<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-gakiwate-dnsop-proxy-dns-svcb-00" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title>HTTP Header Fields for Proxying DNS SVCB Information</title>
    <seriesInfo name="Internet-Draft" value="draft-gakiwate-dnsop-proxy-dns-svcb-00"/>
    <author fullname="Gautam Akiwate">
      <organization>Apple Inc</organization>
      <address>
        <email>gakiwate@apple.com</email>
      </address>
    </author>
    <author fullname="Tommy Pauly">
      <organization>Apple Inc</organization>
      <address>
        <email>tpauly@apple.com</email>
      </address>
    </author>
    <author fullname="Erik Nygren">
      <organization>Akamai Technologies</organization>
      <address>
        <email>erik+ietf@nygren.org</email>
      </address>
    </author>
    <date year="2026" month="July" day="04"/>
    <area>Operations and Management</area>
    <workgroup>Domain Name System Operations</workgroup>
    <abstract>
      <?line 42?>

<t>When HTTP clients use the CONNECT method or UDP proxying (CONNECT-UDP) to reach target servers
through a proxy, the proxy performs DNS resolution on behalf of the client. This
prevents the client from accessing Service Binding (SVCB and HTTPS) DNS records
that carry service configuration such as supported protocols and Encrypted
Client Hello keys. This document defines HTTP header fields that enable the
proxy to relay SVCB information to the client, and introduces a conditional
early closure mechanism that allows the client to coordinate with the proxy to
abort a connection when specific SVCB parameters are present, so that the
client can retry with a different connection strategy.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://gakiwate.github.io/draft-gakiwate-dnsop-proxy-dns-svcb/draft-gakiwate-dnsop-proxy-dns-svcb.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-gakiwate-dnsop-proxy-dns-svcb/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Domain Name System Operations Working Group mailing list (<eref target="mailto:dnsop@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/dnsop/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/dnsop/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/gakiwate/draft-gakiwate-dnsop-proxy-dns-svcb"/>.</t>
    </note>
  </front>
  <middle>
    <?line 54?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>The CONNECT method <xref target="RFC9110"/> and UDP proxying <xref target="RFC9298"/> via Extended CONNECT allow
HTTP clients to establish TCP or UDP flows to target servers through an HTTP
proxy. The client identifies the Proxy Target using authority-form (in <xref target="RFC9110"/>),
or a URI Template <xref target="RFC6570"/> for CONNECT-UDP.  The Proxy Target includes a
The CONNECT method <xref target="RFC9110"/> and UDP proxying ("connect-udp", defined in <xref target="RFC9298"/>) allow
HTTP clients to establish TCP or UDP flows to target servers through an HTTP
proxy. The client identifies the Proxy Target using authority-form (in <xref target="RFC9110"/>),
or a URI Template <xref target="RFC6570"/> for UDP proxying.  The Proxy Target includes a
server name or IP address and a port number. When the Proxy Target is a name, the
proxy resolves it to an IP address using A or AAAA queries.</t>
      <t>This arrangement prevents the client from accessing Service Binding (SVCB and
HTTPS) resource records <xref target="RFC9460"/> for the target. SVCB records carry
configuration that influences how connections should be formed, including
supported application protocols (ALPN), Encrypted Client Hello keys, and
alternative endpoints.</t>
      <t>This document defines two mechanisms that address this gap:</t>
      <ul spacing="normal">
        <li>
          <t>A pair of HTTP header fields that allow the client to request, and the proxy
to convey, SVCB parameters for the target (<xref target="requesting-and-receiving-svcb-information"/>).</t>
        </li>
        <li>
          <t>A conditional closure mechanism that allows the client to request that the
proxy abort the connection if certain conditions are met, returning the
data so the client can retry with a different strategy (<xref target="conditional-connection-closure"/>).</t>
        </li>
      </ul>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>The following terms are used throughout this document:</t>
      <ul spacing="normal">
        <li>
          <t><strong>ServiceMode RR</strong>: An SVCB or HTTPS resource record with a non-zero
SvcPriority value, as defined in <xref target="RFC9460"/>.</t>
        </li>
        <li>
          <t><strong>AliasMode RR</strong>: An SVCB or HTTPS resource record with SvcPriority 0,
as defined in <xref target="RFC9460"/>.</t>
        </li>
        <li>
          <t><strong>Highest-priority RR</strong>: The ServiceMode RR in a resolved RRset with the
lowest non-zero SvcPriority value.</t>
        </li>
        <li>
          <t><strong>Selected Endpoint</strong>: The SVCB or HTTPS resource record selected
by the client to use, as defined by the algorithm in <xref target="RFC9460"/> Section 3.</t>
        </li>
        <li>
          <t><strong>Selected TargetName</strong>: The TargetName of the Selected Endpoint.
When the TargetName of the resource record is ".",
the Selected TargetName is the owner name of the resource record.</t>
        </li>
        <li>
          <t><strong>Proxy Target</strong>: The target server name (or IP address), target port, and protocol
that the client has requested the proxy connect to,
as specified in the authority-form (for CONNECT)
or in a URI Template (for UDP proxying).</t>
        </li>
      </ul>
    </section>
    <section anchor="requesting-and-receiving-svcb-information">
      <name>Requesting and Receiving SVCB Information</name>
      <t>This section defines two HTTP header fields that allow a client to request SVCB
parameters from the proxy and receive the resolved data in the response.</t>
      <section anchor="the-proxy-dns-svcb-request-header-field">
        <name>The Proxy-DNS-SVCB-Request Header Field</name>
        <t>The "Proxy-DNS-SVCB-Request" header field is a Structured Field <xref target="RFC8941"/>
whose value <bcp14>MUST</bcp14> be an sf-token. A client includes this header field to
signal that it wants the proxy to resolve and return DNS resource records
of the indicated type for the target. The token value <bcp14>MUST</bcp14> be <tt>SVCB</tt>
or another SVCB-compatible record type (such as <tt>HTTPS</tt>):</t>
        <ul spacing="normal">
          <li>
            <t><tt>SVCB</tt>: the proxy is requested to resolve SVCB resource records.</t>
          </li>
          <li>
            <t><tt>HTTPS</tt>: the proxy is requested to resolve HTTPS resource records.</t>
          </li>
        </ul>
        <t>For SVCB records that are on a different name from the Proxy Target name,
the field <bcp14>MAY</bcp14> include a <tt>name</tt> parameter, whose value is an sf-string
specifying the DNS name to resolve. If the <tt>name</tt> parameter is omitted,
the proxy resolves the record(s) for the target's own origin.</t>
        <t>If the header field is absent, the client is not requesting DNS SVCB
resolution from the proxy.</t>
        <t>A proxy that receives a "Proxy-DNS-SVCB-Request" header field whose value is not
<tt>SVCB</tt>, <tt>HTTPS</tt>, or another SVCB-compatible RR type that it recognizes
<bcp14>MUST</bcp14> ignore the header field.</t>
        <sourcecode type="example"><![CDATA[
proxy-dns-svcb-request: HTTPS
]]></sourcecode>
        <sourcecode type="example"><![CDATA[
proxy-dns-svcb-request: SVCB;name="_dns.example.com"
]]></sourcecode>
        <t>A proxy <bcp14>MAY</bcp14> choose to ignore the "Proxy-DNS-SVCB-Request" header field
if it is not known to be related to the Proxy Target name.</t>
      </section>
      <section anchor="the-proxy-dns-svcb-response-header-field">
        <name>The Proxy-DNS-SVCB-Response Header Field</name>
        <t>The "Proxy-DNS-SVCB-Response" header field is a Structured Field <xref target="RFC8941"/>
that conveys the HTTPS resource records resolved by the proxy for the target
authority. The field value is an sf-list where each member is an sf-binary item
containing a single HTTPS resource record in DNS wire format as defined in
Section 3.2.1 of <xref target="RFC1035"/>. Each encoded record includes the owner name,
TYPE, CLASS, TTL, and RDATA. Owner names in the encoded records <bcp14>MUST NOT</bcp14> use
DNS name compression.</t>
        <t>The proxy <bcp14>SHOULD</bcp14> include every SVCB or HTTPS record encountered during
resolution, including any AliasMode records that were followed. This
gives the client visibility into the full resolution path, not just
the terminal records.</t>
        <sourcecode type="example"><![CDATA[
proxy-dns-svcb-response: :AAEGYW...:, :AAIHc3...:
]]></sourcecode>
        <t>Each sf-binary item encodes one complete DNS resource record. The owner name
identifies the name at which the record was resolved; the RDATA contains the
SvcPriority, TargetName, and SvcParams as defined in Section 2.2 of
<xref target="RFC9460"/>.</t>
        <section anchor="empty-and-absent-responses">
          <name>Empty and Absent Responses</name>
          <t>If the proxy was unable to resolve HTTPS records, or if resolution returned no
HTTPS records for the target, the proxy <bcp14>MUST</bcp14> include the header field with
an empty list. If the header field is absent from the response, the client
<bcp14>SHOULD</bcp14> treat the HTTPS record information as unknown.</t>
          <sourcecode type="example"><![CDATA[
proxy-dns-svcb-response:
]]></sourcecode>
        </section>
        <section anchor="signaling-dns-name-resolution">
          <name>Signaling DNS Name Resolution</name>
          <t>When returning a <tt>Proxy-DNS-SVCB-Response</tt> header field the proxy <bcp14>SHOULD</bcp14> also
return a <tt>Proxy-Status</tt> header field (<xref target="RFC9209"/>) to return a <tt>next-hop</tt> parameter
and also the <tt>next-hop-aliases</tt> parameter (<xref target="RFC9532"/>).
