<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-denis-dns-stamps-02" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="DNS Stamps">The DNS Stamps Specification</title>
    <seriesInfo name="Internet-Draft" value="draft-denis-dns-stamps-02"/>
    <author initials="F." surname="Denis" fullname="Frank Denis">
      <organization>Individual Contributor</organization>
      <address>
        <email>fde@00f.net</email>
      </address>
    </author>
    <date year="2026" month="July" day="05"/>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 38?>

<t>This document specifies DNS Stamps, a compact format that encodes the information needed to connect to DNS resolvers. DNS Stamps encode all necessary parameters including addresses, hostnames, cryptographic keys, and protocol-specific configuration into a single string using a standard URI format. The specification supports multiple secure DNS protocols including DNSCrypt, DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), DNS-over-QUIC (DoQ), and Oblivious DoH.</t>
    </abstract>
    <note removeInRFC="true">
      <name>Discussion Venues</name>
      <t>Discussion of this document takes place on the
    Domain Name System Working Group mailing list (namedroppers@nic.ddn.mil),
    which is archived at <eref target="nicfs.nic.ddn.mil:~/namedroppers/*.Z"/>.</t>
      <t>Source for this draft and an issue tracker can be found at
    <eref target="https://github.com/DNSCrypt/draft-denis-dns-stamps"/>.</t>
    </note>
  </front>
  <middle>
    <?line 42?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>The Domain Name System (DNS) has evolved significantly from its original design as specified in <xref target="RFC1035"/>. While traditional DNS operates over unencrypted UDP and TCP connections on port <tt>53</tt>, modern DNS deployments increasingly use encrypted transports to provide confidentiality and integrity. These secure protocols include DNSCrypt <xref target="I-D.denis-dprive-dnscrypt"/>, DNS-over-TLS (DoT) <xref target="RFC7858"/>, DNS-over-HTTPS (DoH) <xref target="RFC8484"/>, DNS-over-QUIC (DoQ) <xref target="RFC9250"/>, and Oblivious DNS-over-HTTPS <xref target="RFC9230"/>.</t>
      <t>Each secure DNS protocol requires different configuration parameters. DNSCrypt needs a provider public key and provider name in addition to server addresses. DoH requires HTTPS endpoints and paths. DoT and DoQ need TLS configuration including certificate validation parameters. This diversity in configuration requirements creates significant challenges for both users and applications attempting to configure secure DNS resolvers.</t>
      <t>Current approaches to DNS configuration suffer from several limitations. Operating system interfaces typically support only IP addresses for DNS servers, providing no mechanism to specify encryption protocols or authentication parameters. Application-specific configuration files lack standardization, making it difficult to share configurations across different DNS client implementations. Manual configuration is error-prone, particularly when dealing with cryptographic parameters like public keys or certificate hashes. There is no standard way to distribute complete resolver configurations that would enable users to easily switch between different secure DNS providers.</t>
      <t>DNS Stamps address these challenges by encoding all parameters required to connect to a DNS resolver into a single, compact string using a URI format. This approach enables simple sharing of resolver configurations through copy-paste, QR codes, or URLs. It provides a consistent format across different client implementations, reduces configuration errors through format validation, and supports multiple protocols through a unified specification. DNS Stamps have been implemented in numerous DNS client applications and are used by several public DNS resolver operators to publish their server configurations.</t>
      <t>The remainder of this document is organized as follows. Section 2 establishes conventions and defines the encoding primitives used throughout the specification. Section 3 provides a high-level overview of the DNS Stamps format. Section 4 details the specific format for each supported protocol. Section 5 covers operational aspects including generation, parsing, and validation. Section 6 analyzes security considerations. Section 7 discusses implementation considerations. Section 8 specifies IANA registrations. The appendices provide test vectors and examples.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words “<bcp14>MUST</bcp14>”, “<bcp14>MUST NOT</bcp14>”, “<bcp14>REQUIRED</bcp14>”, “<bcp14>SHALL</bcp14>”, “<bcp14>SHALL
NOT</bcp14>”, “<bcp14>SHOULD</bcp14>”, “<bcp14>SHOULD NOT</bcp14>”, “<bcp14>RECOMMENDED</bcp14>”, “<bcp14>NOT RECOMMENDED</bcp14>”,
“<bcp14>MAY</bcp14>”, and “<bcp14>OPTIONAL</bcp14>” in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<section anchor="terminology">
        <name>Terminology</name>
        <t>This document uses the following terminology:</t>
        <dl>
          <dt>DNS Stamp</dt>
          <dd>
            <t>A URI-formatted string that encodes all parameters needed to connect to a DNS resolver.</t>
          </dd>
          <dt>Protocol Identifier</dt>
          <dd>
            <t>A single byte value that identifies the DNS protocol type encoded in the stamp.</t>
          </dd>
          <dt>Properties</dt>
          <dd>
            <t>A 64-bit little-endian integer encoding informal properties about the DNS resolver.</t>
          </dd>
        </dl>
      </section>
      <section anchor="encoding-primitives">
        <name>Encoding Primitives</name>
        <t>The following encoding primitives are used throughout this specification:</t>
        <dl>
          <dt><tt>‖</tt></dt>
          <dd>
            <t>Denotes concatenation of byte sequences.</t>
          </dd>
          <dt><tt>|</tt></dt>
          <dd>
            <t>Denotes the bitwise OR operation.</t>
          </dd>
          <dt><tt>len(x)</tt></dt>
          <dd>
            <t>A single byte (unsigned 8-bit integer) representing the length of <tt>x</tt> in bytes, where <tt>x</tt> is a byte sequence of maximum length 255.</t>
          </dd>
          <dt><tt>vlen(x)</tt></dt>
          <dd>
            <t>Variable length encoding. Equal to <tt>len(x)</tt> if <tt>x</tt> is the last element of a set. Otherwise equal to <tt>(0x80 | len(x))</tt>, indicating more elements follow.</t>
          </dd>
          <dt><tt>LP(x)</tt></dt>
          <dd>
            <t>Length-prefixed encoding, defined as <tt>len(x) ‖ x</tt>.</t>
          </dd>
          <dt><tt>VLP(x1, x2, ...xn)</tt></dt>
          <dd>
            <t>Variable-length-prefixed set encoding, defined as <tt>vlen(x1) ‖ x1 ‖ vlen(x2) ‖ x2 ... ‖ vlen(xn) ‖ xn</tt>. For a single-element set, <tt>VLP(x) == LP(x)</tt>.</t>
          </dd>
          <dt><tt>[x]</tt></dt>
          <dd>
            <t>Denotes that <tt>x</tt> is optional and may be omitted.</t>
          </dd>
          <dt><tt>base64url(x)</tt></dt>
          <dd>
            <t>The URL-safe base64 encoding of <tt>x</tt> as specified in Section 5 of <xref target="RFC4648"/>, without padding characters.</t>
          </dd>
        </dl>
      </section>
    </section>
    <section anchor="dns-stamps-format-overview">
      <name>DNS Stamps Format Overview</name>
      <t>This section provides a high-level overview of the DNS Stamps format before detailing specific protocol encodings.</t>
      <section anchor="uri-structure">
        <name>URI Structure</name>
        <t>A DNS Stamp is a URI <xref target="RFC3986"/> with the following format:</t>
        <artwork><![CDATA[
sdns://base64url(payload)
]]></artwork>
        <t>The stamp begins with the scheme <tt>sdns://</tt> followed by a base64url-encoded payload. The payload is a byte sequence that encodes all parameters needed to connect to the DNS resolver.</t>
      </section>
      <section anchor="payload-structure">
        <name>Payload Structure</name>
        <t>The general structure of the payload is:</t>
        <artwork><![CDATA[
protocol_identifier ‖ protocol_specific_data
]]></artwork>
        <t>The payload always begins with a single-byte protocol identifier that determines how to interpret the remaining bytes. The base64url encoding is applied to the entire payload as a single operation after concatenating all components.</t>
      </section>
