<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-toutain-core-sid-encoding-00" category="std" consensus="true" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="SID DNS Discovery">YANG SID Discovery Using the Domain Name System</title>
    <seriesInfo name="Internet-Draft" value="draft-toutain-core-sid-encoding-00"/>
    <author initials="S." surname="Salakrichenan" fullname="Sandoche Balakrichenan">
      <organization>Afnic</organization>
      <address>
        <postal>
          <street>7 avenue du 8 mai 1945</street>
          <city>Guyancourt</city>
          <code>78280</code>
          <country>France</country>
        </postal>
        <email>sandoche.balakrichenan@afnic.fr</email>
      </address>
    </author>
    <author initials="A." surname="Pelov" fullname="Alexander Pelov">
      <organization>IMT Atlantique</organization>
      <address>
        <postal>
          <street>2 rue de la Châtaigneraie</street>
          <city>Cesson-Sévigné</city>
          <code>35576</code>
          <country>France</country>
        </postal>
        <email>alexander.pelov@imt-atlantique.fr</email>
      </address>
    </author>
    <author initials="L." surname="Toutain" fullname="Laurent Toutain">
      <organization>IMT Atlantique</organization>
      <address>
        <postal>
          <street>2 rue de la Châtaigneraie</street>
          <city>Cesson-Sévigné</city>
          <code>35576</code>
          <country>France</country>
        </postal>
        <email>laurent.toutain@imt-atlantique.fr</email>
      </address>
    </author>
    <date year="2026" month="July" day="01"/>
    <area>Internet</area>
    <workgroup>CORE Working Group</workgroup>
    <keyword>YANG</keyword>
    <keyword>SID</keyword>
    <keyword>DNS</keyword>
    <keyword>CoRECONF</keyword>
    <keyword>IoT</keyword>
    <keyword>CBOR</keyword>
    <abstract>
      <?line 72?>

<t>CORECONF is an interface for managing YANG-modeled data using CBOR.
It replaces verbose YANG schema item identifiers with compact 64-bit
integers called Schema Item iDentifiers (SIDs).  Interpreting a SID
requires two resources: the YANG module definition and the SID dictionary
(the .sid file) that maps each integer to the corresponding YANG schema
item.  Pre-loading every possible YANG module and its SID dictionary is
not practical as the set of deployed modules grows; a dynamic discovery
mechanism is therefore needed.  This document specifies a DNS
reverse-lookup mechanism analogous to ip6.arpa that maps a SID to a DNS
name under the sid.yt. tree (where "yt" stands for YANG Tracker).
Resolving that name returns TXT records pointing to the authoritative
repository for the corresponding YANG module.</t>
    </abstract>
  </front>
  <middle>
    <?line 87?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>CORECONF <xref target="RFC9254"/> is an interface for managing YANG-modeled data using CBOR.
It replaces verbose YANG schema item identifiers with compact 64-bit integers
called Schema Item iDentifiers (SIDs) <xref target="RFC9595"/>.  Interpreting a SID
requires two resources: the YANG module definition, and the SID dictionary
(the .sid file) that maps each integer to its corresponding YANG schema item
(data node, identity, feature, or notification).  Pre-loading every possible
YANG module and its SID dictionary is not practical as the set of deployed
modules grows; a dynamic discovery mechanism is therefore needed.</t>
      <t>This document describes a reverse-lookup mechanism analogous to ip6.arpa
<xref target="RFC3596"/> that maps a SID to a DNS name under the <tt>sid.yt.</tt> tree.
Resolving that name returns TXT records carrying the YANG module name, URI
templates, or RDF base URLs pointing to the semantic description of the
module.</t>
      <section anchor="requirements-language">
        <name>Requirements Language</name>
        <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.
<?line -6?>
        </t>
      </section>
    </section>
    <section anchor="terminology">
      <name>Terminology</name>
      <dl>
        <dt>SID:</dt>
        <dd>
          <t>A non-negative 63-bit integer that uniquely identifies a YANG schema item
(module, data node, identity, feature) as defined in <xref target="RFC9595"/>.</t>
        </dd>
        <dt>SID name:</dt>
        <dd>
          <t>The owner name produced by encoding a SID as a sequence of DNS labels.
A SID name is formed by zero-padding the SID to 20 decimal digits,
reversing the digit order so that the least-significant digit becomes
the leftmost label, and joining the digits with dots.  The result is
exactly 20 single-digit labels and is independent of any specific
zone.  For example, SID 2550 produces the SID name
`0.5.5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0`.</t>
        </dd>
        <dt>fully qualified SID DNS name:</dt>
        <dd>
          <t>The fully qualified domain name (FQDN) used to query the DNS for
information about a given SID.  It is formed by appending the
applicable zone apex to the SID name.  For example, the SID name
`0.5.5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0` under the zone apex
`sid.yt.` yields the fully qualified SID DNS name
`0.5.5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.sid.yt.`.  The zone
apex may vary depending on the administrative structure, but the SID
name component remains constant for a given SID.</t>
        </dd>
        <dt>.sid file:</dt>
        <dd>
          <t>A JSON document that records the mapping between YANG schema items
(module, data nodes, identities, features, notifications, and RPCs)
and their assigned SID integers for a given YANG module.  The format
and assignment procedures are defined in <xref target="RFC9595"/>.</t>
        </dd>
        <dt>mega-range:</dt>
        <dd>
          <t>A contiguous block of SIDs of size 10^6 administered by a single
organization.  For example, the IANA YANG SID mega-range covers SIDs
0 to 999 999.</t>
        </dd>
        <dt>entry-point SID:</dt>
        <dd>
          <t>The lowest SID of a module, assigned to the module node itself.  It
serves as the canonical identifier for the module in the DNS.</t>
        </dd>
        <dt>zone operator:</dt>
        <dd>
          <t>The organization responsible for managing the DNS zone corresponding to
a given SID mega-range.</t>
        </dd>
        <dt>PEN (Private Enterprise Number):</dt>
        <dd>
          <t>A unique integer assigned by IANA to an organization for use in
network management protocols.  PENs were originally introduced for
identifying organizations in SNMP MIB modules and are maintained in
the IANA Private Enterprise Numbers registry <xref target="IANA-PEN"/>.  In this
document, PENs are used to derive deterministic SID sub-ranges for
organizations that wish to deploy YANG modules independently of any
SDO.</t>
        </dd>
        <dt>module repository:</dt>
        <dd>
          <t>An entity that supplies YANG module definitions to module users, as
defined in <xref target="RFC9595"/>.  A module repository may be an official
entity (e.g., IANA for IETF modules) or an unofficial entity (e.g.,
the YANG Catalog).  In this document, the URL of the module
repository entry for a given SID is carried in the `repository`
TXT key, allowing a client to retrieve the YANG module definition
after resolving the SID via DNS.  Not all module repositories act
as permanent records; those that do not MUST reference the module
owner as the stable source.</t>
        </dd>
        <dt>SID repository:</dt>
        <dd>
          <t>An entity that supplies SID assignments to SID users, usually in
the form of a .sid file, as defined in <xref target="RFC9595"/>.  A SID
repository is the authoritative source for the mapping between YANG