These will allow the client to determine how the proxy's connection was made
and if it is compatible with a given Selected Endpoint.</t>
        </section>
      </section>
      <section anchor="processing-rules">
        <name>Processing Rules</name>
        <section anchor="client-behavior">
          <name>Client Behavior</name>
          <t>A client that wishes to receive SVCB/HTTPS information <bcp14>SHOULD</bcp14> include the
"Proxy-DNS-SVCB-Request" header field in its CONNECT or CONNECT-UDP request.</t>
          <t>Upon receiving a "Proxy-DNS-SVCB-Response" header field, the client parses each
sf-binary member as a complete DNS resource record and uses the resulting
records to inform connection establishment, following the algorithm defined
in <xref target="RFC9460"/> Section 3 to pick a Selected Endpoint.
If the header field contains an empty list or is
absent, the client treats the SVCB/HTTPS record information as unknown
meaning that SVCB resolution has failed, and the list of available endpoints is empty.</t>
          <t>Prior to using a connection established by the proxy as a Selected Endpoint,
the client <bcp14>MUST</bcp14> ensure that it is compatible.</t>
          <t>An established connection is compatible if the protocol (TCP or UDP) of
the Selected Endpoint matches what was used
to establish the connection (ie, via CONNECT or UDP proxying),
if the port of the Selected Endpoint matches that used for the Proxy Target,
<em>and</em> if at least one of the following applies:</t>
          <ul spacing="normal">
            <li>
              <t>The Selected TargetName matches the Proxy Target for the connection.</t>
            </li>
            <li>
              <t>An <tt>ipv4hint</tt> or <tt>ipv6hint</tt> SvcParam from the Selected Endpoint matches the <tt>next-hop</tt>
parameter returned from the <tt>Proxy-Status</tt> header field.</t>
            </li>
            <li>
              <t>The final name in the <tt>next-hop-aliases</tt> of the <tt>Proxy-Status</tt> header field
matches the Selected TargetName.  (ie, that the Selected TargetName shares
an owner name with the A or AAAA DNS records used to resolve the <tt>next-hop</tt>.)</t>
            </li>
          </ul>
          <t>If the proxy connection is compatible and connection establishment succeeded,
the client <bcp14>SHOULD</bcp14> continue to use it as the Selected Endpoint.</t>
          <t>If the Selected Endpoint is not compatible, the client <bcp14>MUST</bcp14> abandon this
CONNECT request and establish a new CONNECT/CONNECT-UDP where the client
provides the final Selected TargetName and port to the proxy as a new Proxy Target,
as described in <xref target="RFC9460"/> Section 3.2.</t>
          <t>Clients <bcp14>SHOULD</bcp14> obey the TTLs in the DNS RRs and request new ones
on subsequent requests if previously cached ones have expired in cache.</t>
        </section>
        <section anchor="proxy-behavior">
          <name>Proxy Behavior</name>
          <t>Support for the "Proxy-DNS-SVCB-Request" header field is <bcp14>OPTIONAL</bcp14>. A proxy that
does not support it <bcp14>MUST</bcp14> ignore the header and continue processing the request
normally. In that case, the response will not include the
"Proxy-DNS-SVCB-Response" header field.</t>
          <t>A proxy that supports the header field:</t>
          <ul spacing="normal">
            <li>
              <t><bcp14>SHOULD</bcp14> perform a SVCB or HTTPS RR resolution for either the Proxy Target
name or the value of the <tt>name</tt> attribute if specified.</t>
            </li>
            <li>
              <t><bcp14>SHOULD</bcp14> include the <tt>Proxy-DNS-SVCB-Response</tt> header field in its response.</t>
            </li>
            <li>
              <t><bcp14>SHOULD</bcp14> include the <tt>Proxy-Status</tt> header field with both the
<tt>next-hop</tt> parameter containing the IP address and <tt>next-hop-aliases</tt>
parameter containing any CNAMEs.</t>
            </li>
            <li>
              <t><bcp14>MUST</bcp14> include the header field with an empty list if resolution fails or
returns no SVCB/HTTPS records.</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="example">
        <name>Example</name>
        <t>The client sends a CONNECT request requesting SVCB information:</t>
        <sourcecode type="example"><![CDATA[
HEADERS
:method = CONNECT
:authority = www.example.com:443
proxy-dns-svcb-request: HTTPS
]]></sourcecode>
        <t>The proxy resolves HTTPS records for <tt>www.example.com</tt> and finds a ServiceMode
RR with <tt>h3</tt> ALPN and an ECH configuration. The proxy returns the HTTPS
resource record:</t>
        <sourcecode type="example"><![CDATA[
HEADERS
:status = 200
proxy-dns-svcb-response: :AAEGYW...:
proxy-status: proxy.example; next-hop="2001:db8:a::b"
]]></sourcecode>
        <t>where the proxy-dns-svcb-response contains the DNS RR:</t>
        <sourcecode type="example"><![CDATA[
www.example.com. 300 IN HTTPS 1 . alpn=h2,h3 ipv6hint="2001:db8:a::b" ech=...
]]></sourcecode>
        <t>The client may use the conveyed parameters to use CONNECT-UDP for any future
connections to <tt>www.example.com</tt>.</t>
        <t>It may also reuse the established connection with the HTTPS record containing
the ECH configuration since the Selected TargetName from the HTTPS record was
<tt>www.example.com</tt> and because its <tt>ipv6hint</tt> SvcParam includes <tt>2001:db8:a::b</tt>.</t>
      </section>
    </section>
    <section anchor="conditional-connection-closure">
      <name>Conditional Connection Closure</name>
      <section anchor="motivation">
        <name>Motivation</name>
        <t>A client may prefer a different connection strategy based on the SVCB
information for the target. For example, the client might prefer CONNECT-UDP
when the target supports <tt>h3</tt>, or use Encrypted Client Hello when the target
publishes ECH keys.</t>
        <t>Without coordination, the client learns this only after the proxy has
established the forwarded connection. Tearing that connection down and
retrying wastes potentially multiple round trips in the case of HTTP/1.1.
The mechanism in this section lets the client
signal conditions under which the proxy should abort before connecting and
return the SVCB data immediately.</t>
        <t>The mechanism in this section also enables a client using HTTP/2 or HTTP/3
to pipeline DATA frames with a TLS ClientHello with a reduced chance that
those will leak TLS SNI information to services supporting ECH.</t>
      </section>
      <section anchor="the-proxy-dns-svcb-request-cancel-on-header-field">
        <name>The Proxy-DNS-SVCB-Request-Cancel-On Header Field</name>
        <t>The "Proxy-DNS-SVCB-Request-Cancel-On" header field is a Structured Field
<xref target="RFC8941"/> whose value is an sf-list of sf-token items. Each token names a
condition that, if satisfied by the resolved SVCB data, should cause the proxy
to skip the request without establishing the forwarded connection.</t>
        <t>The set of tokens is open-ended, and any token that the client and proxy
mutually understand can be used; this document defines an initial set of tokens
that clients and proxies must support, but deployments are free to use
additional tokens registered through the process described in
<xref target="iana-considerations"/> or agreed upon out-of-band.</t>
        <sourcecode type="example"><![CDATA[
proxy-dns-svcb-request-cancel-on: h3-alpn, ech-defined
]]></sourcecode>
        <section anchor="initial-tokens">
          <name>Initial Tokens</name>
          <t>This document defines the following tokens. These are starting points covering
common cases; they do not constrain what other tokens may be defined or used.</t>
          <dl>
            <dt>h3-alpn:</dt>
            <dd>
              <t>The condition is satisfied if the ALPN SvcParamKey of the highest-priority RR
contains the "h3" protocol identifier. A client includes this token when it
prefers CONNECT-UDP for targets that support HTTP/3.</t>
            </dd>
            <dt>ech-defined:</dt>
            <dd>
              <t>The condition is satisfied if the ECH SvcParamKey is present in the
highest-priority RR. A client includes this token when it prefers to use
Encrypted Client Hello when connecting to the target.</t>
            </dd>
            <dt>https:</dt>
            <dd>
              <t>The condition is satisfied if any HTTPS RR is found.
