<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-happy-happyeyeballs-v3-04" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="Happy Eyeballs v3">Happy Eyeballs Version 3: Better Connectivity Using Concurrency</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-happy-happyeyeballs-v3-04"/>
    <author fullname="Tommy Pauly">
      <organization>Apple Inc</organization>
      <address>
        <email>tpauly@apple.com</email>
      </address>
    </author>
    <author fullname="David Schinazi">
      <organization>Google LLC</organization>
      <address>
        <email>dschinazi.ietf@gmail.com</email>
      </address>
    </author>
    <author fullname="Nidhi Jaju">
      <organization>Google LLC</organization>
      <address>
        <email>nidhijaju@google.com</email>
      </address>
    </author>
    <author fullname="Kenichi Ishibashi">
      <organization>Google LLC</organization>
      <address>
        <email>bashi@google.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="02"/>
    <area>WIT</area>
    <workgroup>HAPPY Working Group</workgroup>
    <keyword>ipv6</keyword>
    <keyword>ipv4</keyword>
    <keyword>racing</keyword>
    <keyword>tcp</keyword>
    <keyword>quic</keyword>
    <keyword>svcb</keyword>
    <keyword>ech</keyword>
    <abstract>
      <?line 53?>

<t>Many communication protocols operating over the modern Internet use
hostnames. These often resolve to multiple IP addresses, each of
which may have different performance and connectivity
characteristics. Since specific addresses or address families (IPv4
or IPv6) may be blocked, broken, or sub-optimal on a network, clients
that attempt multiple connections in parallel have a chance of
establishing a connection more quickly. This document defines the
algorithm for "Happy Eyeballs", a technique for reducing user-visible
delays on dual-stack hosts. This document updates the algorithm
in RFC 8305.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://ietf-wg-happy/draft-happy-eyeballs-v3/draft-ietf-happy-happyeyeballs-v3.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-happy-happyeyeballs-v3/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        HAPPY Working Group mailing list (<eref target="mailto:happy@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/happy/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/happy/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/ietf-wg-happy/draft-happy-eyeballs-v3"/>.</t>
    </note>
  </front>
  <middle>
    <?line 66?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Many communication protocols operating over the modern Internet use
hostnames. These often resolve to multiple IP addresses, each of
which may have different performance and connectivity
characteristics. Since specific addresses or address families (IPv4
or IPv6) may be blocked, broken, or sub-optimal on a network, clients
that attempt multiple connections in parallel have a chance of
establishing a connection more quickly.</t>
      <t>This document defines the algorithm for "Happy Eyeballs", a technique
for reducing user-visible delays on dual-stack hosts. This
definition updates the description in <xref target="HEV2"/>, which
itself obsoleted <xref target="RFC6555"/>.</t>
      <t>The Happy Eyeballs algorithm of racing connections to resolved
endpoints has several stages to avoid delays to the user whenever
possible, while respecting client priorities, such as preferring
the use of IPv6 or the availability of protocols like HTTP/3 <xref target="HTTP3"/> and
TLS Encrypted Client Hello <xref target="ECH"/>. This document discusses
how to initiate DNS queries when starting a connection, how to
sort the list of destination addresses received from DNS answers,
and how to race the connection attempts.</t>
      <t>The major difference between the algorithm defined in this document
and <xref target="HEV2"/> is the addition of support for SVCB / HTTPS resource
records <xref target="SVCB"/>. SVCB records provide alternative
endpoints and information about application protocol support, Encrypted
Client Hello <xref target="ECH"/> keys, address hints, and other relevant details
about the services being accessed. Discovering protocol support during
resolution, such as for HTTP/3 over QUIC <xref target="HTTP3"/>, allows
upgrading between protocols on the current connection attempts,
instead of waiting for subsequent attempts to use information from
other discovery mechanisms such as HTTP Alternative Services
<xref target="AltSvc"/>. These records can be queried along with A and
AAAA records, and the updated algorithm defines how to handle SVCB
responses to improve connection establishment.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

</section>
    <section anchor="overview">
      <name>Overview</name>
      <t>This document defines a method of connection establishment, named the
"Happy Eyeballs Connection Setup". This approach has several
distinct phases:</t>
      <ol spacing="normal" type="1"><li>
          <t>Asynchronous resolution of a hostname into destination endpoints (<xref target="resolution"/>)</t>
        </li>
        <li>
          <t>Sorting of the resolved destination endpoints (<xref target="sorting"/>)</t>
        </li>
        <li>
          <t>Initiation of asynchronous connection attempts (<xref target="connections"/>)</t>
        </li>
        <li>
          <t>Successful establishment of one connection and cancellation of
other attempts (<xref target="connections"/>)</t>
        </li>
      </ol>
      <t>Note that this document assumes that the preference policy for the
destination address family favors IPv6 over IPv4. IPv6 has many
desirable properties designed to be improvements over IPv4
<xref target="IPV6"/>.</t>
      <t>This document also assumes that the preference policy favors QUIC over
TCP. QUIC only requires one packet to establish a secure connection,
making it quicker compared to TCP <xref target="QUIC"/>.</t>
      <t>If the host is configured to have different preferences, the
recommendations in this document can be easily adapted.</t>
    </section>
    <section anchor="resolution">
      <name>Hostname Resolution</name>
      <t>When a client is trying to establish a connection to a named host,
it needs to determine which destination endpoint it can use
to establish a connection. The client resolves the endpoints
by sending DNS queries and collecting the answers.
This section describes how a client initiates DNS queries
and asynchronously handles the answers.</t>
      <section anchor="sending-dns-queries">
        <name>Sending DNS Queries</name>
        <t>Clients first need to determine which DNS resource records
they will include in queries for a named host.</t>
        <t>This decision is based on if client has "connectivity" using IPv4 and IPv6.
In this case, "connectivity" for an address family is defined
as having at least one local address of the family from which
to send packets, and at least one non-link local route for
the address family.</t>
        <t>When a client has both IPv4 and IPv6 connectivity, it needs to
send out queries for both AAAA and A records. On a network with
only IPv4 connectivity, it will send a query for A records. On a
network with only IPv6 connectivity, the client will either send
out queries for both AAAA and A records, or only a query for AAAA
records, depending on the network configuration. See <xref target="v6only"/>
for more discussion of handling IPv6-mostly and IPv6-only networks.</t>
        <t>In addition to requesting AAAA and A records, depending on which
application is establishing the connection, clients can request
either SVCB or HTTPS records <xref target="SVCB"/>. For applications using
HTTP or HTTPS (including applications using WebSockets), the
client <bcp14>SHOULD</bcp14> send a query for HTTPS records.</t>
        <t>All of the DNS queries <bcp14>SHOULD</bcp14> be made as soon after one another as
possible. The order in which the queries are sent <bcp14>SHOULD</bcp14> be as
follows (omitting any query that doesn't apply based on the
logic described above):</t>
        <ol spacing="normal" type="1"><li>
            <t>SVCB or HTTPS query</t>
          </li>
          <li>
            <t>AAAA query</t>
          </li>
          <li>
            <t>A query</t>
          </li>
        </ol>
      </section>
      <section anchor="handling-dns-answers-asynchronously">
        <name>Handling DNS Answers Asynchronously</name>
        <t>Once the client receives sufficient answers to its DNS queries, it can
move onto the phases of sorting endpoints (<xref target="sorting"/>)
and establishing connections (<xref target="connections"/>).</t>
        <t>Implementations <bcp14>SHOULD NOT</bcp14> wait for all answers to return
before starting the next steps of connection establishment. If one query
fails or takes significantly longer to return, waiting for
those answers can significantly delay connection
establishment that could otherwise proceed with already received answers.</t>
        <t>Therefore, the client <bcp14>SHOULD</bcp14> treat DNS resolution as asynchronous,
processing different record types independently.
Note that if the platform does not offer an asynchronous DNS API,
this behavior can be simulated by making separate synchronous queries
for each record type in parallel.</t>
        <t>The client moves onto sorting endpoints and establishing connections
once one of the following condition sets is met:</t>
        <t>Either:</t>
        <ul spacing="normal">
          <li>
            <t>Some positive (non-empty) address answers have been received AND</t>
          </li>
          <li>
            <t>A postive (non-empty) or negative (empty) answer has been received
for the preferred address family that was queried AND</t>
          </li>
          <li>
            <t>SVCB/HTTPS service information has been received (or has received
a negative response)</t>
          </li>
        </ul>
        <t>Or:</t>
        <ul spacing="normal">
          <li>
            <t>Some positive (non-empty) address answers have been received AND</t>
          </li>
          <li>
            <t>A resolution time delay has passed after which other answers have
not been received</t>
          </li>
        </ul>
        <t>Positive answers can be IP addresses received either from AAAA or A
records, or IP address hints received directly in SVCB/HTTPS records.</t>
        <t>Negative answers are exclusively responses to AAAA or A records
that contain no IP addresses (with or without an error like NXDOMAIN).
If all answers come back with negative answers, the
connection establishment will fail or need to wait until other answers
are received.</t>
        <t>On networks that have both default routes for IPv6 and IPv4, IPv6 is
assumed to be the preferred address family. If only one of IPv6 or IPv4 has
a default route, that address family should be considered the preferred address
family for progressing the algorithm.</t>
        <t>The resolution time delay is a short time that provides a chance
to receive preferred addresses (via AAAA records) along
with service information (via SVCB/HTTPS records). This accounts
for the case where the AAAA or SVCB/HTTPS records follow the
A records by a few milliseconds. This delay is referred to as
the "Resolution Delay".</t>
        <t>The <bcp14>RECOMMENDED</bcp14> value for the Resolution Delay is 50 milliseconds.</t>
        <section anchor="resolving-svcbhttps-aliases-and-targets">
          <name>Resolving SVCB/HTTPS Aliases and Targets</name>
          <t>SVCB and HTTPS records describe information for network services. Individual
records are either AliasMode or ServiceMode records, where AliasMode requires
another SVCB/HTTPS query for the alias name. ServiceMode records either are
associated with the original name being queried, in which case their TargetName
is ".", or are associated with another service name (see <xref section="2.5" sectionFormat="of" target="SVCB"/>).</t>
          <t>The algorithm in this document does not consider service information to be received
until ServiceMode records are available.</t>
          <t>ServiceMode records can contain IP address hints via <tt>ipv6hint</tt> and <tt>ipv4hint</tt>
parameters. When these are received, they <bcp14>SHOULD</bcp14> be considered as positive
non-empty answers for the purpose of the algorithm when A and AAAA records
corresponding to the TargetName are not available yet. Note that clients are
still required to issue A and AAAA queries for those TargetNames if they haven't
yet received those records. When those records are received, they replace the hints
and update the available set of responses as new answers (see <xref target="new-answers"/>).</t>
        </section>
        <section anchor="examples">
          <name>Examples</name>
          <t>The following examples provide various sequences that might be seen for receiving
DNS answers, in order to show how the logic described above is used in
practice to determine when to move onto the sorting and connecting phases.</t>
          <t>A simple dual-stack case where AAAA answers return slight before A answers:</t>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="336" width="296" viewBox="0 0 296 336" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 24,48 L 24,304" fill="none" stroke="black"/>
                <path d="M 256,48 L 256,304" fill="none" stroke="black"/>
                <path d="M 128,48 L 152,48" fill="none" stroke="black"/>
                <path d="M 128,64 L 152,64" fill="none" stroke="black"/>
                <path d="M 128,80 L 152,80" fill="none" stroke="black"/>
                <path d="M 64,144 L 88,144" fill="none" stroke="black"/>
                <path d="M 64,160 L 88,160" fill="none" stroke="black"/>
                <path d="M 64,256 L 88,256" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="160,80 148,74.4 148,85.6" fill="black" transform="rotate(0,152,80)"/>
                <polygon class="arrowhead" points="160,64 148,58.4 148,69.6" fill="black" transform="rotate(0,152,64)"/>
                <polygon class="arrowhead" points="160,48 148,42.4 148,53.6" fill="black" transform="rotate(0,152,48)"/>
                <polygon class="arrowhead" points="72,256 60,250.4 60,261.6" fill="black" transform="rotate(180,64,256)"/>
                <polygon class="arrowhead" points="72,160 60,154.4 60,165.6" fill="black" transform="rotate(180,64,160)"/>
                <polygon class="arrowhead" points="72,144 60,138.4 60,149.6" fill="black" transform="rotate(180,64,144)"/>
                <g class="text">
                  <text x="28" y="36">Client</text>
                  <text x="224" y="36">DNS</text>
                  <text x="268" y="36">Server</text>
                  <text x="84" y="52">HTTPS?</text>
                  <text x="88" y="68">AAAA?</text>
                  <text x="100" y="84">A?</text>
                  <text x="112" y="116">(30ms</text>
                  <text x="164" y="116">delay)</text>
                  <text x="120" y="148">HTTPS</text>
                  <text x="160" y="148">(no</text>
                  <text x="204" y="148">hints)</text>
                  <text x="116" y="164">AAAA</text>
                  <text x="148" y="164">(2</text>
                  <text x="204" y="164">addresses)</text>
                  <text x="56" y="196">Start</text>
                  <text x="108" y="196">w/IPv6</text>
                  <text x="108" y="228">(2ms</text>
                  <text x="156" y="228">delay)</text>
                  <text x="104" y="260">A</text>
                  <text x="124" y="260">(2</text>
                  <text x="180" y="260">addresses)</text>
                  <text x="60" y="292">Update</text>
                  <text x="116" y="292">w/IPv6</text>
                  <text x="152" y="292">+</text>
                  <text x="180" y="292">IPv4</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
 Client                    DNS Server
   |    HTTPS?  --->            |
   |     AAAA?  --->            |
   |        A?  --->            |
   |                            |
   |        (30ms delay)        |
   |                            |
   |    <--- HTTPS (no hints)   |
   |    <--- AAAA (2 addresses) |
   |                            |
   | Start w/IPv6               |
   |                            |
   |        (2ms delay)         |
   |                            |
   |    <--- A (2 addresses)    |
   |                            |
   | Update w/IPv6 + IPv4       |
   |                            |
]]></artwork>
          </artset>
          <t>A case in which A answers return before AAAA answers, but AAAA
answers do arrive after a short delay:</t>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="336" width="296" viewBox="0 0 296 336" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 24,48 L 24,304" fill="none" stroke="black"/>
                <path d="M 256,48 L 256,304" fill="none" stroke="black"/>
                <path d="M 128,48 L 152,48" fill="none" stroke="black"/>
                <path d="M 128,64 L 152,64" fill="none" stroke="black"/>
                <path d="M 128,80 L 152,80" fill="none" stroke="black"/>
                <path d="M 64,144 L 88,144" fill="none" stroke="black"/>
                <path d="M 64,160 L 88,160" fill="none" stroke="black"/>
                <path d="M 64,256 L 88,256" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="160,80 148,74.4 148,85.6" fill="black" transform="rotate(0,152,80)"/>
                <polygon class="arrowhead" points="160,64 148,58.4 148,69.6" fill="black" transform="rotate(0,152,64)"/>
                <polygon class="arrowhead" points="160,48 148,42.4 148,53.6" fill="black" transform="rotate(0,152,48)"/>
                <polygon class="arrowhead" points="72,256 60,250.4 60,261.6" fill="black" transform="rotate(180,64,256)"/>
                <polygon class="arrowhead" points="72,160 60,154.4 60,165.6" fill="black" transform="rotate(180,64,160)"/>
                <polygon class="arrowhead" points="72,144 60,138.4 60,149.6" fill="black" transform="rotate(180,64,144)"/>
                <g class="text">
                  <text x="28" y="36">Client</text>
                  <text x="224" y="36">DNS</text>
                  <text x="268" y="36">Server</text>
                  <text x="84" y="52">HTTPS?</text>
                  <text x="88" y="68">AAAA?</text>
                  <text x="100" y="84">A?</text>
                  <text x="112" y="116">(30ms</text>
                  <text x="164" y="116">delay)</text>
                  <text x="120" y="148">HTTPS</text>
                  <text x="160" y="148">(no</text>
                  <text x="204" y="148">hints)</text>
                  <text x="104" y="164">A</text>
                  <text x="124" y="164">(2</text>
                  <text x="180" y="164">addresses)</text>
                  <text x="48" y="196">Set</text>
                  <text x="84" y="196">50ms</text>
                  <text x="128" y="196">timer</text>
                  <text x="112" y="228">(10ms</text>
                  <text x="164" y="228">delay)</text>
                  <text x="116" y="260">AAAA</text>
                  <text x="148" y="260">(2</text>
                  <text x="204" y="260">addresses)</text>
                  <text x="56" y="292">Start</text>
                  <text x="108" y="292">w/IPv6</text>
                  <text x="144" y="292">+</text>
                  <text x="172" y="292">IPv4</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
 Client                    DNS Server
   |    HTTPS?  --->            |
   |     AAAA?  --->            |
   |        A?  --->            |
   |                            |
   |        (30ms delay)        |
   |                            |
   |    <--- HTTPS (no hints)   |
   |    <--- A (2 addresses)    |
   |                            |
   | Set 50ms timer             |
   |                            |
   |        (10ms delay)        |
   |                            |
   |    <--- AAAA (2 addresses) |
   |                            |
   | Start w/IPv6 + IPv4        |
   |                            |
]]></artwork>
          </artset>
          <t>A case in which A answers return significantly before AAAA answers:</t>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="400" width="296" viewBox="0 0 296 400" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 24,48 L 24,368" fill="none" stroke="black"/>
                <path d="M 256,48 L 256,368" fill="none" stroke="black"/>
                <path d="M 128,48 L 152,48" fill="none" stroke="black"/>
                <path d="M 128,64 L 152,64" fill="none" stroke="black"/>
                <path d="M 128,80 L 152,80" fill="none" stroke="black"/>
                <path d="M 64,144 L 88,144" fill="none" stroke="black"/>
                <path d="M 64,160 L 88,160" fill="none" stroke="black"/>
                <path d="M 64,320 L 88,320" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="160,80 148,74.4 148,85.6" fill="black" transform="rotate(0,152,80)"/>
                <polygon class="arrowhead" points="160,64 148,58.4 148,69.6" fill="black" transform="rotate(0,152,64)"/>
                <polygon class="arrowhead" points="160,48 148,42.4 148,53.6" fill="black" transform="rotate(0,152,48)"/>
                <polygon class="arrowhead" points="72,320 60,314.4 60,325.6" fill="black" transform="rotate(180,64,320)"/>
                <polygon class="arrowhead" points="72,160 60,154.4 60,165.6" fill="black" transform="rotate(180,64,160)"/>
                <polygon class="arrowhead" points="72,144 60,138.4 60,149.6" fill="black" transform="rotate(180,64,144)"/>
                <g class="text">
                  <text x="28" y="36">Client</text>
                  <text x="224" y="36">DNS</text>
                  <text x="268" y="36">Server</text>
                  <text x="84" y="52">HTTPS?</text>
                  <text x="88" y="68">AAAA?</text>
                  <text x="100" y="84">A?</text>
                  <text x="112" y="116">(30ms</text>
                  <text x="164" y="116">delay)</text>
                  <text x="120" y="148">HTTPS</text>
                  <text x="160" y="148">(no</text>