schema items and their assigned SID integers for a given YANG
module.  In this document, the `repository` TXT key carried in a
DNS TXT record points to the SID repository entry for the
corresponding module, enabling a client to retrieve the .sid file
needed to decode a received SID.  The SID repository and the module
repository may be the same entity or different entities.</t>
        </dd>
        <dt>collapsed block record:</dt>
        <dd>
          <t>A DNS TXT record whose owner name contains 19 single-digit labels
instead of the usual 20, formed by omitting the units-digit label
from a SID name.  A collapsed block record applies to all ten SIDs
in the corresponding decade (i.e., all SIDs sharing the same
19 most-significant digits) and is used as a zone management
optimisation to publish a common `entry_point` value for a
contiguous block of SIDs belonging to the same YANG module without
requiring one TXT record per SID.</t>
        </dd>
        <dt>enrichment record:</dt>
        <dd>
          <t>A DNS TXT record that carries supplementary information about a YANG
module beyond what the authoritative repository provides.  Enrichment
records are additive and never replace or override repository
metadata.  Examples include pointers to SDF (Semantic Definition
Format) files, transformation rules, or RDF mappings that enable
integration with non-YANG ecosystems.  Unlike the mandatory
`status` and `repository` keys, enrichment records are optional
and their keys are not defined in this document.</t>
        </dd>
      </dl>
      <section anchor="rel-rfc9595">
        <name>Relationship to RFC 9595</name>
        <t><xref target="RFC9595"/> defines the YANG Schema Item iDentifier (SID) - a unique
integer assigned to each item in a YANG module - and specifies the
.sid file format that records the mapping between YANG schema items
and their assigned SID integers.  <xref target="RFC9595"/> also defines the SID
assignment and registration process by which module authors obtain
SID ranges from IANA or other registrars.  This process produces a
static artifact (the .sid file) that is created at module development
time and distributed alongside the YANG module.</t>
        <t>This document addresses a complementary and strictly runtime problem:
given a SID integer received in a CORECONF message, how does the
receiver dynamically discover which YANG module it belongs to and
where to obtain the corresponding .sid file?  It specifies a
DNS-based reverse-lookup mechanism for this purpose.</t>
        <t>This document does not define SID values, .sid file formats, or SID
assignment procedures; those remain entirely within the scope of
<xref target="RFC9595"/>.  Conversely, <xref target="RFC9595"/> does not define any discovery
mechanism; a receiver that relies solely on <xref target="RFC9595"/> must obtain
.sid files through manual configuration or out-of-band means.  This
document fills that gap.</t>
        <t>The dependency is strictly one-directional: SIDs MUST be assigned
and registered in accordance with <xref target="RFC9595"/> before they can be
published in the DNS zone defined by this document.</t>
      </section>
    </section>
    <section anchor="sid-encoding-in-the-dns">
      <name>SID Encoding in the DNS</name>
      <section anchor="decimal">
        <name>Decimal Representation and Zero-Padding</name>
        <t>A YANG SID is a non-negative integer in the range 0 to 2^64 - 1
(= 18 446 744 073 709 551 615).  Expressed in base 10, the maximum value
requires exactly 20 decimal digits.  Every SID MUST therefore be
zero-padded on the left to exactly 20 characters before any DNS
manipulation. The resulting 20-digit string is the basis for constructing 
the SID name (<xref target="terminology"/>).</t>
        <artwork><![CDATA[
SID 2550  -->  00000000000000002550   (20 digits)
SID 1     -->  00000000000000000001   (20 digits)
]]></artwork>
        <t>Decimal notation is deliberately chosen over hexadecimal.  SIDs are
assigned and communicated as plain decimal integers in the IANA registry
<xref target="IANA-YANG-SID"/>.  Keeping decimal notation ensures that a DNS name can
be verified by inspection against the registry without any base conversion.</t>
        <t>The 20-digit padding has a second benefit: it guarantees that every
SID name contains exactly the same number of single-digit labels (20
digit labels followed by the zone labels), which simplifies zone delegation
arithmetic as described in <xref target="delegation"/>.</t>
      </section>
      <section anchor="reversal">
        <name>Digit Reversal</name>
        <t>Following the same principle as ip6.arpa <xref target="RFC3596"/> for IPv6 addresses,
the 20 digits are reversed (least-significant digit first) and each digit
becomes one DNS label.  The labels are joined with dots to form the SID name.<br/>
The zone apex is then appended to produce the fully qualified SID DNS name.</t>
        <t>Example for SID 2550:</t>
        <artwork><![CDATA[
  canonical (20 digits):
    0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 5 5 0
    <-- most significant              least -->

  reversed (SID name):
    0 5 5 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

  fully qualified SID DNS name:
    0.5.5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.sid.yt.
]]></artwork>
        <t>The zone apex <tt>sid.yt.</tt> has been chosen to deploy a testbed rapidly.
The <tt>.yt</tt> ccTLD (Mayotte) was available and allowed quick experimentation.
A dedicated entry under <tt>arpa.</tt>, such as <tt>sid.arpa.</tt>, could be more
appropriate for a production deployment, following the precedent set by
<tt>ip6.arpa.</tt> for IPv6 reverse lookups.</t>
        <t>Without reversal, all SIDs in the same mega-range (e.g., 0 to 999 999)
would share a common suffix in DNS.  Reversal maps the administratively
meaningful high-order digits to the leftmost labels, where DNS delegation
cuts can be applied.</t>
        <t>The following Python snippet illustrates the encoding:</t>
        <sourcecode type="python"><![CDATA[
def sid_name(sid: int) -> str:
    digits = f"{sid:020d}"            # zero-pad to 20 decimal digits
    return ".".join(reversed(digits))

def sid_fqdn(sid: int, zone: str) -> str:
    return sid_name(sid) + f".{zone}."

]]></sourcecode>
      </section>
      <section anchor="delegation">
        <name>Zone Structure and Delegation</name>
        <t>The DNS tree under <tt>sid.yt.</tt> mirrors the administrative structure of SID
mega-range allocation:</t>
        <artwork><![CDATA[
sid.yt.
|
+-- [SDO mega-ranges]
|   +--          0 -    999 999   ietf.sid.yt.
|   +--  1 000 000 -  1 999 999   sdo2.sid.yt.
|   +--  ...
|
+-- [Registrar mega-ranges]
|   +-- 50 000 000 - 50 999 999   afnic.sid.yt.
|   +--  ...
|
+-- [PEN sub-ranges]
    +-- PEN < 100 000 (5 digits) :
    |       3 000 000 000  -  3 999 999 999   (10 000 SIDs per PEN)
    |
    +-- PEN < 1 000 000 (6 digits) :
            300 000 000 000  to  399 999 999 999   (100 000 SIDs per PEN)
]]></artwork>
        <t>The root zone <tt>sid.yt.</tt> is managed by a central authority (<xref target="terminology"/>) that delegates
sub-zones to the different mega-range administrators using NS records.  The
owner name of each NS record is the common reversed-digit suffix shared by
all SIDs in the corresponding mega-range.</t>
        <t>The number of fixed labels in the NS owner name equals the number
of most-significant digits that are identical across all SIDs in
the range when zero-padded to 20 digits.  For a mega-range of
size 10^6, this is always 14 fixed labels in the
fully qualified SID DNS name.  The root zone therefore delegates:</t>
        <sourcecode type="dns"><![CDATA[
; IETF mega-range (SIDs 0 - 999 999)
0.0.0.0.0.0.0.0.0.0.0.0.0.0.sid.yt.  IN NS  ns1.ietf.yt.