      <section anchor="protocol-identifiers">
        <name>Protocol Identifiers</name>
        <t>The following protocol identifiers are defined:</t>
        <table>
          <thead>
            <tr>
              <th align="left">Value</th>
              <th align="left">Protocol</th>
              <th align="left">Description</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0x00</td>
              <td align="left">Plain DNS</td>
              <td align="left">Traditional unencrypted DNS</td>
            </tr>
            <tr>
              <td align="left">0x01</td>
              <td align="left">DNSCrypt</td>
              <td align="left">DNSCrypt protocol</td>
            </tr>
            <tr>
              <td align="left">0x02</td>
              <td align="left">DNS-over-HTTPS</td>
              <td align="left">DNS queries over HTTPS</td>
            </tr>
            <tr>
              <td align="left">0x03</td>
              <td align="left">DNS-over-TLS</td>
              <td align="left">DNS queries over TLS</td>
            </tr>
            <tr>
              <td align="left">0x04</td>
              <td align="left">DNS-over-QUIC</td>
              <td align="left">DNS queries over QUIC</td>
            </tr>
            <tr>
              <td align="left">0x05</td>
              <td align="left">Oblivious DoH Target</td>
              <td align="left">Target server for Oblivious DoH</td>
            </tr>
            <tr>
              <td align="left">0x81</td>
              <td align="left">Anonymized DNSCrypt Relay</td>
              <td align="left">Relay for DNSCrypt anonymization</td>
            </tr>
            <tr>
              <td align="left">0x85</td>
              <td align="left">Oblivious DoH Relay</td>
              <td align="left">Relay for Oblivious DoH</td>
            </tr>
          </tbody>
        </table>
        <t>Protocol identifiers in the range 0x80-0xFF are reserved for relay/proxy protocols that forward queries to other servers.</t>
      </section>
      <section anchor="properties-field">
        <name>Properties Field</name>
        <t>Several stamp types include a properties field, which is a 64-bit little-endian integer. Each bit in this field represents a property of the resolver:</t>
        <table>
          <thead>
            <tr>
              <th align="left">Bit</th>
              <th align="left">Property</th>
              <th align="left">Description</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0</td>
              <td align="left">DNSSEC</td>
              <td align="left">The server validates DNSSEC signatures</td>
            </tr>
            <tr>
              <td align="left">1</td>
              <td align="left">No Logs</td>
              <td align="left">The server does not keep query logs</td>
            </tr>
            <tr>
              <td align="left">2</td>
              <td align="left">No Filter</td>
              <td align="left">The server does not filter or block domains</td>
            </tr>
            <tr>
              <td align="left">3-63</td>
              <td align="left">Reserved</td>
              <td align="left">Must be set to zero</td>
            </tr>
          </tbody>
        </table>
        <t>When encoding, undefined property bits <bcp14>MUST</bcp14> be set to zero. When decoding, undefined property bits <bcp14>MUST</bcp14> be ignored to allow future extensions.</t>
      </section>
    </section>
    <section anchor="protocol-specific-stamp-formats">
      <name>Protocol-Specific Stamp Formats</name>
      <t>This section specifies the exact format for each supported protocol type. Each format is presented with its structure, field descriptions, and encoding requirements.</t>
      <section anchor="plain-dns-stamps">
        <name>Plain DNS Stamps</name>
        <t>Plain DNS stamps encode parameters for traditional unencrypted DNS resolvers.</t>
        <section anchor="format">
          <name>Format</name>
          <artwork><![CDATA[
payload = 0x00 ‖ props ‖ LP(addr)
]]></artwork>
        </section>
        <section anchor="fields">
          <name>Fields</name>
          <dl>
            <dt><tt>0x00</tt></dt>
            <dd>
              <t>Protocol identifier for plain DNS.</t>
            </dd>
            <dt><tt>props</tt></dt>
            <dd>
              <t>Properties field (8 bytes, little-endian).</t>
            </dd>
            <dt><tt>addr</tt></dt>
            <dd>
              <t>IP address and optional port as a string. IPv6 addresses <bcp14>MUST</bcp14> be enclosed in square brackets. Default port is <tt>53</tt>.</t>
            </dd>
          </dl>
        </section>
        <section anchor="address-format">
          <name>Address Format</name>
          <ul spacing="normal">
            <li>
              <t>IPv4: <tt>192.0.2.1</tt> or <tt>192.0.2.1:5353</tt></t>
            </li>
            <li>
              <t>IPv6: <tt>[2001:db8::1]</tt> or <tt>[2001:db8::1]:5353</tt></t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="dnscrypt-stamps">
        <name>DNSCrypt Stamps</name>
        <t>DNSCrypt stamps encode parameters for DNSCrypt servers.</t>
        <section anchor="format-1">
          <name>Format</name>
          <artwork><![CDATA[
payload = 0x01 ‖ props ‖ LP(addr) ‖ LP(pk) ‖ LP(provider_name)
]]></artwork>
        </section>
        <section anchor="fields-1">
          <name>Fields</name>
          <dl>
            <dt><tt>0x01</tt></dt>
            <dd>
              <t>Protocol identifier for DNSCrypt.</t>
            </dd>
            <dt><tt>props</tt></dt>
            <dd>
              <t>Properties field (8 bytes, little-endian).</t>
            </dd>
            <dt><tt>addr</tt></dt>
            <dd>
              <t>IP address and optional port. IPv6 addresses <bcp14>MUST</bcp14> be enclosed in square brackets. Default port is <tt>443</tt>.</t>
            </dd>
            <dt><tt>pk</tt></dt>
            <dd>
              <t>Provider’s Ed25519 public key (exactly 32 bytes, raw binary format).</t>
            </dd>
            <dt><tt>provider_name</tt></dt>
            <dd>
              <t>DNSCrypt provider name (e.g., <tt>2.dnscrypt-cert.example.com</tt>).</t>
            </dd>
          </dl>
        </section>
        <section anchor="requirements">
          <name>Requirements</name>
          <ul spacing="normal">
            <li>
              <t>The public key <bcp14>MUST</bcp14> be exactly 32 bytes.</t>
            </li>
            <li>
              <t>The provider name <bcp14>MUST</bcp14> be a valid DNS name.</t>
            </li>
            <li>
              <t>The provider name <bcp14>MUST NOT</bcp14> include a terminating period.</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="dns-over-https-stamps">
        <name>DNS-over-HTTPS Stamps</name>
        <t>DoH stamps encode parameters for DNS-over-HTTPS servers.</t>
        <section anchor="format-2">
          <name>Format</name>
          <artwork><![CDATA[
payload = 0x02 ‖ props ‖ LP(addr) ‖ VLP(hash1, ..., hashn) ‖
          LP(hostname) ‖ LP(path) [ ‖ VLP(bootstrap1, ..., bootstrapn) ]
]]></artwork>
        </section>
        <section anchor="fields-2">
          <name>Fields</name>
          <dl>
            <dt><tt>0x02</tt></dt>
            <dd>
              <t>Protocol identifier for DNS-over-HTTPS.</t>
            </dd>
            <dt><tt>props</tt></dt>
            <dd>
              <t>Properties field (8 bytes, little-endian).</t>
            </dd>
            <dt><tt>addr</tt></dt>
            <dd>
              <t>IP address of the server. May be empty string if hostname resolution is required.</t>
            </dd>
            <dt><tt>hash1, ..., hashn</tt></dt>
            <dd>
              <t>SHA256 digests of certificates in the validation chain (each exactly 32 bytes).</t>
            </dd>
            <dt><tt>hostname</tt></dt>
            <dd>
              <t>Server hostname with optional port. Default port is <tt>443</tt>.</t>
            </dd>
            <dt><tt>path</tt></dt>
            <dd>
              <t>Absolute URI path (e.g., <tt>/dns-query</tt>).</t>
            </dd>
            <dt><tt>bootstrap1, ..., bootstrapn</tt></dt>
            <dd>
              <t>Optional IP addresses for resolving hostname.</t>
            </dd>
          </dl>
        </section>
        <section anchor="requirements-1">
          <name>Requirements</name>