                  <text x="204" y="148">hints)</text>
                  <text x="104" y="164">A</text>
                  <text x="124" y="164">(2</text>
                  <text x="180" y="164">addresses)</text>
                  <text x="48" y="196">Set</text>
                  <text x="84" y="196">50ms</text>
                  <text x="128" y="196">timer</text>
                  <text x="112" y="228">(50ms</text>
                  <text x="164" y="228">delay)</text>
                  <text x="56" y="260">Start</text>
                  <text x="108" y="260">w/IPv4</text>
                  <text x="116" y="292">(100ms</text>
                  <text x="172" y="292">delay)</text>
                  <text x="116" y="324">AAAA</text>
                  <text x="148" y="324">(2</text>
                  <text x="204" y="324">addresses)</text>
                  <text x="60" y="356">Update</text>
                  <text x="116" y="356">w/IPv6</text>
                  <text x="152" y="356">+</text>
                  <text x="180" y="356">IPv4</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
 Client                    DNS Server
   |    HTTPS?  --->            |
   |     AAAA?  --->            |
   |        A?  --->            |
   |                            |
   |        (30ms delay)        |
   |                            |
   |    <--- HTTPS (no hints)   |
   |    <--- A (2 addresses)    |
   |                            |
   | Set 50ms timer             |
   |                            |
   |        (50ms delay)        |
   |                            |
   | Start w/IPv4               |
   |                            |
   |        (100ms delay)       |
   |                            |
   |    <--- AAAA (2 addresses) |
   |                            |
   | Update w/IPv6 + IPv4       |
   |                            |
]]></artwork>
          </artset>
          <t>A case in which SVCB/HTTPS answers are slightly delayed:</t>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="336" width="296" viewBox="0 0 296 336" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 24,48 L 24,304" fill="none" stroke="black"/>
                <path d="M 256,48 L 256,304" fill="none" stroke="black"/>
                <path d="M 128,48 L 152,48" fill="none" stroke="black"/>
                <path d="M 128,64 L 152,64" fill="none" stroke="black"/>
                <path d="M 128,80 L 152,80" fill="none" stroke="black"/>
                <path d="M 64,144 L 88,144" fill="none" stroke="black"/>
                <path d="M 64,160 L 88,160" fill="none" stroke="black"/>
                <path d="M 64,256 L 88,256" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="160,80 148,74.4 148,85.6" fill="black" transform="rotate(0,152,80)"/>
                <polygon class="arrowhead" points="160,64 148,58.4 148,69.6" fill="black" transform="rotate(0,152,64)"/>
                <polygon class="arrowhead" points="160,48 148,42.4 148,53.6" fill="black" transform="rotate(0,152,48)"/>
                <polygon class="arrowhead" points="72,256 60,250.4 60,261.6" fill="black" transform="rotate(180,64,256)"/>
                <polygon class="arrowhead" points="72,160 60,154.4 60,165.6" fill="black" transform="rotate(180,64,160)"/>
                <polygon class="arrowhead" points="72,144 60,138.4 60,149.6" fill="black" transform="rotate(180,64,144)"/>
                <g class="text">
                  <text x="28" y="36">Client</text>
                  <text x="224" y="36">DNS</text>
                  <text x="268" y="36">Server</text>
                  <text x="84" y="52">HTTPS?</text>
                  <text x="88" y="68">AAAA?</text>
                  <text x="100" y="84">A?</text>
                  <text x="112" y="116">(30ms</text>
                  <text x="164" y="116">delay)</text>
                  <text x="116" y="148">AAAA</text>
                  <text x="148" y="148">(2</text>
                  <text x="204" y="148">addresses)</text>
                  <text x="104" y="164">A</text>
                  <text x="124" y="164">(2</text>
                  <text x="180" y="164">addresses)</text>
                  <text x="48" y="196">Set</text>
                  <text x="84" y="196">50ms</text>
                  <text x="128" y="196">timer</text>
                  <text x="112" y="228">(10ms</text>
                  <text x="164" y="228">delay)</text>
                  <text x="120" y="260">HTTPS</text>
                  <text x="160" y="260">(no</text>
                  <text x="204" y="260">hints)</text>
                  <text x="56" y="292">Start</text>
                  <text x="108" y="292">w/IPv6</text>
                  <text x="144" y="292">+</text>
                  <text x="172" y="292">IPv4</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
 Client                    DNS Server
   |    HTTPS?  --->            |
   |     AAAA?  --->            |
   |        A?  --->            |
   |                            |
   |        (30ms delay)        |
   |                            |
   |    <--- AAAA (2 addresses) |
   |    <--- A (2 addresses)    |
   |                            |
   | Set 50ms timer             |
   |                            |
   |        (10ms delay)        |
   |                            |
   |    <--- HTTPS (no hints)   |
   |                            |
   | Start w/IPv6 + IPv4        |
   |                            |
]]></artwork>
          </artset>
          <t>A case in which SVCB/HTTPS answers are significantly delayed,
or never arrive:</t>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="304" width="296" viewBox="0 0 296 304" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 24,48 L 24,272" fill="none" stroke="black"/>
                <path d="M 256,48 L 256,272" fill="none" stroke="black"/>
                <path d="M 128,48 L 152,48" fill="none" stroke="black"/>
                <path d="M 128,64 L 152,64" fill="none" stroke="black"/>
                <path d="M 128,80 L 152,80" fill="none" stroke="black"/>
                <path d="M 64,144 L 88,144" fill="none" stroke="black"/>
                <path d="M 64,160 L 88,160" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="160,80 148,74.4 148,85.6" fill="black" transform="rotate(0,152,80)"/>
                <polygon class="arrowhead" points="160,64 148,58.4 148,69.6" fill="black" transform="rotate(0,152,64)"/>
                <polygon class="arrowhead" points="160,48 148,42.4 148,53.6" fill="black" transform="rotate(0,152,48)"/>
                <polygon class="arrowhead" points="72,160 60,154.4 60,165.6" fill="black" transform="rotate(180,64,160)"/>
                <polygon class="arrowhead" points="72,144 60,138.4 60,149.6" fill="black" transform="rotate(180,64,144)"/>
                <g class="text">
                  <text x="28" y="36">Client</text>
                  <text x="224" y="36">DNS</text>
                  <text x="268" y="36">Server</text>
                  <text x="84" y="52">HTTPS?</text>
                  <text x="88" y="68">AAAA?</text>
                  <text x="100" y="84">A?</text>
                  <text x="112" y="116">(30ms</text>
                  <text x="164" y="116">delay)</text>
                  <text x="116" y="148">AAAA</text>
                  <text x="148" y="148">(2</text>
                  <text x="204" y="148">addresses)</text>
                  <text x="104" y="164">A</text>
                  <text x="124" y="164">(2</text>
                  <text x="180" y="164">addresses)</text>
                  <text x="48" y="196">Set</text>
                  <text x="84" y="196">50ms</text>
                  <text x="128" y="196">timer</text>
                  <text x="112" y="228">(50ms</text>
                  <text x="164" y="228">delay)</text>
                  <text x="56" y="260">Start</text>
                  <text x="108" y="260">w/IPv6</text>
                  <text x="144" y="260">+</text>
                  <text x="172" y="260">IPv4</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
 Client                    DNS Server
   |    HTTPS?  --->            |
   |     AAAA?  --->            |
   |        A?  --->            |
   |                            |
   |        (30ms delay)        |
   |                            |
   |    <--- AAAA (2 addresses) |
   |    <--- A (2 addresses)    |
   |                            |
   | Set 50ms timer             |
   |                            |
   |        (50ms delay)        |
   |                            |
   | Start w/IPv6 + IPv4        |
   |                            |
]]></artwork>
          </artset>
          <t>A case in which AAAA answers are delayed, but hints
are available:</t>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="224" width="296" viewBox="0 0 296 224" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 24,48 L 24,192" fill="none" stroke="black"/>
                <path d="M 256,48 L 256,192" fill="none" stroke="black"/>
                <path d="M 128,48 L 152,48" fill="none" stroke="black"/>
                <path d="M 128,64 L 152,64" fill="none" stroke="black"/>
                <path d="M 128,80 L 152,80" fill="none" stroke="black"/>
                <path d="M 64,144 L 88,144" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="160,80 148,74.4 148,85.6" fill="black" transform="rotate(0,152,80)"/>
                <polygon class="arrowhead" points="160,64 148,58.4 148,69.6" fill="black" transform="rotate(0,152,64)"/>
                <polygon class="arrowhead" points="160,48 148,42.4 148,53.6" fill="black" transform="rotate(0,152,48)"/>
                <polygon class="arrowhead" points="72,144 60,138.4 60,149.6" fill="black" transform="rotate(180,64,144)"/>
                <g class="text">
                  <text x="28" y="36">Client</text>
                  <text x="224" y="36">DNS</text>
                  <text x="268" y="36">Server</text>
                  <text x="84" y="52">HTTPS?</text>
                  <text x="88" y="68">AAAA?</text>
                  <text x="100" y="84">A?</text>
                  <text x="112" y="116">(30ms</text>
                  <text x="164" y="116">delay)</text>
                  <text x="120" y="148">HTTPS</text>
                  <text x="184" y="148">(w/hints)</text>
                  <text x="56" y="180">Start</text>
                  <text x="108" y="180">w/IPv6</text>
                  <text x="144" y="180">+</text>
                  <text x="172" y="180">IPv4</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
 Client                    DNS Server
   |    HTTPS?  --->            |
   |     AAAA?  --->            |
   |        A?  --->            |
   |                            |
   |        (30ms delay)        |
   |                            |
   |    <--- HTTPS (w/hints)    |
   |                            |
   | Start w/IPv6 + IPv4        |
   |                            |
]]></artwork>
          </artset>
          <t>A case in which SVCB/HTTPS answers return with multiple
service names ("." indicating that the service applies
to the original requested name, and "alt" being an
alternative service name). In this case, connection attempts
can start in parallel with new AAAA and A queries.</t>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="432" width="296" viewBox="0 0 296 432" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 24,48 L 24,400" fill="none" stroke="black"/>
                <path d="M 256,48 L 256,368" fill="none" stroke="black"/>
                <path d="M 128,48 L 152,48" fill="none" stroke="black"/>
                <path d="M 128,64 L 152,64" fill="none" stroke="black"/>
                <path d="M 128,80 L 152,80" fill="none" stroke="black"/>
                <path d="M 64,144 L 88,144" fill="none" stroke="black"/>
                <path d="M 64,160 L 88,160" fill="none" stroke="black"/>
                <path d="M 64,176 L 88,176" fill="none" stroke="black"/>
                <path d="M 64,192 L 88,192" fill="none" stroke="black"/>
                <path d="M 192,256 L 216,256" fill="none" stroke="black"/>
                <path d="M 192,272 L 216,272" fill="none" stroke="black"/>
                <path d="M 64,336 L 88,336" fill="none" stroke="black"/>
                <path d="M 64,352 L 88,352" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="224,272 212,266.4 212,277.6" fill="black" transform="rotate(0,216,272)"/>
                <polygon class="arrowhead" points="224,256 212,250.4 212,261.6" fill="black" transform="rotate(0,216,256)"/>
                <polygon class="arrowhead" points="160,80 148,74.4 148,85.6" fill="black" transform="rotate(0,152,80)"/>
                <polygon class="arrowhead" points="160,64 148,58.4 148,69.6" fill="black" transform="rotate(0,152,64)"/>
                <polygon class="arrowhead" points="160,48 148,42.4 148,53.6" fill="black" transform="rotate(0,152,48)"/>
                <polygon class="arrowhead" points="72,352 60,346.4 60,357.6" fill="black" transform="rotate(180,64,352)"/>
                <polygon class="arrowhead" points="72,336 60,330.4 60,341.6" fill="black" transform="rotate(180,64,336)"/>
                <polygon class="arrowhead" points="72,192 60,186.4 60,197.6" fill="black" transform="rotate(180,64,192)"/>
                <polygon class="arrowhead" points="72,176 60,170.4 60,181.6" fill="black" transform="rotate(180,64,176)"/>
                <polygon class="arrowhead" points="72,160 60,154.4 60,165.6" fill="black" transform="rotate(180,64,160)"/>
                <polygon class="arrowhead" points="72,144 60,138.4 60,149.6" fill="black" transform="rotate(180,64,144)"/>
                <g class="text">
                  <text x="28" y="36">Client</text>
                  <text x="224" y="36">DNS</text>
                  <text x="268" y="36">Server</text>
                  <text x="84" y="52">HTTPS?</text>
                  <text x="88" y="68">AAAA?</text>
                  <text x="100" y="84">A?</text>
                  <text x="112" y="116">(30ms</text>
                  <text x="164" y="116">delay)</text>
                  <text x="120" y="148">HTTPS</text>
                  <text x="168" y="148">(".")</text>
                  <text x="120" y="164">HTTPS</text>
                  <text x="176" y="164">("alt")</text>
                  <text x="116" y="180">AAAA</text>
                  <text x="148" y="180">(2</text>
                  <text x="204" y="180">addresses)</text>
                  <text x="104" y="196">A</text>
                  <text x="124" y="196">(2</text>
                  <text x="180" y="196">addresses)</text>
                  <text x="56" y="228">Start</text>
                  <text x="108" y="228">w/IPv6</text>
                  <text x="144" y="228">+</text>
                  <text x="172" y="228">IPv4</text>
                  <text x="88" y="260">AAAA?</text>
                  <text x="144" y="260">("alt")</text>
                  <text x="100" y="276">A?</text>
                  <text x="144" y="276">("alt")</text>
                  <text x="112" y="308">(30ms</text>
                  <text x="164" y="308">delay)</text>
                  <text x="116" y="340">AAAA</text>
                  <text x="148" y="340">(1</text>
                  <text x="196" y="340">address)</text>
                  <text x="104" y="356">A</text>
                  <text x="124" y="356">(1</text>
                  <text x="172" y="356">address)</text>
                  <text x="60" y="388">Update</text>
                  <text x="116" y="388">w/IPv6</text>
                  <text x="152" y="388">+</text>
                  <text x="180" y="388">IPv4</text>
                  <text x="264" y="388">|</text>
                  <text x="256" y="404">|</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
 Client                    DNS Server
   |    HTTPS?  --->            |
   |     AAAA?  --->            |
   |        A?  --->            |
   |                            |
   |        (30ms delay)        |
   |                            |
   |    <--- HTTPS (".")        |
   |    <--- HTTPS ("alt")      |
   |    <--- AAAA (2 addresses) |
   |    <--- A (2 addresses)    |
   |                            |
   | Start w/IPv6 + IPv4        |
   |                            |
   |     AAAA? ("alt")  --->    |
   |        A? ("alt")  --->    |
   |                            |
   |        (30ms delay)        |
   |                            |
   |    <--- AAAA (1 address)   |
   |    <--- A (1 address)      |
   |                            |
   | Update w/IPv6 + IPv4        |
   |                            |
]]></artwork>
          </artset>
          <t>An IPv4-only network connection where SVCB/HTTPS answers
are slightly delayed:</t>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="304" width="296" viewBox="0 0 296 304" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 24,48 L 24,272" fill="none" stroke="black"/>
                <path d="M 256,48 L 256,272" fill="none" stroke="black"/>
                <path d="M 128,48 L 152,48" fill="none" stroke="black"/>
                <path d="M 128,64 L 152,64" fill="none" stroke="black"/>
                <path d="M 64,128 L 88,128" fill="none" stroke="black"/>
                <path d="M 64,224 L 88,224" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="160,64 148,58.4 148,69.6" fill="black" transform="rotate(0,152,64)"/>
                <polygon class="arrowhead" points="160,48 148,42.4 148,53.6" fill="black" transform="rotate(0,152,48)"/>
                <polygon class="arrowhead" points="72,224 60,218.4 60,229.6" fill="black" transform="rotate(180,64,224)"/>
                <polygon class="arrowhead" points="72,128 60,122.4 60,133.6" fill="black" transform="rotate(180,64,128)"/>
                <g class="text">
                  <text x="28" y="36">Client</text>
                  <text x="224" y="36">DNS</text>
                  <text x="268" y="36">Server</text>
                  <text x="84" y="52">HTTPS?</text>
                  <text x="100" y="68">A?</text>
                  <text x="112" y="100">(30ms</text>
                  <text x="164" y="100">delay)</text>
                  <text x="104" y="132">A</text>
                  <text x="124" y="132">(2</text>
                  <text x="180" y="132">addresses)</text>
                  <text x="48" y="164">Set</text>
                  <text x="84" y="164">50ms</text>
                  <text x="128" y="164">timer</text>
                  <text x="112" y="196">(10ms</text>
                  <text x="164" y="196">delay)</text>
                  <text x="120" y="228">HTTPS</text>
                  <text x="160" y="228">(no</text>
                  <text x="204" y="228">hints)</text>
                  <text x="56" y="260">Start</text>
                  <text x="108" y="260">w/IPv4</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
 Client                    DNS Server
   |    HTTPS?  --->            |
   |        A?  --->            |
   |                            |
   |        (30ms delay)        |
   |                            |
   |    <--- A (2 addresses)    |
   |                            |
   | Set 50ms timer             |
   |                            |
   |        (10ms delay)        |
   |                            |
   |    <--- HTTPS (no hints)   |
   |                            |
   | Start w/IPv4               |
   |                            |
]]></artwork>
          </artset>
        </section>
      </section>
      <section anchor="new-answers">
        <name>Handling New Answers</name>
        <t>If new records arrive while connection attempts are in progress,
but before any connection has been established, then any newly
received endpoints are incorporated into the list of available candidate
endpoints (see <xref target="changes"/>) and the process of connection attempts will
continue with the new endpoints added, until one connection is
established.</t>
      </section>
      <section anchor="handling-expired-answers">
        <name>Handling Expired Answers</name>
        <t>Previously received DNS answers might expire (exceed their TTL)
while connection attempts are still in progress. A Happy Eyeballs client will not cancel those ongoing attempts when the answers
expire. However, the client <bcp14>MAY</bcp14> trigger new DNS queries to fetch non-expired answers after the original records have expired,
in the case in which the original answers have not yet led to a successful connection.
Addition of any new answers is handled as described in <xref target="new-answers"/> and <xref target="changes"/>; that is, ongoing connection attempts
will not be cancelled, but any endpoint for which a connection
attempt had not yet been started that is no longer in the resolved
endpoint list will be removed.</t>
        <t>Additionally, the fact that Happy Eyeballs enables clients to handle
updates to the resolved endpoint list asynchronously enables
the use of expired answers "optimistically" while waiting for non-expired
answers. This approach is called "optimistic DNS", and is described
in <xref target="OPTIMISTIC-DNS"/>.</t>
      </section>
      <section anchor="handling-multiple-dns-server-addresses">
        <name>Handling Multiple DNS Server Addresses</name>
        <t>If multiple DNS server addresses are configured for the current
network, the client may have the option of sending its DNS queries
over IPv4 or IPv6. In keeping with the Happy Eyeballs approach,
queries <bcp14>SHOULD</bcp14> be sent over IPv6 first (note that this is not
referring to the sending of AAAA or A queries, but rather the address
of the DNS server itself and IP version used to transport DNS
messages). If DNS queries sent to the IPv6 address do not receive
responses, that address may be marked as penalized and queries can be
sent to other DNS server addresses.</t>
        <t>As native IPv6 deployments become more prevalent and IPv4 addresses
are exhausted, it is expected that IPv6 connectivity will have
preferential treatment within networks. If a DNS server is
configured to be accessible over IPv6, IPv6 should be assumed to be
the preferred address family.</t>
        <t>Client systems <bcp14>SHOULD NOT</bcp14> have an explicit limit to the number of DNS
servers that can be configured, either manually or by the network.