; first SDO mega-range (SIDs 1 000 000 - 1 999 999)
1.0.0.0.0.0.0.0.0.0.0.0.0.0.sid.yt.  IN NS  ns1.sdo2.yt.
]]></sourcecode>
        <t>Any organization that requests a mega-range from the root authority receives
the NS delegation for the corresponding 14-label suffix, and becomes
responsible for managing TXT records within its sub-zone.</t>
        <t>Some companies may wish to deploy YANG modules independently of any SDO.
The IANA Private Enterprise Number (PEN) registry <xref target="IANA-PEN"/>, originally
designed to identify organizations in SNMP MIB modules, provides a
pre-existing namespace for this purpose.  Each PEN holder receives a deterministic 
SID sub-range whose boundaries are derived from the decimal digits of the PEN value,
as shown in the table above.</t>
        <t>However, PEN assignments were made on a first-come-first-served basis with
no structural grouping, so there is no administrative hierarchy that maps
naturally to a DNS delegation tree.  Furthermore, the current registry
provides no mechanism to verify that a claimant is the legitimate owner of
a given PEN.  A dedicated governance entity responsible for managing
PEN-based SID allocations and authenticating ownership SHOULD therefore be
established before this mechanism is deployed at scale.</t>
        <t>The two PEN sub-ranges are delegated from <tt>sid.yt.</tt> to this governance
entity as follows:</t>
        <sourcecode type="dns"><![CDATA[
; PEN < 100 000  (SIDs 3 000 000 000 - 3 999 999 999)
3.0.0.0.0.0.0.0.0.0.0.sid.yt.  IN NS  ns1.pen-reg.yt.

; PEN < 1 000 000  (SIDs 300 000 000 000 - 399 999 999 999)
3.0.0.0.0.0.0.0.0.sid.yt.      IN NS  ns1.pen-reg.yt.
]]></sourcecode>
        <t>One can also imagine that some registrars deliver SID ranges directly to
their customers, in addition to the PEN mechanism.  As an illustrative example, 
Afnic is assumed to have been allocated the 50 million mega-range (SIDs
50 000 000 to 50 999 999).  The corresponding delegation from <tt>sid.yt.</tt> is:</t>
        <sourcecode type="dns"><![CDATA[
; Afnic mega-range (SIDs 50 000 000 - 50 999 999)
5.0.0.0.0.0.0.0.0.0.0.0.0.sid.yt.  IN NS  ns1.afnic.yt.
]]></sourcecode>
        <t>Afnic then sub-delegates portions of this range to its member organizations
and manages the associated TXT records on their behalf.</t>
      </section>
      <section anchor="txt">
        <name>TXT Records</name>
        <t>A fundamental property of YANG SIDs is that once a SID has been validated
and published, its meaning MUST NOT change.  An allocated SID can only be
deprecated, never reassigned or redefined.  DNS records that publish SID
information MUST reflect this immutability: a TXT record set for a given
owner name is written once and never modified, except to mark the SID as
deprecated.</t>
        <t>As a consequence, only a minimal set of information is stored in the DNS.
Detailed metadata — module name, namespace URI, SID file, contact
information — are held in the module repository and SID repository
(<xref target="terminology"/>) and MUST NOT be duplicated in the DNS as duplicated data
would become inconsistent over time.  The role of the DNS is solely to 
provide a stable, immutable pointer to the authoritative repository.</t>
        <t>Nevertheless, the DNS MAY carry information that enriches the data model
beyond what the authoritative repository provides.  For instance, a TXT
record may point to an SDF (Semantic Definition Format) file that augments
the YANG data model and enables better integration with non-YANG
ecosystems.  Similarly, TXT records may carry pointers to transformation
rules or mappings that allow a YANG object to be converted into another
data model representation.  Such enrichment records <xref target="terminology"/> are additive: they
never replace or override the information held in the authoritative
repository.</t>
        <t>TXT records carry key=value pairs (one pair per TXT RR).  The following
example shows the records for the entry-point SID 2550:</t>
        <sourcecode type="dns"><![CDATA[
; Zone: ietf.yt

0.5.5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN TXT "status=active"
0.5.5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN TXT
    "repository=https://yang-catalog.example.org/sid/2550"
]]></sourcecode>
        <t>When a SID is deprecated, only the <tt>status</tt> value changes; no other field
is ever modified.  The <tt>repository</tt> URL SHOULD then point to information
about the successor, if one exists.</t>
        <t>The defined TXT keys are:</t>
        <t>| Key          | Status | Description |
|:-------------|:-------|:------------|
| status       | MUST   | <tt>active</tt> or <tt>deprecated</tt> |
| repository   | MUST   | URL of the official repository entry for this SID |
| entry_point  | MUST   | Entry-point SID of the module (decimal integer); used to link a non-entry-point SID back to its module |
| urn          | MAY    | Namespace URI of the YANG module (e.g., <tt>urn:ietf:params:xml:ns:yang:ietf-schc</tt>) |
* <tt>entry_point</tt> MUST be present for all SIDs except the
entry-point SID itself, which identifies the module root.</t>
        <section anchor="entry-point">
          <name>entry_point</name>
          <t>The <tt>entry_point</tt> key identifies the lowest SID of the YANG module to which
a given SID belongs.  It is present in every TXT record set except when the queried SID
is itself the entry-point SID (i.e., the SID assigned to the module
node itself).</t>
          <t>When the queried SID equals the <tt>entry_point</tt> value, the record describes
the module root and the <tt>repository</tt> key points directly to the module's
authoritative entry.  When the queried SID differs from the <tt>entry_point</tt>
value, the client MUST follow up with a query on the entry-point SID to
obtain the module-level information.</t>
          <sourcecode type="dns"><![CDATA[
; Zone: ietf.yt

; SID 2550 - entry-point of ietf-schc (no entry_point key: this IS the module root)
0.5.5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN TXT "status=active"
0.5.5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN TXT
    "repository=https://yang-catalog.example.org/sid/2550"

; SIDs 2550-2559: complete block, collapsed record {{terminology}} by dropping the first (units) label.