This indicates that the client must not establish an insecure HTTP connection.</t>
            </dd>
          </dl>
        </section>
        <section anchor="evaluation-rules">
          <name>Evaluation Rules</name>
          <t>The proxy evaluates each recognized token against the resolved SVCB/HTTPS RRset
as follows:</t>
          <ul spacing="normal">
            <li>
              <t>Evaluation is performed against only the highest-priority RR (the RR with the
lowest non-zero SvcPriority value).</t>
            </li>
            <li>
              <t>AliasMode records <bcp14>MUST</bcp14> be followed before evaluation.</t>
            </li>
            <li>
              <t>All recognized tokens are evaluated independently. The order in which tokens
appear does not indicate precedence.</t>
            </li>
            <li>
              <t>The "h3-alpn" token <bcp14>MUST NOT</bcp14> be evaluated when the client's request uses the
CONNECT-UDP method, since the client is already using a UDP-based tunnel.</t>
            </li>
            <li>
              <t>Unknown tokens <bcp14>MUST</bcp14> be silently ignored.</t>
            </li>
          </ul>
        </section>
        <section anchor="extensibility">
          <name>Extensibility</name>
          <t>New tokens can carry new evaluation semantics. For example, a token could
trigger closure if any RR in the RRset satisfies a condition, rather than only
the highest-priority RR. The evaluation rules above apply to the tokens defined
in this document; new tokens define their own.</t>
        </section>
      </section>
      <section anchor="the-proxy-dns-svcb-response-cancelled-on-header-field">
        <name>The Proxy-DNS-SVCB-Response-Cancelled-On Header Field</name>
        <t>The "Proxy-DNS-SVCB-Response-Cancelled-On" header field is a Structured Field
<xref target="RFC8941"/> whose value is an sf-list of sf-token items. The proxy includes
this header field when it cancels making the connect
request due to a satisfied condition.</t>
        <ul spacing="normal">
          <li>
            <t>The proxy <bcp14>MUST</bcp14> report all tokens whose conditions were satisfied.</t>
          </li>
          <li>
            <t>The proxy <bcp14>MUST NOT</bcp14> include tokens that were absent from the client's
"Proxy-DNS-SVCB-Request-Cancel-On" header field.</t>
          </li>
          <li>
            <t>The proxy <bcp14>MUST NOT</bcp14> include tokens whose conditions were not satisfied.</t>
          </li>
        </ul>
        <sourcecode type="example"><![CDATA[
proxy-dns-svcb-response-cancelled-on: h3-alpn
]]></sourcecode>
      </section>
      <section anchor="processing-rules-1">
        <name>Processing Rules</name>
        <section anchor="proxy-behavior-1">
          <name>Proxy Behavior</name>
          <t>A proxy that supports the "Proxy-DNS-SVCB-Request-Cancel-On" header field <bcp14>MUST</bcp14>
evaluate each recognized token against the resolved SVCB/HTTPS RRset prior to
establishing the forwarded connection.</t>
          <t>If one or more conditions are satisfied:</t>
          <ul spacing="normal">
            <li>
              <t>The proxy <bcp14>SHOULD NOT</bcp14> establish the forwarded connection.</t>
            </li>
            <li>
              <t>The proxy <bcp14>SHOULD</bcp14> cancel the request with HTTP status code 307 and include the
"Proxy-DNS-SVCB-Response-Cancelled-On" header field indicating the satisfied
tokens.</t>
            </li>
            <li>
              <t>The proxy <bcp14>MUST</bcp14> include the "Proxy-DNS-SVCB-Response" header field with the
resolved HTTPS records, so the client can retry using the conveyed information
without an additional DNS resolution.</t>
            </li>
          </ul>
          <t>[TODO: 307 (Temporary Redirect) is used as a placeholder to signal that the
request was not fulfilled. This may change based on discussions.
We may wish to specify that Location not be sent.  We may
also wish to consider moving Proxy-DNS-SVCB-Response-Cancelled-On into
Proxy-Status.
]</t>
          <t>A proxy that does not support the "Proxy-DNS-SVCB-Request-Cancel-On" header field
<bcp14>MUST</bcp14> ignore it and proceed normally.</t>
        </section>
        <section anchor="client-behavior-1">
          <name>Client Behavior</name>
          <t>Clients establishing an insecure HTTP connection to port 80 <bcp14>SHOULD</bcp14>
send <tt>https</tt> as a "Proxy-DNS-SVCB-Request-Cancel-On" value.</t>
          <t>Upon receiving a "Proxy-DNS-SVCB-Response-Cancelled-On" header field, the client
parses the accompanying "Proxy-DNS-SVCB-Response" and inspects the satisfied
tokens to determine its retry strategy:</t>
          <ul spacing="normal">
            <li>
              <t>If <tt>h3-alpn</tt> is present, the client <bcp14>SHOULD</bcp14> retry using CONNECT-UDP with ALPN
values from the highest-priority RR in the conveyed records.</t>
            </li>
            <li>
              <t>If <tt>ech-defined</tt> is present, the client <bcp14>SHOULD</bcp14> retry using Encrypted Client
Hello with the ECH keys from the highest-priority RR in the conveyed records.</t>
            </li>
            <li>
              <t>If <tt>https</tt> is present, the client <bcp14>MUST</bcp14> upgrade to an HTTPS request
as described in <xref target="RFC9460"/>.</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="example-1">
        <name>Example</name>
        <t>The client sends a CONNECT request and indicates that it strongly prefers
CONNECT-UDP if the target supports it by including the h3-alpn token:</t>
        <sourcecode type="example"><![CDATA[
HEADERS
:method = CONNECT
:authority = www.example.com
proxy-dns-svcb-request: HTTPS
proxy-dns-svcb-request-cancel-on: h3-alpn
]]></sourcecode>
        <t>The proxy resolves a single ServiceMode RR:</t>
        <sourcecode type="dns"><![CDATA[
www.example.com. 300 IN HTTPS 1 www.example.com alpn=h2,h3
]]></sourcecode>
        <t>The highest-priority RR contains <tt>h3</tt> in ALPN, so the condition is satisfied.
The proxy cancels the request and does not make the connection:</t>
        <sourcecode type="example"><![CDATA[
HEADERS
:status = 307
proxy-dns-svcb-response-cancelled-on: h3-alpn
proxy-dns-svcb-response: :AAEGYW...:
]]></sourcecode>
        <t>The client observes the satisfied condition and retries with CONNECT-UDP:</t>
        <sourcecode type="example"><![CDATA[
HEADERS
:method = CONNECT
:protocol = connect-udp
:scheme = https
:path = /.well-known/masque/udp/www.example.com/443/
:authority = proxy.example
capsule-protocol = ?1
]]></sourcecode>
        <t>The client need not request the HTTPS RR data again since it already has the
information it needs. The client signals this by omitting the
"Proxy-DNS-SVCB-Request" header field entirely.</t>
      </section>
    </section>
    <section anchor="combined-examples">
      <name>Combined Examples</name>
      <section anchor="successful-connect-with-svcb-parameters">
        <name>Successful CONNECT with SVCB Parameters</name>
        <t>The client requests SVCB information via CONNECT:</t>
        <sourcecode type="example"><![CDATA[
HEADERS
:method = CONNECT
:authority = svc.example.com:8000
proxy-dns-svcb-request: SVCB;name="_8000._foo.svc.example.com"
]]></sourcecode>
        <t>The proxy resolves the SVCB RR for svc.example.com and returns
it in a header:</t>
        <sourcecode type="example"><![CDATA[
HEADERS
:status = 200
proxy-dns-svcb-response: :AAEGYW...:
proxy-status: proxy.example; next-hop="2001:db8:a::b"
]]></sourcecode>
        <t>Within <tt>proxy-dns-svcb-response</tt> is the single DNS RR:</t>
        <sourcecode type="dns"><![CDATA[
_8000._foo.svc.example.com. 300 IN SVCB 1 svc.example.com port=8000 ech=...
