<?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.29 (Ruby 2.6.10) -->


<!DOCTYPE rfc  [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">

]>


<rfc ipr="trust200902" docName="draft-ietf-iotops-iot-dns-guidelines-04" category="bcp" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true">
  <front>
    <title abbrev="IoT-DNS-Guidelines">IoT DNS Security and Privacy Guidelines</title>

    <author initials="A." surname="Mishra" fullname="Abhishek Mishra">
      <organization>Inria</organization>
      <address>
        <email>abhishek.mishra@inria.fr</email>
      </address>
    </author>
    <author initials="A." surname="Losty" fullname="Andrew Losty">
      <organization>UCL</organization>
      <address>
        <email>andrew.losty.23@ucl.ac.uk</email>
      </address>
    </author>
    <author initials="A. M." surname="Mandalari" fullname="Anna Maria Mandalari">
      <organization>UCL</organization>
      <address>
        <email>a.mandalari@ucl.ac.uk</email>
      </address>
    </author>
    <author initials="J." surname="Mozley" fullname="Jim Mozley">
      <organization>Infoblox</organization>
      <address>
        <email>jmozley@infoblox.com</email>
      </address>
    </author>
    <author initials="M." surname="Cunche" fullname="Mathieu Cunche">
      <organization>INSA-Lyon &amp; Inria</organization>
      <address>
        <email>mathieu.cunche@inria.fr</email>
      </address>
    </author>

    <date year="2026" month="July" day="06"/>

    <area>ops</area>
    <workgroup>iotops</workgroup>
    

    <abstract>


<?line 50?>

<t>This document outlines guidance for Internet of Things (IoT) manufacturers regarding the implementation of DNS stub resolver software on devices, and for the management zones used for purposes such as device configuration and software upgrades. It aims to mitigate security threats, enhance privacy, and to address operational security challenges.</t>

<t>DNS resolution between devices and management zone servers depends upon DNS services within operator networks, and these services and operator networks can be impacted by device behavior. Hence this document also provides guidance to network operators that deploy IoT devices to mitigate the specific risks identified in this document and take advantage of improved DNS security mechanisms provided by manufacturers.</t>



    </abstract>

    <note title="About This Document" removeInRFC="true">
      <t>
        The latest revision of this draft can be found at <eref target="https://miishra.github.io/IoT-DNS-Guidelines/draft-mishra-iotops-iot-dns-guidelines-latest.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-iotops-iot-dns-guidelines/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/miishra/IoT-DNS-Guidelines"/>.</t>
    </note>


  </front>

  <middle>


<?line 56?>

<section anchor="introduction"><name>Introduction</name>

<t>Research into the DNS behavior of IoT devices <xref target="UCLandInriaPaper"/> shows widespread non-compliance with protocol standards, gaps in protocol support, and security vulnerabilities. This leads to unpredictable operational behavior and exposes devices to fingerprinting and denial-of-service attacks. This document provides DNS guidance across the IoT resolution path (device, resolver, and authoritative infrastructure), with primary emphasis on device behavior aimed at IoT manufacturers.</t>

<t>While the guidance in this document may apply to any device using DNS, this document considers IoT devices as a specific case where targeted recommendations are useful for the following reasons:</t>

<t><list style="symbols">
  <t>The recommendations address specific IoT-related security concerns not seen in the DNS behavior of general-purpose operating systems</t>
  <t>IoT devices have different resource characteristics from general-purpose devices, such as constrained power consumption, meaning incorrect software implementations can have an increased operational impact on device functionality</t>
  <t>IoT devices do not typically have end point security agents installed on them that are widely used on general purpose operating systems</t>
  <t>There are many DNS RFCs, and this document can be used to identify those related to specific security issues observed through research into IoT devices, with the aim of making it easier to address these vulnerabilities</t>
  <t>IoT devices may be deployed at scale on dedicated networks, and these recommendations will be useful to network security teams in mitigating vulnerabilities, especially where device behavior cannot be changed post-deployment</t>
  <t>Manufacturers may use standard software distributions aimed at IoT devices without considering DNS behavior and the guidelines here can be used as part of the criteria to evaluate these distributions</t>
  <t>IoT devices typically perform the same set of DNS queries on start-up, which makes them both more vulnerable because of this predictable behavior and also more prone to network fingerprinting</t>
</list></t>

