxwAMp0lY35sOo0BmokgGuSsma4WgJPF9Vowxj3HNSqjjUJ
ygKBPGlsRyKFiplwApYcGobkyrG+0f5zgowXRa/d4WnJww4EeNBiaWRxOS4Y
SUnzRKqM0jyblaQPNdKOw44mssFlAUiRnKewwQp5RtOrjg2IFUnk0muHfgj/
kEh+YRLwUZkP657sCIcYtM0wC1Hj9fBvJMaibfRPcoeBIW4rxrKYmK71FeAv
LA1pbeodJIcmD2ev5t50vE75N2ssTDgfuxvIbgbRBzrjCjUqop4cD18pJ1e5
uY7jJQu4scYQUPAXo2S2ylelIy1SQJyjFq1lsfrf/8j7fA+vgYgEOKFBnN9m
gMuoK4CNPAJO1CHXFIaj0dFRZ3f9QrwvxA4DDqc93h5depQbgGBFkhTHQJSR
oIvZR4jsYxnRadASLEf6vITXUGqiJ2xMshqFDzPMCUDEjhVlDZp+koHUAt65
5kEP/aCgywBDYiK3FDJhoDggDb6sc7Kv3ptO4CJyj4IhnpUAlbwYyI8YyH0P
5jFb8yxnBVYAjiKOJuu+Y5lMFwFw6msJkJ0tE1gO+5z8PvOCeaQWEiCLQKM5
G54PgbdkSPKF0hmnq8KJjxWldbDaAADnkwDu/UBzjLGcNdUm0ScK+Fqpej6k
dQ8HapTceHKICgJup+uA5lB6gTaCxWVW1+FR/LjEikMTf04ueDkVHH5DmDnO
MI8zz7rqBobSeTb1m238gI0QOKMbpl7W/k5RPCZiZKCX+Dom7x5gb/v1u8sr
TKzBf835G/r89sW3787evjjFz5ffDF+9ch9a8sTlN2/evTr1n/ybJ29ev35x
fsovw7cm+KrVBibb5tW331xcnb05H75qs/Ks/ekUSCGBSdbPEsMKqCC3WJsZ
scL9/OTi//6f3QM40/8BzGZvd/cLOFX+49nunw9QygCIxWWL+gj/iQ7RVgTS
N0JUB1JC23WZVBFauHh6IEQyCsAAOB/9HSHzw6H5cjRe7h58JV/ghoMvLcyC
Lwlmm99svMxAbPiqYRoHzeD7GqTD9Q7/Fvxt4a6+/PI/U1Sg+rvP/vOrFuPI
NE/T/JYYD4gm5nMrJK9qDrrQjIR3cGiHQuaHrUMUrVtDRmtWvZjgxpyJgjSO
zm3UVQK1GMhrvgKtDJk4G1wcHrMEUTrm4gmMFmBerlByfQsCkUNlp+yKwZg/
R7lFLMHsIENSFVYrnQPODW6zcXBoBM6mc8suiGHkTGn0qos3xe8UA/PxYDZA
u3C4N2QDcXh+QVGcN7R9z80auOA4KoC5oY13E6U6z0zxD7I2JgmGA8gDAYIW
peMCFY3yyKCF+gd8FQiYFBW42bxGuaQoBLFD1I3+/wiIwmg+Hmq+pxG3mvra
MeBOKwjfkJ+GdRJO3mpgZHhcI9xpNBFJS2Ep5VVZM88+5cDdRQHqTwLSqJQQ
Y6iAMlGC2MX4GKpeCFl5Aejvg3/ffMAhyfLDFz+0PvT9f/oz/AXvIb69TIqy
MvRZYiiSwZJUHJAr81Ux5jjbhsnuz/KIXEAcbBE7kEIuU2C0o2h8bUPtOO0r
CahcUmzyQw35lE/IuhdIZgPnQRcIvrOZx+Bkr6YFnOsCVKP+mc8them+E2U8
iEGHk0m8VGw28nChxfnu7Sugp2ouQ1v6GzLTW8PYQ/ERAx5FY5tnwjyLBp7E
FGpGZlHkC0PqH2bE0IAgsaNVWpkhe97ZTIUxd4bwn1M9ZyugaJgADHGQ74vV
wjlHbuD5I9jSHA1TmCEWnzuBb8l6/cDN4hJvSut5pvhbxn5h8apOYGGAp0Pl
cDJvbpC04tswhKuSfZk3hjicZGIzgiCJY3lE+7EIkQkzYMsvWDkDOFskcZj8
YROhCXYOh+wY38cjrWNqz2PP+hvjDNS8WPkA0ODHUCq7THYWSBUfzJt3V+bN
S3N58ubiBZ2USray023Qhoib/lf3anQN1t0HF2i3W0fdzrq/3Hx7w555fXLB
vldA0Nnbi5OelaNeUikE3NhI6wwRdYrezVG+wkDAmsMrNWA6v+DD3K42n0w5