]]></sourcecode>
        <t>The client selecting to use this ServiceMode RR
confirms that the Selected TargetName matches the Proxy Target used
(also <tt>svc.example.com</tt>) and that the ports match (8000)
so it is able to use the proxy connection
and send a TLS ClientHello using ECH and the SVCB record.</t>
      </section>
      <section anchor="multiple-rrs-with-different-priorities">
        <name>Multiple RRs with Different Priorities</name>
        <t>The client sends CONNECT requesting SVCB information with <tt>h3-alpn</tt> cancel-on:</t>
        <sourcecode type="example"><![CDATA[
HEADERS
:method = CONNECT
:authority = www.example.com:443
proxy-dns-svcb-request: HTTPS
proxy-dns-svcb-request-cancel-on: h3-alpn
]]></sourcecode>
        <t>The proxy resolves two RRs:</t>
        <sourcecode type="dns"><![CDATA[
www.example.com. 300 IN HTTPS 1 svc1.example.com. alpn=h2,h3 ech=...
www.example.com. 300 IN HTTPS 2 svc2.example.com. alpn=h2
]]></sourcecode>
        <t>The highest-priority RR (priority 1) contains <tt>h3</tt> in ALPN. The proxy cancels
making the connect request:</t>
        <sourcecode type="example"><![CDATA[
HEADERS
:status = 307
proxy-dns-svcb-response-cancelled-on: h3-alpn
proxy-dns-svcb-response: :AAEGYW...:, :AAIHc3...:
]]></sourcecode>
        <t>The client retries with CONNECT-UDP using the Selected TargetName
of the Selected Endpoint. The proxy re-resolves and connects
this new Proxy Target requested by the client:</t>
        <sourcecode type="example"><![CDATA[
HEADERS
:method = CONNECT
:protocol = connect-udp
:scheme = https
:path = /.well-known/masque/udp/svc1.example.com/443/
:authority = proxy.example
capsule-protocol = ?1
]]></sourcecode>
        <t>The proxy establishes the connection and responds:</t>
        <sourcecode type="example"><![CDATA[
HEADERS
:status = 200
proxy-status: proxy.example; next-hop="2001:db8:a::c"
]]></sourcecode>
        <t>Note that even if the proxy had been instructed to cancel making
the CONNECT request, it still would not have been usable by
the client as neither TargetName (<tt>svc1.example.com</tt> nor <tt>svc2.example.com</tt>)
matches the Proxy Target (<tt>www.example.com</tt>).</t>
      </section>
      <section anchor="aliasmode-and-cancel-on">
        <name>AliasMode and Cancel-On</name>
        <t>The client sends CONNECT requesting SVCB information with both cancel-on conditions:</t>
        <sourcecode type="example"><![CDATA[
HEADERS
:method = CONNECT
:authority = www.example.com:443
proxy-dns-svcb-request: HTTPS
proxy-dns-svcb-request-cancel-on: h3-alpn, ech-defined
]]></sourcecode>
        <t>The proxy resolves <tt>www.example.com</tt> and encounters an AliasMode RR:</t>
        <sourcecode type="dns"><![CDATA[
www.example.com. 300 IN HTTPS 0 cdn.example.
]]></sourcecode>
        <t>The proxy follows the alias and resolves <tt>cdn.example</tt>
which is an alias to <tt>cdn2.example.net</tt>:</t>
        <sourcecode type="dns"><![CDATA[
cdn.example.      900 IN CNAME cdn2.example.net.
cdn2.example.net. 300 IN HTTPS 1 . alpn=h2,h3 ech=...
]]></sourcecode>
        <t>Both <tt>h3-alpn</tt> and <tt>ech-defined</tt> conditions are satisfied. The proxy cancels
and returns both the AliasMode RR for <tt>www.example.com</tt>,
the CNAME for <tt>cdn.example</tt>, and the terminal
ServiceMode RR for <tt>cdn2.example.net</tt> in "Proxy-DNS-SVCB-Response":</t>
        <sourcecode type="example"><![CDATA[
HEADERS
:status = 307
proxy-dns-svcb-response-cancelled-on: h3-alpn, ech-defined
proxy-dns-svcb-response: :AAAGYW...:, :AAEGYW..., :AAEGYW...:
]]></sourcecode>
        <t>Where the "proxy-dns-svcb-response" contains all three RRs:</t>
        <sourcecode type="dns"><![CDATA[
www.example.com. 300 IN HTTPS 0 cdn.example.
cdn.example.      900 IN CNAME cdn2.example.net.
cdn2.example.net. 300 IN HTTPS 1 . alpn=h2,h3 ech=...
]]></sourcecode>
        <t>The client retries with CONNECT-UDP, using ECH with the keys from the response:</t>
        <sourcecode type="example"><![CDATA[
HEADERS
:method = CONNECT
:protocol = connect-udp
:scheme = https
:path = /.well-known/masque/udp/cdn2.example.net/443/
:authority = proxy.example
capsule-protocol = ?1
]]></sourcecode>
        <t>The proxy establishes the connection and responds:</t>
        <sourcecode type="example"><![CDATA[
HEADERS
:status = 200
proxy-status: proxy.example; next-hop="2001:db8:a::c"
]]></sourcecode>
        <t>Over this connection the client establishes its HTTP/3 HTTPS connection
to <tt>www.example.com</tt>.</t>
      </section>
      <section anchor="cancel-on-and-http-connections-to-insecure-port-80">
        <name>Cancel-On and HTTP connections to insecure port 80</name>
        <t>The client sends CONNECT requesting HTTPS RRs
information with only the cancel-on for <tt>https</tt>:</t>
        <sourcecode type="example"><![CDATA[
HEADERS
:method = CONNECT
:authority = www.example.com:80
proxy-dns-svcb-request: HTTPS
proxy-dns-svcb-request-cancel-on: https
]]></sourcecode>
        <t>The proxy resolves <tt>www.example.com</tt> and encounters
that it has a CNAME to a CDN which has an HTTPS RR:</t>
        <sourcecode type="dns"><![CDATA[
www.example.com. 3600 IN CNAME cdn.example.
cdn.example.      600 IN HTTPS 1 . alpn=h2 ech=...
]]></sourcecode>
        <t>Because the <tt>https</tt> condition is satisfied, the proxy cancels
and returns both DNS RRs in "Proxy-DNS-SVCB-Response":</t>
        <sourcecode type="example"><![CDATA[
HEADERS
:status = 307
proxy-dns-svcb-response-cancelled-on: https
proxy-dns-svcb-response: :AAAGYW...:, :AAEGYW...
]]></sourcecode>
        <t>The client retries the CONNECT but this time to port 443 for HTTPS,
using ECH with the keys from the response, and makes the connection
to the TargetName from the HTTPS record:</t>
        <sourcecode type="example"><![CDATA[
HEADERS
:method = CONNECT
:authority = cdn.example:443
]]></sourcecode>
        <t>The proxy establishes the connection and responds:</t>
        <sourcecode type="example"><![CDATA[
HEADERS
:status = 200
proxy-status: proxy.example; next-hop="2001:db8:a::c"
]]></sourcecode>
        <t>Over this connection the client establishes its HTTP/2 HTTPS connection
to <tt>www.example.com</tt> with ECH configuration from the HTTPS RR.</t>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <section anchor="client-trust-of-proxy">
        <name>Client Trust of Proxy</name>
        <t>As the client is relying on the proxy to resolve the SVCB and HTTPS
DNS records for it, the client is trusting the proxy as if it was a recursive
DNS resolver for the client. By omitting or modifying
SVCB/HTTPS RRs, the proxy could prevent the client from using ECH
thus exposing the TLS SNI to the proxy. The proxy could also omit
HTTPS RRs.</t>
      </section>
      <section anchor="proxies-not-supporting-proxy-dns-svcb-request-cancel-on">
        <name>Proxies Not Supporting Proxy-DNS-SVCB-Request-Cancel-On</name>
        <t>If a client assumes that a proxy supports Proxy-DNS-SVCB-Request-Cancel-On
(or assumes it supports a given attribute), the client might end up having
the proxy establish a connection where it would have preferred one
not be created. This would be of particular concern if the client
pipelined DATA frames with payload (eg, the ClientHello with
a cleartext TLS SNI) if it was assuming the proxy would cancel
in the case of ECH being present.</t>
        <t>Clients <bcp14>MUST NOT</bcp14> rely on "Proxy-DNS-SVCB-Request-Cancel-On" with <tt>ech-defined</tt>
for sending H/2 or H/3 DATA frames along with the CONNECT request unless
they have an out-of-band way of ensuring this is supported by the Proxy.</t>
      </section>
      <section anchor="reuse-of-http-connections-to-the-proxy">
        <name>Reuse of HTTP connections to the proxy</name>
        <t>While "Proxy-DNS-SVCB-Request-Cancel-On" allows the connection to an
HTTP/1.1 proxy to be reused for issuing a subsequent CONNECT or CONNECT-UDP
request, this does have risks for HTTP Request Smuggling and request
framing confusion. Clients <bcp14>SHOULD NOT</bcp14> reuse a connection to an HTTP/1.1
proxy after making the initial cancelled CONNECT request and instead
use a fresh connection to the proxy.</t>
      </section>
      <section anchor="lack-of-dnssec-signal">
        <name>Lack of DNSSEC signal</name>
        <t>The DNS RRs returned in "Proxy-DNS-SVCB-Response" do not contain
information about whether the proxy performed DNSSEC validation
of the DNS responses, nor does it contain enough information
for the client to perform DNSSEC validation itself.</t>
        <t>Clients with security or privacy needs relying on DNSSEC <bcp14>SHOULD NOT</bcp14> use
this mechanism and instead should use a separate secure connection
to a DNS resolver for obtaining HTTPS/SVCB RRs along with DNSSEC proofs.</t>
        <t>[TODO: Explore ways for the Proxy to signal DNSSEC information.