          <ul spacing="normal">
            <li>
              <t>Certificate hashes <bcp14>MUST</bcp14> be exactly 32 bytes each.</t>
            </li>
            <li>
              <t>The hostname <bcp14>MUST NOT</bcp14> be percent-encoded or punycode-encoded.</t>
            </li>
            <li>
              <t>The path <bcp14>MUST</bcp14> start with “/”.</t>
            </li>
            <li>
              <t>Bootstrap addresses follow the same format as <tt>addr</tt>.</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="dns-over-tls-stamps">
        <name>DNS-over-TLS Stamps</name>
        <t>DoT stamps encode parameters for DNS-over-TLS servers.</t>
        <section anchor="format-3">
          <name>Format</name>
          <artwork><![CDATA[
payload = 0x03 ‖ props ‖ LP(addr) ‖ VLP(hash1, ..., hashn) ‖
          LP(hostname) [ ‖ VLP(bootstrap1, ..., bootstrapn) ]
]]></artwork>
        </section>
        <section anchor="fields-3">
          <name>Fields</name>
          <dl>
            <dt><tt>0x03</tt></dt>
            <dd>
              <t>Protocol identifier for DNS-over-TLS.</t>
            </dd>
          </dl>
          <t>Other fields have the same meaning as DoH stamps, except:</t>
          <ul spacing="normal">
            <li>
              <t>Default port is <tt>853</tt>.</t>
            </li>
            <li>
              <t>No path field is included.</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="dns-over-quic-stamps">
        <name>DNS-over-QUIC Stamps</name>
        <t>DoQ stamps encode parameters for DNS-over-QUIC servers.</t>
        <section anchor="format-4">
          <name>Format</name>
          <artwork><![CDATA[
payload = 0x04 ‖ props ‖ LP(addr) ‖ VLP(hash1, ..., hashn) ‖
          LP(hostname) [ ‖ VLP(bootstrap1, ..., bootstrapn) ]
]]></artwork>
        </section>
        <section anchor="fields-4">
          <name>Fields</name>
          <dl>
            <dt><tt>0x04</tt></dt>
            <dd>
              <t>Protocol identifier for DNS-over-QUIC.</t>
            </dd>
          </dl>
          <t>Other fields have the same meaning as DoT stamps.</t>
        </section>
      </section>
      <section anchor="oblivious-doh-target-stamps">
        <name>Oblivious DoH Target Stamps</name>
        <t>ODoH target stamps encode parameters for Oblivious DoH target servers.</t>
        <section anchor="format-5">
          <name>Format</name>
          <artwork><![CDATA[
payload = 0x05 ‖ props ‖ LP(hostname) ‖ LP(path)
]]></artwork>
        </section>
        <section anchor="fields-5">
          <name>Fields</name>
          <dl>
            <dt><tt>0x05</tt></dt>
            <dd>
              <t>Protocol identifier for Oblivious DoH targets.</t>
            </dd>
            <dt><tt>props</tt></dt>
            <dd>
              <t>Properties field (8 bytes, little-endian).</t>
            </dd>
            <dt><tt>hostname</tt></dt>
            <dd>
              <t>Server hostname with optional port. Default port is <tt>443</tt>.</t>
            </dd>
            <dt><tt>path</tt></dt>
            <dd>
              <t>Absolute URI path.</t>
            </dd>
          </dl>
        </section>
      </section>
      <section anchor="anonymized-dnscrypt-relay-stamps">
        <name>Anonymized DNSCrypt Relay Stamps</name>
        <t>DNSCrypt relay stamps encode parameters for anonymization relays.</t>
        <section anchor="format-6">
          <name>Format</name>
          <artwork><![CDATA[
payload = 0x81 ‖ LP(addr)
]]></artwork>
        </section>
        <section anchor="fields-6">
          <name>Fields</name>
          <dl>
            <dt><tt>0x81</tt></dt>
            <dd>
              <t>Protocol identifier for DNSCrypt relays.</t>
            </dd>
            <dt><tt>addr</tt></dt>
            <dd>
              <t>IP address and port. Port specification is mandatory.</t>
            </dd>
          </dl>
        </section>
      </section>
      <section anchor="oblivious-doh-relay-stamps">
        <name>Oblivious DoH Relay Stamps</name>
        <t>ODoH relay stamps encode parameters for Oblivious DoH relays.</t>
        <section anchor="format-7">
          <name>Format</name>
          <artwork><![CDATA[
payload = 0x85 ‖ props ‖ LP(addr) ‖ VLP(hash1, ..., hashn) ‖
          LP(hostname) ‖ LP(path) [ ‖ VLP(bootstrap1, ..., bootstrapn) ]
]]></artwork>
        </section>
        <section anchor="fields-7">
          <name>Fields</name>
          <dl>
            <dt><tt>0x85</tt></dt>
            <dd>
              <t>Protocol identifier for ODoH relays.</t>
            </dd>
          </dl>
          <t>Other fields have the same meaning as DoH stamps.</t>
        </section>
      </section>
    </section>
    <section anchor="usage-and-operations">
      <name>Usage and Operations</name>
      <t>This section describes how to generate, parse, and validate DNS stamps in practice.</t>
      <section anchor="generating-dns-stamps">
        <name>Generating DNS Stamps</name>
        <t>To generate a DNS stamp:</t>
        <ol spacing="normal" type="1"><li>
            <t>Select the appropriate protocol identifier.</t>
          </li>
          <li>
            <t>Encode the properties field as 8 bytes in little-endian format.</t>
          </li>
          <li>
            <t>Encode each parameter using the specified length-prefixing.</t>
          </li>
          <li>
            <t>Concatenate all components in the specified order.</t>
          </li>
          <li>
            <t>Apply base64url encoding to the complete payload.</t>
          </li>
          <li>
            <t>Prepend <tt>"sdns://"</tt> to create the final stamp.</t>
          </li>
        </ol>
        <section anchor="implementation-requirements">
          <name>Implementation Requirements</name>
          <t>Implementations generating DNS stamps <bcp14>MUST</bcp14>:</t>
          <ul spacing="normal">
            <li>
              <t>Validate that all parameters meet format requirements.</t>
            </li>
            <li>
              <t>Ensure strings are valid UTF-8.</t>
            </li>
            <li>
              <t>Set undefined property bits to zero.</t>
            </li>
            <li>
              <t>Include all mandatory fields for the protocol type.</t>
            </li>
            <li>
              <t>Generate stamps that can be parsed by compliant implementations.</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="parsing-dns-stamps">
        <name>Parsing DNS Stamps</name>
        <t>To parse a DNS stamp:</t>
        <ol spacing="normal" type="1"><li>
            <t>Verify the stamp begins with <tt>"sdns://"</tt>.</t>
          </li>
          <li>
            <t>Extract and base64url-decode the payload.</t>
          </li>
          <li>
            <t>Read the first byte as the protocol identifier.</t>
          </li>
          <li>
            <t>Parse remaining fields according to the protocol format.</t>
          </li>
          <li>
            <t>Validate all fields meet requirements.</t>
          </li>
        </ol>
        <section anchor="error-handling">
          <name>Error Handling</name>
          <t>Implementations <bcp14>MUST</bcp14> detect and handle these error conditions:</t>
          <ul spacing="normal">
            <li>
              <t>Invalid base64url encoding</t>
            </li>
            <li>
              <t>Unknown protocol identifier</t>
            </li>
            <li>
              <t>Truncated payload</t>
            </li>
            <li>
              <t>Invalid length prefixes</t>
            </li>
            <li>
              <t>Malformed fields</t>
            </li>
          </ul>
          <t>Implementations <bcp14>SHOULD</bcp14> provide descriptive error messages indicating the specific validation failure.</t>
        </section>
      </section>
      <section anchor="validation-requirements">
        <name>Validation Requirements</name>
        <section anchor="length-validation">
          <name>Length Validation</name>
          <ul spacing="normal">
            <li>
              <t>Length prefixes <bcp14>MUST NOT</bcp14> exceed remaining payload size.</t>
            </li>
            <li>
              <t>Certificate hashes <bcp14>MUST</bcp14> be exactly 32 bytes.</t>
            </li>
            <li>
              <t>Ed25519 public keys <bcp14>MUST</bcp14> be exactly 32 bytes.</t>