; The 19-label name covers all ten SIDs in the decade.
5.5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN TXT "entry_point=2550"

; SID 2560: individual record (units digit = 0, tens digit = 6)
0.6.5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN TXT "entry_point=2550"
]]></sourcecode>
        </section>
      </section>
      <section anchor="procedure">
        <name>Resolution Procedure</name>
        <t>A gateway receiving a CORECONF message containing a SID resolves it as
follows:</t>
        <ol spacing="normal" type="1"><li>
            <t>Compute the SID name for the received SID (<xref target="decimal"/>.</t>
          </li>
          <li>
            <t>Reverse the digits and join them with dots (<xref target="reversal"/>).</t>
          </li>
          <li>
            <t>Append the appropriate zone apex <tt>sid.yt.</tt> to obtain the fully qualified
SID DNS name, or use a cached NS referral for the appropriate
sub-zone if available.</t>
          </li>
          <li>
            <t>Query the DNS for TXT records at the fully qualified SID DNS name.
The response MUST be handled as follows:  </t>
            <ul spacing="normal">
              <li>
                <t>If the response is NXDOMAIN, the SID is not registered in the
DNS.  The resolution MUST be considered failed and the client
SHOULD fall back to out-of-band means to obtain the .sid file.</t>
              </li>
              <li>
                <t>If the response contains neither a <tt>repository</tt> key nor an
<tt>entry_point</tt> key, the record is malformed.  The resolution
MUST be considered failed.</t>
              </li>
              <li>
                <t>If the response contains both a <tt>repository</tt> key and an
<tt>entry_point</tt> key, the <tt>repository</tt> key takes precedence and
the client proceeds to step 5.</t>
              </li>
              <li>
                <t>If the response contains a <tt>repository</tt> key only, proceed
to step 5.</t>
              </li>
              <li>
                <t>If the response contains an <tt>entry_point</tt> key only, compute
the fully qualified SID DNS name for the entry-point SID value
using steps 1-2 and issue a new TXT query for it.  The
entry_point indirection MUST NOT be followed more than once;
if the response to this second query does not contain a
<tt>repository</tt> key, the resolution MUST be considered failed.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>Dereference the <tt>repository</tt> URI to retrieve the module
repository or SID repository entry (<xref target="terminology"/>) for the
corresponding YANG module, and obtain the .sid file needed
to decode the received SID.</t>
          </li>
        </ol>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>DNS responses for SID records SHOULD be protected using DNSSEC <xref target="RFC4033"/>
to prevent an attacker from redirecting a gateway to a malicious module
description URI.</t>
      <t>The URI obtained from the <tt>repository</tt> TXT key MUST be retrieved
over HTTPS.  Clients MUST validate the server TLS certificate
before processing any returned document.</t>
      <t>Zone operators SHOULD sign SID DNS records using DNSSEC <xref target="RFC4033"/>
to prevent an attacker from redirecting a client to a malicious
<tt>repository</tt> URI.  Clients SHOULD validate DNSSEC signatures before
processing TXT record responses.</t>
      <t>The immutability of SID assignments provides an additional security
property: a TXT record set for a given owner name is written once
and never replaced, except to mark the SID as <tt>deprecated</tt>.  This
limits the attack surface for record substitution attacks, as no
legitimate update operation ever silently replaces an existing
record with different content.</t>
      <t>The security of the entire SID DNS infrastructure depends on the
integrity of the <tt>sid.yt.</tt> root zone.  The central authority MUST
therefore apply the same security controls required of any DNS
registry operator, including strict access controls on NS
delegations and DNSSEC signing of the root zone.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document requests no action from IANA at this time.</t>
      <t>Future versions may request registration of the <tt>sid.yt.</tt> DNS tree and