9qvoOi5/o/+PcgdUJKsh5ogzbMBGgnYuL8Ounuj9Lh6vMG3FQqXvjCsQYUQP
wPuTMbPnWnod8cFXOcOVfC5avQB2Z0OxrdaLyHotkDo2tQ2WWTYi+WmtZWC/
I5ubZDeoFiOSkU0hNbLRFhKyp6OtxEKTRU2cGPrsM7fRtysSQX3zrhZApvDB
asRflbQI2gE5jZWBCa/ysVrmghbTjNINia0kkn0Umyy+tYsA0Q7vneeWWnUO
IIj7MZqk6OAQqbRGiIqvexIs33KNVuuf//wnhWVQ/aKQyiFw3glBZqI20lLm
t1iUygpvgUGYYICsGkSJ+wG226Jnd/f2m17CqRE1NhDGBk4bRbxzaqKu5MUM
Cl0LyvhuWTCKDswQrJeb+8UY+XtqUszKEE4deDOq8IA7JIk2SD60cLuY47OV
4gVJMWPg2xWOgXNR0pwVWsAFc57OcT7PFaNsopRZH7TAAP/ZVNL6kIpcSJpi
6l4wOmZMxnzD+iTIMrECln5/IQvA2LpfNsar7ao7yRQzS0t4uqu2YGVpg0FA
wUfE0VoiGoiXZBqDomV97K0ncIrwus0VcC9KJFWUz62B9iCsrn7vtp4OLEtE
hdnHaWKFJtaPgEqKiayTfeN5dygBsjq5L2qDqHuhN/M+LX8q2Q51b5bX3Y6Q
//vAuKRhOimtsrUK66wfkD4NB/iWDk9U60ZiQ49oKcbRmuwCVqXwRNFp4J3s
GF8mFk2eJszbjoiw0FfErBowCz0DO2y576A3mWLQ4pQkbV3BgmjN4Q9+WAjr
ZCf+awzHk0cO5zvF+To4fhe58qNHjPGPHukMQp/1gaYjWfSUVGUVSHfWKiuG
jkBkreR2S/4rJsnJ5uNDS2FO5SzrOqeexKFDtIXQrHrJFC2InqjSoIFwTse2
FRQYwAIHHMBCgdMidVYkyw6H7N4C5hRgzmczc8pK77xPljcH+Pl9z+Dnp/S5
66H6aS/9RhySCDNVCamc3ZXm+fVqadAJno3XA9oJE7jdC1Z96RMFeTdLMp/u
5liA0hvxKAnv35ZxVfKoyB2siIfHxyA4N5BGwhMPYWaWaQl5yAtN7I1gQ9lj
Go3ovH1yEUpgkqsJUViywO1qQC96luY5pYXNQl7MgFifW5FUFMDRphWG5Mhk
Rf7iUs7VNjjbbhtrhgO7xpABY2kcTyiCAgj5xu5Y0eTwb4KKISMGnpBOSoB1
532UzhClltf4//AE4hS5iWh894rPgVfGUmkkJcsfZy25fZKAWlXRROXNeNTn
v3EOdz6NmfAqfB4TV6QjQBzidGNnr9s8UIVR9xy43riyBO1jCIKGr/vlPNp7
8pSoTcb5k+yMljSPo5s1KD50sqkO4Svk+oYecggR37ABAfrh+FqygDCCOSvy
WyC9YhYfkQBAeQdCRtwKJAxQ0pP7Av+Kp3AcCRKqRB2LGIU/vqZsEsEZxhOE
EUufQ2cKmCFRn+mATHYY+VoWCyik1Q2dFu44wHby9OH6K0z2RSuf6i39GcLq
cxLs6DiRHHPtLCCBdhiqBcrK0oyTLL6iQJEX343TVcnpo8CcCDE7edFjh48T
QiIDeiJEOFU9IbGzxHASSY5E3BOcrY7aEAhEDpyzknpKKR2x52buoEVDen+D
yHWdTN6T/mlpFYayHO46Xu94CnVmdhOFEtbVSdPyD1RHG4an/QvS1oiRhmsk
w4D6SFyF5Ic6acNcjhTuI0UPod9DimxReVQ2L0kdZ5vq/rAlaOvn9GanZUz7
5nj3CKvr2nA2x3AGfaw17T+WLwH2xy8me0+e7H5x1DYP++/I2CAGjrC8Psbz
eXrQJzSPJ30OL/Zhrm1DhiPAQdeHcGf/wBH8aW+MRPCUH/Vo4QgNR3FsqxCb
obzTaljW4DZO0/51Bpb5TsOQg5/KPINFfHJuWfbx3cGzF1/8/Ca//vnn4ua4
efVda+syurxECaDdzyV69PjbbW7pTZf0jXLQenugB/LljrXtXXKIAU7Bg3+N
18FDLgqDoU5QyiI7HWgHM/QlOi4Af6MvYb44NIKFpqMiaVRu/uISIGE6dr9H