If such a limit is required by hardware limitations, the client
<bcp14>SHOULD</bcp14> use at least one address from each address family from the
available list.</t>
      </section>
    </section>
    <section anchor="sorting">
      <name>Grouping and Sorting Endpoints</name>
      <t>Before attempting to connect to any of the resolved destination
endpoints, the client defines the order in which to start the
attempts. Once the order has been defined, the client can use a
simple algorithm for racing each option after a short delay (see
<xref target="connections"/>). It is important that the ordered list involve all
endpoints from both address families and all protocols that have been received
by this point, as this allows the client to get the racing effect of
Happy Eyeballs for the entire list, not just the first IPv4 and first
IPv6 addresses.</t>
      <t>The client performs three levels of grouping
and sorting of endpoints based on the DNS answers received.
Each subsequent level of sorting only changes orders and
preferences within the previously defined groups.</t>
      <ol spacing="normal" type="1"><li>
          <t>Grouping and sorting by application protocol and security requirements (<xref target="application-group"/>)</t>
        </li>
        <li>
          <t>Grouping and sorting by service priorities (<xref target="service-group"/>)</t>
        </li>
        <li>
          <t>Sorting by destination endpoint preferences (<xref target="endpoint-sorting"/>)</t>
        </li>
      </ol>
      <section anchor="application-group">
        <name>Grouping By Application Protocols and Security Requirements</name>
        <t>Clients first group based on which application protocols the
destination endpoints support and which security features
those endpoints offer. These are based on
information from SVCB/HTTPS records about application-layer protocols
("alpn" values) and other parameters like TLS Encrypted Client Hello
configuration ("ech" values, see <xref target="SVCB-ECH"/>).</t>
        <t>For cases where the answers do not include any SVCB/HTTPS information,
or if all of the answers are associated with the same SVCB/HTTPS record,
this step is trivial: all answers belong to one group, and the client
assumes they support the same protocols and security properties.</t>
        <t>However, the client is aware of different sets of destination endpoints
that advertise different capabilities when it receives multiple distinct
SVCB/HTTPS records. The client <bcp14>SHOULD</bcp14> separate these
endpoints into different groups, such that all endpoints in a
group share the same application protocols and relevant security
properties. The specific parameters that are relevant to the client
depend on the client implementation and application.</t>
        <t>Note that some destination endpoints might need to be added to
multiple groups at this stage. For example, consider the following
HTTPS records:</t>
        <artwork><![CDATA[
 example.com. 60 IN HTTPS 1 svc1.example.com. (
     alpn="h3,h2" ipv6hint=2001:db8::2 )
 example.com. 60 IN HTTPS 1 svc2.example.com. (
     alpn="h2" ipv6hint=2001:db8::4 )
]]></artwork>
        <t>In this case, 2001:db8::2 can be used with HTTP/3 and HTTP/2,
but 2001:db8::4 can only be used with HTTP/2. If the client
creates a grouping for HTTP/3-capable endpoints and
HTTP/2-capable endpoints, 2001:db8::2 would exist in both
groups (assuming that all other security properties are
the same).</t>
        <t>Connection racing as described in <xref target="connections"/> applies
to different destination endpoint options within one of these groups.
The logic for prioritizing and falling back between groups
of endpoints with different security properties and protocol
properties is implementation-defined.</t>
        <section anchor="when-to-apply-application-preferences">
          <name>When to Apply Application Preferences</name>
          <t>Whether or not specific application protocols or security features
are grouped separately is a client application decision. Clients
<bcp14>SHOULD</bcp14> avoid grouping and sorting separately in cases where their
use of an application protocol or feature is non-critical.</t>
          <t>For example, an HTTP client loading a simple webpage may not see a large
difference between using HTTP/3 or HTTP/2, and thus can group the ALPNs together
to respect service-determined priorities where HTTP/3 might be
prioritized behind HTTP/2. However, another client might see significant
performance improvements by using HTTP/3's ability to send unreliable
frames for its application use-case and will group HTTP/3 before HTTP/2.</t>
          <t>Similarly, a particular application might require or strongly prefer the
use of TLS ECH for privacy-sensitive traffic, while others might
support ECH opportunistically.</t>
          <t><xref section="8" sectionFormat="of" target="SVCB-ECH"/> recommends against SVCB record sets that contain
some answers that include ECH configuration and some that don't, but notes
that such cases are possible. It is possible that services only include
ECH configurations on SVCB answers that are prioritized behind others
that don't include ECH configurations; for example, this might be
used as an experimenation or roll-out strategy. Due to such cases, clients
ought to not arbitrarily group ECH-containing answers and sort them
first if they won't use the ECH information, or if the connection would
not benefit from the use of ECH. However, for cases where there is a
reason for an application preference for ECH, the client <bcp14>MAY</bcp14> group
and prioritize those answers separately. Even though this might conflict
with the published service record priorities, any answers published
by the service are eligible to be used by clients, and clients can
choose to use them.</t>
        </section>
      </section>
      <section anchor="service-group">
        <name>Grouping By Service Priority</name>
        <t>The next step of grouping and sorting is to group across different
services (as defined by SVCB/HTTPS records), and sort these groups
by priority.</t>
        <t>This step allows server-published priorities to be reflected
in the client connection establishment algorithm.</t>
        <t>SVCB <xref target="SVCB"/> records indicate a priority for each ServiceMode response.
This priority applies to any IPv4 or IPv6 address hints in the record
itself, as well as any addresses received on A or AAAA queries for the
name in the ServiceMode record. The priority in a SVCB ServiceMode record is
always greater than 0.</t>
        <t>SVCB answers with the lowest numerical value (such as 1) are sorted
first, and answers with higher numerical values are sorted later.</t>
        <t>Note that a SVCB record with the TargetName "." applies to the owner
name in the record, and the priority of that SVCB record applies to
any A or AAAA records for the same owner name. These answers are
sorted according to that SVCB record's priority.</t>
        <t>All endpoints received from a particular SVCB service (within a group
as defined in <xref target="application-group"/>), either by an associated AAAA
or A record or address hints, <bcp14>SHOULD</bcp14> be separated into a group by
the client. These service-based groups <bcp14>SHOULD</bcp14> then be sorted
using the service priority.</t>
        <t>For cases where the answers do not include any SVCB/HTTPS information,
or if all of the answers are associated with the same SVCB/HTTPS record,
this step is trivial: all answers belong to one group that has the same
priority.</t>
        <t>When there are multiple services, and thus multiple groups, with the
same priority, the client <bcp14>SHOULD</bcp14> shuffle these groups randomly.</t>
        <t>If there are some SVCB/HTTPS services received, but there are AAAA or A
records that do not have an associated service (for example, if no
SVCB/HTTPS record is received for the original name using the "."
TargetName), the unassociated addresses <bcp14>SHOULD</bcp14> be put in a group of
endpoints that is prioritized at the end of the list.</t>
      </section>
      <section anchor="endpoint-sorting">
        <name>Sorting Destination Endpoints Within Groups</name>
        <t>Within each group of endpoints, after grouping based on the logic
in <xref target="application-group"/> and <xref target="service-group"/>, the client sorts
the endpoints based on preference and historical data.</t>
        <t>First, the client <bcp14>MUST</bcp14> sort the endpoints using Destination Address
Selection (<xref section="6" sectionFormat="comma" target="RFC6724"/>).</t>
        <t>If the client is stateful and has a history of expected round-trip
times (RTTs) for the routes to access each endpoint's IP address,
it <bcp14>SHOULD</bcp14> add a Destination Address Selection rule between rules 8 and 9 that prefers
addresses with lower RTTs. If the client keeps track of which
addresses it used in the past, it <bcp14>SHOULD</bcp14> add another Destination
Address Selection rule between the RTT rule and rule 9, which prefers
used addresses over unused ones. This helps servers that use the
client's IP address during authentication, as is the case for TCP
Fast Open <xref target="RFC7413"/> and some Hypertext Transport Protocol (HTTP)
cookies. This historical data <bcp14>MUST</bcp14> be partitioned using the same
boundaries used for privacy-sensitive information specific to that endpoint,
and <bcp14>MUST NOT</bcp14> be used across different Provisioning Domains (PvDs)
<xref target="RFC7556"/>. The data <bcp14>SHOULD</bcp14> be flushed whenever a device changes the
PvD to which it is attached. However, if a client can reliably
identify a previously attached PvD, it <bcp14>MAY</bcp14> retain and resume using
historical data associated with that PvD upon reconnection. Clients
that use historical data <bcp14>MUST</bcp14> ensure that clients with different
historical data will eventually converge toward the same behaviors.
For example, clients can periodically ignore historical data to ensure
that fresh addresses are attempted.</t>
        <t>Next, the client <bcp14>SHOULD</bcp14> modify the ordered list to interleave
address families. Whichever address family is first in the list
should be followed by an endpoint of the other address family. For example,
if the first endpoint in the sorted list has an IPv6 address, then
the first IPv4 endpoint should be moved up in the list to be second
in the list. An implementation <bcp14>MAY</bcp14> choose to favor one
address family more by allowing multiple addresses of that
family to be attempted before trying the next.
The number of contiguous endpoints of the first address family of
properties will be referred to as the "Preferred Address Family
Count" and can be a configurable value. This avoids waiting through a
long list of endpoints for a given address family if connectivity
over that address family is impaired.</t>
        <t>Note that the endpoint selection described in this section only
applies to destination addresses; Source Address Selection
(<xref section="3.2" sectionFormat="comma" target="RFC6724-UPDATE"/>) is performed
once per destination address and is out of scope of this document.</t>
      </section>
    </section>
    <section anchor="connections">
      <name>Connection Attempts</name>
      <t>Once the list of endpoints received up to this point has been
constructed, the client will attempt to make connections. In order to
avoid unreasonable network load, connection attempts <bcp14>SHOULD NOT</bcp14> be
made simultaneously. Instead, one connection attempt to a single
endpoint is started first, followed by the others, one at a
time. Starting a new connection attempt does not affect previous
attempts, as multiple connection attempts may occur in parallel.  Once
one of the connection attempts succeeds (<xref target="success"/>), all other
connections attempts that have not yet succeeded <bcp14>SHOULD</bcp14> be canceled.
Any endpoint that was not yet attempted as a connection <bcp14>SHOULD</bcp14> be
ignored.  At that time, any asynchronous DNS queries <bcp14>MAY</bcp14> be canceled as
new endpoints will not be used for this connection. However, the DNS
client resolver <bcp14>SHOULD</bcp14> still process DNS replies from the network for
a short period of time (recommended to be 1 second), as they will
populate the DNS cache and can be used for subsequent connections.</t>
      <t>If grouping endpoints by application or security requirements
(<xref target="application-group"/>) produced multiple groups, the application
<bcp14>SHOULD</bcp14> start with connection attempts to the most preferred option.
The policy for attempting any endpoints outside of the most preferred
group is up to the client implementation and out of scope for this document.</t>
      <t>If grouping endpoints by service (<xref target="service-group"/>) produced multiple
groups, all of the endpoints of the first group <bcp14>SHOULD</bcp14> be started
before starting attempts using the next group. Attempts across service groups
<bcp14>SHOULD</bcp14> be allowed to continue in parallel; in effect, the groups
are flattened into a single list. The intent of these groups is to
strictly prioritize the most preferred service. Therefore, if a higher
priority group has many endpoints, there is a potential for long
delays before falling back to lower priority groups.</t>
      <t>A simple implementation can have a fixed delay for how long to wait
before starting the next connection attempt. This delay is referred to
as the "Connection Attempt Delay". One recommended value for a default
delay is 250 milliseconds. A more nuanced implementation's delay
should correspond to the time when the previous attempt is retrying
its handshake (such as sending a second TCP SYN or a second QUIC
Initial), based on the retransmission timer (<xref target="RFC6298"/>,
<xref target="RFC9002"/>). If the client has historical RTT data gathered from
other connections to the same host or prefix, it can use this
information to influence its delay. Note that this algorithm should
only try to approximate the time of the first handshake packet
retransmission, and not any further retransmissions that may be
influenced by exponential timer back off. Clients that support
session resumption mechanisms (such as TLS session tickets
<xref target="RFC8446"/> or QUIC 0-RTT <xref target="RFC9001"/>) <bcp14>SHOULD</bcp14> use the same
Connection Attempt Delay for resumed connections as for new
connections.</t>
      <t>The Connection Attempt Delay <bcp14>MUST</bcp14> have a lower bound, especially if it
is computed using historical data. More specifically, a subsequent
connection <bcp14>MUST NOT</bcp14> be started within 10 milliseconds of the previous
attempt. The recommended minimum value is 100 milliseconds, which is
referred to as the "Minimum Connection Attempt Delay". This minimum
value is required to avoid congestion collapse in the presence of high
packet-loss rates. The Connection Attempt Delay <bcp14>SHOULD</bcp14> have an upper
bound, referred to as the "Maximum Connection Attempt Delay". The
current recommended value is 2 seconds.</t>
      <t>The Connection Attempt Delay is used to set a timer, referred to as
the "Next Connection Attempt Timer". Whenever this timer fires and
a connection has not been successfully established, the next
connection attempt starts, and the timer either is reset to a new
delay value or, in the case of the end of the list being reached,
is cancelled. Note that the delay value can be different for each
connection attempt (depending on the protocol being used and
the estimated RTT).</t>
      <section anchor="success">
        <name>Determining successful connection establishment</name>
        <t>The determination of when a connection attempt has successfully
completed (and other attempts can be cancelled) ultimately depends
on the client application's interpretation of the connection
state being ready to use. This will generally include at least
the transport-level handshake with the remote endpoint (such as
the TCP or QUIC handshake), but can involve other higher-level
handshakes or state checks as well.</t>
        <t>Client connections that use TCP only (without TLS or another protocol
on top, such as for unencrypted HTTP connections) will determine
successful establishment based on completing the TCP handshake
only. When TLS is used on top of of TCP (such as for encrypted HTTP
connections), clients <bcp14>SHOULD</bcp14> wait for the TLS handshake to
successfully complete before cancelling other connection
attempts. This is particularly useful for networks in which a
TCP-terminating proxy might be causing TCP handshakes to succeed
quickly, even though end-to-end connectivity with the TLS-terminating
server will fail. QUIC connections inherently include a secure
handshake in their main handshakes, and thus usually only need to
wait for a single handshake to complete.</t>
        <t>Beyond TCP, TLS, and/or QUIC handshakes, clients may also wait for
other requirements to be met before determining that the connection
establishment was successful. For example, clients generally validate that
the server's certificate provided via TLS is trusted, and that operation can
be asynchronous.</t>
        <t>In cases where the connection establishment determination goes beyond
the initial transport handshake, the Next Connection Attempt Timer
ought to be adjusted after the initial transport handshake is completed.
When the connection establishment makes progress, but has not completed,
the timer <bcp14>SHOULD</bcp14> be extended to a new value that represents an estimated
time for the full connection establishment to complete.</t>
        <t>For example, consider a case where connection establishment involves
both a TCP handshake and a TLS handshake. If the timer is initially set
to be roughly at the time when a TCP SYN packet would be retransmitted,
and the TCP handshake completes before the timer fires, the timer should
be adjusted to allow for the time in which the TLS handshake could complete.</t>
        <t>While transport layer handshakes generally do not have restrictions on
attempts to establish a connection, some cryptographic handshakes may
be dependent on SVCB ServiceMode records and could impose limitations on
establishing a connection.  For instance, ECH-capable clients may
become SVCB-reliant clients (<xref section="3" sectionFormat="of" target="SVCB"/>) when SVCB records
contain the "ech" SvcParamKey <xref target="SVCB-ECH"/>. If the
client is either an SVCB-reliant client or a SVCB-optional client that
might switch to SVCB-reliant connection establishment during the
process, the client <bcp14>MUST</bcp14> wait for SVCB records before proceeding with the
cryptographic handshake.</t>
      </section>
      <section anchor="handling-application-layer-protocol-negotiation-alpn">
        <name>Handling Application Layer Protocol Negotiation (ALPN)</name>
        <t>The <tt>alpn</tt> and <tt>no-default-alpn</tt> SvcParamKeys in SVCB records indicate the
"SVCB ALPN set," which specifies the underlying transport protocols
supported by the associated service endpoint. When the client requests
SVCB records, it <bcp14>SHOULD</bcp14> perform the procedure specified in <xref section="7.1.2" sectionFormat="of" target="SVCB"/> to determine the underlying transport protocols that both
the client and the service endpoint support. The client <bcp14>SHOULD NOT</bcp14>
attempt to make a connection to a service endpoint whose SVCB ALPN set
does not contain any protocols that the client supports. For example,
suppose the client is an HTTP client that only supports TCP-based
versions such as HTTP/1.1 and HTTP/2, and it receives the following
HTTPS record:</t>
        <artwork><![CDATA[
 example.com. 60 IN HTTPS 1 svc1.example.com. (
     alpn="h3" no-default-alpn ipv6hint=2001:db8::2 )
]]></artwork>
        <t>In this case, attempting a connection to 2001:db8::2 or any other
address resolved for <tt>svc1.example.com</tt> would be incorrect because the
record indicates that <tt>svc1.example.com</tt> only supports HTTP/3, based on
the ALPN value of "h3".</t>
        <t>If the client is an HTTP client that supports both Alt-Svc
<xref target="AltSvc"/> and SVCB (HTTPS) records, the client <bcp14>SHOULD</bcp14> ensure
that connection attempts are consistent with both the Alt-Svc
parameters and the SVCB ALPN set, as specified in <xref section="9.3" sectionFormat="of" target="SVCB"/>.</t>
      </section>
      <section anchor="dropping-or-pending-connection-attempts">
        <name>Dropping or Pending Connection Attempts</name>
        <t>Some situations related to handling SVCB responses can
require connection attempts to be dropped, or pended until
SVCB responses return.</t>
        <t><xref section="3.1" sectionFormat="of" target="SVCB"/> describes client behavior for handling
resolution failures when responses are "cryptographically protected"
using DNSSEC <xref target="DNSSEC"/> or encrypted DNS (<xref target="DOT"/>,
<xref target="DOH"/>, or <xref target="DOQ"/>, for example). If SVCB
resolution fails when using cryptographic protection, clients
<bcp14>SHOULD</bcp14> abandon connection attempts altogether to avoid
downgrade attacks.</t>
        <t>Use of cryptographic protection in DNS can influence other
parts of Happy Eyeballs connection establishment, as well.</t>
        <t>Situations in which DNS is not protected allow for any records
to be blocked or modified, so security properties derived from
SVCB records are opportunistic only. However, when DNS is cryptographically
protected, clients can be stricter about relying on the properties
from SVCB records.</t>
        <t><xref section="5.1" sectionFormat="of" target="SVCB"/> explains that clients "<bcp14>MUST NOT</bcp14> transmit any
information that could be altered by the SVCB response until it arrives",
and specifically mentions properties that affect the TLS ClientHello.
This restriction specifically applies when a client's behavior will
be altered by the SVCB response, which depends both on the client
implementation's ability to support a particular feature, as well
as the client implementation's willingness to rely on the SVCB
response to enable a particular feature.</t>
        <t>Based on this, clients in some scenarios <bcp14>MUST</bcp14> pend starting
a TLS handshake (either after TCP or as part of QUIC) until SVCB
responses have been received, even after the "Resolution Delay"
defined in <xref target="resolution"/> has been reached. Specifically, clients
<bcp14>MUST</bcp14> pend starting handshakes if <em>all</em> of the following are true:</t>
        <ol spacing="normal" type="1"><li>
            <t>DNS responses are cryptographically protected with DNSSEC or
encrypted DNS. Note that, if unencrypted and unsigned DNS is used, SVCB
information is opportunistic; clients <bcp14>MAY</bcp14> wait for SVCB responses
but do not need to.</t>
          </li>
          <li>
            <t>The client implementation supports parsing and using a particular
security-related SVCB parameter, such as the "ech" SvcParamKey
<xref target="SVCB-ECH"/>. (In contrast,
implementations that do not support actively using ECH do
not need to wait for SVCB resolution if that is the only
reason to do so).</t>
          </li>
          <li>
            <t>The client relies on the presence of the particular
SVCB-related parameter to enable the relevant protocol feature.