Options include:
1) Proxy returns the DNS "AD" flag as part of "Proxy-DNS-SVCB-Response
2) Client adds a "dnssec" attribute to "Proxy-DNS-SVCB-Request"
   which prompts the proxy to include ALL records needed by the client
   to validate DNSSEC proofs as part of the "Proxy-DNS-SVCB-Response" header
   field (which could be quite large).
]</t>
      </section>
      <section anchor="privacy-of-client-preferences">
        <name>Privacy of Client Preferences</name>
        <t>The "Proxy-DNS-SVCB-Request" header field reveals that the client is interested
in SVCB information for the target. The "Proxy-DNS-SVCB-Request-Cancel-On" header
field further reveals the client's connection strategy preferences.</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="http-header-field-registrations">
        <name>HTTP Header Field Registrations</name>
        <t>This document registers the following HTTP header fields in the "Hypertext
Transfer Protocol (HTTP) Field Name Registry" defined in Section 16.3.1 of
<xref target="RFC9110"/>:</t>
        <table>
          <thead>
            <tr>
              <th align="left">Field Name</th>
              <th align="left">Status</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">Proxy-DNS-SVCB-Request</td>
              <td align="left">permanent</td>
            </tr>
            <tr>
              <td align="left">Proxy-DNS-SVCB-Response</td>
              <td align="left">permanent</td>
            </tr>
            <tr>
              <td align="left">Proxy-DNS-SVCB-Request-Cancel-On</td>
              <td align="left">permanent</td>
            </tr>
            <tr>
              <td align="left">Proxy-DNS-SVCB-Response-Cancelled-On</td>
              <td align="left">permanent</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="proxy-dns-svcb-request-cancel-on-token-registry">
        <name>Proxy-DNS-SVCB-Request-Cancel-On Token Registry</name>
        <t>This document establishes a new "Proxy-DNS-SVCB-Request-Cancel-On Tokens"
registry. The registration policy is Specification Required (<xref target="RFC8126"/>).</t>
        <t>Initial entries:</t>
        <table>
          <thead>
            <tr>
              <th align="left">Token</th>
              <th align="left">Description</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">h3-alpn</td>
              <td align="left">ALPN contains "h3" in highest-priority RR</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">ech-defined</td>
              <td align="left">ECH SvcParamKey present in highest-priority RR</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">https</td>
              <td align="left">HTTPS DNS RR is present indicating HSTS-like behavior</td>
              <td align="left">This document</td>
            </tr>
          </tbody>
        </table>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-normative-references">
      <name>Normative References</name>
      <reference anchor="RFC9110">
        <front>
          <title>HTTP Semantics</title>
          <author fullname="R. Fielding" initials="R." role="editor" surname="Fielding"/>
          <author fullname="M. Nottingham" initials="M." role="editor" surname="Nottingham"/>
          <author fullname="J. Reschke" initials="J." role="editor" surname="Reschke"/>
          <date month="June" year="2022"/>
          <abstract>
            <t>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes.</t>
            <t>This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230.</t>
          </abstract>
        </front>
        <seriesInfo name="STD" value="97"/>
        <seriesInfo name="RFC" value="9110"/>
        <seriesInfo name="DOI" value="10.17487/RFC9110"/>
      </reference>
      <reference anchor="RFC9298">
        <front>
          <title>Proxying UDP in HTTP</title>
          <author fullname="D. Schinazi" initials="D." surname="Schinazi"/>
          <date month="August" year="2022"/>
          <abstract>
            <t>This document describes how to proxy UDP in HTTP, similar to how the HTTP CONNECT method allows proxying TCP in HTTP. More specifically, this document defines a protocol that allows an HTTP client to create a tunnel for UDP communications through an HTTP server that acts as a proxy.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="9298"/>
        <seriesInfo name="DOI" value="10.17487/RFC9298"/>
      </reference>
      <reference anchor="RFC6570">
        <front>
          <title>URI Template</title>
          <author fullname="J. Gregorio" initials="J." surname="Gregorio"/>
          <author fullname="R. Fielding" initials="R." surname="Fielding"/>
          <author fullname="M. Hadley" initials="M." surname="Hadley"/>
          <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
          <author fullname="D. Orchard" initials="D." surname="Orchard"/>
          <date month="March" year="2012"/>
          <abstract>
            <t>A URI Template is a compact sequence of characters for describing a range of Uniform Resource Identifiers through variable expansion. This specification defines the URI Template syntax and the process for expanding a URI Template into a URI reference, along with guidelines for the use of URI Templates on the Internet. [STANDARDS-TRACK]</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="6570"/>
        <seriesInfo name="DOI" value="10.17487/RFC6570"/>
      </reference>
      <reference anchor="RFC9460">
        <front>
          <title>Service Binding and Parameter Specification via the DNS (SVCB and HTTPS Resource Records)</title>
          <author fullname="B. Schwartz" initials="B." surname="Schwartz"/>