xkb7WIITx2DvqViIONHyGuZ5HqCChL1pUb9xNPgyWDbliTl7CaGONj7q2Gpg
gkKyqWIEepCM7/F3c9mX3wz7CAH5HeN2m+V2zlQO5p+u0iadopEV8koacNEE
flb37bu3Z1JvI7xwHioAbiVbBxYkf8iOm/hsA8gV6shxNnHe2vGiykAwtDqD
xfvTeh2kizScx7MctGa2wlnw1mrHuqE2IcaRLVGsm6MqpYH0A0k48VHgurBm
Lz1l0XyQxefpFvc80bNdnvOCfTBXVGxNzs0/GQp+sHm+FucDv+CUEhylETIU
96Jsucub8QXqKpIAGktalnOR1VzoJ/liCYtxARY7jNJ3ZKDNCmKvHvVtBRoa
jKbjS5vDLiAlo+GFt2dIsFuzH6b3FqjZUSaomI3akrGmKxuSJeNQgETWB2pd
oLjVFKszFbHa1JeHSHN6bVei2jf74e8o5qN0mR3P9+AT7v744GAfPtoNHe89
3h88Huzu7g+ePObvn8r3j3cPJ6Nnh4f0PXDGp08Onj0+bt/s1+TuUehQ9g/v
HrejvagXZcu2elidsj2eTniC3RaqOOZmz2FHB3CdYvkJuZe7D4bLnoXL3h+A
y264/712fYttK2iRX+jYpeMKnksqfLBIfeGQutEX5jzypcs9Ze+Mp4WOJS9q
EGAj80mmOQyHoe07yBtcPZWL5t0Tjv4Q8AwLDhdVc3RsEEF68P97g93B47ZR
T4Ne8IDT1+bNOGADeC5dnAFB3jMeuZjIPOgv3VjPJVuh1TqR4nEQkIfsFrBR
Vjczlmd9j6JBxV2DSCtnR8yT2ZyUecFG9zjL8FzsLfcz+sXhB/aK+VCWmvRS
mKuD6k2UrmL2UuJjyOOiAo5qBRzP0RmOd7INVsH4w3tL48TJG1bN9Fy1PfpL
uXeDOIm8F6cESYrp5u58O5u8tyubodRt8jySNx3dto4djzeRwubpOCaNtikm
dpRiQTc5mFV6ckTqi0q0aaieZKTh6DUoEnVRBaqrpOUtG37RVLaZI7cdpcmn
qfwBkvoqRfD3h15tghtmrpAK6erZa/0nOElRkqBtKJ2T5rmQcXKDgcgydulA
DK5aqi09KoDkcJwEI4evLs7NO8zedZGGCpsNlPwLLcslTogvJPOKkXhfOSgh
ToL5Hvxvvzu4Nz+js5GXZVM2UBWYUPzOEl9dX+hYLO01aAhdzh6h1RO+Sr64
ZJpwhSmnzDy8zFRQ1sYyuO5GqDSVAoDYtlLA6DDIflvzLx5QdnbRsnTbD6p2
oqqoGpABK+SIgiSy53F1iytrkk2NMmeMde0YMeLVrTCJujTVbc6l1mWQCnLq
a3q0ErkpU0JbslmyMFi/c+JESZqb/Z5hsVJXFy+EawSiBsUD7HRpdbAX1hpR
JstrazHQunMms1O2LYCwyVNinTxdX2ZlPdrO9Wcd00B3Wzyi4qK0fs2m0BbJ
pS1mSeZMSQrvY2xuRM/FZG2FScphso83iwoJeA+2zGM9TBvTodjbtLxqqYJu
GswAJqvNeTeDCjVbzcpBSdo0bqFcw2R3XPvncq5SORZX+00JK7wC5yDAyBOt
rcsFpfyzn7tvWPjXQpygU5rONAax1LiL/ldErAhhGVG+QZ5AH4ktdP3eGkt2
7zNPuVAXpGatoNfV8+oS3p4523kjr/QMLHvQHbB4akYZcvd7eXlvGj7V6iZW
OFdS+LWJw1FZ5mNqt2aTPzZDxFvT6utVYVgSZJWMUEIJlKUkljUgllNOxboH
rOXASm2047lpTjOItDwN89k3JCEVP/QoxcLXeas2AVYDYcnGQtaXtDJ9UuKm
TTiyLXc40r7WCh7Whg8aHSuODHrYMRJe64n8Y1WkVrzm5aY+zLKeMNw0kWA8
EwBDoFhxLuvuwLzcSjSjNSU2UeLknFlTssXVQt0rzrZzEZC4IM2xESmC6y+X
b87DZlKSeP6Xk0u2crDb5sePcJTUXgSE8ZyIf3+A7nFqUIBjqGFLqgmRFiDR
rckBfZF2AZ8XiAKAC0US32CE72BAZjryAssGkdMEvim7ETApBpg6ciKsggjl