For example, if a connection attempt would normally be
using cleartext HTTP unless an HTTPS DNS record would
cause the client to upgrade, the client needs to
wait for the record; however, if the client already
would be using HTTP over TLS, then it is not relying
on that signal from SVCB. As another example, some SVCB
properties can affect the TLS ClientHello in ways that optimize
performance (like <tt>tls-supported-groups</tt> <xref target="I-D.ietf-tls-key-share-prediction"/>)
but only aim to save round trips. The other TLS groups
can be discovered through the TLS handshake itself, instead
of SVCB, and thus do not require waiting for SVCB responses.</t>
          </li>
        </ol>
      </section>
    </section>
    <section anchor="changes">
      <name>DNS Answer Changes During Happy Eyeballs Connection Setup</name>
      <t>If, during the course of connection establishment, the DNS answers
change by either adding resolved endpoints (for example due to DNS
push notifications <xref target="RFC8765"/>) or removing previously resolved
endpoints (for example, due to expiry of the TTL on that DNS record),
the client should react based on its current progress. Additionally, endpoints
from SVCB IP hints <bcp14>SHOULD</bcp14> be removed from the list once A and AAAA records are
received for the corresponding name, if the endpoints from the hints are absent from the
received records <xref section="7.3" sectionFormat="of" target="SVCB"/>.</t>
      <t>If an endpoint is removed from the list that already had a connection
attempt started, the connection attempt <bcp14>SHOULD NOT</bcp14> be canceled, but
rather be allowed to continue. If the removed endpoint had not yet
had a connection attempt started, it <bcp14>SHOULD</bcp14> be removed from the list
of endpoints to try.</t>
      <t>If an endpoint is added to the list, its position <bcp14>SHOULD</bcp14> be determined by
applying the sorting rules (see <xref target="sorting"/>) to the complete list of endpoints,
including those previously received. This ensures that sorting rules, such as address family
interleaving, are maintained correctly regardless of when endpoints arrive. For
example, consider a connection attempt in which only IPv6 addresses
are available initially, and an attempt to one IPv6 address endpoint is already in progress.
Then, when IPv4 addresses are later received, an IPv4 address endpoint should be placed next in the list of endpoints to attempt
(to account for interleaving address families) ahead of any remaining IPv6 address endpoints, as if it had been available initially.</t>
      <t>When DNS answers change while a Connection Attempt Delay timer is running, the
client <bcp14>MAY</bcp14> reschedule the timer. While a DNS update alone does not justify
rescheduling the timer, if at least one connection attempt started before the
DNS update has not made progress within an expected time window, the client <bcp14>MAY</bcp14> treat this as a signal that
the previous addresses may no longer be viable and fire the timer sooner
to start a connection attempt to the next address in the updated list, subject
to the Minimum Connection Attempt Delay.</t>
    </section>
    <section anchor="v6only">
      <name>Supporting IPv6-Mostly and IPv6-Only Networks</name>
      <t>While many IPv6 transition protocols have been standardized and
deployed, most are transparent to client devices. Supporting IPv6-only
networks often requires specific client-side changes, especially when
interacting with IPv4-only services. Two primary mechanisms for this
are the combined use of NAT64 <xref target="RFC6146"/> with DNS64 <xref target="RFC6147"/>, or
leveraging NAT64 with a discovered PREF64 prefix <xref target="RFC8781"/>.</t>
      <t>One possible way to handle these networks is for the client device
networking stack to implement 464XLAT <xref target="RFC6877"/>. 464XLAT has the
advantage of not requiring changes to user space software; however, it
requires per-packet translation if the application is using IPv4
literals and does not encourage client application software to support
native IPv6. On platforms that do not support 464XLAT, the Happy
Eyeballs engine <bcp14>SHOULD</bcp14> follow the recommendations in this section to
properly support IPv6-mostly (<xref target="V6-MOSTLY"/>) and IPv6-only networks.</t>
      <t>The features described in this section <bcp14>SHOULD</bcp14> only be enabled when the
host detects an IPv6-mostly or IPv6-only network. A simple heuristic
to detect one of these networks is to check if the network offers
routable IPv6 addressing, does not offer routable IPv4 addressing, and
offers a DNS resolver address.</t>
      <section anchor="literals">
        <name>IPv4 Address Literals</name>
        <t>If client applications or users wish to connect to IPv4 address
literals, the Happy Eyeballs engine will need to perform NAT64 address
synthesis for them. The solution is similar to "Bump-in-the-Host"
<xref target="RFC6535"/> but is implemented inside the Happy Eyeballs client.</t>
        <t>Note that some IPv4 prefixes are scoped to a given host or network,
such as 0.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, and
255.255.255.255/32, and therefore do not require NAT64 address
synthesis.</t>
      </section>
      <section anchor="pref64-detection">
        <name>Discovering and Utilizing PREF64</name>
        <t>When an IPv4 address is passed into the Happy Eyeballs implementation
instead of a hostname, it <bcp14>SHOULD</bcp14> use PREF64s received from Router
Advertisements <xref target="RFC8781"/>.</t>
        <t>With PREF64 available, networks might choose to not deploy DNS64, as
the latter has a number of disadvantages (see
<xref section="4.3.4" sectionFormat="comma" target="V6-MOSTLY"/>). To ensure
compatibility with such networks, if PREF64 is available, clients
<bcp14>SHOULD</bcp14> send an A query in addition to an AAAA query for a given
hostname. This allows the client to receive any existing IPv4 A
records and perform local NAT64 address synthesis, eliminating the
network's need to run DNS64.</t>
        <t>If the network does not provide PREF64s, the implementation <bcp14>SHOULD</bcp14>
query the network for the NAT64 prefix using "Discovery of the IPv6
Prefix Used for IPv6 Address Synthesis" <xref target="RFC7050"/>. It then
synthesizes an appropriate IPv6 address (or several) using the
encoding described in "IPv6 Addressing of IPv4/ IPv6 Translators"
<xref target="RFC6052"/>. The synthesized addresses are then inserted into the
list of addresses as if they were results from DNS A queries;
connection attempts follow the algorithm described above (see
<xref target="connections"/>).</t>
        <t>Such translation also applies to any IPv4 addresses received in A
records and IPv4 address hints received in SVCB records.</t>
      </section>
      <section anchor="dns64">
        <name>Supporting DNS64</name>
        <t>If PREF64 is not available and the NAT64 prefix cannot be discovered,
clients <bcp14>SHOULD</bcp14> assume the network is relying on DNS64 for IPv4-to-IPv6
address synthesis. In this scenario, clients will typically only
receive AAAA records from DNS queries, as DNS64 servers synthese these
records for IPv4-only domains.</t>
      </section>
      <section anchor="broken">
        <name>Hostnames with Broken AAAA Records</name>
        <t>At the time of writing, there exist a small but non-negligible number
of hostnames that resolve to valid A records and broken AAAA records,
which we define as AAAA records that contain seemingly valid IPv6
addresses but those addresses never reply when contacted on the usual
ports. These can be, for example, caused by:</t>
        <ul spacing="normal">
          <li>
            <t>Mistyping of the IPv6 address in the DNS zone configuration</t>
          </li>
          <li>
            <t>Routing black holes</t>
          </li>
          <li>
            <t>Service outages</t>
          </li>
        </ul>
        <t>While an algorithm complying with the other sections of this document
would correctly handle such hostnames on a dual-stack network, they
will not necessarily function correctly on IPv6-only networks with
NAT64 and DNS64. Since DNS64 recursive resolvers rely on the
authoritative name servers sending negative (no error, no data)
responses for AAAA records in order to synthesize, they will not
synthesize records for these particular hostnames and will instead
pass through the broken AAAA record.</t>
        <t>In order to support these scenarios, the client device needs to query
the DNS for the A record and then perform local synthesis. Since
these types of hostnames are rare and, in order to minimize load on
DNS servers, this A query should only be performed when the client
has given up on the AAAA records it initially received. This can be
achieved by using a longer timeout, referred to as the "Last Resort
Local Synthesis Delay"; the delay is recommended to be 2 seconds.
The timer is started when the last connection attempt is fired. If
no connection attempt has succeeded when this timer fires, the device
queries the DNS for the IPv4 address and, on reception of a valid A
record, treats it as if it were provided by the application (see
<xref target="literals"/>).</t>
      </section>
      <section anchor="virtual-private-networks">
        <name>Virtual Private Networks</name>
        <t>Some Virtual Private Networks (VPNs) may be configured to handle DNS
queries from the device. The configuration could encompass all
queries or a subset such as "*.internal.example.com". These VPNs can
also be configured to only route part of the IPv4 address space, such
as 192.0.2.0/24. However, if an internal hostname resolves to an
external IPv4 address, these can cause issues if the underlying
network is IPv6-only. As an example, let's assume that
"www.internal.example.com" has exactly one A record, 198.51.100.42,
and no AAAA records. The client will send the DNS query to the
company's recursive resolver and that resolver will reply with these
records. The device now only has an IPv4 address to connect to and
no route to that address. Since the company's resolver does not know
the NAT64 prefix of the underlying network, it cannot synthesize the
address. Similarly, the underlying network's DNS64 recursive
resolver does not know the company's internal addresses, so it cannot
resolve the hostname. Because of this, the client device needs to
resolve the A record using the company's resolver and then locally
synthesize an IPv6 address, as if the resolved IPv4 address were
provided by the application (<xref target="literals"/>).</t>
      </section>
    </section>
    <section anchor="summary-of-configurable-values">
      <name>Summary of Configurable Values</name>
      <t>The values that may be configured as defaults on a client for use in
Happy Eyeballs are as follows:</t>
      <ul spacing="normal">
        <li>
          <t>Resolution Delay (<xref target="resolution"/>): The time to wait for AAAA and/or SVCB/HTTPS
records after receiving an A record. Recommended to be 50 milliseconds.</t>
        </li>
        <li>
          <t>Preferred Address Family Count (<xref target="sorting"/>): The number of
endpoints belonging to the preferred address family (such as IPv6)
that should be attempted before attempting the next address family.
Recommended to be 1; 2 may be used to more aggressively favor a
particular combination of address family and protocol.</t>
        </li>
        <li>
          <t>Connection Attempt Delay (<xref target="connections"/>): The time to wait between
connection attempts in the absence of RTT data. Recommended to be
250 milliseconds.</t>
        </li>
        <li>
          <t>Minimum Connection Attempt Delay (<xref target="connections"/>): The minimum time to
wait between connection attempts. Recommended to be 100
milliseconds. <bcp14>MUST NOT</bcp14> be less than 10 milliseconds.</t>
        </li>
        <li>
          <t>Maximum Connection Attempt Delay (<xref target="connections"/>): The maximum time to
wait between connection attempts. Recommended to be 2 seconds.</t>
        </li>
        <li>
          <t>Last Resort Local Synthesis Delay (<xref target="broken"/>): The time to wait
after starting the last IPv6 attempt and before sending the A
query. Recommended to be 2 seconds.</t>
        </li>
      </ul>
      <t>The delay values described in this section were determined
empirically by measuring the timing of connections on a very wide set
of production devices. They were picked to reduce wait times noticed
by users while minimizing load on the network. As time passes, it is
expected that the properties of networks will evolve. For that
reason, it is expected that the values chosen by implementations
will change over time. Implementors <bcp14>MAY</bcp14> use values different from the
recommended values listed above, without changing this specification,
as long as they do not violate any of the normative requirements (such
as minimum delays).</t>
    </section>
    <section anchor="limitations">
      <name>Limitations</name>
      <t>Happy Eyeballs will handle initial connection failures at the transport
layer (such as TCP or QUIC); however, other failures or performance
issues may still affect the chosen connection.</t>
      <section anchor="path-maximum-transmission-unit-discovery">
        <name>Path Maximum Transmission Unit Discovery</name>
        <t>Connections that use TCP only (without TLS or another protocol on top)
perform connection racing only during the TCP handshake. Such connections
can encounter issues where the handshake (using small packets) completes
but then large packets are dropped or incorrectly handled by the network
due to a small MTU being configured on the network. Such issues might be
specific to IPv6 traffic due to the IPv6 header being
larger than the IPv4 header.</t>
        <t>This problem can also occur when TLS is used, but the larger
messages used in many TLS handshakes are often sufficient to
ensure maximum-size TCP segments are deliverable. For QUIC
connections, a minimum MTU of at least 1200 bytes
<xref section="8.1-5" sectionFormat="comma" target="RFC9000"/> is guaranteed, but there is a chance that
larger values may not be available.</t>
        <t>Solving these issues is out of scope of this document. One suggested
approach is to use "Packetization Layer Path MTU Discovery" <xref target="RFC4821"/>.</t>
      </section>
      <section anchor="application-layer">
        <name>Application Layer</name>
        <t>If the DNS returns multiple endpoints for different application
servers, the application itself may not be operational and functional
on all of them. Common examples include Transport Layer Security
(TLS) and HTTP.</t>
      </section>
      <section anchor="hiding-operational-issues">
        <name>Hiding Operational Issues</name>
        <t>It has been observed in practice that Happy Eyeballs can hide issues
in networks. For example, if a misconfiguration causes IPv6 to
consistently fail on a given network while IPv4 is still functional,
Happy Eyeballs may impair the operator's ability to notice the issue.
It is recommended that network operators deploy external means of
monitoring to ensure functionality of all address families.</t>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>Note that applications should not rely upon a stable
hostname-to-address mapping to ensure any security properties, since
DNS results may change between queries. Happy Eyeballs may make it
more likely that subsequent connections to a single hostname use
different IP addresses.</t>
      <t>When using HTTP, HTTPS resource records indicate that clients should
require HTTPS when connecting to an origin (see <xref section="9.5" sectionFormat="of" target="RFC9460"/>), so an active attacker can attempt a downgrade attack by
interfering with the successful delivery of HTTPS resource records.
When clients use insecure DNS mechanisms, any on-path attacker can
simply drop HTTPS resource records, so clients cannot tell the
difference between an attack and a resolver that fails to respond to
HTTPS queries.</t>
      <t>However, when using cryptographically protected DNS mechanisms, as
described in <xref section="3.1" sectionFormat="of" target="RFC9460"/>, both SVCB-reliant and
SVCB-optional clients <bcp14>MUST NOT</bcp14> send any unencrypted data after the TCP
handshake completes unless they have received a valid HTTPS response.
Those clients need to complete a TLS handshake before proceeding if
that response is non-negative.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document does not require any IANA actions.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="ECH">
          <front>
            <title>TLS Encrypted Client Hello</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="K. Oku" initials="K." surname="Oku"/>
            <author fullname="N. Sullivan" initials="N." surname="Sullivan"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <date month="March" year="2026"/>
            <abstract>
              <t>This document describes a mechanism in Transport Layer Security (TLS) for encrypting a message under a server public key.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9849"/>
          <seriesInfo name="DOI" value="10.17487/RFC9849"/>
        </reference>
        <reference anchor="SVCB">
          <front>
            <title>Service Binding and Parameter Specification via the DNS (SVCB and HTTPS Resource Records)</title>
            <author fullname="B. Schwartz" initials="B." surname="Schwartz"/>
            <author fullname="M. Bishop" initials="M." surname="Bishop"/>
            <author fullname="E. Nygren" initials="E." surname="Nygren"/>
            <date month="November" year="2023"/>
            <abstract>
              <t>This document specifies the "SVCB" ("Service Binding") and "HTTPS" DNS resource record (RR) types to facilitate the lookup of information needed to make connections to network services, such as for HTTP origins. SVCB records allow a service to be provided from multiple alternative endpoints, each with associated parameters (such as transport protocol configuration), and are extensible to support future uses (such as keys for encrypting the TLS ClientHello). They also enable aliasing of apex domains, which is not possible with CNAME. The HTTPS RR is a variation of SVCB for use with HTTP (see RFC 9110, "HTTP Semantics"). By providing more information to the client before it attempts to establish a connection, these records offer potential benefits to both performance and privacy.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9460"/>
          <seriesInfo name="DOI" value="10.17487/RFC9460"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="SVCB-ECH">
          <front>
            <title>Bootstrapping TLS Encrypted ClientHello with DNS Service Bindings</title>
            <author fullname="B. Schwartz" initials="B." surname="Schwartz"/>
            <author fullname="M. Bishop" initials="M." surname="Bishop"/>
            <author fullname="E. Nygren" initials="E." surname="Nygren"/>
            <date month="March" year="2026"/>
            <abstract>
              <t>To use TLS Encrypted ClientHello (ECH), the client needs to learn the ECH configuration for a server before it attempts a connection to the server. This specification provides a mechanism for conveying the ECH configuration information via DNS, using a SVCB or HTTPS resource record (RR).</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9848"/>
          <seriesInfo name="DOI" value="10.17487/RFC9848"/>
        </reference>
        <reference anchor="RFC6724">
          <front>
            <title>Default Address Selection for Internet Protocol Version 6 (IPv6)</title>
            <author fullname="D. Thaler" initials="D." role="editor" surname="Thaler"/>
            <author fullname="R. Draves" initials="R." surname="Draves"/>
            <author fullname="A. Matsumoto" initials="A." surname="Matsumoto"/>
            <author fullname="T. Chown" initials="T." surname="Chown"/>
            <date month="September" year="2012"/>
            <abstract>
              <t>This document describes two algorithms, one for source address selection and one for destination address selection. The algorithms specify default behavior for all Internet Protocol version 6 (IPv6) implementations. They do not override choices made by applications or upper-layer protocols, nor do they preclude the development of more advanced mechanisms for address selection. The two algorithms share a common context, including an optional mechanism for allowing administrators to provide policy that can override the default behavior. In dual-stack implementations, the destination address selection algorithm can consider both IPv4 and IPv6 addresses -- depending on the available source addresses, the algorithm might prefer IPv6 addresses over IPv4 addresses, or vice versa.</t>
              <t>Default address selection as defined in this specification applies to all IPv6 nodes, including both hosts and routers. This document obsoletes RFC 3484. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6724"/>
          <seriesInfo name="DOI" value="10.17487/RFC6724"/>
        </reference>
        <reference anchor="RFC6724-UPDATE">
          <front>
            <title>Prioritizing known-local IPv6 ULAs through address selection policy</title>
            <author fullname="Nick Buraglio" initials="N." surname="Buraglio">
              <organization>Energy Sciences Network</organization>
            </author>
            <author fullname="Tim Chown" initials="T." surname="Chown">
              <organization>Jisc</organization>
            </author>
            <author fullname="Jeremy Duncan" initials="J." surname="Duncan">
              <organization>Tachyon Dynamics</organization>
            </author>
            <date day="11" month="August" year="2025"/>
            <abstract>
              <t>   This document updates the default address selection algorithm for
   Internet Protocol Version 6 (IPv6), originally specified in RFC 6724,
   based on accumulated operational experience.  It introduces the
   concept of "known-local" Unique Local Address (ULA) prefixes within
   the fd00::/8 block and specifies that ULA-to-ULA communications using
   such prefixes should be preferred over both IPv4-to-IPv4 and GUA-to-
   GUA (Global Unicast Address) communications in local use scenarios.