            </li>
            <li>
              <t>Properties field <bcp14>MUST</bcp14> be exactly 8 bytes.</t>
            </li>
          </ul>
        </section>
        <section anchor="format-validation">
          <name>Format Validation</name>
          <ul spacing="normal">
            <li>
              <t>IP addresses <bcp14>MUST</bcp14> be valid IPv4 or IPv6 addresses.</t>
            </li>
            <li>
              <t>Hostnames <bcp14>MUST</bcp14> be valid DNS names.</t>
            </li>
            <li>
              <t>Ports <bcp14>MUST</bcp14> be in the range <tt>1-65535</tt>.</t>
            </li>
            <li>
              <t>Paths <bcp14>MUST</bcp14> begin with <tt>/</tt>.</t>
            </li>
          </ul>
        </section>
        <section anchor="semantic-validation">
          <name>Semantic Validation</name>
          <ul spacing="normal">
            <li>
              <t>Certificate hashes <bcp14>SHOULD</bcp14> be validated against actual certificates.</t>
            </li>
            <li>
              <t>Provider names <bcp14>SHOULD</bcp14> be verified to exist in DNS.</t>
            </li>
            <li>
              <t>Bootstrap resolvers <bcp14>SHOULD</bcp14> be reachable.</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="internationalization">
        <name>Internationalization</name>
        <t>Hostnames in DNS stamps <bcp14>MUST</bcp14> be represented in their Unicode form within the stamp payload. Implementations <bcp14>MUST NOT</bcp14> apply punycode encoding before storing hostnames in stamps. When using the hostname for actual DNS queries or TLS connections, implementations <bcp14>MUST</bcp14> apply the appropriate encoding for the protocol being used.</t>
        <t>This approach:</t>
        <ul spacing="normal">
          <li>
            <t>Preserves readability when stamps are decoded for display</t>
          </li>
          <li>
            <t>Avoids double-encoding issues</t>
          </li>
          <li>
            <t>Allows implementations to apply protocol-specific encoding rules</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <section anchor="stamp-integrity">
        <name>Stamp Integrity</name>
        <t>DNS stamps contain security-critical configuration including server addresses, cryptographic keys, and certificate hashes. The integrity of stamps is essential - a modified stamp could redirect users to malicious resolvers.</t>
        <section anchor="threats">
          <name>Threats</name>
          <ul spacing="normal">
            <li>
              <t>Substitution: Replacing legitimate stamps with malicious ones</t>
            </li>
            <li>
              <t>Modification: Altering addresses, keys, or certificate hashes</t>
            </li>
            <li>
              <t>Downgrade: Replacing secure protocol stamps with insecure ones</t>
            </li>
          </ul>
        </section>
        <section anchor="mitigations">
          <name>Mitigations</name>
          <t>Implementations <bcp14>SHOULD</bcp14>:</t>
          <ul spacing="normal">
            <li>
              <t>Obtain stamps over authenticated channels (HTTPS with certificate validation)</t>
            </li>
            <li>
              <t>Verify stamps against known-good values when available</t>
            </li>
            <li>
              <t>Warn users when importing stamps from untrusted sources</t>
            </li>
            <li>
              <t>Validate all cryptographic parameters before use</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="certificate-validation">
        <name>Certificate Validation</name>
        <t>For protocols using TLS (DoH, DoT, DoQ), stamps may include SHA256 hashes of certificates in the validation chain. These provide certificate pinning but require careful management.</t>
        <section anchor="security-requirements">
          <name>Security Requirements</name>
          <t>Implementations <bcp14>MUST</bcp14>:</t>
          <ul spacing="normal">
            <li>
              <t>Verify at least one certificate in the chain matches a provided hash</t>
            </li>
            <li>
              <t>Follow standard certificate validation per <xref target="RFC5280"/></t>
            </li>
            <li>
              <t>Check certificate validity periods and signatures</t>
            </li>
            <li>
              <t>Verify the certificate matches the specified hostname</t>
            </li>
          </ul>
        </section>
        <section anchor="operational-considerations">
          <name>Operational Considerations</name>
          <t>Implementations <bcp14>SHOULD</bcp14>:</t>
          <ul spacing="normal">
            <li>
              <t>Support multiple certificate hashes to enable rotation</t>
            </li>
            <li>
              <t>Provide clear errors for validation failures</t>
            </li>
            <li>
              <t>Allow optional fallback to standard WebPKI validation</t>
            </li>
            <li>
              <t>Cache certificate validation results appropriately</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="privacy-considerations">
        <name>Privacy Considerations</name>
        <t>DNS stamps may reveal information about resolver configuration:</t>
        <ul spacing="normal">
          <li>
            <t>Server Locations: IP addresses indicate geographic regions</t>
          </li>
          <li>
            <t>Logging Policies: Properties flags indicate data retention</t>
          </li>
          <li>
            <t>Query Privacy: Bootstrap resolvers may see some queries</t>
          </li>
        </ul>
        <t>Users should understand the privacy implications of their chosen resolvers. Applications <bcp14>SHOULD</bcp14> display relevant properties clearly.</t>
      </section>
      <section anchor="implementation-security">
        <name>Implementation Security</name>
        <section anchor="parsing-safety">
          <name>Parsing Safety</name>
          <t>Malformed stamps could trigger implementation vulnerabilities:</t>
          <ul spacing="normal">
            <li>
              <t>Buffer Overflows: Validate all lengths before allocation</t>
            </li>
            <li>
              <t>Integer Overflows: Check length calculations</t>
            </li>
            <li>
              <t>Resource Exhaustion: Limit maximum stamp size</t>
            </li>
          </ul>
        </section>
        <section anchor="cryptographic-safety">
          <name>Cryptographic Safety</name>
          <ul spacing="normal">
            <li>
              <t>Validate Ed25519 public keys are valid points</t>
            </li>
            <li>
              <t>Ensure certificate hashes are compared in constant time</t>
            </li>
            <li>
              <t>Use cryptographically secure random numbers where needed</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="downgrade-prevention">
        <name>Downgrade Prevention</name>
        <t>Applications supporting multiple protocols <bcp14>MUST NOT</bcp14> automatically downgrade from secure to less secure protocols. For example:</t>
        <ul spacing="normal">
          <li>
            <t>Never downgrade from DoH to plain DNS</t>
          </li>
          <li>
            <t>Never ignore certificate validation failures</t>
          </li>
          <li>
            <t>Never bypass authentication requirements</t>
          </li>
        </ul>
        <t>If a secure connection fails, the implementation <bcp14>SHOULD</bcp14> report the error rather than attempting insecure alternatives.</t>
      </section>
    </section>
    <section anchor="implementation-considerations">
      <name>Implementation Considerations</name>
      <section anchor="platform-integration">
        <name>Platform Integration</name>
        <t>DNS stamp support can be integrated at various levels:</t>
        <section anchor="operating-system-level">
          <name>Operating System Level</name>
          <ul spacing="normal">
            <li>
              <t>System resolver configuration</t>
            </li>
            <li>
              <t>Network configuration tools</t>
            </li>
            <li>
              <t>VPN client integration</t>
            </li>
          </ul>
        </section>
        <section anchor="application-level">
          <name>Application Level</name>