Pm57BPy/JPWYEZLawcSRIGLIs6IkXRVWxJ/VUwa+5mx9RCl/qH0r4/qnLsNW
jCFkvUNbCkwoykm45TYKIyZAi5TsruajPeIcx1tUMJOKX6AtNbr6mKYppw83
rHKIBhvrk2nLLXLH+i4DoAXrpZ4azdwAT/S+c+LV+KJLrr+OuIDYnUTajM3B
iqSGxIaMaE0obzlCC0rEjHrsUL6M9kpxzZALwZO74fv52gzF6fRNQodKGrBy
WdHGvNPKBvPVMl1S/4jlMfm1EJWAaxSRzTGR5IgCkxX7QBvL8gie5eEI7zBP
va9sHZUucKRHtWktfUyhMz8lFarUXBVXoAe8pCz6iEp9QR0vEk4krWeesBPF
F6yZS8xMjGdr3MKFPafSgpuqLKkmk71xby9j5nCUYYXK/k2eUOwUc/iwzxWs
0Nr2zi+3BNWEcoH67CtYIPOWp1zfp2Xz5NwNgxNKLT8ODGE3jlSk46oWkngB
NIGmshM/LpUFWEdBZRRo9N0TfSy3RBvNnx6iDFKq8DagWkfwIpmJHRDNmCWh
SCI+Xc5xi4W5unrFSZN0CFQPCaNLdP7qlfla8obxDM/C/BjYAC7ETo35hVSv
ynFuLHrm8cWCwwXbvKYdSbTsU3c5HxLBRWwbUK1YRiSPDB9W457RZouWgEOY
0onhFM5R5hDLSxticfXdVPuLbbGBL7WpTBzBJUH5tiPKHvsXtjoFI5XuiA1I
QILlWI5Pu7S04os8fMMiBDm7RyegCGD8kRsvBH0WJS3Yblv3WezpHgmu/tqw
mOVaEsnbcDW5SGgCDwvAQ3aE24jqr7yiZPJxR0dMa+skbysqefXwVen7R6rO
kfe6Vkj5daqg2DzNVceww0q3n5MaBZb6ZVMToDJoG8oClI01SZwEtc/aUgwp
R7f0LLc+iTb9V6IDvCZ15grUGYZHCCdDVrHVKsibMPG9RHwMiQqDwHCdsGmP
0D1hZbp/RZ3gVWrLDgWqMW28KOPqeFVN+89aJ8BW4/6J7WG4iO6wuu54//Fj
PiqMMSmuAS+S7bAE0bEs0KAwwQiyFuw9wN7DkTgwYEAMkuaoo3SeoOGMpQJs
9+0/1T/ugn2xKqgYTIX+BGqEoi5my5Cj7zy8uNo9FnSS1LEgVwTVaxZ0A/Mu
o85LCFWfLqTe5B4JZHZJLq6X9+xVpun9C/IoRwQlQGTjbtKLS+dhi8nj36fc
ctJYJ8a2LvHqM89WxBLqdJUHlIFt/ZgdyiKauBL3ZMYLbowxiPbdoYFPvJou
ghmtVjKVPfTZ9vUl0J/AX+xHgRnGkgDtcVeNxqhLDOJXzJ74D7aW24embdkL
/tjnr7ljNHaL3tl7vPe4v7u3I8/36OVkol/U6R1+kTISjspvUevrtusajySN
C+QfJz7DAh953cgjXYmq4gUyNpAivsdNRPk7W2UB3/+9Ta+dTTA2Ut3RHQ1w
aO0f6MEl6afUT/vQ/EoJKu55+4WaA4O42YzmoO9rS8ejwoICV/hvsYSG9K8t
sYtYQa/8779H/V+G/f963P/ih47/3P/hkfqh+58NqTOdf/xj8LCXu4/+g7uF
f+QVEBgadqcg2LS7k1yns4lWzjUYQfmBHyA4hhuE/DWgzw8eDpvQp+9vgj+3
w59+Q48Tbqe923Zff/RP0JS/YbjapsNMneYZonT2W2bAEARBhPJ0ECqSyeMh
07SShhyg5uUsr//AfmuJJfWGhz4jSM3d0v9aHMMMnSYki4oiWm/FsZD4daKO
fyXBUECIMFswuI6CNvhIrICSOfATanAa9NvQkn6RAcLv1QpIEAKi9MKfpfoA
ntit/xLdyS9PnzzZf6J+/Bick6x368QNZ9vAoGgQ0AHKCsvj2ltnI5j8+zeJ
yQfbpw1RR37cxIZmwAQ/f9y+AuTUEmf5g8AOUwA6rHiXLnTT3Q597yyQEM6/
BSb37+ZiW+y2Katz4z+X1VCDwm4IhU/xlGTWxFI+IZVrLK0MkxJD7e9Bm5H/
lCbotUARtC3830efZ/oSN39ZFSuuRNfJTl4x84pHuzmDRxQeJb1JVILkEwCx