of the TXT key names defined in <xref target="txt"/>.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC3596">
          <front>
            <title>DNS Extensions to Support IP Version 6</title>
            <author fullname="S. Thomson" initials="S." surname="Thomson"/>
            <author fullname="C. Huitema" initials="C." surname="Huitema"/>
            <author fullname="V. Ksinant" initials="V." surname="Ksinant"/>
            <author fullname="M. Souissi" initials="M." surname="Souissi"/>
            <date month="October" year="2003"/>
            <abstract>
              <t>This document defines the changes that need to be made to the Domain Name System (DNS) to support hosts running IP version 6 (IPv6). The changes include a resource record type to store an IPv6 address, a domain to support lookups based on an IPv6 address, and updated definitions of existing query types that return Internet addresses as part of additional section processing. The extensions are designed to be compatible with existing applications and, in particular, DNS implementations themselves. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="88"/>
          <seriesInfo name="RFC" value="3596"/>
          <seriesInfo name="DOI" value="10.17487/RFC3596"/>
        </reference>
        <reference anchor="RFC4033">
          <front>
            <title>DNS Security Introduction and Requirements</title>
            <author fullname="R. Arends" initials="R." surname="Arends"/>
            <author fullname="R. Austein" initials="R." surname="Austein"/>
            <author fullname="M. Larson" initials="M." surname="Larson"/>
            <author fullname="D. Massey" initials="D." surname="Massey"/>
            <author fullname="S. Rose" initials="S." surname="Rose"/>
            <date month="March" year="2005"/>
            <abstract>
              <t>The Domain Name System Security Extensions (DNSSEC) add data origin authentication and data integrity to the Domain Name System. This document introduces these extensions and describes their capabilities and limitations. This document also discusses the services that the DNS security extensions do and do not provide. Last, this document describes the interrelationships between the documents that collectively describe DNSSEC. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4033"/>
          <seriesInfo name="DOI" value="10.17487/RFC4033"/>
        </reference>
        <reference anchor="RFC9254">
          <front>
            <title>Encoding of Data Modeled with YANG in the Concise Binary Object Representation (CBOR)</title>
            <author fullname="M. Veillette" initials="M." role="editor" surname="Veillette"/>
            <author fullname="I. Petrov" initials="I." role="editor" surname="Petrov"/>
            <author fullname="A. Pelov" initials="A." surname="Pelov"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <date month="July" year="2022"/>
            <abstract>
              <t>YANG (RFC 7950) is a data modeling language used to model configuration data, state data, parameters and results of Remote Procedure Call (RPC) operations or actions, and notifications.</t>
              <t>This document defines encoding rules for YANG in the Concise Binary Object Representation (CBOR) (RFC 8949).</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9254"/>
          <seriesInfo name="DOI" value="10.17487/RFC9254"/>
        </reference>
        <reference anchor="RFC9595">
          <front>
            <title>YANG Schema Item iDentifier (YANG SID)</title>
            <author fullname="M. Veillette" initials="M." role="editor" surname="Veillette"/>
            <author fullname="A. Pelov" initials="A." role="editor" surname="Pelov"/>
            <author fullname="I. Petrov" initials="I." role="editor" surname="Petrov"/>
            <author fullname="C. Bormann" initials="C." surname="Bormann"/>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <date month="July" year="2024"/>
            <abstract>
              <t>YANG Schema Item iDentifiers (YANG SIDs) are globally unique 63-bit unsigned integers used to identify YANG items. SIDs provide a more compact method for identifying those YANG items that can be used efficiently, notably in constrained environments (RFC 7228). This document defines the semantics, registration processes, and assignment processes for YANG SIDs for IETF-managed YANG modules. To enable the implementation of these processes, this document also defines a file format used to persist and publish assigned YANG SIDs.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9595"/>