          <author fullname="M. Bishop" initials="M." surname="Bishop"/>
          <author fullname="E. Nygren" initials="E." surname="Nygren"/>
          <date month="November" year="2023"/>
          <abstract>
            <t>This document specifies the "SVCB" ("Service Binding") and "HTTPS" DNS resource record (RR) types to facilitate the lookup of information needed to make connections to network services, such as for HTTP origins. SVCB records allow a service to be provided from multiple alternative endpoints, each with associated parameters (such as transport protocol configuration), and are extensible to support future uses (such as keys for encrypting the TLS ClientHello). They also enable aliasing of apex domains, which is not possible with CNAME. The HTTPS RR is a variation of SVCB for use with HTTP (see RFC 9110, "HTTP Semantics"). By providing more information to the client before it attempts to establish a connection, these records offer potential benefits to both performance and privacy.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="9460"/>
        <seriesInfo name="DOI" value="10.17487/RFC9460"/>
      </reference>
      <reference anchor="RFC2119">
        <front>
          <title>Key words for use in RFCs to Indicate Requirement Levels</title>
          <author fullname="S. Bradner" initials="S." surname="Bradner"/>
          <date month="March" year="1997"/>
          <abstract>
            <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="2119"/>
        <seriesInfo name="DOI" value="10.17487/RFC2119"/>
      </reference>
      <reference anchor="RFC8174">
        <front>
          <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
          <author fullname="B. Leiba" initials="B." surname="Leiba"/>
          <date month="May" year="2017"/>
          <abstract>
            <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="8174"/>
        <seriesInfo name="DOI" value="10.17487/RFC8174"/>
      </reference>
      <reference anchor="RFC8941">
        <front>
          <title>Structured Field Values for HTTP</title>
          <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
          <author fullname="P-H. Kamp" surname="P-H. Kamp"/>
          <date month="February" year="2021"/>
          <abstract>
            <t>This document describes a set of data types and associated algorithms that are intended to make it easier and safer to define and handle HTTP header and trailer fields, known as "Structured Fields", "Structured Headers", or "Structured Trailers". It is intended for use by specifications of new HTTP fields that wish to use a common syntax that is more restrictive than traditional HTTP field values.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="8941"/>
        <seriesInfo name="DOI" value="10.17487/RFC8941"/>
      </reference>
      <reference anchor="RFC1035">
        <front>
          <title>Domain names - implementation and specification</title>
          <author fullname="P. Mockapetris" initials="P." surname="Mockapetris"/>
          <date month="November" year="1987"/>
          <abstract>
            <t>This RFC is the revised specification of the protocol and format used in the implementation of the Domain Name System. It obsoletes RFC-883. This memo documents the details of the domain name client - server communication.</t>
          </abstract>
        </front>
        <seriesInfo name="STD" value="13"/>
        <seriesInfo name="RFC" value="1035"/>
        <seriesInfo name="DOI" value="10.17487/RFC1035"/>
      </reference>
      <reference anchor="RFC9209">
        <front>
          <title>The Proxy-Status HTTP Response Header Field</title>
          <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
          <author fullname="P. Sikora" initials="P." surname="Sikora"/>
          <date month="June" year="2022"/>
          <abstract>
            <t>This document defines the Proxy-Status HTTP response field to convey the details of an intermediary's response handling, including generated errors.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="9209"/>
        <seriesInfo name="DOI" value="10.17487/RFC9209"/>
      </reference>
      <reference anchor="RFC9532">
        <front>
          <title>HTTP Proxy-Status Parameter for Next-Hop Aliases</title>
          <author fullname="T. Pauly" initials="T." surname="Pauly"/>
          <date month="January" year="2024"/>
          <abstract>
            <t>This document defines the next-hop-aliases HTTP Proxy-Status Parameter. This parameter carries the list of aliases and canonical names an intermediary received during DNS resolution as part of establishing a connection to the next hop.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="9532"/>
        <seriesInfo name="DOI" value="10.17487/RFC9532"/>
      </reference>
      <reference anchor="RFC8126">
        <front>
          <title>Guidelines for Writing an IANA Considerations Section in RFCs</title>
          <author fullname="M. Cotton" initials="M." surname="Cotton"/>
          <author fullname="B. Leiba" initials="B." surname="Leiba"/>
          <author fullname="T. Narten" initials="T." surname="Narten"/>
          <date month="June" year="2017"/>
          <abstract>
            <t>Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA).</t>
            <t>To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry.</t>
            <t>This is the third edition of this document; it obsoletes RFC 5226.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="26"/>
        <seriesInfo name="RFC" value="8126"/>
        <seriesInfo name="DOI" value="10.17487/RFC8126"/>