rGurpGX7C8soK3L4OxIU7dcvr29f3P7tm7/m/3X2y0+PT4bf/u1MPp8Ovx2f
fjsbvhgMBrgxOgfL2f9Og7jDUKzRUb9nWu2mRCylEDG7OTjYd18JK/h7e76n
NIYaeVJWjf2tiWr+7rJismX7B41MTQvf277wvX/1wvcesvAfHDaxusoE0H79
4t3J2bcnf6ZjUVgWGnDinGdb49fPWMdPZh/rRpEzhLytp+2kqLR9PDjMgS21
CJH9Oyx2XZO8wC6igMYlVS6o8MQ99hBYSyeX91hTFLywcYcq2AkPTubmq0uX
7QDUQLGKFz4gUX+FWcSAbXwE1I+ylx9xH8fmVyO0CVbpXdWj9GM4Fsc7fiSz
7BjDLp36692Wn+2YTqcDq/tRVvcjrK5n3l297D/rhMN16UV4hRfHq++4sbpb
j/075VT3GV5kLkrf4E3LWkewQlQg7CB/Ep3kizu66ic8Y8nL4DvbKh/oYryg
A/MYwAGhhZQkCeq4qBWdlBR4090kPgXdDQtHMFhe21Bu5hZMAabv/Bbd7gZY
W6zT5MmchFOwCebwIKUgu5cxLsmz2Awti1VKG/68VMsD5DmbbsalxI8h0RoJ
utCWAzDD2+c53q1E3nOX44WVVAUlyvnKXATFMkrQ74uuMreLbs92bNT+UOpw
a566iDd7rKgw+EwuVMAOR7JM78YRt4fHAxUDs612qLJTPazOCk+F4GevLJlL
JXuJ2dPcZJvd11w4Je2iiOhVyzTKsLDZ/68p6G+buLCjtqEPESYAshnB2Us2
DRlT/phboaPJ6iG61bBN+eMwQ1jK7RtA2DSFaIROImcAcyIjdnyN+zopCRPZ
cGrcivhei3iKalTZ6NZ8UMvhIxdAlDg9RjjIo029RyKzWKVV0rdt5bmRtW+W
aAt4hQ7LsHESrpYdyASuxHZFQmMqmlCYhjfSFgBTT4ym3ksCE8uYrC3mTgIR
q/SOWHZQb3Mn8mDsH5O2ATyU5XDiRbW/8RTRDDdY2S4KJE/YPUX4M3T0ANIn
ziLQBQiFTh7o7IdHnxcgGpFKd2CC0Wo244YEeYo/vqB8MZfBxjk8CefvwQD5
hKIx/pYCLMIoNnze2JqSywspcuIo4tfPbGnMR5uv5mKM3NeYCxNcNXTQ9Jli
LFZgeohTzK9G3XXPm5Fq1s8+20aeam19ytb52JhR50rvMYmOXboIh6jYvtrf
sVJ744hUcW9IAkoZyGK8H29cu8CpixhmkwKlb3V4vVutxl1cF9Qqgy4iuaxV
MzmA+XofnAP9Z2HBp+qd0QlqPbnvoA1u2aQUX5hU1ss5jzAvphYTsrSNGbM9
/3Xj9BQt4KIvzHB0oTrDvcQE52xXNLp5xZYP39fJreEbae6Gp/SBmsVoHzDG
OXtEfq42V/q/FTnQ5y/IMql0ZxvEP7juI8hnJMzgAKnrYdGpyA2HQTtjXrUJ
oQ5VTOkoGwKzKy28Lv56Jk+wcoPKAxxw2ZX8rWnfJejqx7ScL7s2S1MuN6lj
kK78w4Q7ApxqyODp66E4ayQjy3VQIZQf6FUYf5uLTzywl0L0Ka+INQEKtlJD
jzR2wcHNPn10bsK8pV03T+SyCTabyejmG5wcOY91AkNHOs3QXz0j8MXDseKB
lI1Hj0b5bFU+eqQS+5vScsgI4iwj08EP/XGa03BBAjrqaRXfeMVR3IESJbLD
iHrncNk4th/wg/l8ExghjaOS+uC4FhSUdUsboSYZZRAkdZoCq1aYQUKpCWd4
WRal8CVlvGMtIrmDV0kbBG9i8xDxCJApcD8Z1JKw2oGuJsmz+r04tLTma3E4
4902XuGV2Sp7wCh9tL5xBGXa1CmfSgKYbKV5FyLN56V9HWlFw1rfsKmwBiPy
YgJJLFKLD8pk2uwl4rfK2pIuEwUxC3Ippual8bLiPuv4Q8gynMgSOvq0SKCU
hZC6m5pviZSv5zroFAexbVQVxPZ47bBmdwA6xiSZefTSlSjz5VvSRpfqRTgd