<t>This document is primarily concerned with device-to-cloud communication <xref target="RFC7452"/>, but DNS may be used in other IoT device communication patterns. Hence recommendations apply to any deployment type where DNS is used, but decisions on implementation will be proportionate to the associated security risks and operational considerations. For example the implementation of {#configuring-resolvers} and <xref target="transaction-randomization"/> would be appropriate to any implementation, whereas <xref target="encrypted-standards"/> may not be proportionate in industrial automation environments where devices do not encrypt other types of traffic <xref target="RFC9150"/>.</t>

<t>DNS terminology in this document conforms to <xref target="RFC9499"/>. In this context, Stub Resolver refers to the IoT device, and Resolver refers to the DNS server used by the IoT device.</t>

</section>
<section anchor="conventions-and-definitions"><name>Conventions and Definitions</name>

<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>

<?line -18?>

</section>
<section anchor="stub-resolvers"><name>Guidance for IoT Device Manufacturers</name>

<t>The following guidance specifies expected behavior for IoT device stub resolvers to ensure secure, privacy-preserving, and operationally efficient DNS resolution.</t>

<section anchor="configuring-resolvers"><name>Configuration of DNS servers used by IoT Stub Resolvers</name>

<t>IoT devices have been observed to fall back to hard-coded IP addresses for DNS resolvers, such as well-known open resolvers, or ignore addresses assigned to them via automated configuration methods such as DHCP Option 6. This may result in an insecure communication channel, and the open resolvers used in these hard-coded configurations may be blocked by network policy, preventing the device from functioning correctly.</t>

<t>DNS resolvers on devices <bcp14>MUST</bcp14> be configurable via network configuration protocols. Stub resolvers <bcp14>MUST NOT</bcp14> fall back to hard-coded resolvers.</t>

<t>Devices <bcp14>SHOULD</bcp14> use the following priority order for selecting a resolver. The first one that results in a valid DNS response <bcp14>SHOULD</bcp14> be selected.</t>

<t><list style="numbers" type="1">
  <t>Manual user configuration</t>
  <t>Device management software authorized for configuration purposes</t>
  <t>IPv6 Router Advertisement (RA) <xref target="RFC8106"/>, DHCPv6 <xref target="RFC8415"/> (if M=1 bit in RA), IPv4 DHCP <xref target="RFC2132"/>. When encrypted resolver options are present in DHCP and IPv6 Router Advertisements <xref target="RFC9463"/>, then they <bcp14>SHOULD</bcp14> be used.</t>
</list></t>

<t>If the selected resolver is a plain IP address (e.g. from option 3) this implies unencrypted DNS. In such cases Discovery of Designated Resolvers (DDR) <xref target="RFC9462"/> <bcp14>SHOULD</bcp14> be performed to upgrade to encrypted access, where available.</t>

</section>
<section anchor="transaction-randomization"><name>Source Port and Transaction ID Randomization</name>

<t>Some IoT devices have been observed to have insufficient or no randomization in the source ports of DNS queries or DNS transaction IDs making them vulnerable to spoofed responses. A combination of Source Port and Transaction ID is used, amongst other criteria, by the stub resolver when accepting a DNS response.</t>

<t>Device behavior <bcp14>SHOULD</bcp14> be consistent with Sections 4.5 and 9.2 of <xref target="RFC5452"/>. Stub resolvers sending DNS queries over UDP <bcp14>MUST</bcp14> use unpredictable DNS transaction IDs across the full 16-bit range and unpredictable source ports selected from as large a range of available ports as is practical. They <bcp14>SHOULD</bcp14> use multiple source ports when multiple DNS queries are outstanding.</t>