   The document defines mechanisms for nodes to identify and incorporate
   known-local prefixes into their address selection policy tables.  It
   introduces a requirement to implement Rule 5.5 of RFC 6724 and
   reduces the default precedence for 6to4 addresses.  These updates
   enhance the supportability of typical deployment environments,
   including automatic and unmanaged configurations, and promote
   consistent IPv6-over-IPv4 precedence behavior for both ULA and GUA
   within local networks.  The document acknowledges that certain
   atypical deployment models may require explicit configuration to
   achieve intended operational outcomes.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-6man-rfc6724-update-25"/>
        </reference>
        <reference anchor="RFC6298">
          <front>
            <title>Computing TCP's Retransmission Timer</title>
            <author fullname="V. Paxson" initials="V." surname="Paxson"/>
            <author fullname="M. Allman" initials="M." surname="Allman"/>
            <author fullname="J. Chu" initials="J." surname="Chu"/>
            <author fullname="M. Sargent" initials="M." surname="Sargent"/>
            <date month="June" year="2011"/>
            <abstract>
              <t>This document defines the standard algorithm that Transmission Control Protocol (TCP) senders are required to use to compute and manage their retransmission timer. It expands on the discussion in Section 4.2.3.1 of RFC 1122 and upgrades the requirement of supporting the algorithm from a SHOULD to a MUST. This document obsoletes RFC 2988. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6298"/>
          <seriesInfo name="DOI" value="10.17487/RFC6298"/>
        </reference>
        <reference anchor="RFC6146">
          <front>
            <title>Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers</title>
            <author fullname="M. Bagnulo" initials="M." surname="Bagnulo"/>
            <author fullname="P. Matthews" initials="P." surname="Matthews"/>
            <author fullname="I. van Beijnum" initials="I." surname="van Beijnum"/>
            <date month="April" year="2011"/>
            <abstract>
              <t>This document describes stateful NAT64 translation, which allows IPv6-only clients to contact IPv4 servers using unicast UDP, TCP, or ICMP. One or more public IPv4 addresses assigned to a NAT64 translator are shared among several IPv6-only clients. When stateful NAT64 is used in conjunction with DNS64, no changes are usually required in the IPv6 client or the IPv4 server.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6146"/>
          <seriesInfo name="DOI" value="10.17487/RFC6146"/>
        </reference>
        <reference anchor="RFC6147">
          <front>
            <title>DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers</title>
            <author fullname="M. Bagnulo" initials="M." surname="Bagnulo"/>
            <author fullname="A. Sullivan" initials="A." surname="Sullivan"/>
            <author fullname="P. Matthews" initials="P." surname="Matthews"/>
            <author fullname="I. van Beijnum" initials="I." surname="van Beijnum"/>
            <date month="April" year="2011"/>
            <abstract>
              <t>DNS64 is a mechanism for synthesizing AAAA records from A records. DNS64 is used with an IPv6/IPv4 translator to enable client-server communication between an IPv6-only client and an IPv4-only server, without requiring any changes to either the IPv6 or the IPv4 node, for the class of applications that work through NATs. This document specifies DNS64, and provides suggestions on how it should be deployed in conjunction with IPv6/IPv4 translators. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6147"/>
          <seriesInfo name="DOI" value="10.17487/RFC6147"/>
        </reference>
        <reference anchor="RFC8781">
          <front>
            <title>Discovering PREF64 in Router Advertisements</title>
            <author fullname="L. Colitti" initials="L." surname="Colitti"/>
            <author fullname="J. Linkova" initials="J." surname="Linkova"/>
            <date month="April" year="2020"/>
            <abstract>
              <t>This document specifies a Neighbor Discovery option to be used in Router Advertisements (RAs) to communicate prefixes of Network Address and Protocol Translation from IPv6 clients to IPv4 servers (NAT64) to hosts.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8781"/>
          <seriesInfo name="DOI" value="10.17487/RFC8781"/>
        </reference>
        <reference anchor="RFC6535">
          <front>
            <title>Dual-Stack Hosts Using "Bump-in-the-Host" (BIH)</title>
            <author fullname="B. Huang" initials="B." surname="Huang"/>
            <author fullname="H. Deng" initials="H." surname="Deng"/>
            <author fullname="T. Savolainen" initials="T." surname="Savolainen"/>
            <date month="February" year="2012"/>
            <abstract>
              <t>Bump-in-the-Host (BIH) is a host-based IPv4 to IPv6 protocol translation mechanism that allows a class of IPv4-only applications that work through NATs to communicate with IPv6-only peers. The host on which applications are running may be connected to IPv6-only or dual-stack access networks. BIH hides IPv6 and makes the IPv4-only applications think they are talking with IPv4 peers by local synthesis of IPv4 addresses. This document obsoletes RFC 2767 and RFC 3338. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6535"/>
          <seriesInfo name="DOI" value="10.17487/RFC6535"/>
        </reference>
        <reference anchor="RFC7050">
          <front>
            <title>Discovery of the IPv6 Prefix Used for IPv6 Address Synthesis</title>
            <author fullname="T. Savolainen" initials="T." surname="Savolainen"/>
            <author fullname="J. Korhonen" initials="J." surname="Korhonen"/>
            <author fullname="D. Wing" initials="D." surname="Wing"/>
            <date month="November" year="2013"/>
            <abstract>
              <t>This document describes a method for detecting the presence of DNS64 and for learning the IPv6 prefix used for protocol translation on an access network. The method depends on the existence of a well-known IPv4-only fully qualified domain name "ipv4only.arpa.". The information learned enables nodes to perform local IPv6 address synthesis and to potentially avoid NAT64 on dual-stack and multi-interface deployments.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7050"/>
          <seriesInfo name="DOI" value="10.17487/RFC7050"/>
        </reference>
        <reference anchor="RFC6052">
          <front>
            <title>IPv6 Addressing of IPv4/IPv6 Translators</title>
            <author fullname="C. Bao" initials="C." surname="Bao"/>
            <author fullname="C. Huitema" initials="C." surname="Huitema"/>
            <author fullname="M. Bagnulo" initials="M." surname="Bagnulo"/>
            <author fullname="M. Boucadair" initials="M." surname="Boucadair"/>
            <author fullname="X. Li" initials="X." surname="Li"/>
            <date month="October" year="2010"/>
            <abstract>
              <t>This document discusses the algorithmic translation of an IPv6 address to a corresponding IPv4 address, and vice versa, using only statically configured information. It defines a well-known prefix for use in algorithmic translations, while allowing organizations to also use network-specific prefixes when appropriate. Algorithmic translation is used in IPv4/IPv6 translators, as well as other types of proxies and gateways (e.g., for DNS) used in IPv4/IPv6 scenarios. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6052"/>
          <seriesInfo name="DOI" value="10.17487/RFC6052"/>
        </reference>
        <reference anchor="RFC9000">
          <front>
            <title>QUIC: A UDP-Based Multiplexed and Secure Transport</title>
            <author fullname="J. Iyengar" initials="J." role="editor" surname="Iyengar"/>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9000"/>
          <seriesInfo name="DOI" value="10.17487/RFC9000"/>
        </reference>
        <reference anchor="RFC4821">
          <front>
            <title>Packetization Layer Path MTU Discovery</title>
            <author fullname="M. Mathis" initials="M." surname="Mathis"/>
            <author fullname="J. Heffner" initials="J." surname="Heffner"/>
            <date month="March" year="2007"/>
            <abstract>
              <t>This document describes a robust method for Path MTU Discovery (PMTUD) that relies on TCP or some other Packetization Layer to probe an Internet path with progressively larger packets. This method is described as an extension to RFC 1191 and RFC 1981, which specify ICMP-based Path MTU Discovery for IP versions 4 and 6, respectively. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4821"/>
          <seriesInfo name="DOI" value="10.17487/RFC4821"/>
        </reference>
        <reference anchor="RFC9460">
          <front>
            <title>Service Binding and Parameter Specification via the DNS (SVCB and HTTPS Resource Records)</title>
            <author fullname="B. Schwartz" initials="B." surname="Schwartz"/>
            <author fullname="M. Bishop" initials="M." surname="Bishop"/>
            <author fullname="E. Nygren" initials="E." surname="Nygren"/>
            <date month="November" year="2023"/>
            <abstract>
              <t>This document specifies the "SVCB" ("Service Binding") and "HTTPS" DNS resource record (RR) types to facilitate the lookup of information needed to make connections to network services, such as for HTTP origins. SVCB records allow a service to be provided from multiple alternative endpoints, each with associated parameters (such as transport protocol configuration), and are extensible to support future uses (such as keys for encrypting the TLS ClientHello). They also enable aliasing of apex domains, which is not possible with CNAME. The HTTPS RR is a variation of SVCB for use with HTTP (see RFC 9110, "HTTP Semantics"). By providing more information to the client before it attempts to establish a connection, these records offer potential benefits to both performance and privacy.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9460"/>
          <seriesInfo name="DOI" value="10.17487/RFC9460"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="HEV2">
          <front>
            <title>Happy Eyeballs Version 2: Better Connectivity Using Concurrency</title>
            <author fullname="D. Schinazi" initials="D." surname="Schinazi"/>
            <author fullname="T. Pauly" initials="T." surname="Pauly"/>
            <date month="December" year="2017"/>
            <abstract>
              <t>Many communication protocols operating over the modern Internet use hostnames. These often resolve to multiple IP addresses, each of which may have different performance and connectivity characteristics. Since specific addresses or address families (IPv4 or IPv6) may be blocked, broken, or sub-optimal on a network, clients that attempt multiple connections in parallel have a chance of establishing a connection more quickly. This document specifies requirements for algorithms that reduce this user-visible delay and provides an example algorithm, referred to as "Happy Eyeballs". This document obsoletes the original algorithm description in RFC 6555.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8305"/>
          <seriesInfo name="DOI" value="10.17487/RFC8305"/>
        </reference>
        <reference anchor="RFC6555">
          <front>
            <title>Happy Eyeballs: Success with Dual-Stack Hosts</title>
            <author fullname="D. Wing" initials="D." surname="Wing"/>
            <author fullname="A. Yourtchenko" initials="A." surname="Yourtchenko"/>
            <date month="April" year="2012"/>
            <abstract>
              <t>When a server's IPv4 path and protocol are working, but the server's IPv6 path and protocol are not working, a dual-stack client application experiences significant connection delay compared to an IPv4-only client. This is undesirable because it causes the dual- stack client to have a worse user experience. This document specifies requirements for algorithms that reduce this user-visible delay and provides an algorithm. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6555"/>
          <seriesInfo name="DOI" value="10.17487/RFC6555"/>
        </reference>
        <reference anchor="HTTP3">
          <front>
            <title>HTTP/3</title>
            <author fullname="M. Bishop" initials="M." role="editor" surname="Bishop"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The QUIC transport protocol has several features that are desirable in a transport for HTTP, such as stream multiplexing, per-stream flow control, and low-latency connection establishment. This document describes a mapping of HTTP semantics over QUIC. This document also identifies HTTP/2 features that are subsumed by QUIC and describes how HTTP/2 extensions can be ported to HTTP/3.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9114"/>
          <seriesInfo name="DOI" value="10.17487/RFC9114"/>
        </reference>
        <reference anchor="AltSvc">
          <front>
            <title>HTTP Alternative Services</title>
            <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
            <author fullname="P. McManus" initials="P." surname="McManus"/>
            <author fullname="J. Reschke" initials="J." surname="Reschke"/>
            <date month="April" year="2016"/>
            <abstract>
              <t>This document specifies "Alternative Services" for HTTP, which allow an origin's resources to be authoritatively available at a separate network location, possibly accessed with a different protocol configuration.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7838"/>
          <seriesInfo name="DOI" value="10.17487/RFC7838"/>
        </reference>
        <reference anchor="IPV6">
          <front>
            <title>Internet Protocol, Version 6 (IPv6) Specification</title>
            <author fullname="S. Deering" initials="S." surname="Deering"/>
            <author fullname="R. Hinden" initials="R." surname="Hinden"/>
            <date month="July" year="2017"/>
            <abstract>
              <t>This document specifies version 6 of the Internet Protocol (IPv6). It obsoletes RFC 2460.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="86"/>
          <seriesInfo name="RFC" value="8200"/>
          <seriesInfo name="DOI" value="10.17487/RFC8200"/>
        </reference>
        <reference anchor="QUIC">
          <front>
            <title>QUIC: A UDP-Based Multiplexed and Secure Transport</title>
            <author fullname="J. Iyengar" initials="J." role="editor" surname="Iyengar"/>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9000"/>
          <seriesInfo name="DOI" value="10.17487/RFC9000"/>
        </reference>
        <reference anchor="OPTIMISTIC-DNS">
          <front>
            <title>Optimistic DNS</title>
            <author fullname="Gautam Akiwate" initials="G." surname="Akiwate">
              <organization>Apple Inc.</organization>
            </author>
            <author fullname="Phil Flack" initials="P." surname="Flack">
              <organization>Apple Inc.</organization>
            </author>
            <author fullname="Stuart Cheshire" initials="S." surname="Cheshire">
              <organization>Apple Inc.</organization>
            </author>
            <date day="3" month="June" year="2026"/>
            <abstract>
              <t>   DNS lookups introduce user-visible delay, particularly when cached
   records have expired and must be refreshed from the network.  This
   document describes Optimistic DNS, a client-side stub resolver
   mechanism that immediately returns expired cached DNS records to
   applications while simultaneously refreshing them with a network
   query.  The application receives an answer in microseconds rather
   than milliseconds, and if the data has changed receives an updated
   answer shortly thereafter.  Optimistic DNS is complementary to RFC
   8767, which addresses serving stale data at recursive resolvers.