      </reference>
    </references>
    <?line 796?>

<section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>TODO acknowledge.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA91d+3bbxpn/f55ilv6jkpekLMl1HaZuK8tKrbO27JXkzclp
eyoQGJKoQYDFRTIbp8+yz7JPtt9tBjMgKFNJN9vTnDaRSGAu3+X3XWc0Go1U
ndaZmejB6+vr9/q1iRJT6m9SkyWVnhWlfl8Wn9ZpPtevLq701X+dvtTnOXy+
jOq0yAcqjmozL8r1RFd1olRSxHm0hOGSMprVo3n0Mb2DJ0ZJXhWr0QrHwp9H
1W08HT15oqpmukyrCoaq1yt47fzs+hutH+koqwpYU5onZmXgX3k9GOqBSdK6
KNMow1/OT17Cf2CFg/PL628GKm+WU1NOVALzTVRc5JXJq6aa6LpsjLqd6GMV
lSaCUd+tTEnLr3SUJ/ptlEdzs8Q51F1RfpyXRbOCx14VyyjN9QXsR1+tq9os
dfvmQH00a3g6mahbkzcwo9Y7vqg173XwLUyGlP09voefw2sZfE7E+l1q6tm4
KOf4RVTGC/hiUderanJwgM/hR+mtGdvHDvCDg2lZ3FXmgEY4wDfnab1opvCu
ZcXBDpzBFzP4sqq9Se0bYx5ynBa7DLXLM+NFvcwGSkVNvSiAg3oE82s9a7KM
hen38E201Cc8Bn0JO47y9G9E04k+Wa0yA4IZ03dG6Ggn/V2EX4/jYjnYHPu6
WC7X+n3UZOudB65X+Pi9w56V6Ud9sZ6XJu8b9mMEQ+lrEy/yIivmqamCCQy8
/e/I2d/lNATLgcpZ725B2lRqtZB+G4/HSo1GIx1Nq7qM4lqpbxcm16TUcZaC
cFe6qYyuF0afvru4ODu91ksD9E5QhT68eq9XVtH35PsRfLqv60KD1sQLXUfl
3NS6MuWtKStVL0Bq5wsd8YtDGpl+1CDruLaKIKM0VZE1uG0N/5uaRZTNdDGj
x3lhY329SCu1Ks0tLbP9Rs/KYqmjODYAEbCyK5g7jY1+CbhAKyU8Qh3GfV7t
y4QxqCUuMKp1HJXlmtaM7wEozNJ5w5qoqwZ2FVXw39WqKGuT4PLrIi4yxoWz
PC7XK/hcnfJqXpssKzTofcVL1oB2DeKGTswszU3F5F4whs4YQ2kZJo+mGRFf
MYmIqlm0ZkRNW0TFb1oCDGkhaV6XRdIAFYDasAdAQXgyypSJymwNjxZVUxpg
Z7wAGauWPGcEi70LqAlDxwXQJs1BKfQdqLHHtLpQ0RTIwFPkJqbV3KEQVSsT
p7M05sWuohIkvAYZAFjCt01FK60Knhc3KRPGUQ7brIEDNFmkk3Q2MyV91c6B
AgtGZC0SvEyTJDNKPQK1433jU0pdb0ru99//2+U3p18dHj754QeiVCDH8u3R
V8/h29s00mefarQliRuGSKQCHQEaAewBt9Jqoa9P31vtmDExi44aaKcGrGvM
XhQPR/UUrReQzzAvyJ7qax6lIbFm3Evr9QjFQO+B7fB3tj9UsIhIf7g8B8RY
rhCZ5YFnv/wVbh3ttKe0Y03zBzOleZw1CUrQwwm5NxBujZpkBTaXpR3lMqDx
/r8UPX0KfIGgvHaNwI/bO3+voyQBtWAYAYBEtWL3ZKwJljcWnqJq4wBDDyQI
Om9hipR0F0jiDc1bPcEJT+Af/dcGjIapxqgoOFpZRjl7NfqnIKsSZMW1NCU8
IfBqKfr0mSUYDs7MHDNQ2CcJg1WIvYQUAHtZY3LEtUVx50ECYPKiaLIEzAUO
vTTJUOgNa1MtXqMBTmMescXuvZM37y/2hy1+6w38JlxVUQYolpMJBYROVgUA
rSPgBrbXd0ULsYLrlhk1vjGPVmCJR8CTVZSWaOO2mQPSkw4ylwY4WAniO1hG
ZxFRO781YGK7+BuSXe99/72MAmQawTgjYIFJb/E3crg9OwNqMKa1evbkQZZE
ZmoxX4shYStCD7cYn850bMoa3WI3IdsP2MoQjURT5ih4PBL48BEbFDflPbbE
GhAkgLedUTv/SHZGuwbLcooEzdsQ4BXymBfFhgaERN+R9A7efri6xngD/6sv
3tHPl2f/+eH88uwV/nz1+uTNG/eDkieuXr/78OZV+1P75um7t2/PLl7xy/Cp
Dj5Sg7cn3w1YCgbv3l+fv7s4eTNAqK0DqUTSARdAQUBoTQkqTgpRKYCkuEyn
DM8vT9//z38fPhVlPTo8/AqUlX95fvirp/ALGniercjBl+BfgexrBcoF/gWO
AvwH8q/SGqKyIXlMoK45CHZpgJqP/4CU+dNE/3oarw6f/kY+wA0HH1qaBR8S
zTY/2XiZidjzUc80jprB5x1Kh+s9+S743dLd+/DXv80ABfTo8Plvf6NYRmYF
6gUJrUFvF1kCLnZibVjR1CHTCB0ePxasfVskRl9ePn4M4UDOqg3qTHDbRVsr
8jlI8t9MWYCGXN3G78uUrJy+jQBGiTGblpnweUzznmRpVD14Vn+iJ0OMRb8w
zet0vgBggBhP3uLZkGLhzkm0rJFL4IMKMMx6pRiBFncIMHbTm1seCzkzUHKD
/jpDuJvt3s1V8hpMNF13sA24GJBTHoiyOc6+WHY3DhtjmDvuLImtOyYC7KLa
T2wQtLH+MSzJeQmbz3c3AgI2GA+QM8Fo3ospYzforPNSeofixft+iV114KTx
EHuBpwPmVp5B08yAYi0yrSyqfRovgLhiQIxn7azFAB6IpEnowbJGPOj4dp7r
u68wzGapCny7va4/x0bg0tlKWu6ltZUbWS7xCCphsu8Q3G/hox57iYMr34aj
I9ZSAFfCVts4FpF6kEkUIsCHK8xvwTbUo0etbzqC+HeEE4xkb0E+j1Fr0P/k
INgF+6NXdQnBF5jNhAewluOrp4c//KDuFkVlWBE1AT7YIrDR1WxUFx9NPkbf
Qjx26yoTGgbzQNRZpXP0PdgjBACIrKfqRcpEA6ENegous+C7pEqkGl1YTEsm
lGfb8E1JnnGFnbXfIDluKDTIC3ihJFaBE7FcgRRg+C4KR6Pu2ezBDcHLzT6B
O48x8ZafBoLe7kU85HAHqIAy3i5j9AIbOrDfFGXogrNMgn0q8sBzIk12EhhE
JBSMKPyYOQU20jIShrjBr29aX3SofXFA6SFJAM+MPHbS4rX4d8Q8mrndy1if
M/O6A+NYxTKtYeu8mk5oxOqAu9yr9ju8/kWFmAeYkM7THMgiU2wI+pQTGB4+
wacgA7r1pl32W3n5rFB1YYITK7NIbtFiVKTddK5DQViAYnkaWqGgdPc26QSD
SpJpFQmpMs/Tv5lKkYiDmhWl2aAALPvvf/+7Np8iQEuJPNsUvVBgwrKGT+72
OC7ua2Tli8Gf4duxPM/JUhrF0grlKl4UuHUQB2+ROxFNQWCROn59zJHf7BZj
ek30pVe278NORtedwJMffTh6cnaS4joW4n5lbvFffBAmWijnyhlFRjdeREcV
sxTMwR367JrSuUuD+Yj2+2maRxBcpbVZYqyOoRpZRo35gWzL+tAgoWbcpSVH
6ggzvn+oWs/oaHyIfgdT4fDJ8S/BYdRnuBSTxwWm5dyYzlz4TstQXX/3/myo
T9+cXF0N9fX1G3YzLl+dXJ+M9Tv3YGXNZDhupW1Ygv6dciCEKoQuDKxyzFxm
Gkt8YTHPgOez3vApacE4T4NRGJrphhCvRQkvcwHLXevWCw/A+c6UNqIwiWTE
56lFOIGl27RKp2mGDjD4iSzYWHLwk+wAB4shacNfmqomyMTwJEUb21qIe3WY
ZXqiJycnZ7//7tvxeDwZ4i/nr+Nj/IUVmFgXCo5QHGA3Z7pmAOF9tprltOWt
6iT1iDFIlUUaLzyMB++gVYmv6QtivxaJpbeVFygMPT+YxQW/RONSdQIZK6hH
4yMQUxXGNYAUj/TZclWzg3ZCFkNb7a+caWHJwUU2kvHftNbEAkJywC6PcezZ
wGLyQgXPdrTdr7QwsIuEbtg2jKUUaLehhSMAODPbbwNbi2aFwLeKSjSiLo14
84EW+EUMIgCh8Y6yxiKFVL4id9CaXIpfLh2RpKrVpovAE9kCyTcdR7Or11hh
VuJNulGu6qhuqs6rezbJ/eQrTHITS+1ruflUjxbFyvNYFCV9M8leuSdGESq+
qXzfxo78y+MjykyBUlRYmAGN7ksRJoY12VC61O0I3By/YgO0X8LqaRnOOnp+
guQSEFzyvuCTzCKQw6aGL5sMJRx5I3nUl2YR3YJ+oRG3qyMMS6uFqZhAHMEg
Rw5YSnzx6EAr6uyOYUkO+6lc9SIse1h3DbbwYUUKZQO6Pg+sz3AHPiCwCdhF
xlK1MCdmM+JS3HaEI5xoKuehVk1Ws2EQ0C+EIj7vXKVkSQ6pl2AKsg+CWmpr
FgJHX6XxR/RCNhncBwEOPwO4IJCqVI+DTBjAe/N4fC8SqKWJJMUb1W38I+iH
GYFZlGaY6rcZcF7CTEe32O+Asuuy9CjTtE5gNmE9p22Y2X0U7XpQxMAN4nCI
IXskcMUekrJ1qgNVQo8/nMLPeAdKlzr7QCkRvdeWwvbR3PQmgkCP6xg16o60
K6IKfqKCklonz76XAmRjrdNTkSDzMVR2KZil35aCcjPTvimpaY2Q70gP1WPg
1WPcHTyWmQj5lbv0Uiu/VKgxFcTIjyURuJmlaqfseOt25nabYxgGKH+Trm6f
LmC5N7hN/O0Z/2ZtfGvP7tuhB9I3WMVw8OwsshvmHjMxlq3NyNMiB0bc0B4T
IAS6ZzjqBmpX2EOwsWZuu9xaH1GrBUT92FsCeu3l/1ztv60feq0TksVuXZeQ
RuP9jr+zVepRkbfBG7ZfxMYkNq4XpRPTgHiU5o2RbCyqXlT1c7IN7DeZLHFh
u6QAxEjBoymssuDyirJaY5N1uIFW1yKdmzurWQe+5eG4ynOVgDC3qY1hWCT6
2ENpUiqXFV1swqlCXSN/1SvubMlAHwFBTqX6LtQspoaxD4ImFx0hwy8vK8mq
8X5xUlDgSlF7DMA+fJy7PEiFio7F5LRoKmw8AdNoEnoB8BuLqJ9WacmLo+/Y
mXgk+2jdhiuu4DrN3jknaQszmFxsUy0qKQwzWkrDKC5bch4ikixcq9bLYStN
03KbVZZBNH0uleo4sq6w9VjZS8M57/di+tyMbqZIVl1tmGXKKQoPpakKrVYQ
g15e+mYUKWpSyg91cRRAwHYo4FecHiiCrFtU1yBdTU32yqXex+0i/FBjR8db
XLY2ZX3fYL3+N4HVtHB1oT6nW3spCxyv04OxCcEB0Pv5DgjRTy9O3p5RMvbL
8VXHYQpDOnRoIBguYTK2JSilmw5TJU73mQRJlIQQjALPK0E46CKTl5rstpBN
wpDr9dnJq7PLKzWRXp8Xdiw1cXkj+PDu7s7P0k2ePj3eJRnY5ktcSnYzeL3p
DH5DTAFYTNgLc1VBBdJMVL1ZHN9o7OPgFppcn52+Dtv3OIVgp2biuphUdbzx