</section>
<section anchor="ttl-value-handling"><name>Handling of TTL Values</name>

<t>IoT devices have been observed making unexpectedly high numbers of DNS queries even when DNS record Time-To-Live values (TTLs) would mean this should be unnecessary. Devices have also been observed issuing DNS queries at fixed, highly predictable intervals for the same domain names, regardless of operational changes or TTL values.</t>

<t>Unnecessary queries may lead to a drain of power in resource-constrained IoT devices. Conversely, very high TTLs may impact device operations such as communicating with management servers, receiving software updates, or other changes, which may lead to security issues. Deterministic query behavior that ignores TTL values increases the risk of device fingerprinting by adversaries who can profile query timing to identify specific device models or firmware versions.</t>

<t>Manufacturers <bcp14>MUST</bcp14> configure the records in authoritative zones with TTL values appropriate to the use of the records by devices, ensuring the TTL is not too low so as to cause unnecessary queries for frequently used names, but not high enough to cause operational issues, such as when the IP address of an A record in a management zone changes.</t>

<t>IoT devices <bcp14>MUST</bcp14> cache DNS responses and <bcp14>SHOULD</bcp14> honor TTLs when caching. If for operational reasons this is not ideal, then minimum and maximum TTLs <bcp14>MAY</bcp14> be configurable on the device but <bcp14>MUST NOT</bcp14> be hardcoded values. Where device stub resolvers cannot be configured with minimum and maximum TTL values, this <bcp14>MAY</bcp14> be mitigated by setting these on the network resolver.</t>

<t>If certain device operational requirements necessitate periodic revalidation of critical domains (e.g. management servers), these repeated queries <bcp14>SHOULD</bcp14> use non-deterministic inter-query timing to avoid fixed intervals that could enable traffic fingerprinting.</t>

<t>In the event of resolution failure (e.g., no response from the resolver), devices <bcp14>SHOULD</bcp14> implement back-off strategies to limit unnecessary query traffic, also see <xref target="resolution-problems"/>.</t>

</section>
<section anchor="support-of-edns0"><name>Support of EDNS(0)</name>

<t>Devices have been observed having limited support for EDNS(0), causing them to revert to TCP for queries over 512 bytes, affecting the device's efficiency. Other research findings include increased processing overhead and devices failing to maintain their network connectivity when responses to DNS requests exceed 512 bytes.</t>

<t>IoT devices <bcp14>MUST</bcp14> support EDNS(0) and send a supported UDP packet size via OPT 41 <xref target="RFC6891"/>. To avoid fragmentation of UDP packets, which may be dropped by intervening networks, manufacturers <bcp14>MUST</bcp14> follow guidance in <xref target="RFC9715"/>, although device configuration <bcp14>MAY</bcp14> allow this to be configurable. Although the networks to which IoT devices connect may support larger packet sizes, the nature of these devices in being deployed on many network types, and DNS queries traversing networks controlled by different operators, means it is operationally more effective to use a smaller size that avoids fragmentation. In addition, IoT devices <bcp14>MUST</bcp14> support using both TCP and UDP for queries, and support switching to TCP when a TC bit is returned from the resolver <xref target="RFC1035"/>.</t>

</section>
<section anchor="resolution-problems"><name>Improve Device Behavior in Response to Resolution Problems</name>

<t>When resolving domain names, IoT devices may not receive a response from a resolver. As a result, surges in the number of queries and retries have been observed, or an increase in queries using an alternate protocol (more aggressively querying via IPv6 rather than IPv4).</t>

<t>Device software <bcp14>MUST</bcp14> implement DNS resolution algorithms that bound the number and rate of queries sent from the device stub resolver to its configured resolvers. This will be implementation specific, but manufacturers should consider implementing the recommendations for resolvers detailed in <xref target="RFC9520"/> section 3.2 which recommends the caching of resolution failures for at least 1 second.</t>