   This document focuses exclusively on client-side stub resolver
   behavior, including explicit signaling from the application to inform
   the stub resolver that the application is able to handle old and
   possibly incorrect information.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-gakiwate-dnsop-optimistic-dns-00"/>
        </reference>
        <reference anchor="RFC7413">
          <front>
            <title>TCP Fast Open</title>
            <author fullname="Y. Cheng" initials="Y." surname="Cheng"/>
            <author fullname="J. Chu" initials="J." surname="Chu"/>
            <author fullname="S. Radhakrishnan" initials="S." surname="Radhakrishnan"/>
            <author fullname="A. Jain" initials="A." surname="Jain"/>
            <date month="December" year="2014"/>
            <abstract>
              <t>This document describes an experimental TCP mechanism called TCP Fast Open (TFO). TFO allows data to be carried in the SYN and SYN-ACK packets and consumed by the receiving end during the initial connection handshake, and saves up to one full round-trip time (RTT) compared to the standard TCP, which requires a three-way handshake (3WHS) to complete before data can be exchanged. However, TFO deviates from the standard TCP semantics, since the data in the SYN could be replayed to an application in some rare circumstances. Applications should not use TFO unless they can tolerate this issue, as detailed in the Applicability section.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7413"/>
          <seriesInfo name="DOI" value="10.17487/RFC7413"/>
        </reference>
        <reference anchor="RFC7556">
          <front>
            <title>Multiple Provisioning Domain Architecture</title>
            <author fullname="D. Anipko" initials="D." role="editor" surname="Anipko"/>
            <date month="June" year="2015"/>
            <abstract>
              <t>This document is a product of the work of the Multiple Interfaces Architecture Design team. It outlines a solution framework for some of the issues experienced by nodes that can be attached to multiple networks simultaneously. The framework defines the concept of a Provisioning Domain (PvD), which is a consistent set of network configuration information. PvD-aware nodes learn PvD-specific information from the networks they are attached to and/or other sources. PvDs are used to enable separation and configuration consistency in the presence of multiple concurrent connections.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7556"/>
          <seriesInfo name="DOI" value="10.17487/RFC7556"/>
        </reference>
        <reference anchor="RFC9002">
          <front>
            <title>QUIC Loss Detection and Congestion Control</title>
            <author fullname="J. Iyengar" initials="J." role="editor" surname="Iyengar"/>
            <author fullname="I. Swett" initials="I." role="editor" surname="Swett"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document describes loss detection and congestion control mechanisms for QUIC.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9002"/>
          <seriesInfo name="DOI" value="10.17487/RFC9002"/>
        </reference>
        <reference anchor="RFC8446">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC9001">
          <front>
            <title>Using TLS to Secure QUIC</title>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <author fullname="S. Turner" initials="S." role="editor" surname="Turner"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document describes how Transport Layer Security (TLS) is used to secure QUIC.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9001"/>
          <seriesInfo name="DOI" value="10.17487/RFC9001"/>
        </reference>
        <reference anchor="DNSSEC">
          <front>
            <title>DNS Security Extensions (DNSSEC)</title>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="February" year="2023"/>
            <abstract>
              <t>This document describes the DNS Security Extensions (commonly called "DNSSEC") that are specified in RFCs 4033, 4034, and 4035, as well as a handful of others. One purpose is to introduce all of the RFCs in one place so that the reader can understand the many aspects of DNSSEC. This document does not update any of those RFCs. A second purpose is to state that using DNSSEC for origin authentication of DNS data is the best current practice. A third purpose is to provide a single reference for other documents that want to refer to DNSSEC.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="237"/>
          <seriesInfo name="RFC" value="9364"/>
          <seriesInfo name="DOI" value="10.17487/RFC9364"/>
        </reference>
        <reference anchor="DOT">
          <front>
            <title>Specification for DNS over Transport Layer Security (TLS)</title>
            <author fullname="Z. Hu" initials="Z." surname="Hu"/>
            <author fullname="L. Zhu" initials="L." surname="Zhu"/>
            <author fullname="J. Heidemann" initials="J." surname="Heidemann"/>
            <author fullname="A. Mankin" initials="A." surname="Mankin"/>
            <author fullname="D. Wessels" initials="D." surname="Wessels"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <date month="May" year="2016"/>
            <abstract>
              <t>This document describes the use of Transport Layer Security (TLS) to provide privacy for DNS. Encryption provided by TLS eliminates opportunities for eavesdropping and on-path tampering with DNS queries in the network, such as discussed in RFC 7626. In addition, this document specifies two usage profiles for DNS over TLS and provides advice on performance considerations to minimize overhead from using TCP and TLS with DNS.</t>
              <t>This document focuses on securing stub-to-recursive traffic, as per the charter of the DPRIVE Working Group. It does not prevent future applications of the protocol to recursive-to-authoritative traffic.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7858"/>
          <seriesInfo name="DOI" value="10.17487/RFC7858"/>
        </reference>
        <reference anchor="DOH">
          <front>
            <title>DNS Queries over HTTPS (DoH)</title>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <author fullname="P. McManus" initials="P." surname="McManus"/>
            <date month="October" year="2018"/>
            <abstract>
              <t>This document defines a protocol for sending DNS queries and getting DNS responses over HTTPS. Each DNS query-response pair is mapped into an HTTP exchange.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8484"/>
          <seriesInfo name="DOI" value="10.17487/RFC8484"/>
        </reference>
        <reference anchor="DOQ">
          <front>
            <title>DNS over Dedicated QUIC Connections</title>
            <author fullname="C. Huitema" initials="C." surname="Huitema"/>
            <author fullname="S. Dickinson" initials="S." surname="Dickinson"/>
            <author fullname="A. Mankin" initials="A." surname="Mankin"/>
            <date month="May" year="2022"/>
            <abstract>
              <t>This document describes the use of QUIC to provide transport confidentiality for DNS. The encryption provided by QUIC has similar properties to those provided by TLS, while QUIC transport eliminates the head-of-line blocking issues inherent with TCP and provides more efficient packet-loss recovery than UDP. DNS over QUIC (DoQ) has privacy properties similar to DNS over TLS (DoT) specified in RFC 7858, and latency characteristics similar to classic DNS over UDP. This specification describes the use of DoQ as a general-purpose transport for DNS and includes the use of DoQ for stub to recursive, recursive to authoritative, and zone transfer scenarios.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9250"/>
          <seriesInfo name="DOI" value="10.17487/RFC9250"/>
        </reference>
        <reference anchor="I-D.ietf-tls-key-share-prediction">
          <front>
            <title>TLS Key Share Prediction</title>
            <author fullname="David Benjamin" initials="D." surname="Benjamin">
              <organization>Google LLC</organization>
            </author>
            <date day="19" month="March" year="2026"/>
            <abstract>
              <t>   This document defines a mechanism for servers to communicate
   supported key share algorithms in DNS.  Clients may use this
   information to reduce TLS handshake round-trips.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-key-share-prediction-04"/>
        </reference>
        <reference anchor="RFC8765">
          <front>
            <title>DNS Push Notifications</title>
            <author fullname="T. Pusateri" initials="T." surname="Pusateri"/>
            <author fullname="S. Cheshire" initials="S." surname="Cheshire"/>
            <date month="June" year="2020"/>
            <abstract>
              <t>The Domain Name System (DNS) was designed to return matching records efficiently for queries for data that are relatively static. When those records change frequently, DNS is still efficient at returning the updated results when polled, as long as the polling rate is not too high. But, there exists no mechanism for a client to be asynchronously notified when these changes occur. This document defines a mechanism for a client to be notified of such changes to DNS records, called DNS Push Notifications.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8765"/>
          <seriesInfo name="DOI" value="10.17487/RFC8765"/>
        </reference>
        <reference anchor="RFC6877">
          <front>
            <title>464XLAT: Combination of Stateful and Stateless Translation</title>
            <author fullname="M. Mawatari" initials="M." surname="Mawatari"/>
            <author fullname="M. Kawashima" initials="M." surname="Kawashima"/>
            <author fullname="C. Byrne" initials="C." surname="Byrne"/>
            <date month="April" year="2013"/>
            <abstract>
              <t>This document describes an architecture (464XLAT) for providing limited IPv4 connectivity across an IPv6-only network by combining existing and well-known stateful protocol translation (as described in RFC 6146) in the core and stateless protocol translation (as described in RFC 6145) at the edge. 464XLAT is a simple and scalable technique to quickly deploy limited IPv4 access service to IPv6-only edge networks without encapsulation.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6877"/>
          <seriesInfo name="DOI" value="10.17487/RFC6877"/>
        </reference>
        <reference anchor="V6-MOSTLY">
          <front>
            <title>IPv6-mostly Networks: Deployment and Operations Considerations</title>
            <author fullname="Nick Buraglio" initials="N." surname="Buraglio">
              <organization>Energy Sciences Network</organization>
            </author>
            <author fullname="Ondřej Caletka" initials="O." surname="Caletka">
              <organization>RIPE NCC</organization>
            </author>
            <author fullname="Jen Linkova" initials="J." surname="Linkova">
              <organization>Google</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   This document discusses a deployment scenario called "an IPv6-mostly
   network", when IPv6-only and IPv4-enabled endpoints coexist on the
   same network (network segment, VLAN, SSID etc).  The proposed
   approach enables smooth and incremental transition from dual-stack to
   IPv6-only network by allowing IPv6-capable devices to remain
   IPv6-only while the network is seamlessly supplying IPv4 to those
   that require it.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-v6ops-6mops-07"/>
        </reference>
      </references>
    </references>
    <?line 1208?>

<section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The authors thank Dan Wing, Andrew Yourtchenko, and everyone else who