          <ul spacing="normal">
            <li>
              <t>Web browsers</t>
            </li>
            <li>
              <t>DNS proxy software</t>
            </li>
            <li>
              <t>Network diagnostic tools</t>
            </li>
          </ul>
        </section>
        <section anchor="library-level">
          <name>Library Level</name>
          <ul spacing="normal">
            <li>
              <t>DNS client libraries</t>
            </li>
            <li>
              <t>HTTP client libraries</t>
            </li>
            <li>
              <t>Security frameworks</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="performance-optimization">
        <name>Performance Optimization</name>
        <section anchor="caching">
          <name>Caching</name>
          <t>Implementations <bcp14>SHOULD</bcp14> cache:</t>
          <ul spacing="normal">
            <li>
              <t>Decoded stamp data structures</t>
            </li>
            <li>
              <t>Certificate validation results</t>
            </li>
            <li>
              <t>Bootstrap resolver results</t>
            </li>
            <li>
              <t>Connection state for persistent protocols</t>
            </li>
          </ul>
        </section>
        <section anchor="connection-management">
          <name>Connection Management</name>
          <ul spacing="normal">
            <li>
              <t>Reuse connections for multiple queries</t>
            </li>
            <li>
              <t>Implement appropriate timeout strategies</t>
            </li>
            <li>
              <t>Handle connection failures gracefully</t>
            </li>
            <li>
              <t>Support connection pooling for concurrent queries</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="user-interface-considerations">
        <name>User Interface Considerations</name>
        <t>Applications <bcp14>SHOULD</bcp14>:</t>
        <ul spacing="normal">
          <li>
            <t>Display decoded stamp contents clearly</t>
          </li>
          <li>
            <t>Allow copying stamps to clipboard</t>
          </li>
          <li>
            <t>Support QR code generation/scanning</t>
          </li>
          <li>
            <t>Provide stamp validation feedback</t>
          </li>
          <li>
            <t>Show security properties prominently</t>
          </li>
        </ul>
      </section>
      <section anchor="debugging-support">
        <name>Debugging Support</name>
        <t>Implementations <bcp14>SHOULD</bcp14> provide:</t>
        <ul spacing="normal">
          <li>
            <t>Detailed logging of stamp parsing</t>
          </li>
          <li>
            <t>Connection attempt diagnostics</t>
          </li>
          <li>
            <t>Certificate validation details</t>
          </li>
          <li>
            <t>Performance metrics</t>
          </li>
          <li>
            <t>Error context for troubleshooting</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="dns-stamps-uri-scheme-registration">
        <name>DNS Stamps URI Scheme Registration</name>
        <t>IANA is requested to register the “sdns” URI scheme in the “Uniform Resource Identifier (URI) Schemes” registry:</t>
        <ul spacing="normal">
          <li>
            <t>Scheme name: sdns</t>
          </li>
          <li>
            <t>Status: Permanent</t>
          </li>
          <li>
            <t>Applications/protocols: DNS client applications using DNS Stamps</t>
          </li>
          <li>
            <t>Reference: This document</t>
          </li>
        </ul>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC1035">
          <front>
            <title>Domain names - implementation and specification</title>
            <author fullname="P. Mockapetris" initials="P." surname="Mockapetris"/>
            <date month="November" year="1987"/>
            <abstract>
              <t>This RFC is the revised specification of the protocol and format used in the implementation of the Domain Name System. It obsoletes RFC-883. This memo documents the details of the domain name client - server communication.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="13"/>
          <seriesInfo name="RFC" value="1035"/>
          <seriesInfo name="DOI" value="10.17487/RFC1035"/>
        </reference>
        <reference anchor="RFC3986">
          <front>
            <title>Uniform Resource Identifier (URI): Generic Syntax</title>
            <author fullname="T. Berners-Lee" initials="T." surname="Berners-Lee"/>
            <author fullname="R. Fielding" initials="R." surname="Fielding"/>
            <author fullname="L. Masinter" initials="L." surname="Masinter"/>
            <date month="January" year="2005"/>
            <abstract>
              <t>A Uniform Resource Identifier (URI) is a compact sequence of characters that identifies an abstract or physical resource. This specification defines the generic URI syntax and a process for resolving URI references that might be in relative form, along with guidelines and security considerations for the use of URIs on the Internet. The URI syntax defines a grammar that is a superset of all valid URIs, allowing an implementation to parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier. This specification does not define a generative grammar for URIs; that task is performed by the individual specifications of each URI scheme. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="66"/>
          <seriesInfo name="RFC" value="3986"/>
          <seriesInfo name="DOI" value="10.17487/RFC3986"/>
        </reference>
        <reference anchor="RFC4648">
          <front>
            <title>The Base16, Base32, and Base64 Data Encodings</title>
            <author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
            <date month="October" year="2006"/>
            <abstract>
              <t>This document describes the commonly used base 64, base 32, and base 16 encoding schemes. It also discusses the use of line-feeds in encoded data, use of padding in encoded data, use of non-alphabet characters in encoded data, use of different encoding alphabets, and canonical encodings. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4648"/>
          <seriesInfo name="DOI" value="10.17487/RFC4648"/>
        </reference>
        <reference anchor="RFC5280">
          <front>
            <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
            <author fullname="D. Cooper" initials="D." surname="Cooper"/>
            <author fullname="S. Santesson" initials="S." surname="Santesson"/>
            <author fullname="S. Farrell" initials="S." surname="Farrell"/>
            <author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <author fullname="W. Polk" initials="W." surname="Polk"/>
            <date month="May" year="2008"/>
            <abstract>
              <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5280"/>
          <seriesInfo name="DOI" value="10.17487/RFC5280"/>
        </reference>
        <reference anchor="RFC6125">
          <front>
            <title>Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)</title>
            <author fullname="P. Saint-Andre" initials="P." surname="Saint-Andre"/>
            <author fullname="J. Hodges" initials="J." surname="Hodges"/>
            <date month="March" year="2011"/>
            <abstract>
              <t>Many application technologies enable secure communication between two entities by means of Internet Public Key Infrastructure Using X.509 (PKIX) certificates in the context of Transport Layer Security (TLS). This document specifies procedures for representing and verifying the identity of application services in such interactions. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6125"/>
          <seriesInfo name="DOI" value="10.17487/RFC6125"/>
        </reference>
        <reference anchor="RFC7858">
          <front>
            <title>Specification for DNS over Transport Layer Security (TLS)</title>
            <author fullname="Z. Hu" initials="Z." surname="Hu"/>
            <author fullname="L. Zhu" initials="L." surname="Zhu"/>
            <author fullname="J. Heidemann" initials="J." surname="Heidemann"/>
            <author fullname="A. Mankin" initials="A." surname="Mankin"/>