<t>If supported by the stub-resolver implementation on device operating systems the use of serve-stale <xref target="RFC8767"/> on the IoT device may mitigate the impact of failed resolution, such as when authoritative servers are unavailable. This will reduce the impact of surges in DNS traffic if the network resolver is unreachable and it may allow the device to maintain ongoing communication with endpoints for which previously valid DNS data remain usable.</t>

</section>
<section anchor="encrypted-standards"><name>Compliance with Encrypted DNS Standards</name>

<t>The majority of IoT devices use unencrypted DNS over port 53, which means this traffic can be captured and is open to interception and manipulation. Encrypted DNS protocols are not mandated for compliance with DNS standards, but the use of encrypted DNS may be mandated by some regulators and advised by competent authorities <xref target="ENISAGuidanceForNIS2"/> in deployment guidelines. Encrypted DNS support is widely deployed and it is possible for IoT devices to discover DNS resolver support for this as described in <xref target="configuring-resolvers"/>.</t>

<t>IoT devices <bcp14>SHOULD</bcp14> support at least one encrypted DNS transport, such as DNS over TLS (DoT) <xref target="RFC7858"/>, DNS over QUIC (DoQ) <xref target="RFC9250"/>, or DNS over HTTPS (DoH) <xref target="RFC8484"/>, when doing so is feasible and does not impair device operation because of power, memory, computational, or other deployment constraints. This enhances privacy by preventing passive observation of DNS queries, improves security by mitigating adversary-in-the-middle (AiTM) attacks, and enables compatibility with resolvers that require encrypted transport. To mitigate against fingerprinting of IoT devices, DNS queries <bcp14>MAY</bcp14> be padded as detailed in <xref target="RFC7830"/> and <xref target="RFC8467"/>.</t>

</section>
<section anchor="stub-resolver-dnssec"><name>Use of DNSSEC</name>

<t>IoT devices can be induced to contact an adversary server or make large volumes of DNS queries via spoofed responses to queries. It would be difficult for manufacturers to mitigate this by implementing checks of data received via DNS queries, such as validating IP addresses in the A/AAAA record RDATA as this does not reliably prevent malicious redirection. In addition, any validation of this type does not address the problem of AiTM attacks targeting DNS query responses.</t>

<t>DNSSEC can be implemented by manufacturers to mitigate AiTM attacks on DNS query responses. Note that manufacturers <bcp14>MUST</bcp14> have signed public zones used for device management and services so that validation can take place. This improves security when devices do not perform local validation, as many network operators deploy validating resolvers.</t>

<t>Manufacturers <bcp14>MAY</bcp14> improve device security by utilizing DNSSEC validation <xref target="RFC9364"/> on the stub resolver. When supported, devices typically follow one of two models for validation (see <xref target="stub-resolver-validation"/>) by setting a combination of the DO and CD bits in DNS queries:</t>

<t><list style="symbols">
  <t>Stub-resolver checking for validation - the stub resolver checks for the Authenticated Data (AD) bit in the response, which is suitable for constrained devices but requires explicit trust in the upstream resolver performing correct DNSSEC validation</t>
  <t>Stub-resolver performing full validation - local cryptographic checks of DNSSEC related records, providing stronger assurance</t>
</list></t>

<t>Both models improve security over unvalidated queries, but manufacturers should weigh the security considerations, such as trust assumptions, against the operational feasibility when determining which approach to adopt. Manufacturers should consider the type of network the device is likely to be deployed on, such as a home network vs. other environments, in determining the likelihood of DNSSEC validation being available on the network and thus deciding if the device should rely on a validating resolver or be independently capable of performing DNSSEC validation.</t>

<t>The deployment options are summarised below, with two constituting the typical deployment scenarios:</t>