          <seriesInfo name="DOI" value="10.17487/RFC9595"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC6570">
          <front>
            <title>URI Template</title>
            <author fullname="J. Gregorio" initials="J." surname="Gregorio"/>
            <author fullname="R. Fielding" initials="R." surname="Fielding"/>
            <author fullname="M. Hadley" initials="M." surname="Hadley"/>
            <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
            <author fullname="D. Orchard" initials="D." surname="Orchard"/>
            <date month="March" year="2012"/>
            <abstract>
              <t>A URI Template is a compact sequence of characters for describing a range of Uniform Resource Identifiers through variable expansion. This specification defines the URI Template syntax and the process for expanding a URI Template into a URI reference, along with guidelines for the use of URI Templates on the Internet. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6570"/>
          <seriesInfo name="DOI" value="10.17487/RFC6570"/>
        </reference>
        <reference anchor="IANA-YANG-SID" target="https://www.iana.org/assignments/yang-sid/yang-sid.xhtml">
          <front>
            <title>YANG SID Mega-Range Registry</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="IANA-PEN" target="https://www.iana.org/assignments/enterprise-numbers">
          <front>
            <title>Private Enterprise Numbers</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
      </references>
    </references>
    <?line 566?>

<section numbered="false" anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t>This work is supported by the SCHC chair from Afnic and IMT Atlantique.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA9Vc23Ibx5m+76fopS6WTAiEpETKouMkNCnF3EiUQlLlxOvE
HAANcqLBDDw9QwqWldqH2AfY2ru8xuZN9kn2+w/d0wOClJSkKrVS2cJh+vQf
v//QGAwGpsmbwu3btd8fnPzanh0f2aPcj6trVy/sa5+Xl7a5cvaommV5aU+y
mbNnC9+42ZrJRqPaXWMkDzo56waumUk1LvHsvp3U2bQZNFXbYPxgXNVu4PPJ
wJXjaoLJB1tbZpw17rKqF/vWNxOTz+t929Stb3a2tp5s7Zisdtm+PS4bV5eu
MTdV/eayrtr5vj18efrUfo33tMtf02fmjVvggcm+sXZg6UT8Ahvkf7FJ/vew
On16+PLkGb85rs7lwy9fnhrjm6ycfJcVVYnNL5w3fpbVzXfft1Xj/L4tK2Pm
OU3fVGN5wFpf1U3tpj6+X8y6tyZrm6uqlh3lJT49G9qzrMje1Pn4ypVZiW+s
FWqdYfEKn9ovbz1Q1Zf79mBa5mN+68CPAhTTAcNROuBXGT03nNb8qMfmXLNv
H9vs2pWts5PWfmYx3m4/ebTLj4zzBuT/dbvIwJe2buTDakJy8fiznc+21vST
tmyIUc9qPOi6Ix0M7StXVNfJUQ4K9xabc3XyDZ/h+MW5PWiKrGzy71uXHiYL
Q4ZzGvKrfNYMsvjk8nF2bE1ncbbI7OHVX/8bAnZZujrLXXKktUPnfVUOzv76
l2t8/de/rKVHe7i7+3jvA0d7PrTnIr3J4Z5nbe3KpvfNBw5XyJChqsI/9XCm
rOpZ1uTXjsTy9Nnhw90ne/ry0dbDh/ryyc7uo/By98nuvjF5OV0aubf7eIte
Hh+cHAxI4QZQtn1eVQ1LtCsv3GU2OM3KS2dP3WWOoy7kuay+pDNfNc3c7//s
Zzc3N8M8K7MhKPqzzHscbQbK+Z9BOi/JesQXw7dXzazgSTotoz8D5QY2xZ9M
YGL27TQrvAt7ffX0pLfNV3V+jafsUzI08zr3zp60s5Gr/adt0sXxgzIZ//H7
M4PBwGYjkCcbN8aQkSNbZXNvsxIyiemn2dhZcAJKXGaXZP2Y8jMwvnATmi2z
LdtuMmpDc9zY2s0LjPIW9nlU4XDMFg97MctsDntu8wm2nk9z7Nje5M0VpGY2
xxbs3qPBKG8MrXxJX46zglY5k7HHPPaoG7sOXvuNoRWTPa9dQxvJ2AjX7vs2
r7GL5qbCljxszZjMKrkY3hCO0BYk+NO8zJu8KnHmCX9NEjTJx/RZBsFZp8+G
kAE7zQu3gUeyBuSYe+uy8ZXVzcJK82D4Haw2r8pJIJYe3dDRsddX8EtFlfHX
jn3fvAJTR0V/X7SZvPFLmwFroFGNnRPHcpDHZp6X9a6x1RSnmRfVAiSTWbyF
/7rxn4MmkwXsST7GXOo5zcyNr7Iy9zPiN+aAI4HPtKVzEzfBRs+v8DlMfkvS
Zv3cjYnsEA12bjXt3dNRqjft3HaTQU6K6rJqPVEkn+8Ns3qeJURj9tB3Mg9Z
Oduy9eZzQNUWzdCScbLrN7Qru7Zo1ix7S8+iyGQ6BwXeuHpjaE7B3OJa4AMW
4QkhCm1denv+u3O8Bk8wdF6BVfyYcEr0JG/YxuA8YEPeABzwGnewUsg6FM2Z
5ZNJAS16QPJX4xvmUqJH796paXv//p+tU0FMvfkondKtwxS/f/+P0q/Nv1/B
SCHuVDCmg1ln8pWg5abSpFls2qnLIBD4CFSH/uCsgIJYfuNehTQfpZD2YxTS
fFgh7f0KaUxfISfOj+t8xAr5acpomLnkiCGXdymmXVLMC9XMC1bNj9e6cVbX
i4DtU3rSiE37+vTYgG2QboBeZs/p0TM7yiDir0+f31ZaD0bjg7Eef86GG3TG
dyYq54MHcPssnuwogaHKyza7dERCZwHc7Q3vbe3F67PztU3515685NenT3/7
+vj06RG9Pvvq4Pnz+MLoE2dfvXz9/Kh71Y08fPnixdOTIxmMT23vI7P24uD3
a6IGay9fnR+/PDl4vgb5xu5TziIMoeOOnJgL0jsobOZNYPmExnx5+Op//mv7
ETT1X8DNne3tJ+CmvPls+zGZHFhPVbqqLBb6FoRamGw+d1lNs8AYgEVzWMEC
5Ifs+qvqprQkfEPz818WeensYO+XvzCG7Ny5q2d5WUGkFsYw+gL6hvyXgxKI
i+yo3XuYmhsRjrYk4IktRCNF0nZLda1dFxZu2vuUeIO2yWZFCJGaKt6VIGds
jbiN02AbLJ5zttEYNFrYEBWq1Ge0IQ+ZweeO5Ik0oMhGrvBD7OvAhmlJNQmY