worked on the original Happy Eyeballs design <xref target="RFC6555"/>, Josh
Graessley, Stuart Cheshire, and the rest of team at Apple that helped
implement and instrument this algorithm, and Jason Fesler and Paul
Saab who helped measure and refine this algorithm. The authors would
also like to thank Fred Baker, Nick Chettle, Lorenzo Colitti, Igor
Gashinsky, Geoff Huston, Jen Linkova, Paul Hoffman, Philip Homburg,
Warren Kumari, Erik Nygren, Jordi Palet Martinez, Rui Paulo, Stephen
Strowes, Jinmei Tatuya, Dave Thaler, Joe Touch, and James Woodyatt
for their input and contributions.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+1963LcRpbm/3wKLPXDZG9ViaQoWpanp5uW5JZ6dBuTtsex
sRFGVaFYaKGAGiSKdFmjeZZ9ln2yPdfMkwAouac9Ez0b9sS0SBDI68lzP19O
p1PXlV1VPM4Onufb7T57ti/meVX57Lui9WVTZw8eZ18VXVe02ZOmrotFV96U
3T771pf1NT5a7Nq2qBf7A5fP521xM2zp5sGBW+Rdcd20+8eZ75bOLZtFnW+g
12Wbr7ppWXSr6Rq/4v8t5NPpzYPp8Znzu/mm9Diabr+Fj148u/ra1bvNvGgf
uyW0/NgtmtoXtd/5x1nX7goHw3jg8rbIH2ffv7hyt0377rptdtvH2fOLt29/
yL6HBziBP+FD967YwxvLxy6bZuX25lz+PcN/23wBL+JP3WKL//zrrlzgv/5m
Mcd/i8Xa3RT1DkaRZbYT+JXHm3aWZZu8rB5nNNM/4tRnTQsdZHm7WMPjrtv6
x/fv40v4pLwpZvrSfXxwf942t764T9/fxz7Lbr2bP85oFW+veQnv88ryopr1
hPcrWDHfwT5pV7/ow/uf3KrZuttUB87lu27dtLiY0FmWrXZVxZt91Ww2++xt
vqv29BeYUV6XP+cd7Ozj7GK7rYrsRb2gvxW8SAfdFl//Y45/nC2azcGw2af5
TbnMLmGp6vznUlt+nP2paa6hxZcvnyQtLr28Scv6x2t8fEfLr8vlusz+nP9l
98lWa3z1L/DmH6/phTta/KeiLqH77IVfl/Mc/mdkIe7ogV5PWnd1027goxsg
PVfWK/Obm06nWT73HZBv59yrvN5n8M1mB91TN9m2bbpm0cD5bLZFC8+AQJsb
OObdusg2zbJoa9gMOPd10WU7X7h14zuchJ9lV+vCF1mz6oo6awvfVDdF1jXZ
Zld1JW3i2yxfLuEvvvCTrMgXa3jZ3a5h6kD8eyB9+GBZrlYFsI4ug/5p7PWi
yPJ6CQONjMYt1jnOoWhL35UL6PyyxPf8tliUq3IRO4JV1F+yVb4pqxKeHb54
C8cY/gL/nh9R5/Mim1fN4l2xnGRwlN4V9QQ/BSYzbbZducmrDJYnz2DeyDYm
2QJaqjvvunXeZTmwws22i3PVwQIDykpYVhhtVRUVzzHPYPg4XJg+nLl8XpWw
ibDSufkOVrstiK28q/a4uKXPgEHuNrg2y2JV1jAR2BWXV8BC4bBvMliuPps9
mECjHTCjuvzXXUFvtMVyh8wLt6+d3pS+nFeFWxZVvvc4x+Uur6YwqsW7DDfX
9/vebZG5Ut9Z6BsILfvm6yfZowfHD2dMZ5tyuYSG3T0kmLaBTnFav1HdfyOq
c+5Ossv+CrJzd5Jd9imyc9RlSUOzhLcs/KItt/QcZvr+/R+eP/vu9PdAgkiB
Hz5MMtphV3a+qFZZMwfCKLpiiW/CS+cPH8JLNL8i6ykmcWLNSuR8srBAXEJn
S1fUy21TwobAEvvMF0CzsGUwi+uCXsxvGhBCMkn4HYeO84fRFTW+7baNp5Wg
AcOCQNNb7Ak7pb2Gw1HieEokX78DqoWetm0B9NqiCiJN4mCRrpB8aHtuUFOY
A+WBWgZ/i0esKt/BnK+u3t5/QOsGPz3Ahfvi5OTswwckenf18jJ7Vi/a/RaX
7AmP43lRVQ188T+ePXlO7z86+wLWsM+ZSr/Y4RGAM3qLU6bdg33Lnr6+BMKC
swNLg9PHZWq7PgFOMv7O+abtaCZAph3OALYc3maGEQ9aWywKEG7LbNU2G+oj
r/0taKkTh8dXBgHbWFBjhtLl9Hihgk3+F1g6ZQTw+hzOXAHDTImdj8ASia6z
E6fe3r9HKoRFLOWMLJdMujB8v9tucUp4Fi6/e/JVdp824ZKIadcuCgdTAXXT
4xLjC7TGZ+fHuMb0gf4dthJUGxwUckSS7YYQcRxB6uM0580OWAVoSn1uq0Oa
xL12vb2GrYbZgCIMtKf8bI3dTKifBiaJJ7sqbnJiDx0QnXfcJS4AkPpNuYBt
mhe00YsF7tpylj0FMkEOj0/74wFWQJRNp2zHRKGEj6sntEsC4p+/ffEElx2J
GE89nGBQg91ue93mS2xcd9GIGN5StlC6MYqYgDTzXZEvcd9u85KIdMV82RdA
w3XgvXSq8fjZJUdSdLw2S5nnPtsUyH5Lv/FhMjjq7CLuYnYpy+XgXMLzy5sF
EsHnjx484oOGkk6pYJHXKD74RC1h4g0M8hZoNLugM3wB/+nLvFvEKYiHLgcE
7fWkwBhBahPB4QZs0YKiSZYbpLvkBAUpggdghpIeTT+wephRYp9PA/v2fMyA
lrJbmsDBq28vr0BQ0L/Z6zf08zfPYEe/efYUf758fvHyZfjByRuXz998+/Jp
/Cl++eTNq1fPXj/lj+FpljxyB68ufjjglTh48/bqxZvXFy8PBucY7C3SH+a4
pbAzwGlpvVASociZ89n/6snb//t/Ts7wrMIOnZ6cACuUXx6dfI58FFmcnJK6
2suvsAV7B2exyFtsBagV9nFbdnmFewSUAbtQZ0A4BSzn7/4Xrsz/fpz9w3yx
PTn7R3mAE04e6polD2nNhk8GH/Mijjwa6SasZvK8t9LpeC9+SH7XdTcP/+EP
FdBfNj159Id/BAsFiOjNDR6D4vYu7SOHswS2JJ3Ou6hxkqF6SDTv+p6HJ/Gb
y6LbbQ9EhsFbbYP6oZHlbomqXr0AMQxPCw9G1Mksu/D7erFum7rZ+SyyKRxQ
nqluivTTJFIrMunD9+/jZx8+HFGrlw2LQ2gFj6oqGXc34fkD/f4FS1odiB3j
CJPDBoxaEwaxIx4Ntmm6oNhkU6cCFNVj1CirSnsVrvexPl43HYrivOufO+/h
B69/KkTHIVG8bUB47YkF44aOaAKsZcMroHG1XjQhFBCoc8/4d9xWUOz3+H3Z
5qh+woaDwo+6Fa5yeY2SXQ4/szscmo8tIWN+8fa7c1I0T4+PRYdM5lH55hdN
hkdKAgzbd1dP3s7kV2QYLQiaskVTAlZ9C2oxmD4wtLApQGm+ACFmt2TiNjn5
lMqOdXgYNlhaYAfwvKALVPmwE9IujmUGL5jikHJRdYEGV+X1Tj7qG0hhJp74
GaktG5j6Mg+GR7qzIqmK3OMO5cscNQ0SF8/1qHwTz9D7e+ZkOPc9aoq56sKo
V7V7nGFvKQxZototpx8nBMK8A/upWJIUAxWlaDfIcNgCHDtbuHo4ZjQ07+yG
xLEOS44qK33hiLr5HraoJjXEKr9sVoJhxmo+KYqss86YlrzMRCUOC+e4CKJR
e9sq6Z/2zFd7keU+7cHduwdsL47qn+V7Uf3gJJWt5xUbWzD8RDVWVS/QBgEJ
V4I0A1ZZ7ZbI+8J08dTaDQknBoxm8iXDz3PgrSgos3Kls8TTemCt7wPYEBw0
nkNaQzzUM/dCyG0BTUz6X1DfAyZBnZMa73K03G5IN+2yCki0o/MGNjnYcfqZ
MGRlMWhosHUJ64MbLMdT1KykobqppyDf3kmLLSjG5IVxYh6YYc36xI4rMAeG
ms448UhMMkPcjsaCqrddemqBlEFsIaiEs+yNcSyQ4uiI71Bngz5oc6n9nFpn
ZtxrzdnWMm2tP+IunhtqtShJZmDj7hcOnpwk1H4yGvjPhTeWxVaoXBR+HZxy
t5yP8WVRAE+8OcfmPnwgVwX5QMSQFWlKR0mo73y6ATLGzmVLpjQUaR+P2Is6
mn7kLoBBejrsY3NJRsqEZc01oNbEXZOascElRCxLenKypmQ2isV0mUX7Ep+j
RfE1Ho/YlecT5sguCZ8d8pmmMzJ4N/u+mF82RP1HLA5ka0WJHJBMMhRYqgug
ADlflkfK53O0y9HUBabYoLRfYcgJD1Zei6rhgwuFWTK0W5ByzfwKGw6Mt0WL
NA5ujg3DjpPNmB02m7Jjf0S9lxGT/F42ha8/Yxt6H1kVTrZqrstFFi0DsHxv
iiNWEtPFp/ZId0QKiL/Jj8iVnyuN4UJcML9OVM0K3ntTqydDRQ/5P9CoXK3K
BT0TXk9WW5dIiYnINrdBU66pxSXFui15KUQHvUvPRNJNqNF6xgbaHh6FzbYi
LUqoJhoXZFkzhwYaMGMGi2vX1m5erPAcBi8Rn+GfOnhSbP3HlH/Q91hZ5bVd
oVOC/GL5O1woUPPQW5vXeIbRbEZHs3Y7sQY/cOnGB9lJJyz9mjx7Zhwu1ZmJ
fBbNrhJXyW3pSedcoHAlJplXbZEv99GNFeX0FZqBuAQJy5T16+CzLghjUZ3g
lFgNYOKoK0/nNCpwfPYoCInKGnOfAqczM8p5yWdyC6o9OjboEIA0QztgVbBQ
tQYGkezbFxNHsnheoFCFFRfVz5ebXUV+B1CJREX1BbqnoTvbjCozSBXkqjeD
tR5t8dnJmiAxe6bmIf1+jGJB4qE/vC6CiCdeIG8JA/fA25AJg9EJB/sZcVb4
YQr22ga1eV+S7+YQRT1aPfujINiVcEiFnhcUoZB9vnj9FJq4wO8Hn8Pk6+Ka
XUKH2iQ1xTqBbciJUaQuYSShVNuh7bzNfXAVcdfInu4zbxIvXeLDGnQE/JG7
Dz3ncZTqKQL77s2vuDiGtrtyI9ECGsQ2Rz+iyAPm9CIPTKsO6TVdLfdWh2QP
9TwNE8WBiBwllY8YN6oZzmoh8Tt2jMZvl2C9LZBJAN2axY6i77Wung4F5VPx
EwhbD0/JBDT+t9C90bqJuwBrhR7qJp3CIetgLbEZ8gADk2xbeED+/9f/8vTN
q4sXr4FFA6+0DHiBGzfHMAy1UPcGKUL+Ds7LGh0yXCZitiGI0e/qDp/aTcJU
jLBeM5RtQYliqmXSQB0Q9PV8V3WsQLNuSKqlqGBnE/61hDbJ9FYz/mMnQ8QE
LLRwAI2fkAoMVAYUnvQ74VH1zpdfE4Ofk1bmS9A+2O807NepBQF9AGu+boU3
JxEGYW3jpI9eKuwQQyP4lMYj8QAfInyOpBkt63AQSBs3ZZ5Z//ARu48d7fgY
N6AvhkR8pJ6zBQg5tHiVGaExhi7PlndAaXfYgnBcIqowHJQSebYqbjNYLiCt
AplxiEPrQoSJocFPNmh2YPwIT/G9A1lN45/MbvJKIuH4Sf8LbPnhcdoxamf3
+E0yFc00LqqSVCekw6u8vQZZ4RxpfvgknaqqiWmsgM4JWyYaLUFX3hKsJQyJ
hqgQMQdmR9Tpq2ZZ0JryR/RrYEy89PE9dSY5VZvNFKJuznQI35C1PhtrWocA
o8GT1ixKEutEOB1p3+V1WYOlS24djvqI3JlEpZzIA14vW1m01/C2g5U/mB0Q
V8XJ9pvXoSt9Ug+Hnsy3S2FGp7OHeJDZvjmSzY+xjoFrKmg1enRHqZ9ZSZAh
zMnGFoeGzYHXCj34Y++gvFGmPRAeeMx+xFwz/PVHoiH89Yx+daj9bNAfAxRC
roKOIkKWi3KIwRg4hieh2BTp54I8Dnw/6BG7dtv4oBHFxaOYrRivhneALGhZ
UC3FL4efxW2l4eESh4XJ9gWo6FHVVAMWaQqUIRAgQq50tEvg54Xt1/oHWD+P
nXnRWzmtA4w2B31FkcyvB5+FrKF5NraWbQFKsBhdtEtkBHEgzYbaKzQuyU8e
5TYeJWBjusZCrfBoKo+YSpG9PPspR1NJwmRRES3keQj73uRtiboyRyIX6mXe
lNfrjpRtVHg44wLngQa9DYvjIWAbGdVldCyumf9mo8Ys8sOdp6AXmBM5HLNF
0fcLFnREUpNSFXGbQ4OxXrI00e5HowBzVkzeh5Ea4ifhZWPLLPOVTJHswvBn
UDf//d//Pctzf3PtNFlh5D9cBDyQRYsJdP+Gj4gB/iHLptPpP9pX/y28QQP5
+Bv40iffGPsvfePwwfFGpNvRf6SNf8CcK/HYgDJIlHo0fIMW9vA0agNHv7yX
SzTFs9v7pCd9bC6/YLang8n+9bPtT+SvaeNbPr8ymf/JOt8vHwdQHNIwUWwQ
awOKVVI1xDzJ5qCMk6tSX16C/tK2pGOTOaMaHi3Pb9T9V1H330ARl8C8H+Io
UbNuPzKXXzDbk19htr/aSU2I+5dT96fJO/WFjRD7b8T735F4H/4NszWEdzb+
xi8fx8nxYCD/pYfoP0NEGLvLen1YtVGHcrH87eD8wi38uzo4vwbX/yib+NRc
fgWu/0sJdhgGAYPJkTPjhvwDLZec/EbG/+3I+Ffi/78aCSa2IBKfkhup0mKS
W8/Lb2Q34Ce39wM7+bvjJ6JNkpNPS1mc9fL57PBghqm6S0o+II95niSYc2ZC
4Z14H4IbUhIiiiU1JNm/edUdaEZ67UwafeJbPEI3rM0tGkmidBQSpmWy9TYS
Obm16R7itpr9Rpv4k6VN2NuRNpI3cMeORt/4T2arf9sJyNJ9CfPQ1R/syyfe
+EQv2a8qqk500cZNleTPf00vH1Gr/wq2UtN3SeaVPaDsRRwyG/dfr21nf0cn
7u9Fxfg70pT/I2YqkaDN2HqNvF7E2ft71r9PydUoCmKEgVx9XO03lpePFFrW
IUA8cajliHOFS2fDNyFJIwThJWpR05vQbbV3MZkh5sRQFzCebdNSgK1Ut70W
28WYBki4ZYkn1tSYSRwDo83XBcYwQn2RZBz1srPC3DA9AJMHQIjvihg1xPUx
o1sucRqSMJDWHJTembnO0l149tOWokayE869bYubknOhwyqYWIjETAr6LDss
fqK8LIlLXr08ch/fJI5Vma3CdL5erYlNdKU4I9VLSNCpqa8bTj3W5VlrvaHM
gIc2y543t2hWJZlgry5+yDrQczB9DRfQpk/Cbq6KDtQtivPJsgQVmrzMPTWJ
iZMSLuR9rIKLwfwkoTJ8l+Tw4Pww3FZJTB7r3LSWxCTOuwtTFSlkGhoqvWSt
U7gyKbnqxc0yLrgMNPil5K1hWo6s65jCFnZiXmjxiloSOJZQA4ABNJ6wzfp3
WnK9zpdhvnQCSQkk6qFBYD6OpBbKKg5qhvms0XgouozxM6RoXR6gH8mWXuUL
ySXsUVdR4xH1IYIa6vdcqJVu0lqitPNevYA0Z0uK+7RzQGXpVP6O4zsQPmaL
JA3JaYijX2BFKjUuvG0PCVjq80qz9Y7Lu7Fy7NWLy6sXT6bw3u9fTJ/OrvN3
5S3McrqsfbOdxpbwAdW1WObwSovkoxTPLlQSEpfe2Dc8vxGTZnKutNHCmJDp
wmWkLlTomxMa4AXozGxDJbBke/dyc12oMpIcpHMyQN4VxbbU0s5upFxdFnXi
hrnTlOyszZ5LZQdIzKQCi4i1c6GiXGlGhwkjjrlnIY8YDwzIjrVwEs1wMqnc
soJSgc+JWtmN4AdRSBk7aoFEqOgXPnFg6nksnT+i1CzL0GgmMjBO/JK8iWVD
51DYeyxZ7eVqCdjCJm/fSSYEEHtV/kykvQzdcDKg09444WSMHPCcYpoMWY00
oGWxrZo914vNC8qiozqCLcigvOK07KWUcgSy44y/db5DE5WSszHb/ydEAFBe
MqigYJZB+Y1ai9WVwIspJViS8GBjYy4dLWae7AlmbdgaL8yEJ15NoAyBYiSr
Lma4Jcl17qPJdVpQlPk9TG6TZH4zHkWNM63KRYncaFOG/WUMJ6Q7pAkesiQ5
SLJmHPxEE5I2eb1DjoRkOt/bgg/KcOSSa+mHksckw2SOR7Rd3uJO0F85T92e
YycjR5aYFPeEGWN6KKUr96sR8Q+E0RLUKeS7VPtGsE+aIaGln8+CEvT+nmbd
O/eVKH8se+SICkmQpK33HysajYpbwp0smEe/aKIRpwaNXXESslB7wK8H7VOK
qZLWpYAuy53keaR4IYKrwXAszBlHgt+kaLpBVUH2gvYQ2oU3c82zDwOD2ZN0
K+sbQoMBsjC6K+0J5ZQOAFqoegvOVsQKMFmoSRoxUViJ+VQl1hrnnn9l9AG7
DLCS1wWPTae8WuG2NSvXY+QqUfA4t0woE+JtfwHuwHoA8e9QDUa/OssNC58m
xguYDY6oBY29Ah2yIt38WoiPUpl8rDuOy2TLXBKdOebrPsPNM5AI1LwtIiHj
XBQ03hpaY2dKSJVXCStRbV1RNmicOKmTWXpgtAvMFB2DtqB3sDwWGaYcdubN
h+/fmy+m1ANWtnykB/UKRiQWqorhp0kLl/Gj0cpSO3NoQp9PbSX3PcMbvtoT
AJpO720gTGIaOr9v7Pze3xtOr1/cSU/jFoueO7KOflBvHSlE0TpwKNxCWPAV
SKJdS5ok2jnxGyoeUSQLZLk6BtfHzxjLFR5AmUzRfdPG0Tr0n23rA87x9UcG
pCTmTnIC/N0QN0E0SurzQbFYa4uTjC1fAmiZRiCcR5zH9zWVvHgGuJHcZ5Pl
g4dZC2SRZ5spmulTFK3kpHxNwjTBj7GsW495loMFk2IcLJfiwmlQH/LqcZLt
Py8INwR1HRBoRBcRLETEXyxmL/Zh10O324QmAwnEynpYlzHzFdklSV2E9gnF
SVRs0wP7iQXVotLdYMPeFqUv8i1jHQVwodKUxgXFXsEc3Eg9hq3nDsWLUqJE
ebZGhjCyQ+iduZSA1PAYsa7VvA5ikM+cX+dCF7R442cOFzKA6uiKOrOiNNaA
OmZImzunHFb5XHQq2Uou9goQOLITSYkeS8E4rpmFbPANlSKMsQP2pWjJx7xg
Nw6WJYfl53XK1PAgmCwuQpUk10nMw06qsVyyVeyudfoRoh7OsvPj7MVr8Qme
IArnySz5+6Ej3x2yh98frB9M1qcHmSZa//70+Pjk8XL+6PHj0+zoUw2ffqzh
8VbPoFXyGaYBJdutaLZkF9G5FpQjLSO4f8qOQNsofkMydvjhKSn9ZucXaB1Q
jYjKfoOlNKXzUxVp2ZzjloZ/TEd+S8ZB8ROrXKRaOdnpQ2IdIWBHHE1y+Ads
gtK/9WAgMzUwLaI6DT1CiWJog4DxcI7KYVY5g/YRKwB9EXSOq5ASzfU6LPt/
Vv1gBbMhUY+Zy4oyxd+6RJOiTbEcbmTqiCEgx9+cc1FyzeGcimIkOePfS+r1
BVUmp5pCUDQIVoBWnZwznYErHOU+TTsiyJGn0OSKZWCLldQjCRuxrSm2w0wk
q1cbigHxrscULdts3RejZevEI4WVp2MaHwxbRssejXq6wP1a5JUI5sBjoAWq
cJdxVw0jheWakX5bzLfAmchnQOtVIHhihUUGbgQfjuvgFZSs1dMqUnTHTgXm
/lQL9fLta/TLXdOecKkWQf6pmjkNqfVLq3HyUkg3muzvAlmiKVsALS/D+Q9C
Vwtn1CtF3+KkTBKPs7iXCfYNqLJ2hp+hGsaogop+satB2pTIItyqpXA9Hhj0
btmNgu2bkieZ9EV0YfCayIwkwCGDd+4SbHFYcnSB5ijhYCd38HvSJM9EtHui
264Fbabai55NyquQDel7T57rWb7JF/spYkNzMWjX5lg9ryCMtF4i0pxqPPh1
Qz/u6uAAhZHG6qNHWns0Zdy8gIwDK3GdI6acBfJjXccWcToSr6ESnjzJoi5i
56leykdHawCXTf1Zx145dO+JqkQKCZ8kPMARKIENaP1dZLti9ZFIkY7doGMC
0JMKNzNQan9IjLySLo7x7hn5L2lzwjElQRkIneQbFriT16hoS1hXQZ1qsxYU
hSnaBohs3BXX+1n2dEdlKnEFInZqs8M2O9bH83ZewkctumuYIGFgU9kQZlGi
ewurQqLaOLajtNjolma246I2mpnV5zPW57sUfpLEplQo18DVu+AtUt87tGNO
8WpoWzCryx2Idi+lhAPuGGCn8K/Q4iCERJN2LIF0+7IU9yBy5ln27IZrpmAN
7Q7hTkKvnQs2yXYnQbpgPgvZWzxTtIK0l/CBE/9dyO1BJ2lVXjOpNkHbgddk
S5nZGiAUt1g3OAMBZ8Qtmw0sa6nOA1lJA9qjzy2x6dmXEjAnrOMkkVwlxVmY
evJF26BbWuW9C8fqMA+wQzj0kWraSUJkQRXB9ZBFC5C8NB5xN7GHdBoX3EgN
LV1cVeRSDiE9cdLdVcZtq5HprCtmTLDFJRkLJaOOLQuoDWndI3vkBdsqvCzK
mvovbdyjVxQZAmjYsyD6ks/ttkBL1jMVDYv3GyxXFFygXtVg4QShj1oelmmy
hRXGigYc87zhq1RzXt0iwO816djYPhzD41koBGb6DicDNq1AhC0wqluUIlKR
fKiwoCdHHF5uMKDInEaQpWxLazh3GPlNW/HmU4L0bxP7LU8EUBiRqdbERDuz
NeRUva1BUbELJv4FE/WXhSIlOk/FXGzN4UbFLYkl4G20iKkzqT8WN1F0fjiZ
GNabt7HcNO3wM29Py0ViiadowYliQS0oyzkUwyBX9hiPLtkdYx7EEIpAn2Rt
/TRU7WWgGyw6uKDp2pgdM1tJysjVWbd38eDq0ii7Yi+aGF2KEIO2wTyQ0S4g
DfS8mfv/X/xW6qz3oWlnpqj10i3Lk+CTUPZs9PWev2ISxuvE4cWNjsHy+PVu
taqKhH2D9Vovmw3pimyTyxhIexvCsEQqZX0ufjBAIFHdj3ZIg2pmoQM5J4oV
7FHdDF1gHBbT89H0MkTo+EciAjbhItdg6C8wBEzfkSFH2t7uuiyeKgKiD0dT
EyesEilRHXJZMUVp+OxecLU/NfZ9DJ99z+f3T7wD7+8NPO1AEfwKCSwdj/Vx
cDwqCPwkIEJ+AXcXK5DUlF6AIKEXHAYnWoyEXIzWRhjmMOeGefwy73I8rywT
rCaHwMABMj22yTtm10hyHtxlUYnoP2Tc4vPPT88mmdoy5wLfZZ1IGTvtugIz
emhkKHxlfHtJF+HQNUy5Xk7h6G4dpguC9vPN1ZU/CnQlOC7I4CjuzNug4/7M
G2gEAvBU98ES0eRGppPF6bS7Khrn+IsHwwxH+0UmcCm4uiC0A4HS+Uap3GY4
yp7rjDIwkA2howcBwRmhL3xddlogz7Iwx63pDVkscDNw94mBY1MwGH5IDmH8
4Qu51yBMgs2ieO0ERu539Y4JqdDEm3VRbVVPlJMmarHA9SULLvjrGd7Yg8HI
hZgxuVdce7LjcSuvnrx1X2M4/M22qOVuhc/PTh7IGSAO93yP7ixUoq9CsocG
srJD5EBHbtE078o43JTgmbiRfaC0xrHA7Iw8Q04/R3rLScOjyY+b+TbIFLxg
qkIo8fHFAYq0HayNvmKPc7ghJxedsGaDBn52+PbmqT9yshIPH54LcDtPJHLC
VbUjVV3vgcgQaoh4tcZLcXOgMcJPoi3nxIW86+CkIIR+sAxR5tqwu3hj9q5E