bSSpSN5g90dPnuyUB5GH+L2JJH5l2K+1lbIXAxjvcJJMn0+iyWQqGc/WSGyZ
KchiCD53Vt4h5FgfP3mizy+E5od6DGHCKn+xOBoujrV1iLrL0SZevMCOUcdB
EbZltHZNopybxKbItlYlxti3fDPKSK/1rMFUp/J7eODpDcajseZ5KEIujZ1u
ixftHJUgwGj1lVyHDdnAnGVstjpFzp0LBgX/WvUL6tTEETshVa+X6RKWNwGd
b0itsdfENdictjs7lV6b7x99oWWFoOFtUae3Uow88dkF5niGZu3+1ko9jSqy
1C5iU36Q1i2RYf1IqBA4TMt0vqjtlJ4UqDtbrraFYmvRUI8p14X029KQ1XlZ
rRoWhIoYS+22Sn0LgoANFa6BlVKr3tog+mAIwIIRtrJEs1qsIIMERJjKlzKO
UMq7qEwCmQNggaFcoOpRM8HqAjaOUR8SPgEyU8M6V0WN6Uv0GfQSA31sGi+L
BuPYMl05lwvdCNsXdnA4PqSMj9dtZbt8bKU5M0HTni2Veh1UMAVssk2T8lal
e447saZmhj6Q3QdXu23my4qDlJeXS5OkIDHZWlLh29dG+st9zVVb6OYQnPZ3
ZH2Ug2NF+YiVoRYaytfOSkrUSy7q+s2ViIRIBH8MrmQTI29gCTHH4KDvhXW+
gOMf6dWri/NuC7V0fLvmblwVSNP4C/Xy0SnOlI3e5btXztt3dqkCKb8K1F80
tWkPW0mn1HoltRL+hMsckXKSQMQZktsGNKioY0LyHa6C5Pg8tALCsObkBtlU
fUxXvjNMvEDFc6pjXaxe3WFKYSMPepa4VkrVFCuTj6j3eigGfS076XaGSOMI
LGYJFoU0imQcZkfPPcIjBBSffq3r3jZNeIJa+UBPgmVIxU0CIzsNFhyWTeUQ
a6jB/YWxVlmxXvKTWJcpjY1EFbiVFs1lf6WZA8eo+mO7l4WkGFwEMRtwP43y
CGG+gvBQjgSBIKAVncMsiW4wdQkEHxWzEYamO9VnRzHLIJ4tWRyP0AcYopUf
2VShS6+fC22umSjbel2D7A3vkxwuEBckCHCDdUqycXFxa6juBTZzWeQEdBXV
Z9YwuMTgOVqjNOdsFtewhYJoyICtthrD5gJ3LnuZKG5DasUdgcgJumS0yF20
Rvk/YGYJbhabDWngkAe+1mBxPGiTc64YVW5tYmHhJcuV1tT6ijax2nCN2KRV
QZwnoAjb8zi02xbRIPo7hGfk/IWYGFhKz3Z324bbhEi6vtdge/ZEkhfiPQDX
6MTYFzeEIOBi2BQjhQbFXfPZGtvFU21ABOkripSXmUGlB8uEDhUfP/AhScp3
CLNsIKSk0QYQhr+TdH/bOpEIhaI5ikq9iacHdgMVluErUZqKAndvQuQTx+/Y
pCuDkZeyRUD1HtU2Lx/UD8kd3Rv1ZdvgZKvL1iMwbn38Xraxb0Y/SxwEMHcc
M5NeA5jBUM+d+CAMK1pL97DLzFh2opCBTceuf5z1mpWPtHwgxHZl+qk/t/MS
WQp+4XqiXJUFZvXVj8PdoRcLtM09UVaCpV67igE8P2IXuW5AcDJc2ofctpMQ
JSwVqzSj7UtuKbHFYTxbZKvzSl2YO/si2iw+hobZtZboYJ6WEeBMXHUc7kjo
EKONVuBAzueYo5B4QRSH22dZSNDOWc0KjogNNVgYzgVh/hfkTW2RN2amt7iy
Ib9uWmDf3WqVrZ2W8668GlRgh7+mXQYP4Wt4HoKKwfe33IgvlZlkVxes573/
YzesRQ2LpWqzr9FCKttltHAfrd8k0KSs+Cac5Y48cHQMxCNx3oQkg6UhI4JN
+UJmXr4XFVAziRtuvDkGapdLa/EgbRdKtxfAKhzo1wNd4N1m7l8+pXPbLezS
RSBeEEqB5whZ32dLTbubm96emX2o/4/7VRbAfoph0SupcKpdnfDzGdfhSr2U
2M8/cuPIOgnFqz1R0Skw9s/S8yozYCN+YJssyTbsENLHT34lR1vb5HmfeO2g
3mxYLEHc3ujkFPmtm0LoZ3R3bOnz7LDjU6ejZ9t5pabyVJ9zal60CgPaEAve
8KKL8PA0MPWPf7h+9+rdhGi3h83tRYkdCZcQssMa6n2ELqrcUf1olUWxWRRZ
Qm629ruscRuOPRHb51mTzVKksBxtRpcc4+65aXNHSVrFDTXKAVG/NfTMHclI
IdUCUZs3hRzKw5HRZtIpb82vKMoc2PdsJASCSq0aOxkGbH5TfsVgrP74p47q
btSEfoQKB42zqQtOsWypXZFoS2uMLcEFKnuPn0o9G7jO509EmxTm/vUNedM3
zNQd1i8nY3ZvgblHuYLuL+mHwU+imCqqOeXAtisQKzhKhiBoq5zW6PhNTVwm
Qo2xaUvCJ8CyG4HyGy/gCZJ/Aj++vgXlWVReDA9B2Yg+3rGLPufbpuusunrt
+bgaL2x7yIq60RQsxkt32fAO850/aXUiL1vWRRLdrOZllBg5VGxhjIufcsBr
S535R1SqWAqCYC6lM5tFPs9sAtuV3olfEu12k8nw2tR6XRZSRTIY6/8hla8v
VL12TsBsrY+5lurwOJwsHkb+YpWn871X82kn7ZMcl/Og8hqwFnWiNVy9kfrY
24L1Zn37jux1WAturqseCa59sfQG5uyBDt1OhbpubauY0um1DhB5m5bTRXiI
njXSk8jdBcslkV5YGuClCbDdeGGWBj4l9YTnIDCD3w7Gd7C/EUWaB8uoApoe
wPMHHQ4fPH16fBBKbVB6VHG0qsCnHXnT//ZwgwY5Gy5XPfaKYCAdVAIgh1Ri
ZrR4EigvuPsmqBqlPGAV3M7Afoakl0Bb6eyOPdi9W58HJt9KLkFg9Ww5paSg
QA557fqqoZsLwGlxcMOHVTHF/d4VLIPNuyaWjStXvH65H4cgIIZB7fz5k75y
cs/RGHxw/OdZUYw7Qwy2ooer2ADHMMPYedE7JFeptObTkEzef4oiONbxYE03
W+a5sYdVBSKDIjhC43aSOZQk6hxuEAZtyAt8e2v5m48ES0aTKyOwmhCl+R6L
cumlJR/UzEgdnHvkAt90VnizL52vMi4bPRpJ7+HC9xW8xU2o9nBBUL/xUJe6
v8l/3KyuiTcCvoZttPXOCoqBf2urmNghRqr1ytWXJemYmqrH/nesf19/iuvw
EJ+uNZ0/U+PKTzfhePQXKPMAkw0zHYYPeI0aViDvH+QIBznqHeR+s7/nfjnc
7/cB/KyWGHm1mbKyTP1/Muk9Z5ACeO833V743aOoaush/KC9aNQ6b21Lq+T9
uo2a3lnd4GKBn92H6IrcT3UipFTiWiiqjqcnpgc5l1QPMDYPsiOx2JGLopau
fLzbyOuvp04PrHEYirUp78vdzJKcYrmmRHgHrIYcmGBvwR3Vx9FVosZWGq2p
CHWna79fGdMn0nDpwf/eTZf4N5gwIMg/CjFfbTUVexvdSPuCzm2NB0nugv+f
AsfUX+kQ0MsY/tOBck9huweh+zu53ElNSvL7F6LsDOVPdJzk7vvu/FL/4ywJ
Dm+VQlblvXujuGTGBQd+GFvm4JFWRHJT33hL86fW9M9XvDZqWdXdV8dq45N7
GwYDx+hlEVhpaqMNMh/bssp9xsTzSl0rb0D//j5RPhrAm6MHfPq1B4XsAVfV
uWDGvhLSE43e1qTVP962hfJ6n6E78Q2dWL3hZlD7resjHWwZbeCd58Iy0QL7
Vx7ir3SE/OcUux1M+tBzYV3uLMybtQdLf2aj2935v5TRfXdLteQ0OHDqGUN/
mZjN5UYXYboXnGzpDMY0uuu/s7e6BtcC0qlJyZ9Lsnw3o+eqaWrD8rk2jNb6
EW5wHvUfY/6eb08H7Gz9SPx+rLlTNu+6oDoC6y1VnU9fXUjvBn2VO1LdCxbP
Ovp/H1Y826L6HXNj2m5Em8Puz0j6B+C32hd7uunnwnrizkPBfSvi+c7p1F4j
V6d8ZQ4JPsAKiSlRdah2BkQ2mpin7SKJkgaPLzXK/ziN8MSCnMF/IYA72g3g
mDObZxU6RL685I41PNHXEPFOg2ZRhkleznXZcI8KSbhSJ8FtIXRtVEY1OtmF
lEfDg53hHdrKPweKApZu3IxU46w2pnYnFvmqgTuClxKXXqW3RrkiNhLWHeSV
a79feulhalVI+JIoFTZABPpOcZlcaOuvi6jotADgDsTBfFoVLvi3jeL+ScvA
U+WWeUzM4aKUm35sm0eoWRjiTn3V9pR/qR5LrRhRGyxWzdIWwSLbrG/LW18c
C6/cs0OkXl3MXubgju/t95zawFxgs8Jw1ka/Hc3buPiba94cCVMUzKW6ko98
Kqntx3gTgGsbuLPX9oJQrrBHOG6yiA7YxaZ0YbqtKMuRgGTzTMAqWmcFhPF7
Zs576R4PUEhUAzOAPlve7vtCiHQKhfROet6RnKpzIgPVcmqoo5mLpt4hWte3
hNqEqrRDFZ5TnH64pChZb/h65ddyOgKcI3/rUVbgoRKL4N1KapNnpkJTbtbM
kCjoFId9U88zXVnAW0+p+769MFkSUrR+lutLOoFl7yru+FqOdhh0pNlO/RP+
ZcFBc0OUK3vupQUiuqjL3S+QAtPk0qn28HH/ZR/K5Wyk/dCeQS7T6mPlTKO9
5FFfLZv5PLN3PdpiN9IdP0NEbugGKN05Os18RxpFG/tx53jkvm4+ceTlTe1B
BOcrbCmOV7WJEsWTzED+Fp2pWsAinr2J4o/IMmDD1dmplNzYmlq3x11dcJ//
47XmY7AYuMbRFDuSAAXqRXCKqm1jltlvoyxNuJNJcqmC+Xw10pDyXsSe1M0E
IkrHJPw2qNA4kJ8jJ543JkLTa7KZp6KkMpU1mDDSqkxvo3jNBUrfDMpgHnex
1Z1kqD3r5HHFHpVh5lQGT0PWRksMEpr8SG+Yu2JqDxaTPTmQyl2g6rIkoG8x
q7w+r7NPqwwbj0Ctq871G21Dl7zsUXKs3q1Yg6XNbaIO9+U9/6AsrnVw8mqg
Z1k0RwuOeI1itU1e1NG+dTyihFo98C/VACUG3sFxWNm2Ki/+hROONGCry1X3
lk/blIfXP1sHJKcLIsI8Og4Dj4s4mJB8/j526e7DweSWJ15abA3YX5sUBs/Q
Gd7n9jJ2A1iuYHghxXsyinSL/UMuWEUPhuvk4eEGOvmAh4mwgIBWaiNd23ef
6c59bYpnnzUl6XW7Cq+vvu/86KrdJZXlz08uTvoc040/IgUAjKej3DPheSN7
dKp74qjnWl0x2IPXa8AFtPrquozyCk+ivne36uB7+zKxXB1Gs68HfVe9HT4b
H9OlhMr/8xAQY3z2h/isucdQf1afR6MR/R+e6Kc4PA3LW0Y57q73MTnq/cXn
uucRdxw4bJQMX7J+7L3z0MEwR7cuw/wAiO8o+aLoyVGzgSplTBbZ0pMLCGmz
NKbjTFfyt2bkoA4MRjeK7NlL64+e8R3+9hwbLKrkm4U+y9I/61fUvUYgCL9d
Wsn1GShMtN1jn/nwmMua0nkwkJS+aurnzt/+wXE8Rw++757S8o5o7Tog5RPg
G45C2KqHp71c1/Prq+urUZZ+NPTHlbD5tGdE+ss6U/AbUHlPYkxbgojM6Yij
+n7Cf5zEJC8GM4ADM/gB+A42SEfuSTNW/wvYfbwaLW4AAA==

-->

</rfc>