3OweEjKcKGSgspAap3rnDHWuoICTrOMQHqnuzOPivYxHdJXqobR8K+8fSjkC
XJ8EmN9m7ojFUqq+6GJ6qKB1xxqcXdLYEFVrWYjSaJhejCmdiceyskCtW2Gq
QkniHPdbnLYKF/OVWRtiqa68sUxWG7atlU6sCl2Fmwsy2u8zclGjGTbH44Pi
bpataPcHigjxEcoqpiwC8i09sOuL6dzf9UUJbMNKUJfyU5vA3OwyavI01MHP
pxdg/N4hkK+IbAwWXoBpbvswe0rylzVs2PFsxsNTyY3trlrvidjVaMsMMhjf
wF9U1MTsmKmTjgWGx+7gdq7fj/LeitO+QQ89eINLronxK4prteQuPqsRvnL2
vqssbNB8WFEIHAXeCrLpDmqxfMWiS53WvwAgosWSGveSXJDSKulqCCw1z6fk
iioouxLL1JIyJ4dQj/Jxqoou1MbLVlP0c/ENX5SfWkMc6vdkIYU3BWD25qaJ
5XkufBlPp3z5qa/lG8XjCLCFTvpq07Gysb9Qm7RuWJf1qNmUYj3E3bOcXAI2
BToAuO1iun6AxwdRRLdVINsszFqRu4mpv3SKXYhsRjJiX9OxIZoBOSRYJkop
eJTxhzffYvOybTqz3LNHst8bcgjTHBuCUg/YZIGWfJRVcjdXZR1yGxi1qcBZ
3VDyUpBeMY1eZkS9RPQPnccF5ynQf7Oq+vkUmDMACA80uDta2bzCKrmHfe4l
Ch8R6xEn8zwv+TYRb4b7PMoPzqdBHSm8TjDElWHKb2CdbalD8xbZdMXXYLN+
aNz3eLMOX1iykt5T0haafyYfkVPWP1CP1k351LEaBLcd+CYBUeo8F8ENYTyC
ugbSkR2NIzpZP8n6pJPJeKG4sK4oGMw5wqVjLjapDKXWpmwhhVRrWdwxQmGh
o0Jnzb6yvAvP74gHRd6t2iQE+oTCBdVy48wxEan38oV46HLBZTs+81GUgXA3
vpeH5DD3Qsq1N4h6IbzhlAvvhAk0EQVhvGA7Sbm2tSvMrck/Na7HgVS5mi61
AZwdxxPUxAeqXUA9ikTpw2MdHvKbr+3UOh7D7jBBvItrodGFDprtCbaklaz4
S+AfEg6TL9M0HJ1zVMXwBS3KX0WEdePJnYRTOJ9yCHAq0YPmnR2uUv7YPO5y
DAW9j/b30VrV0qOBCqTOLdMKxCrqDYHd6LD6oEtRlbOpfcM2LwMiwKqsEseF
8VR/E7ykdWzdBahzDTQsQOc5R685xXOoYzQ38ZAb6lwxAa+VKoslZBipeDuH
7a1E86mL7JCXhNsv7Sa/Ml9yUBY+UP1y+RVHwOhihEPgrPbJQyy9paaokqfC
7BgkHRjVBKJfYkBueIMHPJQ21j+7NtaqgzQuj9ps8D0QnCVcADMjPyFdaolh
L/Tj8qoOXT081SuUXMLAhzKiZgYmWy1G1BqKNioxVvjhmLJ6NaD3/WgO4raJ
jpvFonFmj2QzZnspJ6xK9WUVpuMwp0sYyV3T+BBdnTgMeGjewxK/5Le+Ov6S
1vrVe8JLPkipBuCbU8SlgYZxvkK+//MKpGxJiPgK88XlaVHGMGje5fs2gKc6
LRnJ3h4elXeXFONznFYVsrPINSVFYPhhi7OORdjN1XrNvKFmpVFIv4f/ym4q
rpdK2DFls1/Kv7CzTeOc+7U5qVMIN5bxUKplQHcEhxXH6R62mleAo+/i5PDv
fsPk/2jsg9NqBuG9g21Cj7gBR1ERBCjoNL7v9rhnU+3r/e29YdhOdtSOYg3O
RG7To1aRI9AFr6X5wftgp+9NNMJwONU6Ahtd2hJEl0gOih8YEmsKrh2xpBhX
eCHeBod01Q51cx1ZmlqGVAPaO1qt05YlqUoGYbz32QaUzXBsvsSxdr8yfzLt
f2Rt+Ie+2FNfDAaDFkvSH7mk9dgWfnbqGQw4JmYwqD5ttUwGPVDXl65w1Qhp
9epd9Pei0nqXoEMAmPXBAdVaRGPuYrG/J0W2NsvLVdt3B9yAyBuwwd1AqDSx
7kcXKtwbR/OtOJ0vrbElrlNbxeciByGWNyLdW6XPSlm2zWcIfDHK8HMtAlWE