yiw/uLoazLPJJAi4atDOFjY4zmcwB5P8ElZjE5OIkoYn+XPIO+mXr4RO9Hnh
Mt8MCOSxkSJF5ydH0KcZx3zy1LSZVb6RPQqT/wRV6c2ujmBSNZ7dOSmob4uG
QASChbewWOAJ9kqbKtxAFpJTi7nzoC8smCuJB0SWrFwEJEDB4Q+IXTH1M6gt
poMWg19Egp3d3a1Abh8JQ/TDoG8vtoa7+Lsz3Lr/77cX4Oe0LbDJ79usILmZ
2JABSHm8/MxEUgjMr/Vnvz062YA/xefgDDgMS8t5BkwCTmJDMdQgDDhC0ARZ
uIQsl7QYeb+mz3XSnjKwHOPxvgCrCMERQfDevQ32Kpx7mUp/O00SmxxX4xnU
QOOJRe6KidD9PvJ9yrrDOLuKEq3NZ8dZZ9nCXpMzFFkhylSlYKwJ7AXFX2Ic
8AIgiR3xqG0CEYzEuoxYMGtJcIcYSL6+JNzXMFpKmWJMxAtig/7t7OVJZ0FZ
m4IHolXg4Oa0rZFrbhzmWLY9fqXx8dH65PRa7Q9epRDCi/advjr0G0QQwTg5
9suhmtI8hjTpSVJIKVQVQdRpuliPdAmGixZn73Cn9ZtR4FtT4CtkAQGb/LIl
ADAqqvEb0mECePSvz39wdnvrj3uRSzD6IuBqEQynGoAkfuCTrpJhiiu7uLtb
3jKmYbREtN0ifXjy5An9h206yhEM2LdbdSN0+qK6cZ4/YVtjA0MiJVWpAoIA
iwiSuWLKWkr5MFdfE42E6zCfVcmgrEPHEd3rJHkZrAH2xQpVzR3ElSJo9SAJ
CaxATwnXehA+mBSeoo9Rm4oY2klvQias+erpiV2/MyWwIXwUDxq9aiQImMUc
INRW9ndKu4PVs5wzKiH3Vf1GtuuCSDXVuCrIN2APcBYUayEgwnEyMhq5BjVY
Ru2kEJHRXLoUeQl7dvLilX1x/GWMPFmCa1I9TJSpuKr74j3fnQYBlSVpA+kO
GRSNQxgqYZag6puyd1oomHhYR7I1E6CmWuQacJHI7tuRUN3rgfqHYKNxk/sr
mYRwe6qhPV8I8og3xCxnRy9J80ScujCSGVdaAS8yuW/JU2Cm1QESg3T9FIep
GZDRWVdrO8GSW6uyLR45loYpTFSeUdJKN7HuhpfDTaE+icfx0/Nn4XQbhL0x
qi3DuP4o5Rzv/BAGEhhwo+NIwg96CtBdQblOz/An7pHVf9mmk4+lYCGXk9LY
by+6Qd9eYA4KLADfNwm2VjcC38agKJl8ikIbjAbr745BSRGnkAuOWEP4Ip74
Oue4B2c6QTxHuHiZuAxbx2ydEZhAuDJ1VuxnPsdMFJkzpycVR4UcVyCMg2YR
ruzRQ4BpiBYbhg8SRSuK/ThREvQak4JEB/pI5af1reqy8o8cjBjX6EA378HT
Cn377JPotJ8/0a131nWFwyX7nLjcT3aVGB+d5Wq56wtMEJdUrDJMQma6C1El
xPQpYFspqoL1+pY9OChXgn33imOkNhtjCujFylAGnQP4scM5J4o4z29vJORO
VumT6jwLEgEpFRRsepJPWfgaG2AMhMvA6heI+Ml/MCgQQoinWSLODct0EkQR
omBstv1kVdzAcBpIIpsEA8AiiChjM0HQ1SxvmqB88G2NTyfBHNO6mmlopuiZ
sMyqXQv6dsw/UtpGrIlsZEUaDyTPQPL1fOiGbEcED/mrrA4b8oKNcUAKsW7H
YrCVGh2xy+HYkd1+511Jv+dNPsu9OGNsbt5CROBcMsK5M3z27QUL13csf5DW
66xoRYEyFrQ7kBsIVJWXaUqE2JKaO4r6EMWwjFAWRPC468k82Ck42pVUypt1
hmylGLDNETXyYnv4mJwAWxE99bQVO16A+BAlDXH7hiORY0CSa4AMQiRP47b4
GILkyctTsM3jiAUlhdQhOUryTqCzxhTJrLQP12QE6mleAa/kzMdFiweZ+mRt
yHAePbPrZyHDdJR6jWd8xg1WYdhVBDSl785dt0WSvVLbp4iCbYNjcYRdq2UA
B+aUN2G+4XieK9108tdlkb9RX4EzZnoGxHcgWOshKHTyJUsHK+fJDC3xUkhW
cZaMgUBncmkEf0t+KrH+PatKxoKTaYVgpKt8TnSCf7DkIOy7B7UrBvV0zO7C
mMR16Jy+c8arM86ccN6wA0iNgFxzC+RiRUkE88gypI5UugZ8qK48QXY6WlsN
qP6WgPAD3gmcSk+bFb7qHZm8ZhLA0WyKakUCOKLznqzhzRW4FtPMrBwI0EZc
7mUvoJiVbCJjNxJ0yg/HGWsf6jVh2ph8yajPgMQ5q0FwKgisTLcT+KoR35I9
azrcdA1jM2cthDETnZvQijnCd3qUTJEnfVuCXLey1VBbGGHPiT+K8zv7wdzD
jJyMqtuSF8L2oTSzfSPeP0tJ3zlLloVYbZlhfpjfTXtV3WBhFQV9uA75doZD
IeeupE/FiVNtfCwJqiZGilB4IyxZ4VMiMX/JyaKkVGZgRweUzZ7cnaMXcEG8
a2uo9G3a8Vk6NRW0Ss4CKr8s6WKFloSvyx4EkCoJFgYFNSVmyR7p0UCZOaVA
TR8HHlYl778A+u6p+dLmKEO4osb4eQdy6qCN7LYBw2kDVQ932lnrm6AC8YjE
0LpqL6/IMBKogI+cwkeqRpFWtM2gmoLgkKmZg4lWtTCRlpinUMN8mc2HUhEI
Yd2YsW0URvhMwBLsWsznvvhfxvQUYalVMJ1qc/6EhHJMhob6H8TQpycbSVGH
0vCUn8B7o8igi3tiHiHY5dFihV1mOXga8tjdUDbZR5p+PnVzsJ1ULZa4v6Gk
9StNWr97oIlqWO8kkUPVyn5ePyifriNJHk7r7Pxx7xGs8LZZ/8Juf2YfPdqz
jx89sluPH9rHW0/s7u623dve3WDnO2cjwAflGs/21qaa47f5rJ2JWHe1xSRH
3c+n02RcM+NuD+JIVy8DRWNe3k1CJpIy5uxJuikhmlS1I+evXCHhJQpCvvJ5
W2jWq8ucE8V2thSrkpwQ4cXe4ziSJJakJeU56VuTJnrt+rt3TVdCef9+A4z8
85//bGLO3A4Gv7B2a+mPfGXXiQwCQHnEtjR4rBqBP9tLI2gdE8QCCisCQUIF
RRxRyov0cEzmoWQcZa9AKyU76M3CD8BgojskYSIs21KOTUpUFkgMvA3MiqGc
Sg17r5DcMZrcCa08bGZ+49xcYXp/o670nP5k1U0qlNAhA23EfiXBPSJEShZY
5P2SYhWBnTGppPiYuc1SOBbbRswWgxB5HGo7V1ogGhOQHbkSetnsk6+4bCFD
OGXYGReQYxGqi5aC2EXALh07koe9XX0B40zvg2lFGY9gCjT1L99tbKob8zn8
qjgetR4Fay8ALIKbBsCQcYC3vTriu3fdc5xDZvPBa5+yywIXCOfJS5iJZ1VI
vsTDzKEJ43xO8MV3PR9pmZnTTa+u9zogsMmqEQWUsaj6yIldv6sMNs1r30j8
xZiQPzVaHOMoJ1buNI4O9SxMTxUyTB6rYmQPOCGyVKkxocAh5Q3R8FLrPgJI
FV99sMYCemrIwSQIir4vem+TFHWiq9K7tfWBvzt2F3+3+NmfUzsK1QNTivX+
MEHJWJhYiiQ6h1PHNWnOnQ+tTXPcX5jjyT6ttCQWqk/6ruuANHBESF0tVJej
zRDz+4akuc7m+aRYDHmSC4y7sOPx+fMju/4iW1RNA7B7Q4p8neUF59s4R62K
BZeDKNu9RWicz4LDHMIpguNq3yQZJPW3CxLx4cUmomGIIWblrYYPx1VbkKEA
U8hiziEu0BHKdktSax7bhfQUksOa9lRrToCJK6/UTDJamIugWqBHVCjlpRVc
Sfmdr9W+BZ1N0hwB45HSJsUaTQynVZoNc8NnoMSI65IWvp1O87c0j+RKo4ng
FpLbJb+CMGBGdWnIi73KL68GUvNWrdccRr+e7cmiEegmeUqs2Lil/h8GTZr2
majB7gj3aoHDY59w4HNQDXCv5b1oWBbq/qKAds5PG+As6jz7jmR3HS/2yXMh
KP0FOXkRZt3vF3a69o6e2NrZmrxfSzXsQWwHWNkCwLNIh4xdG64NyRitB0Vc
V83fMHEv0+8nZdzLJusEta3X/W3phOnmN+xPscnhOxrxfrgmloat+jekV2eh
BsvSfxSpy1AwOgIhK9GfO/FU5qM2zvK6pij1vhqvZqySmiTrmlRN1QAG1f/R
/BQW7N/Pjl4mYun/YH7EEemb+GfL8hsVUrzKXTONFiQ+vk2IiP/jN93jflLt
3H58OIxbOA0h9eqN7G4lM+NNN7M0wt83NVX6uhrUH5h/9AV9/nNAYZl2fTdm