            <author fullname="D. Wessels" initials="D." surname="Wessels"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="May" year="2016"/>
            <abstract>
              <t>This document describes the use of Transport Layer Security (TLS) to provide privacy for DNS. Encryption provided by TLS eliminates opportunities for eavesdropping and on-path tampering with DNS queries in the network, such as discussed in RFC 7626. In addition, this document specifies two usage profiles for DNS over TLS and provides advice on performance considerations to minimize overhead from using TCP and TLS with DNS.</t>
              <t>This document focuses on securing stub-to-recursive traffic, as per the charter of the DPRIVE Working Group. It does not prevent future applications of the protocol to recursive-to-authoritative traffic.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7858"/>
          <seriesInfo name="DOI" value="10.17487/RFC7858"/>
        </reference>
        <reference anchor="RFC8484">
          <front>
            <title>DNS Queries over HTTPS (DoH)</title>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <author fullname="P. McManus" initials="P." surname="McManus"/>
            <date month="October" year="2018"/>
            <abstract>
              <t>This document defines a protocol for sending DNS queries and getting DNS responses over HTTPS. Each DNS query-response pair is mapped into an HTTP exchange.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8484"/>
          <seriesInfo name="DOI" value="10.17487/RFC8484"/>
        </reference>
        <reference anchor="RFC9250">
          <front>
            <title>DNS over Dedicated QUIC Connections</title>
            <author fullname="C. Huitema" initials="C." surname="Huitema"/>
            <author fullname="S. Dickinson" initials="S." surname="Dickinson"/>
            <author fullname="A. Mankin" initials="A." surname="Mankin"/>
            <date month="May" year="2022"/>
            <abstract>
              <t>This document describes the use of QUIC to provide transport confidentiality for DNS. The encryption provided by QUIC has similar properties to those provided by TLS, while QUIC transport eliminates the head-of-line blocking issues inherent with TCP and provides more efficient packet-loss recovery than UDP. DNS over QUIC (DoQ) has privacy properties similar to DNS over TLS (DoT) specified in RFC 7858, and latency characteristics similar to classic DNS over UDP. This specification describes the use of DoQ as a general-purpose transport for DNS and includes the use of DoQ for stub to recursive, recursive to authoritative, and zone transfer scenarios.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9250"/>
          <seriesInfo name="DOI" value="10.17487/RFC9250"/>
        </reference>
        <reference anchor="I-D.denis-dprive-dnscrypt">
          <front>
            <title>The DNSCrypt Protocol</title>
            <author fullname="Frank Denis" initials="F." surname="Denis">
              <organization>Individual Contributor</organization>
            </author>
            <date day="20" month="June" year="2026"/>
            <abstract>
              <t>   The DNSCrypt protocol is designed to encrypt and authenticate DNS
   traffic between clients and resolvers.  This document specifies the
   protocol and its implementation, providing a standardized approach to
   securing DNS communications.  DNSCrypt improves confidentiality,
   integrity, and resistance to attacks affecting the original DNS
   protocol while maintaining compatibility with existing DNS
   infrastructure.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-denis-dprive-dnscrypt-10"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC3552">
          <front>
            <title>Guidelines for Writing RFC Text on Security Considerations</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="B. Korver" initials="B." surname="Korver"/>
            <date month="July" year="2003"/>
            <abstract>
              <t>All RFCs are required to have a Security Considerations section. Historically, such sections have been relatively weak. This document provides guidelines to RFC authors on how to write a good Security Considerations section. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="72"/>
          <seriesInfo name="RFC" value="3552"/>
          <seriesInfo name="DOI" value="10.17487/RFC3552"/>
        </reference>
        <reference anchor="RFC5116">
          <front>
            <title>An Interface and Algorithms for Authenticated Encryption</title>
            <author fullname="D. McGrew" initials="D." surname="McGrew"/>
            <date month="January" year="2008"/>
            <abstract>
              <t>This document defines algorithms for Authenticated Encryption with Associated Data (AEAD), and defines a uniform interface and a registry for such algorithms. The interface and registry can be used as an application-independent set of cryptoalgorithm suites. This approach provides advantages in efficiency and security, and promotes the reuse of crypto implementations. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5116"/>
          <seriesInfo name="DOI" value="10.17487/RFC5116"/>
        </reference>
        <reference anchor="RFC8310">
          <front>
            <title>Usage Profiles for DNS over TLS and DNS over DTLS</title>
            <author fullname="S. Dickinson" initials="S." surname="Dickinson"/>
            <author fullname="D. Gillmor" initials="D." surname="Gillmor"/>
            <author fullname="T. Reddy" initials="T." surname="Reddy"/>
            <date month="March" year="2018"/>
            <abstract>
              <t>This document discusses usage profiles, based on one or more authentication mechanisms, which can be used for DNS over Transport Layer Security (TLS) or Datagram TLS (DTLS). These profiles can increase the privacy of DNS transactions compared to using only cleartext DNS. This document also specifies new authentication mechanisms -- it describes several ways that a DNS client can use an authentication domain name to authenticate a (D)TLS connection to a DNS server. Additionally, it defines (D)TLS protocol profiles for DNS clients and servers implementing DNS over (D)TLS. This document updates RFC 7858.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8310"/>
          <seriesInfo name="DOI" value="10.17487/RFC8310"/>
        </reference>
        <reference anchor="RFC9230">
          <front>
            <title>Oblivious DNS over HTTPS</title>
            <author fullname="E. Kinnear" initials="E." surname="Kinnear"/>
            <author fullname="P. McManus" initials="P." surname="McManus"/>
            <author fullname="T. Pauly" initials="T." surname="Pauly"/>
            <author fullname="T. Verma" initials="T." surname="Verma"/>
            <author fullname="C.A. Wood" initials="C.A." surname="Wood"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>This document describes a protocol that allows clients to hide their IP addresses from DNS resolvers via proxying encrypted DNS over HTTPS (DoH) messages. This improves privacy of DNS operations by not allowing any one server entity to be aware of both the client IP address and the content of DNS queries and answers.</t>
              <t>This experimental protocol has been developed outside the IETF and is published here to guide implementation, ensure interoperability among implementations, and enable wide-scale experimentation.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9230"/>
          <seriesInfo name="DOI" value="10.17487/RFC9230"/>
        </reference>
      </references>
    </references>
    <?line 607?>

<section anchor="complete-examples">
      <name>Complete Examples</name>
      <t>This appendix provides complete examples of DNS stamp encoding with step-by-step explanations.</t>
      <section anchor="example-1-plain-dns">
        <name>Example 1: Plain DNS</name>
        <t>Configuration:</t>
        <ul spacing="normal">
          <li>
            <t>Server: <tt>192.0.2.53</tt></t>
          </li>
          <li>
            <t>Port: <tt>53</tt> (default)</t>
          </li>
          <li>
            <t>Properties: DNSSEC (bit 0 set)</t>
          </li>
        </ul>
        <t>Step-by-step encoding:</t>
        <ol spacing="normal" type="1"><li>
            <t>Protocol identifier: <tt>0x00</tt></t>
          </li>
          <li>