<texttable title="Stub-resolver deployment options" anchor="stub-resolver-validation">
      <ttcol align='center'>DO Bit</ttcol>
      <ttcol align='center'>CD Bit</ttcol>
      <ttcol align='center'>Resolver Validated?</ttcol>
      <ttcol align='center'>DNSSEC RRs Returned?</ttcol>
      <ttcol align='left'>Notes</ttcol>
      <c>Y</c>
      <c>Y</c>
      <c>N</c>
      <c>Y</c>
      <c>Resolver does not validate. DNSSEC data returned. Stub-resolver performing full validation deployment.</c>
      <c>Y</c>
      <c>N</c>
      <c>Y</c>
      <c>Y</c>
      <c>Resolver validates. DNSSEC data returned. Stub-resolver can use AD bit to check validation.</c>
      <c>N</c>
      <c>Y</c>
      <c>N</c>
      <c>N</c>
      <c>Resolver does not validate. No DNSSEC data returned. Do not use.</c>
      <c>N</c>
      <c>N</c>
      <c>Y</c>
      <c>N</c>
      <c>Resolver validates. No DNSSEC data. Stub-resolver checking for validation deployment.</c>
</texttable>

<section anchor="stub-resolver-checking-for-validation"><name>Stub-resolver Checking for Validation</name>

<t>Where a manufacturer does utilize DNSSEC validation on the device the minimum implementation will be a stub resolver checking the AD bit to see if the answer has been validated. Relying solely on the AD bit assumes that the upstream resolver is trustworthy and uncompromised.</t>

<t>Manufacturers may implement a testing mechanism to determine if the network resolver supports DNSSEC enabling the device to utilize validation when available in a network that supports it, or falls back to unvalidated queries. Any such test of the resolver will only validate that it supports DNSSEC, given that the resolver is performing the validation it must be explicitly trusted.</t>

<t>In order to check that a DNS query has been validated a stub resolver <bcp14>MUST</bcp14> check the Authenticated Data (AD) bit <xref target="RFC4035"/> in responses to determine whether data was validated by the resolver it is using. When checking for the AD bit stub resolvers <bcp14>MUST</bcp14> treat DNSSEC validation failures as fatal. Responses that fail validation <bcp14>MUST NOT</bcp14> be used for name resolution.</t>

</section>
<section anchor="stub-resolver-performing-full-validation"><name>Stub-resolver Performing Full Validation</name>

<t>A device stub resolver can perform validation itself in cases where the network resolver does not validate queries or the device does not trust the network resolver to do so.</t>

<t>Considerations for device manufacturers in implementing full validation include:</t>

<t><list style="symbols">
  <t>Devices performing local validation gain end-to-end trust but at higher computational cost</t>
  <t>Devices should cache results including validation outcomes to reduce repeated computation</t>
  <t>Devices need to be shipped with a root trust anchor and have a mechanism to securely update this</t>
</list></t>

<t>IoT devices that perform local DNSSEC validation <bcp14>MUST</bcp14> conform to the applicable DNSSEC validation requirements in <xref target="RFC4035"/>. Manufacturers <bcp14>MAY</bcp14> implement this functionality in a validating stub resolver, a local validating resolver, or another suitable local resolver component.</t>

<t>Devices performing local DNSSEC validation <bcp14>MUST</bcp14> maintain authenticated DNS trust anchors and <bcp14>MUST</bcp14> provide a secure mechanism for provisioning and updating them. Manufacturers <bcp14>SHOULD</bcp14> support automated trust-anchor updates as described in <xref target="RFC5011"/> and <bcp14>SHOULD</bcp14> account for changes to DNSSEC cryptographic algorithms.</t>

</section>
</section>
</section>
<section anchor="guidance-for-manufacturer-authoritative-dns-zones"><name>Guidance for Manufacturer Authoritative DNS Zones</name>

<t>Manufacturers use public authoritative DNS zones for purposes such as device configuration, control and upgrades.</t>

<section anchor="zone-signing"><name>Zone Signing</name>

<t>Zones supporting the management and data collection of devices <bcp14>MUST</bcp14> be DNSSEC signed in order to support the behavior described in <xref target="stub-resolver-dnssec"/> and <xref target="resolvers-supporting-dnssec"/>. The zones used for these purposes <bcp14>SHOULD</bcp14> be publicly listed for network operators to use in securing their networks as described in <xref target="blocking-malicious-traffic"/>.</t>