GYXFP+rRH8aV6T862MO4vGxhfVu+Y1WnFB9m3pA5lheL86zvLS0X/jxMFuMF
IdT2YbJeXHPVoiJzjJwrBIds0TvxgUeVXKmWm8dkWal3TjODi9tIWesqIqF0
WQKEpFmjCelS3anAdbJJ4ipdlRBqTQUJRDBJehsyy7giPhPwvdq/oLAhBhBz
yEaSzmKWLe1SvSAt/BJxOhSIaTCDghUdjE0kW3Pka2UzMsxg2B0ZaoXJUEIp
2nJj4riuvE99gekiOWoOs2nYpCYsRFvP2G0llK2mJjYQbEp0SkFjcZMtvN1+
tOo89/byhA6lKC1dQBeZrkZ7UnrzuRYvEx/GhyK1jB7sI0CHtccnRGdb+u0h
2xLSXkzPQNP2DZKukRqX7W617U9cjU1RxD0H5aJfv9ckyfctwI3v054zgU2g
Vqc0mmDxRoWns+d39DRvPxowh1SOpZMldJrd2eqQtndq4ohELmgklS8rbefB
cZzn+tSnFtalrH7+wWYBu072ZnXHwGbSzkDNkzGdHDoZPtzGsBmLEjYzAGQD
95YaCkAFElo/z2LNM0ngWfuUbAiZ2quqmHQpS+Jjvy/B9BoTtNw2quBvM6k3
s/zXnO6MbO8Di1Boo+U4f7JpYh+nGhKpLmcjhPUU4H0FwAszxr0TveIxt4DM
qD5GsbPowICkYSAvub1morkOYr0pq+jwsSG+LQfibEpLI83G/dHLGOEqd/Cw
4ystZhN2NGXGc1CMHFqQE/nlpmOYobamaQlVS+Jo3Na11Ds0qRDZhVW7HCum
5AzBIuQPxkWWU50nmHcslDf4pAnFTti3UHsGlbgA2QUCl5QfKTnBp7XWu5SF
2ns0AcyV+giAtEGmpciy4VYyqtLR0lxl0c7iXlbLcZeAZApjGpFcado3Hm+A
UJMAzH7wNNSm3wcgKltiW1W6ki7vSibvjmr0qFnIRvTtcR/FqKnsY5ZBH7Fs
mIcfbSxhHgbgcbDOyygmLLeEWQbLgGXVknE5+nPHkmyiX5acbpJaD2TlMi+1
3cNXM5cUYzildi0l1lC9kUQyS7eRstIYgQnGUZsG5Yy5riml4qDNkbEkfnJ/
JIQzpEWxEc/wZU32v963M7FxV9m1k4hZhc5JAwFA6wzT0FLLns0k6BYzdPB2
Q73zcim9cy994cn7oiHbu+VH78DSG2b3k/yoAO/OkfJinLAhWY/gwc6rWhSP
7SWIJXvRayUzJ0gsdQic2hegqqGO99U4Z1KmTlBSzGDpyF1lxVRuINADp/rA
uwfN24Yz7FOy7JxeKMizAC837PFC5t2LQYJMVWRdpPAVcx8w7zld4JOiQ6wb
bOoJOM624TID5bcJaVrqHepkgCYkKeY7AbAqE6oQ8FebsZ4eU7wVvdMqxFA6
Z7oqKjYZmhoozksbAULjUwGZV3A4m7UwX3nB90mztLmAshtJr08Kx8nNANpQ
U4fQIxb94Z8ZRG5CDcZuzrn9WVa/ibk8vi8RjgaWHEjpsQxd/ptCAQAreCby
pnpjJz0GV4OquleZGZoj12Q53aEKfQX2f//jP/vXWjpw8Pr0WHripdWKE8Lj
pkcsGk22+MoVcaHbjX109H5PkLkdJNFDkf8jun/NrelNv7ZEKeDuCzqBJnsE
+lFvBPky33DXP1fs8gShFy5ADposjzU8cCC4X0qWM+jYDIwvYqvFyvt3ybHA
qxNiMZ4BAPObcaUXB7+X60Q9HmmTBV9IFy1llvBtOvO3tJ5QqJNz3zkJCUuq
UUklICtdy9Jwe1fDSK9dRCFHe8kYy8RKebdNSWdznwgpetNwne2ObhHT6xY5
y2HMs5qqsqlFoo0KqdL+ln7XiuGuFctgJW1Y4YRoaLKoRn9iFebrSFInEWFi
AnAXgkkOUvfKjbQ/yo6u6EtZktxeaw9fIlyYu5t7iISpCKSKc9etToJBy9fS
qAnmC2m7mmc5XX6kwJNeciKDLfhp8H0xxWjU7zLE9lpakllDlLXU356k/NUj
fsPZPI03jfnITDl5PdrUmrQCfUFXDq/d2icO5yzPWkeZL8JFc77rPpbe3qEe
ki+d00V4OsKaeNivr7qWDAac0X+wRSUCaLNSaGoTT+Q/J1AunStTuqJiMLxn
zJXUSW/TBfcSd2i47PQvkQAjjWec2m7H1ABTIbrJp1wQ4ojNx1K/VNS1NZRB
MDjzo/2NW3S5rx/tGe8fL46Se4Y/mh/3B+mf+Lb/OZ6zQoA4HxtlenEhTLsg
gb7oaHdBk6cGqTco6aeO3dl3NKnm0hJMsyXthb3Zni5JZ69T264vFW83Po+d
9UVevtG+gGUJH2XjNxFKyUS0BcpNJ1QlC84vTlL/GDaQtuFoReICE+yTmuzP
szqb+f23s2K/9Pskqvz5wI+vxhcbWOzbn9i0ofIiNmqoRRKIEZJfATRcueXL
KHqjJBRVkyuLqV+uKm2Oe9Aj87sHyWyaRO/vivqRl+bsX3tZpgSIyjsxaa+8
tijFy2nhjNTTw30RS/BKj8tZPlqArsFpBo6UUI680nRpo2yHqlZdxTHJVRzq
afh6xTpp/rJPEklaJIa0u9tslmge26B7JoJoql3cSZiV7O9fvel7fl4f1Fu5
Uckk+y7f0tuuSbarzd4saeIfbDsXd53pVUNtP1kmK6LApJ1MdjkoqN8utWvD
e3zG591Ny0FvesKwQTPsOixuKqAg1b5YieOzZYHe+P/jh+T0no8/wP+e7GtX
YeOkXXozaRdXoVqGHKOFnSACm4dyq2R817kdfUNbCLAOqfD2E82TalMHX21L
u80D+pDu8qH5NDImDPoiPR+Ot7dF9b9JDnDastHno8gmtSXiC0tNVK7s3u8R
J/f+zi3EqiHf9G/ZAb4KjYQwdLGpkONaCrFvspCClqsQy52ZoRumu3Ytt3Ao
A9xQvNallbaH9hD8bBvX682IACu9L0G1otDE9n5odoZalHZaFpLuEr0gTZ/N
kg4QjI2tLdSO9XBoD7jNQ8BkUrhf1ZTQbwpdKm+QfKcVDu7MpBt5CEOzMSXx
OJqGqaHUaThZsiRNEJLqBGZi38LQPBra3y7fZO4FABrv3N+aYuOtcMpduugx
gdYmhfRzdSzBwz+xx1Mlv46AHTn53dHLFwfHJ52P0J/E6PdENlfye1LaN6Dr
BsEKK3PcOeExU4mxg8EXUytTKByckgYG4HGr9XOJObGLdHjHUWKrVulyhqjZ
bSdT8h052cQtt97zYFzhLOTGy63jygR3nvmDOxxV7GBubY8zyvdv79aYJnvj
fGw1kRSLzJA4ONZ1N2GagqVzu/vBPa7YHkUHm2EuXePj5ytXACmZcSyWotv1
fVJ/Z4wmrac8h5SJaWPebg929LaPb0l1S3fDiibenSbLGy0j89jU2ZLh1vbh
XlYmNvPNJIefSXbrc5khXyJByMRr96EsHNuulUB8Z4jYvkT0IJQf1jRwYHeI
cKd/XXEpFDu+dbEt3kdLAxLtdLsVotxOWHU36+7+uSX9DZMVuqxX6YxIkt6m
W/YPQ/ntkjM3brlKeqgn1xyvkaSmENvHLr1gSNXWcBxRNWAmJhX5wLizp4fS
5Ug/Zff+veHGQFCGL3zABjf8G1UCJEFpEQb2fsFfcq0LlgIxHV31UmqmP24D
omvsyqHSSO9Sd+A05VC48Ri4HFg1MZzG++r8/BVZ30NWa+1lD0llCZ+pwgdX
8vzMjl2tv3LgjJab9HYJH6FcaPMR/+BG7Ev/Jr1CH8lHQUNUw0DafwAZu9uW
CRXNstAmJ9b9xDPr6rQ/+XEHrayZ5KhJLBXlRFmSZrW136lXUO2Kx12Fh1PN
IosmlADuz4jbuzPi5tY1uPsy4r2MQ7gbUeQz6RhxSmqAju43ysKO2pFv8kZs
iDwmvxdUViapnbZzpqrwn9u2aWceqsql/fgzZiBHKKSH3KpgstjEQ3ZNJOqc
xVKVt4pRKqQgShRCpjrrGs+kmyDUZeRCWTq6A3Cx3SQUuG41IpGKmK4MS22H
SRd33Bdtt64Kr1cu3SS0Mchv5WlzQtCLTb1+KG6GrpvQnRG6txXnwd4xsiux
CYRNxJXrxdOuDURbL+jX6KhhYtnK9a8Uxb4Sqs2PuxIeD820ZMNJf2OetUxU
7ZCX3LKO719pu0Xd2D5ImEK/DRaKKyT9a+dUI+MGdPpxPcJ1dJiD8ZuyuoF/
kou13rzbb0vpf3KT93ou/m2LXG6mVpyg1jb5s8OvDin7mKv1kOIgUbL/86lD
838Yi3TQoFgAAA==

-->

</rfc>