            <t>Properties: <tt>0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00</tt> (bit 0 set, little-endian)</t>
          </li>
          <li>
            <t>LP(“192.0.2.53”): 0x0A ‖ “192.0.2.53” = 0x0A 0x31 0x39 0x32 0x2E 0x30 0x2E 0x32 0x2E 0x35 0x33</t>
          </li>
          <li>
            <t>Concatenate: <tt>0x00 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x0A 0x31 0x39 0x32 0x2E 0x30 0x2E 0x32 0x2E 0x35 0x33</tt></t>
          </li>
          <li>
            <t>Base64url encode: <tt>AAEAAAAAAAAACjE5Mi4wLjIuNTM</tt></t>
          </li>
          <li>
            <t>Final stamp: <tt>sdns://AAEAAAAAAAAACjE5Mi4wLjIuNTM</tt></t>
          </li>
        </ol>
      </section>
      <section anchor="example-2-dnscrypt">
        <name>Example 2: DNSCrypt</name>
        <t>Configuration:</t>
        <ul spacing="normal">
          <li>
            <t>Server: <tt>198.51.100.1</tt></t>
          </li>
          <li>
            <t>Port: <tt>5553</tt></t>
          </li>
          <li>
            <t>Provider public key: <tt>e801...bf82</tt> (32 bytes)</t>
          </li>
          <li>
            <t>Provider name: <tt>2.dnscrypt-cert.example.com</tt></t>
          </li>
          <li>
            <t>Properties: DNSSEC, No logs, No filter (bits 0, 1, 2 set)</t>
          </li>
        </ul>
        <t>Step-by-step encoding:</t>
        <ol spacing="normal" type="1"><li>
            <t>Protocol identifier: <tt>0x01</tt></t>
          </li>
          <li>
            <t>Properties: <tt>0x07 0x00 0x00 0x00 0x00 0x00 0x00 0x00</tt></t>
          </li>
          <li>
            <t>LP(“198.51.100.1:5553”): 0x11 ‖ address</t>
          </li>
          <li>
            <t>LP(public key): 0x20 ‖ 32 bytes of key</t>
          </li>
          <li>
            <t>LP(“2.dnscrypt-cert.example.com”): 0x1B ‖ provider name</t>
          </li>
          <li>
            <t>Concatenate all components</t>
          </li>
          <li>
            <t>Base64url encode</t>
          </li>
          <li>
            <t>Final stamp: <tt>sdns://AQcAAAAAAAAAETE5OC41MS4xMDAuMTo1NTUzIOgBsd...</tt></t>
          </li>
        </ol>
      </section>
      <section anchor="example-3-dns-over-https">
        <name>Example 3: DNS-over-HTTPS</name>
        <t>Configuration:</t>
        <ul spacing="normal">
          <li>
            <t>Hostname: <tt>dns.example.com</tt></t>
          </li>
          <li>
            <t>Path: <tt>/dns-query</tt></t>
          </li>
          <li>
            <t>No specific IP address</t>
          </li>
          <li>
            <t>Certificate hash: <tt>3b7f...b663</tt> (32 bytes)</t>
          </li>
          <li>
            <t>Properties: No logs (bit 1 set)</t>
          </li>
        </ul>
        <t>Step-by-step encoding:</t>
        <ol spacing="normal" type="1"><li>
            <t>Protocol identifier: <tt>0x02</tt></t>
          </li>
          <li>
            <t>Properties: <tt>0x02 0x00 0x00 0x00 0x00 0x00 0x00 0x00</tt></t>
          </li>
          <li>
            <t>LP(“”): 0x00 (empty address)</t>
          </li>
          <li>
            <t>VLP(cert hash): Since it’s the only hash, same as LP: 0x20 ‖ 32 bytes</t>
          </li>
          <li>
            <t>LP(“dns.example.com”): 0x0F ‖ hostname</t>
          </li>
          <li>
            <t>LP(“/dns-query”): 0x0A ‖ path</t>
          </li>
          <li>
            <t>No bootstrap IPs</t>
          </li>
          <li>
            <t>Concatenate, base64url encode</t>
          </li>
          <li>
            <t>Final stamp: <tt>sdns://AgIAAAAAAAAAAAAAD2Rucy5leGFtcGxlLmNvbQovZG5zLXF1ZXJ5</tt></t>
          </li>
        </ol>
      </section>
    </section>
    <section anchor="test-vectors">
      <name>Test Vectors</name>
      <t>This appendix provides test vectors for validating DNS stamp implementations.</t>
      <section anchor="test-vector-1-plain-dns-with-ipv6">
        <name>Test Vector 1: Plain DNS with IPv6</name>
        <artwork><![CDATA[
Input:
  Protocol: Plain DNS
  Address: [2001:db8::1]:53
  Properties: DNSSEC

Encoded stamp:
  sdns://AAEAAAAAAAAADlsyMDAxOmRiODo6MV0

Decoded:
  Protocol ID: 0x00
  Properties: 0x0100000000000000
  Address: "[2001:db8::1]"
]]></artwork>
      </section>
      <section anchor="test-vector-2-doh-with-multiple-certificate-hashes">
        <name>Test Vector 2: DoH with Multiple Certificate Hashes</name>
        <artwork><![CDATA[
Input:
  Protocol: DNS-over-HTTPS
  Hostname: dns.example.com
  Path: /dns-query
  Cert Hash 1: 1111111111111111111111111111111111111111111111111111111111111111
  Cert Hash 2: 2222222222222222222222222222222222222222222222222222222222222222
  Properties: None

Encoded stamp:
  sdns://AgAAAAAAAAAAACCRERERERERERERERERERERERERERERERERERERERERESAiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiD2Rucy5leGFtcGxlLmNvbQovZG5zLXF1ZXJ5

Decoded:
  Protocol ID: 0x02
  Properties: 0x0000000000000000
  Address: ""
  Hash count: 2
  Hash 1: 1111111111111111111111111111111111111111111111111111111111111111
  Hash 2: 2222222222222222222222222222222222222222222222222222222222222222
  Hostname: "dns.example.com"
  Path: "/dns-query"
]]></artwork>
      </section>
      <section anchor="test-vector-3-dot-with-bootstrap">
        <name>Test Vector 3: DoT with Bootstrap</name>
        <artwork><![CDATA[
Input:
  Protocol: DNS-over-TLS
  Hostname: dot.example.com:853
  Address: 192.0.2.1
  Bootstrap: 198.51.100.1, 203.0.113.1
  Properties: No logs, No filter

Encoded stamp:
  sdns://AwYAAAAAAAAACTE5Mi4wLjIuMQAPZG90LmV4YW1wbGUuY29tCwwxOTguNTEuMTAwLjELMjAzLjAuMTEzLjE

Decoded:
  Protocol ID: 0x03
  Properties: 0x0600000000000000
  Address: "192.0.2.1"
  No certificate hashes
  Hostname: "dot.example.com:853"
  Bootstrap count: 2
  Bootstrap 1: "198.51.100.1"
  Bootstrap 2: "203.0.113.1"
]]></artwork>
      </section>
    </section>
    <section anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The author would like to thank the DNSCrypt community for their extensive feedback and implementation experience. Special recognition goes to the developers of the various DNS stamp implementations who helped refine the format through practical deployment.</t>
      <t>Thanks also to the teams behind secure DNS protocols: DNSCrypt, DoH, DoT, and DoQ whose work made DNS stamps both necessary and useful. Their efforts to improve DNS privacy and security provided the foundation for this specification.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA81c61IjR5b+r6fIxT8GNpBaEgjTirks5uJmFxoa6PZ4HA5T
UqWkcpeqNHUB5HFP7FPs732WfZR9kj3fOZlZWSWhxmNPxNIRtCjl5eS557lU
u91uFVER66HauptpdfL2Vt0WwXyRq9uFHkeTaBwUUZpstYLRKNMPNKwastUK
03ESzGlymAWToh3qJMrbYZK3cx7Q7vZbNF9P02w5VHkRtlrRIhuqIivzot/t
vqbvP+rlY5qFQ3WeFDpLdNE+wVqtvBzNozynve+WC9rh/PTurNWidZPwhyBO
E3q01HkrnwdZ8cNfy7TQuTxZREP1XZGOd1WeZkWmJzl9Ws7x4ftWKyiLWZoN
W6rdUvQTJTTrrKNOADk/kfOcZUHy0XuaZtMgiX5iXADUMHqIwjKI1XGaFFk0
Kos044F6HkTxUE1C/W/d7qRD52m1kjSb08wHTduqm7PjXndvYD7uvT48MB/3
D/YPzcdB/7BrPh70+nbsl4cDO+Bw/3DffHzdH9DYVpRMGrvsDQZ9u16vZ3c5
3Ot13cw9zGy32yoY5UUWjAnWu1mUKyJrOddJoXLhAZ17jLGrAjVO5wsarmRP
Vczol07GaUgjC2IjB02aqETrUIeqSGlWkmiaRR+xXKbzNH7QWd7x2U6WUUEc
08yxzvMgW6pFkBFZiD9yWnocl2GUTFUQhrRErgmiWZoXIBx9HGfLRZFOs2Ax
i8aKuAsAJ6FaZCkxRRq3zZnGAGcSTctMwIwSAitQOa0ca+LVDFuUOW+kmO2C
LFTvb87NoTsK8pL7QqLycrEgnsvVvIyLaIF19LjMRKwsAP4R6Pkx4N3Fp3ZK
yGi/ubu7vlXbJ+mbHe/p3QU/u/OfvXt/foyH73bkhFejmLgyLYlY6ZuOEHYe
hWGsW60vIF5ZGpZjAAoyE1Ap8Wqi3hLe1O0yL/ScVnt7u6NmAZHhAbQJCR/T
hA+YFPFSTbJ0riI6YJpF0ygh/ieK0whFMyyvhHQ+9be/GT7/9KmjvplFhApi
sDDC7jQL+EgXmlBPDIPDqDIhwgMVNP/9yTUf6O742vIMTaOBiQJ61f1g735X
zYlNsoSXCvUiTpfgWEZupgMm45Lop1W1LkGQ5EIgojXRg2RYCxuQ5iqiII6K
Je9MzKCnGf3FVM4dHZs01I6CdOJ/OW+fdIwKXGQkiNCEvPenT+tIKUiCVNe+
9xhARkDYayMqwssAqAAMaDBBfUEzco9GEm+cBuPZOuYkofxrGZFYqTCaTHQG
JVCXk0oUO9XhIeM5yYnBaaYWJcHB4meFT55DSMEfJLvMCyBErjNwgBPnDvi3
AkTA10m4SCMQmNcLihmPu+M/CRUMggJum2JtZW2ss0JEVasHInW4eh5RfhF0
EjiB4KwvZmASRgObgX09CVHjGektnUzpMWkJNUqLGXgwE6iDxSI2qoIeFCRw
iwKQiWrkfWoao1KQrdZxmTExaI0sJeLp3KrROoh5CbKJoOaaJpO0xdE8KmTb
jrpiscO2ucg8eD2bBGOsuFwQfDEJjtFkJHL0x/l1RRw+F7YVqpFyFdpiwSRV
c00oIAmYM2FZIyytBDK2nQDRMrDFkLvxKiWOKlQ9p7AnpFRyFQfjj049GwNN
uiH4CICigtk4GpM6ZoBmQabryxAhxlma+/zOSI0jfIzmpMRBbou9yyCB1W/w
GKnLLEuzNp0u0bs4SIE9g4yQ90hHJAVFDEcAPUbEEHUL5Zm2OPqoPclhHPlc
S3p5pplNCVDsSgh3lukxWOKIYZSLP6LZSMe0suOj5snZbD+mZRwSiYIR6Wjh
VVoGGhRsQACTohjp4lHjGA5HddXBsg0u9ey44Ri4A6Q/PcEYLcXGs2UlK+8h
wMhX01kIatJQt9S7zhdpmOy6pSZkWckxZ4XgztlEE1NgSjrZgKgsLadEuXSx
bC8CEptd9e5Gsb+zCyq9v7kgupwXFhk5+0hJTsQAtoybtMJp67lsl+AgQ02L