RqmLhKsF45vy2FkVhvTAdy4O8Sn/XLAiW2hwb07GNucbyx+dNXK5opQPhgZM
fpZN860eF1aSOHFHp+pIkOPpwTNJCMIVa0+NFYrk/d3QxZSAH2xCqMGfs/2I
wlyNz8UYZxeM7qDIgPhaHDUgqZz/ZyUmnGrEZhO8N1JuQk9AMyhJxhFQPgk4
nXSy1QmzDDxGoa+BOGFEFlG21ZHA9zFuCxSTabFwbnffgciBA48BC64ovAS2
1AWVmpMRwq0uHby6pq+95vi4bZJJT8sf/vmaPx7MK2CSPsXNO1TrNI6OgjAe
xYHUkFEkNJyzM+ywzs/nq5vrGtuZFFo5Q1Wes32VKE2E1cpD1UoY/vHNgW0v
AZHmPWShsW6Efu+Y2mhsbr37iY68hIJoqr93uu17yVyyWEZKRRkvwNZI6TZV
q+w5oet+lOQ8YdY/MmSPsVsvSqYbFFJH2LAX/4J/NxN58QFs3osPYFdV/Ht5
TX8ur1vJNJA3ArJDGCac8U8w5ZHunovvq79xoKaWoPcP2NRMt725BdpFw7Nb
JrXtQn/z3LaZ7m9YgrzCctz2OOqgAtEn9UeE11alx4UpcGGtZg2nKzYhNmiu
92amtszIDPBMdUoz6CxHrd/TrPghnYl9DqZnIcLinZ7luIHXmTAHtCH/Mzic
T6R/BnoT3w2oRqR4aoLdEg7FhdwQ1VFRMed86wVBR6zSlfcbxByTcGqjgZPG
Efe67BSgszkMSzFBGjFIOoX58MGUIrq6PaUEAm969szKLq/xDXhQ5udbhn3Q
MLXD07mzmNvCDqdaFq291iV0W2CipTDvCywC1r5kvsGLxfgWZi3ZPdJgLVt7
Lh3kq1hiJt6OXhfrWXkfYM97FZqxImQn5PvM6PUtpWSxENc+jUlxQI0H5ZTA
DbvxNWXmklEvr1BO8NZ3/DnRCW1N2FWr9xf6Ka2oKZ3X+4+/+wPxVB9J/V0J
vf7MbYID78RSAxjT9fhf1+eelHOKMIGqEN1y5+OoqgGGUjGpU0kZ+KVtKXgt
iOGSVSVFRpPoPE+pmvz70FPNmdE2h4N2y3SVqUYa98SJYOjPy1piBfdarxke
0vg5pDnHicwb2GnXh7M3kwPcFb8+dOBBaZNBdUI36/CbETSNINQNoNhqx7go
DP3se7pIQDK0L+7T3p3B4yYMrJ79WqekStsfGzuw7l3bMaknQartjZLIyLVp
Otxso/RQkhJfew3blqIKe+sqpXTLK0xzLqhcuf4N5FNzBgdNX785JsxPF9N6
M+t949j3uj17T1rj8d4maUqDczepRisTHWBnLvuUhj3B0Ae2tiD3wUt3i6zv
9sK8vojpmJRJSQ7vaTJDeuWoSEOSFOLGiXsMgVS7LrUDhgYgi772pIt4odrE
h+/r0L0NNgzu7u7qt4PoezZQ/uyg+Nnh3NJeXe+XgNinb9DhbmB6PUE0JLjZ
atsN8faurPCqKxQSatMC/8YlYWc1dxGP7VT5O0yXrrrFx1/QI8zPuuBrQsiv
7J4WLT4+hrnvrT83yDFhEjoHWRKOhEM7fJT+jaeYoYm5eoyQfCOgBn4P/eRl
3Hzxor62cO9B1xY+8K5COwPiLK9p2w2Fdn11u7QT6EV/3CDtCptswhxrhhdO
J5CiJjG/R+vgWsmembpaqabh3NWB9sIr24EP4Ej4bPsedR3EA3Dz6DXcUfd7
1S5L9FfGSSmfy8ZqaPvvWv5KE2rEwu9s0YQoATSV9xtgViOszUhUB9GUEmdp
5TtyxRY2+2EBQFC8PzuVq3f8rYeWdTDvDQI0R6hL1jhha1uABP47OzdDMlSD
Jv6feAER2wTd/WFed3+avpZux7p3m6xCf03mA28cajcZs4HZrS8cAtsW7Vm8
/4fsWv2cdkps/PhHb+t50DU9n5qx6Y6eP1+PVl+cPr94cdxGiH/nGss5muJu
ZP8tkbHWlhsfHnjfQ2Mk7b8lath4/8KnYoly94J3vJ5IyonN1W/IKF6Vcouc
MPOmqq7GXjx8t6NtDqN7MJkz6mQra+B6T+qSTxaOa/VWTzFTN4z31E2stpFY