WLdytScdPcRWtYUMWidCRSuwLQiQhCMPGO4RKMj+VgylOKwcDnO3bSg+bgBy
1fUX6G10X/F+rraHBJK6TAeDYNhQxJnnlI8Fgs6DLIK1us3bZVQtFIfOz1IP
oIXMRF9Cs2RvTlZe1+iF6neIKMA0TJ7LCpZo3UsNkywJcs2+BmIf0w420M9q
P0xUoFsyQNhUBSb19NMSEKcE9r8w+UcGyFYcEXWQji5m63D8hM3N3Hq/mb0J
FlcPE8sulBO3BXcS8ZG5N7UycAprds1Y640TkV0vcSE0EodJiY9AQHYWYrgy
ApMzf5hlF3U/YoUEHA1+AtZG7ud6q0XpWLgUCq0SFD3DQNmAUaQuiWTp3qqX
UjGoxTvAsYKYtkQJztc7BGmxoW+zlL2RgSJkvP4xJdQCXLHa9TY8VPnxNTXh
niAA10EmmOw06uheQ8cJmYeaiIleeB+yNrt1S/6c3JFSrTngJmeGIJyvS/T9
9ElwlSSnObm2aQiTxrGMHJOuZikKfGGIIgjDJNDTWVRsdE86Y6KO3gvzJeiH
BFE9ELPOqDvTb98+vbh6RtmkdIXd+Savp+1qQX/kHNqoEj2YnWKqO+qo7CwH
s4oAJLd40ccIJr2ksqJjErNiFrDDTAYGgopywUyo60Jzwd/fs8EtA/w63J6g
taMR1JjMpJCiRTchdu1u0fXStIjWNKkZQXzyd8k1UpSCqnBBjqM36O9HhyOR
ldbeYBRltETO5v3NC0dwvoQH2uV1QRIJ+6DrViaDGwbiwDA6U19XMQovyiix
IPGRWH4XGJznVpEgSRWdcfEHR3ww9XykvwALlnOylkrPkAtHytDItVtx1hg8
ahaLXZvAlmaUQ+cM4ujYt5Q3j5jemGXEOfTkXwjxU4O/6M1NNCFZTTPTpSFY
EQMIRknveAgvbL57QAnVbyPTIyXfjDO05Vhcgi4CZCunueQqy/0QHlY9cMit
zTgQuy+t/7Ap+kGZ47C50S6SnBJMFE2x+NtgklOVhtalMGIu847gb1caRsRf
zT9ktYB2CYEWD0MsJ+Q3nIh0OpL8P4HAd9tmS2C3OjCY6WJdWM4cJmWS5+yZ
I7MrGJ7GQEyT3Wyg1qa4uTtS3HARlrsF9D3wcJCzJn7iwtpRmRRqY2N0Kv5B
REM3ecAcW2eZaC7uMNmrttCC2COmfOiBSFuTtBkEIdumuSxjaSsJpw1UY1jt
nesaPCXDvL7hsjldNuPqukPQ8/CNd4851gDcOqxptGso7kDfz6JUECtEhysB
AoNnLhyQE4S5zMowoC/xF85A5U2XBlCDXVU4iDo6HpnhitaFu4lKalAfo3+r
5MsHwNgnuNskjDSgDhk5Najw1mTAsD87uOxk5fTOFuuYiZEvoK9Ost9xtwnD
VC7bkwVOsjS6Rqz8tJMEjq5HVXhi5fbEVflTIXf5UW8Im6dOSNSk7gYsH56d
j2CZOlX1hkqBYpqCECkyy5AipGlArHWh7dM+nGl2wapwvUMWvOxN+TMZltoR
Ed5Rzx8xxFCqprIxCE+aDmvIGKyhiiS/Rr0iRDi0tCQXFkoX01z+8Joc4/oM
b6lxfKdRBTw28b9hB3nt5f5nqUhVxe70i0cfPkzEBv/i+PiUc8YTnw7SlbHy
0NNClt41lbRIgEBuM+pd/hisS7ouh/wMBdDGxFwbQ3zH9SBE4deKABspNYLW
2KJgSgK5Jsnz6vOVHF1LlghV+vxUblS20D4k3CYuNd9I4tJ1Yh836TVwola7
tuPr++w7iiZJ9TIujJl0quInIAOtNqEln7NPbBWMfUkl4JQJ5wveH3IpcJa/
uQYvkAPmZuirXUmXScjuPTo7O//wAReZLkY6nuJGhY09Qe5sijOCN+iuoyOw
mFzDkuhQXoB4b10qiJHt3dka+S+EOzBjITfUJKOEnpI9CivYbke6y2a764Ln
qu/UzV4R7xCnFNf+5UZBsJDb1jelKrAErE7Ss67k0VdgmZ9bFrIpa1DKN8JK
YLwnx2lT6nkEwh4zTF/J9x/hWlecLkDvudCPxXpl+2KBdZOe2S9o9PnWh8Aj
zMMXfIctCQzHdD6tUChi1ExyY+/cMqEWjZUAnYLMkV0bnVb+06enVTi9THLI
lJEBZxFI+qODU6hVSqzCYC0dsv7AGOkafUxjLV3hJweMbVuwLV5qyf6K7hPD
zM5En1+L1s91rKFmFwtCe2XlJM7ciMFEVGiumeT+JB5Km+wLMePwjLFs4gVq
2onuLrmVoz5lYz4C19IW5Lqc0IHS6t2UiypUOrcuGnf02mqOwtgsDgd3BoXs
Qu6eHcGwfjRC3xEvXqL0YBRf2EdO3aN8xrHq516exft7at8xaWjqX7jF71Zu
hBoOli4pNJvlkMHwHceHsewh6JVaOaeLdpShMrvhfEueN16HYWWkMQg+8/E2
zDC21Hx1FBmK+7TcS/aNHHxO+QOibJkvajxZCupoSUM16JRriaI8CyFjrJPu
jMdIhQh9j2qEyorw7RGHUXEBtCKM14Y1Tu7Khdc5AZbmAqS2eOc10yRWNCYK
gTq3qW+U1od64wKKNUrJkgoUTfAldWCb3mm7A7mqxSicnBr7OOK1C2mhzt91
R2PQkYQWVAvFsYUJkk4h4Nc4ROU6PCy653FFXxzaAabDs1LyKPrThbuGi32o
b+gi7iMaCpbDKNGqvi70SUewp3yZQsQrqVuO6RsVZqlSXNIA6vtY0Zjj9YrT
cLj41uGf9hE1e5GzXE6WyksKITpRnFyKPqHIQyYpcAVGOZtp0bsp3qTWvLy0
3Uo5a7wnQ658TG9uXxOvsqdE7nqMZCo8s8TK17I2QzaJDDsvJbEMksPmRbx1
SQ08uzthQ2ZYdroX3XyC06CG7w+OV0ysJKWRrr/UPpxeEG3q09h5sikCpsnS
8MzAw++8Uuk2YXv96hEZSGQzIAVKAWrPmcfwBgBDW6C7fcVJbIKtviQAfjkU
XStV2byeOVYNFG0wCx2VQ0cfF1/71s+iuZPzp5z+uqE7snG9aZB8xWNlyuPD
erMg/qj4jxmuVIbzF5qHgf34SOuZaKokSGYha+bueWzomASwGobky/VSBWlo
4qJSEH0VMIXgT2NXLMtsWuu2YF2v45RflbXkwg28BXnI3UNLqXm8zCi3oPN3
tiRywzuuG06ZBKfmpXwumJs8Z+RWvOZ4XwzYZZKWiftEEdmeXZ0Hg1gufr3V
WFkw1jpaVtW30gHprIMXJI6EVMCJeSB2piUU3A66lEWXmQaWAMCkTH0hjoKw
1t9TFn0kLy7TNGw1HlCbvARDIyeSZJk762gcv4V1wikGJJqAAvMtjND2AxwJ
pxbuOAu566O3dxATx6lgZblP8AAyy4jYdWGd0cSGMMEfxdeEU8ilasowRye4
EFQiQFH6Osa8D2MdwQNzhwkThElvJOgGCtaTHUDFqZc3i7dYBPhPxV4ydbkC
QcnQxfwdvb+lHhsF+1/oD+zFBSahhezIP6V0BIQbgwSkTdzJ6jidBMchbvhh
6lKQSnamSr5yY55FQXF3bHkP9MWWRL0kIgyZJ6+L60avyz7EopwjVsF/xEo+
uXqlbqbiTpvyU7PQXu/1GqZE4/gO6E/YLh74yYGWSLOBL7ALYHYWoLrQ6oTD
EquZxY0SA1ojqX2qCMcbYeLNkAR96Z0dpM1MkiimGjqLYrmLLgjNdFWa/Hx2
Mjt1gS7TK0A+PRdm6lQbaC0MYV/9yagDaawo9/WbK9cPWA7vfx60eEsVDcmm
OHv7j6S/7PtDNqOVQflejgQ99smlnKXvF5mx/oB6mLaCPJsTd52A4vhgEVAV
1MnsxFZ/cjTZVDWTABytkP01CmQPsh7x31UtO1LXakM9vZ2x35JttJeIpsbM
A4AJMoMf+8P8MUpCwq/DG/YQbSfXdDZNZZWjKJs40k66F1yEFp3MRKREJ+Kk
WGW4JmMJkWMbHdrl+4thBYFxoEsTfoSfEDTg80cPHkmWHBElJcJdHsVzOkwf
silId2HSkWLjO0UB4gHQZGQQplhcT1/Kqcg/P84DvpihZHJyezA7PNpmS9E0
2K234jsZyWZwju6D9GW3E3kKUiMXZSPcrSyMSi9PQiVbi/vuCD+ibMcRoJqO
nnjWJwk50PVaY5ThpF7vAZywyNHibeuy7OEWU4r2yCCduZgP7TesjmUZbW59
ggEfJAKKVB3kLJQdeyDZ+E9fX14+e4L+bP6JwCQenJ+xxzta3BhEPsS33lwx
6TzUAMfTN4RA8ejs0RkmGMNX9PCfqaXTh8f40OR+cxgE59ufhsyBx5XKVhl2
ae6aDtW8c0xtr8epsdIa1+DZBYZ7W0Oz5PbBG5/QaPqWfX539YkUyEH02kRQ
mGeg+U8u7j7o4h2ayMS4ci4jKQbNFvthNLS4V0YVRmYV7t4k2ptXePU11XNQ
bh/dcueb0RpvkI6h8iQRyUQuSWFpxh6akOFAWyODG5CVC0NN8xopNoDaNGp7
BJwCR26f+jZlbC4ArpjbSeMxeZgcE8TsolTXJGPzIMQk1D7B5UpDYPEyZApU
d0UbNZvksAr0J7ZBYKn+gC0dGx3JcENp+8wac94Z5+yomcI+O0J2kRI0Y2ak
TWpSmTpdNTU6MALK7/jE4DVOIj5V5sCJY9UNAq62olpRdWxtkhS2B/rVGPFo
JsRn7GuFna5RoFKBOTmBwlgDSh4ntpKZMtYf+oBi1LU0nh44MmR4+QV83paN
Zy2ewEU0/u16NnF2qLYHOSLEV5uzFw8JDP1KR7L3yTDH7ggWN1x0agzv/nRJ
yVZkeEDE5nZjyaa+TCJvyueGs7LWZbnKfgfv/254ezSBvLS7gm+Cl2u6jXT4
iHBguS2ioWldIgZMqIPSJqzbmG4lrLGmX0SGOHYnvJj2KGJSomU4X4aNxeSs
vi0mAyf4ETHXxZnIwFxXd1Fi1INgi71WzbKMsfTmlF9OVSugnoOqEl3loyav
S03ewxd8wWaLhRi9s5ZWTIWzhl7bolKgA6zfXjbOzHO4JEpppRQ8SmEE5aZK
OTZaSHgh+dFgldBipjr7QUyTfo/rovY1rUlYDnNqOSIiUD8hWBWOb+Lz4jKB
YSCJNeoaiaMiLBnRThZVkXPdBum3u7rinFaxIZiouY6UXEhBCTfYd7stiftE
m60ptdF6oru1OmG+xKyaUNVgLcWKQkouqP8Rk4KLXshB3QnykwhxEXhOhQ+e
DUwVUmk3yy58CM+EdQpleTYnGyXq3YKFVAjMOhI3MQLR/lwkmBqHhDr2Y1f5
aTDrOcXM/4hKW0hBxjfeFfspIUVNgTiWLKoQGw5PIBkuebkhYUFeM4xeY5Xk
VoLfPB8comR3hSCoX+BaEbJoKxX8fV+elleXnJKrFr+JKgTEVdbMLfRvyjAo
tRnJhPG4sydS2fKU/UE9pc1YDZegqm8xAVqwndHqmhg3EmoRraiNd6p63TrB
LXTcGKWxiBhaLjlU2YNG9km5JHRLYhIzTLc7j4jaEjUgdiJpKp+fP0RfHWWX
bJobji8Z7PEe9LPvVWRKH4SaHKA8r65eZkq58bAdTawDRXK0UIqZ6B/mF2lG
gsEmT3ClI6haVP5evJWK++ijF1jqmCvL2edI0cOrgKlEe1BCmt4PzNewlP2k
ydD+OgDU53OC4Q0YqqFh7c06p4zLlI10W+9COt/YPASViqPVCOk9ivUtKTaT
fiBE/54kuIe8ZgqFOIFIHs/MDFECHV0YsYEXd/1xZYNxRZfeXTuWIlIR7vJ+
dJ0UtC18OSFq4nujbe53ZlCK5lyPEWpiFBeDiy/lsoAIcRnyeDX2O6hoQOh5
DHxyg+hc2w6R/CUMzF4RTTyzPUe1IS1FcaHYCl6dcDk4WDToASwk35ESWdvi
Om+XlVxnQEaBvUIBLRNyBbrRsNJwv4KdSSw8xW1NL7CK0SIFfrClEFg9kMBk
JBso1GyvJUC/di1mZApATZMnmAijWOfpW2MlW3Qj9pKzW23VVp/MZNTukAt9
sUaJwaHMDgxweI+yfA1z0OsBgKAFimd00lyLQWl2dGxIrR9ZScUAsFi2IhMY
9Cm/OzErRPHaXV0T0ZigCpdPejQjdpWJtVHdHrWLXcp94XmFuxcczxhxK1eo
Msr3eoQk8wt1Nos4fTcXMKE+Z/rTUCyV3ShBaLKgYCkx1jgFH8t62dyO3DJR
hARVT3kDpEeFkHpMAQ50xdhpegUCUMxNyWYm4xbbkKRvmpqB0LjcYPTsKDQ4
EpxSgBAez3Qp3Mrv5n+Bb/UisE+lJZKOcskKmZLY9FXj8fwLXvv59A2e19ea
U/L+3s05nuAPGufcCH7NOfs+mFHGMEK0XTE8uASWorDzjjHj8cxRljxbjRg7
yVsNYCtWNyFDzAZDJYMjpLs0YA3Xqpn5WOLMrUypzEKUqiRJFTkDc8Wcr2kn
GzResKTIFMBybxvMnt/k7d6m8mqthctD3sNmXnKdNulpry+uzs8ySdA+oaRe
tXPt88/Zi+kwJ6vNr+lqHfqSXs6tCvv2m2dfwx84+VpaePT5oxNSADBBPqCb
3eb7eDMGjs4XJkMo4s8ka62LSpl8nVQPBGMyOzs/+5eXF5qLfP7o88/R9NSn
AkLi8iUaZogl2KyM0kzWlZZ5U44cnIItcFQ4C6sOQXGtHdS5sKFbhHnijACi
kyqPRmgKJltqJQluoqtK3FpBlg3MB4xO0KNxdCMIjjoS45Ny5roDrEFAKdAp
vvjQqpbFYG5Cyr4zF5dcY9xQtAn2mwQzkBJoo282Kf4Es5Gtshi94YOw4TOL
bvLv4AS/ubx6+UOs64QTu/XT8w38r95WFI5PvCeBA8CKefmRElQZt2KvsjG+
DDURjioDUEFadKEsWkcoGFdJ11iSIfUn6wLMHPTJOImwLroUntRSLjIIzFFU
CtBCNoLZ9g5BNojrWsFJ4ivQAL2Z2RfPkheRS3FrIsdCeZ28xWEg+k5LbV8q
tb2/p4TH12ANyYySLZH+USb5de9eAzuaQMOGnrI+PXHloPhsNLzNDESb8fsa
1zEe+42gKQePjsetQOxJbOTgq91mOy3rKbw5fQ47eOCEWT18ACYfpTtZlFYi
FuKzI6MU8KYBoDLNkxmZAnhhBZskRnHZtRab6D0zTnXb4xn93/1Hk+zk9HPz
y/kXs9OHZ/TryTnv5OnDhzPz//cfBJhSqcXqG/d3rJ3E/oQZq2Pv2w7UN8LH
Fd78/h5O6vxsynSMTgxRwvoqJuVyel+Ym8h6a5f68Zy4J0hHpLURu7Kz9SA8
jD7q1zcIPdO6C4URF9j8VIAgOJBOIyiTk3j4BPUwgA7gorE0Z5E20ZRkKqpr
BSknQgSAIAvCwes1F4FxxZrzs9mD2RnVL10FDAq0m2AVJGZAkpGIQQdHaqOM
nYr9w/B74TtCb81rudaHYe70bi6C5YvQeXuLAeB0wRVOYOzaC1l0Lvb8iYDX
r4VPOJtxpce0arAWJiG4LBDcBAEgQ+ousliZ7Gc+nHfQzXntY5Re+WFgd5Ln
qZTBvKTntObFcTxr24rqCTxGUTxYyh7oWQjeG2S5eP8cvvOt1vsSHw6IBDq5
AyG+z48xYEvgrOjIDMftZyra4PIv0L1QrU8soUMqBEaFqTqK9aMYOGjIgk7k
2IEdg9z6gbtyn9u8ErWiaX3gdMcPTxXFJg5p2TMi2fVa+6K19wm6cJ9gfNlH
2NSCkOr9rlIPEHkLtVL8y5EaDW+VhVgtF6eYz2Eb7rg3xrlLQug3qhOlK49B
UY7gScLqpaSbsLB1CsXQSw4TzLKovYvie29Z+/MzFo/xyFKJXjBhNU8jobtF
XkuJfNSJJ66XiM83NyRETL6wEAfmUQhpnmEmO9Ht4PzFq5A14hdjgSR0u/1W
AlkSAuHDn+I86g6HS8RyLyNQaCrpUG9csAiR0RpZMtaSpPoJKxLQoK/a5l0h
fOsb9RPem9NTWOULk2mLPp2WfNdaUswY9mDfYiREsJTraV1cK/gs8290pq1D
t5KtTFoRUhBlnGfGJwq7Nzej0gQfx76g20KQJXExkuWyyNAI1404+prRntlt
wjxfwgkkzN7wjMu/EOyADTxui4x9iTxRfYCTnLYrWncOFSRJIxOqjSA332Pn
pmBSe9xtZh3K6vpGOW7zz+KxiBDP+DmKX6rIrtCoWjd44SA8VjBe1ESvGbSe
nCe1OeXkMNzbNNB4nYBokz10FYkXRZ+eGIEkL+MeIiPIlrAYUzb17GV++3hl
JPASvKCOsKJXu3ohJYradlOPGBU0VCdirV6KhMouS3ShM/G3GP305U24vav1
NmTvEIcNV4CtLwJiDOdFUq6ARvmveB1u0bZYVAc/YWXpkQmjr/rQq2UEdzG8
fSLsWeZtBFEfs9XbcKVZ0IDxrmEk1O6SqNPwSHABRRxOvGjGm0SD3hVmfFu7
RBRZU3FKfyqvA+yqMNK6p3MYLkfb4oQF7bcMCGWmhfKKPLVYL2oXj8pacYEQ
BwcTCONte16gzFWREi+qGo8BSyiW1EuaCOqMrPwjNiX/Kd29zpQV9NzicpNh
vliXxQ2nqmjgXZxyyAThtI3Xvb5EjyNmVIDZ/5JWKagrkl3xJb1oEAz6+Cim
7PXKVkKEimWdboV9jfnLCd0MZ/Ri5epm7JVQBEkgN9JiWu86kXGSUyfcj9sj
kUSS0+Yyml0RLu3MlbE7BT8mryhtQvA/k0ITaok0adt4VUQvCWbxB6kb/a5s
EcsOochvUL9TZ6PkTd715+zwu7ev/ZHebpne6SisDgOXAfxaY0K8HJKUkFwr
wAlaqDtu6Mzi5Xn6OReNYUl6F0IrB7+bkeOwziubYHugAgUHSJmcpGkNBkmn
gMBAQxrQYD/INcbBHEx8OvniFIxa+P/7p2c9FMQ607GEQ6s8VbQ7h0VH9ILt
YiJcBg8NpzGUoDkVqqma3HZn9KjA7CWPIArMqsC0saB95Z07uL29HV8oomF4
ICIksisw4b94NHt4Mjs5Pp6dnXIKHBwDywKStBJiuGTTKXmLDcOqOO1ovf/M
jwicWOMWnlBroj2ItI0amWBaCvsFdZz2MYIAxs3r31SJVx7IhivwpnqSRChq
aFDHKuMJNtw76M8N9OGmv1NRiDMuB7kmoyBj92zoOFw2Mt7IZ74vq934wHqj
D+QY1DLKDw0jckFxXBdZtKq/kox2UWc+JvOSFoKkiyhCIysZxCCJP9DWzbIM
MByDuRYTJZL9RZbnPsryBuwOzKANBRBgek8sROF3hGDPXlhBszdgJJZzMB57
ToZjE3M1uZSa4CL6t2syBLlYj54U2X7CIA7VZgkePc5UcCU5YHQApRY2omhH
y3AVw6nsGgv7MiObJBWTfXQeHNldKI8ZoTwSSFWIpvMgg2fJ5JgwRnpAyb/7
rt5Y6Y17fyR3x8RLf/vwl/Yi2n5QTm//HU705EtQCWQrFeaCcIjya4pKcgoe
o3fmzqiVHEsKsAO9sdu7s2jx7oziHvYdAiP7K/DLo54HMW0oL4XT9RQ2aGRf
3QB2iW2nj4cj7xqjorPIWJ0d61j2/RihgRhxKQ6UxZGhNAe6uOJkbNyfgEG5
c9zy3d8ybgufMs2MYpqNKqY4FLH3x3bY8fFMQLpIAWW2J5Mio13gvMTEIv7K
XsFPjfJqnYCQfCySRBpjTKVx0HvZiidljiHW3Me0N0wrZLPbwgUQ/yPX4y26
NrGwDd5g0DrqIwSPr4LTbVtS3QK5aRHbjomfkdoxwW3Bt/BIZIaj3Gzh4ADE
xrF+JVKBaJ3Jj+/lLnOX3mXeJWUHFBSNZjJhOqOE4fo6Ups4lXb8YvQuSokF
uj5qXLBeui/b7pLmwdC0BAH6Ql9rWs55RqGhmxWxYkzqWQrr4ynbQN2NfEME
llhQT7xdZYy/y/UYwF8JL07RIiXWclM2BBdpbvGuOVObFDR7dbGqwMoOGOuO
herLWKzs+sJPbowne0CL/83pC3VMWoiu9ZuOC7cjUFfEVzkyIWp2woRWqBAr
ZL46UaWR8zMWp8mjlY0zpdRkDr3NQeFUnnNlkd6+hdGHwNPeXhL5H4FiEcyT
I83UtYsid06yxzGewaTSHvMxFhYbk3NtKbCOmp+aEREPwlRDsI7GvkYO6oMl
F0r3nVz9UfPFg/oG6TFS8kb3itV931ZQwuRoOUkuVbfmq6tvBaTH6FP9w0zT
0o3TK9gsYr6mu+CteZq+GnyBmL1FWT9oMNHw5U6kYNrxG3qZFWwHqH8bTrJG
M5GBc297CDXhOhRektZt0Bt3rZD/wFopEyfJZ5bqKsqL8TscrcSnnODOi4Sa
kvaLm+uLaz5ttNJFVWJghS7N+1pI34LfIEibnkZc2cYkbJ2cHh/DZuBmciTl
i+Pj4xjaezQ7mWIIGWZ3vcuByLsivfKFL9dc52wU5Z0upXAgvZ5ybhIHMcQB
LFSI1dixn0KhJkhJv7tG4DXg/RRryokGJEMlO3hLFFj+nFTT00GFeYcjqcGs
s0enJ1okOqjCDwE6zijAwkwDp5zijkd2bAFqjWutl/hC+et2cQJqS86Xlqjn
NickpgjhupmBerPZNMGO9wF+J15cwdPWm9fdIRDbUajSlohESfrCG9PtC9oF
mHVE5M6aOc1hyZmamHcl2zzIGkAIUpTsvJcIhh8yVlL4G6rw2OBOJB4dNCW9
nFi63VwqhEnbLitWINjRqN4NFvl0VMljR2hFYd0mffmCq83g7uyUp6k3bVrZ
xnoFR1xxJjP3oht4DnH+IYtFmvEaWQ++G1CLyNnvYLdKhFFkG0eOdByoXElG
F0f1b1UgQ1TrNJ9I4q7KT3Njmk1WEZtIa0v40os8o8KDIkTFMYym3W1yLo+O
o0MWNVIfOkE0pgXnbmpIFJdVyxZEZxZX3KxPJPjqhus3HBlVWG6C0KFcjj4G
M21R1aO7DGjFxSMXL4WhFfs+1ggjvU8yRR3wDLY/goRhakQFakZzS/hbjUzR
qHih8FZrunZKU8dj/flD3HRipWfnx4SJ7ul9ruCSqmJEDTMZ03nWLzvGhHXy
zKw4eSXeRxaB1YTzE/2Mz1LQkXR27HZgmC7iazE9kgHRm3q6RXZpB+ko62tP
Ev2ObmiKprAXia/Diw9RMR25jphnjrNkXKLg9uGrS6jWu2uyiOkr0BFKWaA8
JnXHIyXhvYLFwWS9613T3Su4jxs44fLYBEcGfYRjEDQ+2quSuLJP6h/5fppQ
D4pXE41BIkkdG2nggjokIXt18Yd9CPdWYmBVB6HpJqF6oV/mOgStKVdOfatc
disXVGvUjnjRi4vXFwM+dGWFdPQ06hGibAX8Lg+AtW46nRIsL7Z5sUCfJOiE
rNK494/ZT1Qsf3+wAk2rOBDcSQ4xsgPgXfYUaOh7iotf1HD4b7MfgCK7BVDD
u4YTxpA+9uisLipCzwLLHjh2VCTDtXE9NgV0UV7rRVHnDx8+RBL4c+PX7k9t
DttSFXtQkLodhgKegAKzLqnqWVzaWLhNwrrIN6hmoV4hPAZvuMLrTUOCLqGl
0J0XjAWWoCtzk3+mMs2vC+iVnaJv813lLvN8jjOSJsUElzu4OFKfNsa+cF1B
roUkLZYq/tjJDYv6NerZXwGBwMF6DeY3zq/rUGy/BHKpf25g80FgdeUkewEt
uz/lCDTl38GC/KloVsCFdr5DW/jPcChflrAVN/mEhpw9hz+D6gu/gdgugZE0
m/muvZ6473MsAsv+abfJW2j3WVu+y17vr1usBvkz3qAJ3wMNg6mFzpDi50n2
za6kNhvchmKLaUiXXYsXlsIXZb0pyuwq73Z76PopHp6rNTTQYmvwcwNWgy4t
ehK+b5rlHpiRkzBbifYK3gHISFt1ByxiJ4T7/wD69PnFdNYAAA==

-->

</rfc>