1NmMeawCxixaqTIxAKs+SCVzdmpA5lZMdc1/qflhs+BBE+GJ6g48Me0JuYaZ
MTD2BHXNBlWXMTOFoLZVQ4aza7QUJyAVpuMB+QwsE2XWLNRJ0RHXJYObncCg
ENWKmssa5dZZp90D6Ks4Th+JOrfiRqi+0iQ0vJOg+AE6yAIe6kmUGC/WsSlZ
c9KgZBdyOZTBY1oWPK6BRLvRns8Ns2g6a8eEiZj9nYdIPwrstTuXZVi7xD7B
U9CFIq/tY0kPVazZkAvNdeXlVksM6IhQ1AbV4n8FWKrwPdGpTszXrL8gRMJP
FX9Vax7QN0G8/AlCBEUAY8nsHmpLJzf2S6ikccm2o87oz0459O4d50dvj4jc
U6g1Ow4cQBxHLkEEKbGOHBljEgdaIzX2Vj8F2BBM8wUuajVCn4DQ7IPkwlPw
VXATzdXW5fvbu61d+V+9veLPN6fkdt2cnuDz7Zujiwv3oWVG3L65en9xUn2q
Zh5fXV6evj2RyfRU1R61ti6Pvt0SbG9dXd+dX709utiCqNU5GzJFUjLSYrIX
mS6YxVvEYWPS+SKeXx1f/89/9/bhj5LD1+/1Xn/6ZP447H1JjiRbJNmNrbv8
Sfy1bAGpQcb+GSnmcbAgtyHG/YnoPEsfEwXDQ9j81++Ame+H6vej8aK3/0fz
AAeuPbQ4qz1knK0+WZksSFzzaM02Dpu15w1M1+E9+rb2t8W79/D3fyKbrVW7
d/inP7aIhb5QdzqbR0kap9Nl86Zc5kZpiL5ht64aPfRMY2uojmCd2iLFoKEx
XbVrdMM0rr1F1w0jEebauvHnfKEhCcp4O3OrHS3F9y217BXZUblTRO4iQL6g
0YDCV6yAAL9ss4BfonNe/WC/PSJXi25PRazbEMsgkSsUKWinRE1MIMYWZrYK
RlaHNg5CyD61E6+d9hVBrTC8TkE7y1NT0lFe19JEkPv//c//uif4T3SC4BHw
Ci8rEd1EupmxlZNLQtuwErn/2R8PqOnYjxG5N1c3lXrFQHJ1tp927ldwv10m
uC4QdIeMMoOkHTo6iXMOajAfaAVniXxFAuP+6R74x3wSxUf2/fgZzEoNRoye
B0/RvJzb+f3BAPA8VAB9IG+HfT0zwuKwo07/CteW2MqCr6KJ3YlBIsdHaVHg
2IpcME226oq+yxgL2i2w3X067KqflSy0Q7f1CMpa7h3zlE5g1rH2GUBeXBsQ
Lxgy8qZJRT/p0IG4a6wz23UDpCIqqqd7zP+ABXq76qm/qzqdzlNSO287bqxK
wD+zsmCrZ9bu8X/yrG+e9bGB9zwxz5P7jjrDzcZQvW3RRZvtKoFwR/3hD0rO
Cqi/e/q+zlUklwbp6cKaa9LVc/LvSfWnxOekMjBzFOT6YL/MYoM2yAY5ou08
mBC78ZeVhBhGasZpKi+BBnCIAGFIBBNwVYHsLHBVx/WZ3GRys8XP/8J3Ws7E
G7kybo3RjLlZ+R/0geisE/CJ+D98XbXej1NR9nC5KAx4/LdFVo4Lupq0WkfV
oiIr+J6PiKAr7CAuY3WVLXuTcvj73//eysMkH756VaF5ESzjNAh3+FtWRawQ
CdRpRF6FWy+n6/mchNQscG82EG84UG7BtlWvZmHxbMwf6+T7FxuI9Zr12uzg
IQsbiwsYwxrJY0ucCiKDGUuBH5wByZj/3XNLqx/IcwwqdNmFgphuq3kNb05i
+MSOxN4GfPhQi1Wl85NDgiM6X4hBlYsBSMn6UjDqEO4Zo1zuLIIxcfaLKPNA
zKtgsFPtKpgUciWxlsLcYXEHpas/6TOD4VU7vGK81pxRrJdRRYTrn0l7wVj/
XC248vMzqQ64fxJfWfvzMy3Uxo8y/6/72fSdG0ILdZ+6Xex6HSN4DOZahejO
C/X6gV032izUY/BtEHHd0ex3i2fObxbqm8F+wLO5kCIhyiIbb26OMQvt1RZC
OHEVovpCzTFmof3aQhyx/cxCzTFmoQEG10L76i7IprpwyJa/zHUZd8L6aLPQ
ISP7KEmT5Zzvxg63Nzom2/Kz+d/E9+SrwAwX7jcLrYFIplqIqoUakFRHqzxV
n/uNm5kFyVRjp267+3R2xkIB7yhDQgLLZtjgFfHE07IW3ZA78SPCYRa1JN0p
HBQbr3TyaV3Qs0jHYat1a4IUotHh/FYx/sB3WScYDz8soos36+hN7i95Vbig
i68nfigvUDl8ebX80ipcq65ZBXxFc0UDyJiXSHyDjZry/QJZXxF7x7W3p8eG
8WDqhOtMkEDyhBgALzeADckrKHoy7W2qLtJp3lwiTDUCmgXdw/WCybdUsYyr
lui7Jc6iGKp4/RIT+RIR+Dgdf6QvYBVyXmKvfbDHPGr4iT5fljn8DfYIiV9+
0lm6AZ2tbxDRrTzHMrG+oyPjCCkyvhHXV0UqjKPBL51LWExNPDSA3VCTkg2z
fiLzk5uAWGVu2jZnb9we8czyhkdWBVfY7j15idwNESWWCcPOZnSE2AszMY1j
Kw7Ynfuwa1g9rLjV5GKdGfYTKkYynVkRd5A0hXuS1zLEnu8DsIsNNsdPpHxB
mwhejC9jDP4fxLIZN4a2wSdy0xHHNh4fT8WRCKp7jIbXvUaRMTwLCzZcdV7R
jK4pErV9aG92Nf2xg1nYGpOq/ItEbey1gDM04qhwAKFDIx8OvFyNZSPCRpzm
4vHndEkjDhqRM/9RF0ii6UmA/AivRiRFdtXg6cjsavHVxgb7Q3Xfe93vdDv9
Tu8eQlb9ORzs0WwZd0Djvut3u71hODocDnvfy9jaIzMehHc2x9LdPdhI9mqU
p983ULj3DIXtH4uP1UeT2PgBSctnWKC3iQUsbP9cDviNqL6/z2S/X3w0UPLZ
f5er07A/GPRe+yndbVYa8VLt9S3sWfBIqitBsYZohx1z6gqFfM31HDovI7yt
O9MOXZD7HZsybyPx1TER3A751/c7hrQ3ns4AS/LFooLNnb4BYscOrW1sRwdi
wlhb4IsNoxFVrDwDuY7ITYDoGqVhx7Kz74w6piY36HP87M97IVf3N3E1og5I
HfY4LLLLaUQJWLQqu4YxpoimEoCgmO2o79wiozQtEIZf2JXcA1ru+/UC0v+M
gHiH/U3FxHhSgj/kbTl6goz70oZbo4mrGxILUdpsrs1DYu0VzGGj2zdH/cGB
CqOpzgvezMvTOj/WqzIYz2ANttm2NjmTj2Ah4dXFnXHAsWltyPzz8ktE48Dj
iE+kOeyBh07IXqFAjx0slqn7DWTFQld245UyADGrQKUF9RkRPV5JYj8rpux+
WOlzGHCCRzOILca0sAuewNaWyRJ/2GdOenFsnksyR3hiRG692sL3X9lD1g7F
ThYzDra1eVtCL7NYQ7Rx9asE++6Fgo1ZLxTrvd9WrH+dJO+9SJLpdHQqjgmL
4JpMssPpXAccnwnkTpibmkL9NNYLRN7aq6x9yB5JG24/U1QUQuQuaE2Vyzfp
ijDvXkgYnvZCyuz/f6LM/osog+P9AtJYdhbcrg1AWBRf4VlhwhCbUF1fpfAD
F5/F+GAV4+sN1nocDTbhaB1c+T9ujv75ulyI8nwwZ8WH5ojJZuLUYz084XNE
Oex9/pZ0+CIXudrvOZ9XUHUNFNWLbglhc9RAFWm2XMesdYxcSW3hZ7FRX+Nl
2FjDov8/vLDDzdxfO+EvVd0cgHifB1Mt9ac2Vt6MOtgiBRe4NxUnUi+X61q1
ifbv+xGSSOQlRGPxL9TXplZFCqgdae+qNU1mnBcgm9JDbUnMOREpHSESZVGw
PtHQafU7knyWozdjfzi+EX6AVg/7mQKe1p5bgl0+x1ymPM2r5iHhrWUmcY9v
7XdQr2KSDLqRYnDZeLdAmoWAeyB1k8t1CQ+T5XA1gTbl1Dogoco0imnU/ZbJ
WG3dcx6JC1wlQ8a13jb9D+46r5fy1D2++pe5Ky4yBDN0hWPGBv+DJTpHcBt5
rbnWLjxVDxe1CcU5l8yyPy/JE7nGvb87ax9ixC1Nfi7IZoNyCFfY+xzt7ZSJ
FQKOLs10IxJGs7623GYOxOCPiQtGWniaE36M8ihYU01qknFcbNXkZJ6/ysYf
6Io5WVbFGLUcmkc/YeInbupgwaqSjhx91H5ij9n1RgehoXWGcCjScEFeP7gv
JMSi1wxjlXIz+ArGY2JIj+ncfCsdxKiO5kC5mcikXgkJfqFOUfio3tAxkAhe
ZS/28JEZNGedYaQ2ladcNYmUnUQHc+a480T4ZFVQ6Mv3yccExU5rjo17RVay
YLqsrbecKakwJQY5fXMZxDg08hZGHTeBNzVNtojNBUsfLOhz9MBMWdm4Eopa
NaB3zZwEUVxmRk1+qJ7XxRM4lRoLbwzQclGHv7p2wTvXoUdqa/dy8j46v+yG
x4K7ElPaPH7F/WoOPrRjPQvdOFzt+mrnC90Q1cQ9sh5Iw8ZvbGNRY4aNEwl0
XG/rYvZ+Euu+1z4YDPYGfH+5RteCHUdia6T2lQ233hJ6UQ7fAHwNbg3TjFyM
AZUrU+Q4UGVccIm6F5AwKKwiWbUVoFJMIlw/RTlnqjhu7V+SXQjdm5nBtqG2
RvhNGvhMianxI1utCoP1KL5Fl0uEuTKzKCMRjFhJQXYYS34BWlUusVYRgF8D
NoM2LFBZQVNUkpN698MWDJtxZyRFU5lp57mzjyy4reVuM9t1YvuUdpuKXuAS
mJoOiANtxcqMtJSz8/W2VsHOKuzaZEQRrQrCYBRx8xJ3GxgMSy2BBEmwehjl
C3LyaO7RQxqFKF4sR7EJmkhRRF6y1jrikumVYyALJYhd6aWrMjpljDo9MLMp
DD6uVfkyp0h26tw2WUlxpIGaEFkgVmYLi9ukDtEistJ04UqXm/1Dz/cAPtNM
UbV7IZJnvU66GeS5tIWpNlniOR1QauYZ+jH3TWQ6JL06LqrOiTnx/pgvDs2s
090MDhUHxG7LUV5ERSntpDea6DLGUWJSC0U093wKVhHVmuQBsllhWEwpI5GL
BK/RESmHXttAghAL2TdCT6j9zRs9bjUISLPItwwAH+eSIJ1aoq63asyoVyOh
p6zGpQ5e4w/hEx1DiY5ztS0xb2mSWduttQNvUVwgy+RG67HJbk/TNJQC11xE
IXggiwgVRRO/CbLE0Im/I/Ymxc0nN5VnaJoqE+5OBp3TMhszumrOyrPtO0a5
0A7M5L7a9hU66gOrogVRNKYn8M0uAi/4hZ5OAxUK/2y+wcSdjRV4YdjZ9jC6
hkcPsEWUSLVU6Twv8mDJ/pfsCJPfAaI6+2REerO3X/n1QimyxLFG7SjxTm1z
A6/ExonpuavNNRGGfExa5kyisq7T6blGPmIsLu9D9/SnTzCcMz3+uDocJ5BU
jUQWqlqFCmaGy5tooavfu6xtEPRceQ0WTaW3QT5uTaud69dZlVg2zdKhRYwj
fOQsuhrHKNo33UFQ9KsOoVPqVehpQrw8QvNc4TWRfaNH1/9x7i0ALKLb8Dmk
09IEdu6btHhpSmyih2C8qv49VQ/OzvSDJmj8hnEpCl/fiyUYE4V/kZqOo2Hd
tzN+MgoanZiigwTbt1F7MuWq8hQ6FS8N8J3LOJh6C6B6UaHNIjG4eMdlKeZo
w7XuEQ6Va+KSlHwG4yS0Wu9Z7eQzNhq4kGaMc2PxBVMwt66JSvJX5AqNicl0
4jfLH/nNVsYbM7YdYRz9gLumF7Vg/ohNbKxxb7ciLRxs76K3wUTjWXV7ccYZ
8NN1e4rS/kY7z0MZ4z7MnggQC1J9Je2oqA2ewKcY1nWpXJic6kSNy9jy3blp
IPDmikCbWxa5BOixLAxdb7Toa7r1zgJS4GwZL9AW4GrixXDjyiLHPa5pcnto
T92vu6ZUQQbpR67CEGvkVtpN52QkxLtFx1MB8pCRh0l6j9ZIHwppvhVTSzeI
kAxSUs5HxmbRQynzlXyHNeLwBU1vU6tV4w5TxsNV96vtgJW7XBYphE+2D926
pouYoSE1ESMW2+yEl4J3k6hnmr/VUoxVW4UD62lVFePGSYnTc/rF018yfLRc
BIgI11uHs7pBkt4EhrPyy3mtfFfeT9GQAhEiuopAEXNVFF+9SefMpPI48fu1
nTMUxObG82CazBrStcb1vSaO5VuNeL/GJ3BK0TVemzBSZEbhfodez4y9QK6h
h4B5ZgdiKw3dF/iW9aT8vV6TMkaLxzT72HCsi5SoCim4fusaVH1YuTCoYrJq
OzIeapSRoKLYuW27iZ6In9NJ8Ugi4G0ZRgHRPcdlV/aToEQ0ylBB4pb0Wkxj
/i5iVoCfuO65c1AmcMqwkUE6aRCYF9TQI509d7dTVgNk4NbGlQxbjGEATWZS
blNCKrYOrtotb9zUV43k2vu09+Vxxaq0QSE3zgXeRSBdxE7kDNjV8EvnqbVY
E+K1F/6LM7CQk39rk9oVt9ZupFBNMMDccElmUzAuIbWGNHF9JzHGGP5ivPSc
GW/gguhrL7ionDcvMnCmEZ0bxDISPsB7CFbEZo3BE3IYoxfWyIILpLygQeye
c33Qve15+4hwx9FilJLj40Fu+rq9hthXOQljIrFB63PJVr6iIr0MdworIcHh
+mI9Q0wf0bqAN6mIAtejUpwRs/nnooOGCdERg7SB8WTsndX27dZZyegtT+I2
cKrpNsZBPZGh+00m005tMLXQT4Upu+QgAnk2acFC9IW07K5RfV6PD7fqSJfM
jdfbS+fHXFOBo/kWRmSS9l8t8RGOcW/xCqbPxlwjtt4nEWtW5wlUzRdqm8bv
mC1ptmkoXoo7KcvIi5+wOp4RAUr4hho4gGC1a37XKyeMw2f74MtmXB+iyZ3/
Yz1UtfZReVkP8w+3KpskzalpYK7iP0gzPVU9VS6dY1udwQyVMXFRGb5SEwoX
7dGyjf9pAolO4icizGaqN6yKcFut42e8b68IVCo+EQQdcvGo2g4lob1Ti9wO
bW34Nqrhu6iL3mm1bmtAGXgl17EmX0kbSN1tv1NbmUsxpYB34697b/Nm5h5J
kIvr7a3qWFs7Q8w64tSr/1wqEo7o1x523XuNX3361T/Fp677VD0b4NdeI7Fn
jqNeCP0/uOk98i1f1TMd2Pro6PTI/hz/eDq4jPYfL348L9/eXd4jLXhWJf2G
rplt4ySfjfpVsednuOiwM+h1et1up+fz0cCw1eobhehbfdjtdTqd0eSwTyR1
hXTNMPdwc0XpWvbcRZkRGg/4g+kk2OaEYXdX9XZV/1dwbm8t5375Es6t2LPC
1xBYEi7tSSmGuQWDz1A64HDGY/pS3u5K7UhX0FfgDiy8AVNmi69sfUOFYfDJ
85nq1perjNc6fI6z3o0dZ53enQ6ujvd7l7f7T5cnR+XlXdp7e/f+p/Or6Vd5
SJSv89resFFKuo7jbCKCdqQNVxiBXP1hrTZSCs5chLsKMaxJydDMvdGXE7Dk
wcHeKks6chveEjXU+xWc1F/LSf1fwklGvXXVtpTFmuPtgHlQaAIu4NPRuNsI
jkBU/E5CYPziCHy1K5UhQU4rrmExy1sNhJudz3isC6IdyNiKBDX9izIY8BNh
0BW8EFFy8JPHgbvNnK5uvX6O4abnR/7PSf+mHC8Hsf76rBh//RRfzN8+jN6l
D3/5evDTxZ/Pen/5878PwHfqDi8a+SAvGnnWNNfeRuJH5fwiiPUlAd76NWss
ZhxJSik+Ok8WZYGXOVou8S23st0bQ9VsuZAZDb3Xap0mnhuNZdeo/JM4X5JA
Pl3Nb6Krk/Tg8kOXbq/if/uQqPMTYa7GXtCB3dqPD+hWDdItW8tUQwjsSvpG
UHFp7zS+PL6RJMdzGGooCuXphQaXYhprhYoj6RG24j1Amt6v/KmtRyfr/8qf
BrbfkhreQNepx/zHxzenL/13exSdv/jfS6RqIws1DwWu2sBCWyAp0DlOy4Q8
ib79+7ch129IqYrxVvSjYz1fG64VB5i+9E7EwUUXPs/8dxcN1k9rBn94yFrC
YdU1eNFDtwseV74IOUbdPRrU6+3xsDVWz/OoNnDl47cVU95VDublu6Prv3z9
unsx/7D/7Te9x9HX78tv+6+L48fHp6u7KTmgp+QmHNHY04vLH49+uvgRbsMp
/X+6kb2a2pAeHWxgL4cJ0IiOsya9WqfsKmK3fCT6bFo97PFOFXLrU4j9tjxk
W8ZQR2NkQWMdTk0glF+UxS88Nq/54zcMclUWXm9s3g4hBbgE3LxMOHgmlQhR
ZttMH7QLb8jbUetRTrpKIpRDDkJHXhod4DWi43Qqr9dS01QyWNguRGQPyHYd
Ojam+axNVI+zVM10vOACJBTymZd2mFcPyyvtTIUov5HWvgyW6ybooHhXRp5a
EAodzJFxmEXI/a15P291cUEm1uZk7XtGH5GPURzEnAdhrVCVX/dZvbQYM8oc
oTHOwAKfk4l9+ywdkjwFu7MkgAILkIkbSRZUDlsmNtDE1Gm+z6jT+j8aLZ2d
ylsAAA==

-->

</rfc>