eMWNazUGe5MmlJmJkbtx709ere0URYH+isrhbMq9NWluAeJzjPiU0ntvToo0
uay3FDAli6hI0rVL6LF3V1u/QEVDuLQ0n12oEw5T2YjNUKgwLY9yKseqqZ7f
MXplKKkRHybdahMaOAiILqr+893rcrzUO5NqQTsyJkOcAm3Pigibe1HCI/qF
pTOlfhnlNNqNvisjbOM2jq51a11cHrF6gK00XDeU0kiCNL5bkkwlvZKSKRXq
THzb9LJ2s6xD5Fr4LHf6IiERxV0F6o1dAhc0YsxHEnh2fJadK8HA1DZXbqhz
OLFJpwh1d0CYtLlZd0DN7mr3HmvbxxV1WCeoUkbkjoxG/xO80ide0pCgdntv
4hffSypCuaba1GdbcbqelOAfHDzFa5m8esP2a3iFO8fQn+w9+fixPpotk3GY
xxoDaRe1PNXhzJdg2j6K4Y7qYC25Wt2O3ae2lXQDhKjwtIRynY3nRZ7lqzLF
1tCk9+A4lNfFt5X6ouBbdfUJt4x2K+c74qUO+VMlUfUaQ6nN5QskejVG6ytv
xI8RawNAV3hRkc/U5bvKPc/6nIOCJ9baXKNRKZPqmd9SV1SrlaorhhsFUFQQ
xm6DHV+MpA2cWrLkhhfHtim+h4aaypD05ePBBdDo1aB6ofsutLeT2hxT5i7k
f2NguCyAo2AvmLgLGDDCsEUtP1UHEH0OuIiaMC2BiildD33Jky4/LSU1K9ha
uIutPd0+oxJIWPVilzbEE9+UfRRnsHhuQB9XbBEwuv5iW7VTd3Z+Ik0wr5pk
krWVmNGv5ELyK7od56fVZMYAi+hyU7wGfEuj9p6ZIV1n1O1ZrgLpySFID1Hq
u6o7kypLDfuJkVbgW/x7/hdm2g4aZby6RTwU7b5RGImS7+oaikBQRBuV4+na
5dpZbUpwKjWiyk2L4lzJgKac1CxMlYXXrNLRQSPbxVTDxZLsRZGXqpRE9WjV
+IVp/TWtqXP5atit6U723Knkfyg45xJ34Vl1gElZrmLOeqF0P/iuyLTvG85i
kt7Tt7+nL7o3U8wApGrGXm2i4FjRvzc8H27owDaN2O7SXwVmLzqikoObpHTq
sb0RCUPbwd1HxBs4NRo1M+dKHJjzHIU26B0IGZ19hjET8cOUxHHislK3J9mJ
pZGpxjxaQ39V1p3h8KrYE6WEndxaUs2n+OKzcBi6nkY9TgmwWO8dkVoS1nJv
LxrYeimaWDzuFpuwQ5qSra5fmIN87cK0BrcG7OY33Jh2z72HLlvICT/fz4MK
sq0PO7ZJrLS/Pq+N7nzOgmALddBGVcF0nj7Zoyef7B/ccykdHPfLlbTM4P2D
+IrWFkG24JKwwsiXar7fBNN70wGsoIsybrF3XEa3mr0PTuZ9V1Iax3legDmi
8nCtRmU7iwhDld7uY1F31RUgWaMLKrxtoycFgYTYeVnSPVDAbGbUEwN5nKtG
V51VBPayLCsFiCfnYmhQe5uNmz2A5N9hXVaJl4pOyCY7x9AlJr5bindZmitb
XerT91fqZbCZgEERnaTRKE7xLi5Uk5882aNruLByldP92bcLD2+IZOcSDaoq
3t/vSHjf9eViLgjDS7Bmlr/bpnZaijNq0P/6K7wxPDv9+PHzMuzyzW0vkuwG
hsn1+0d4XQ38WPTkOpvPMQ8Kr3xCMcR3uKEBxQNM4nhJtx3TnQYquDv+9H05
oWnPI9SakcPc1AdCIjGdMo7D+75A8En/4UAReGvbkAcaWImJo8+5EE+BJrgb
0DNsTXt0s47DFuEFbY1yOOvXaT6iYtZLBlOIhm3fHF3XEsOpKvwS49ZnFGvV
lbzQPn6GuTcrTrKLw9U6nZ2xZ0P0mEuWzChjMU12VuR43UVMyXv2LgsVq8bs
U8KB0qnQfF/auFKbykRnq3S2LUXqRpbriSCMzDTkhSjNQbZQPjbK9eEY/ZKg
MbA+2fr1kIsU4slxexqlZdz+yE20SWclBAID+QR0HFDs8NKxFUd7MCSJHiPk
PmQkSFVeaaO7E242RXpYfCc2Eh4AdssetP4fdFEGr7m8AAA=

-->

</rfc>