</section>
<section anchor="ttl-values"><name>TTL Values</name>

<t>As stated in <xref target="ttl-value-handling"/> manufacturers <bcp14>MUST</bcp14> configure TTL values for management zone records that are appropriate for device operations, considering a balance between avoiding excessive query traffic, maintaining continuous operation in the event the resolver is unreachable, and accommodating potential changes in RDATA such as management IP addresses.</t>

</section>
</section>
<section anchor="guidance-for-network-operators"><name>Guidance for Network Operators</name>

<t>Most IoT devices do not have specific security software agents installed on them, as is typically the case with general-purpose operating systems, and supply chain vulnerabilities may mean that these devices are compromised before reaching the consumer. Network operators can use DNS resolvers to mitigate these risks, although this will vary depending on policy. These networks may be public, without restrictions on DNS usage, or may be private networks that could be dedicated to IoT devices where operators implement more security controls to mitigate these risks.</t>

<t>Manufacturers should be aware of network operator DNS deployment options as devices will use these resolvers, even though this infrastructure is not under manufacturer's control.</t>

<t>As some aspects of DNS security rely on the resolution process between stub resolver, resolver, and authoritative servers, as well as DNS record types (notably DNSSEC). It is also necessary for network operators to implement DNS in such a way as to support some of the recommendations in <xref target="stub-resolvers"/>.</t>

<section anchor="resolvers-supporting-dnssec"><name>Resolvers Supporting DNSSEC</name>

<t>In order to support improving device DNS security as described in <xref target="stub-resolver-dnssec"/> resolvers <bcp14>SHOULD</bcp14> be configured to validate DNS responses using DNSSEC.</t>

</section>
<section anchor="blocking-malicious-traffic"><name>Blocking of Unmanaged or Malicious DNS Traffic</name>

<t>Private network operators may block DNS traffic to any resolvers other than those managed by the operator, so that traffic is not bypassing any DNS security controls such as response policy zones or DNS traffic logging. This is more likely to be the case on enterprise or other private networks rather than service providers that don't want to limit customers using alternate resolvers.</t>

<t>Where operators maintain networks dedicated to IoT devices, they <bcp14>MAY</bcp14> restrict DNS resolution to domain names that are necessary for normal device operation in order to reduce the impact of a device compromise.</t>

<t>Manufacturers <bcp14>SHOULD</bcp14> provide operators with accurate and current information about the domain names, domain-name patterns, and external services required for device operation. When providing details of the domains used by a device for network security, manufacturers <bcp14>SHOULD</bcp14> include all such domains, including those outside their direct control, such as content delivery networks or cloud services.</t>

<t>Manufacturer Usage Descriptions (MUDs) can provide information about domain names used in device operations and can support the deployment of DNS-based security controls.</t>

<t>Manufacturers <bcp14>SHOULD</bcp14> update this information when device dependencies change so that device operations are not impacted.</t>

</section>
<section anchor="availability"><name>Availability</name>

<t>Providers <bcp14>SHOULD</bcp14> optimize resolver configurations to mitigate the security and operational risks identified in this document, provided that such optimizations do not adversely affect the operation of other DNS clients.</t>

<t>Network operators <bcp14>SHOULD</bcp14> optimize DNS resolver configurations through the use of serve-stale mechanisms, as specified in <xref target="RFC8767"/>. This is particularly recommended in environments dedicated to supporting IoT devices, in order to minimize operational disruption during DNS resolution failures. Furthermore, network operators <bcp14>MUST</bcp14> provide dual-stack DNS resolvers for IoT devices configured with both IPv4 and IPv6 connectivity, rather than limiting resolver support to IPv4 only.</t>

<t>DNS queries are most commonly transported over UDP, and compromised devices have been used in DoS attacks by sending queries with forged source addresses. Therefore, network operators <bcp14>MUST</bcp14> implement <xref target="RFC2827"/> network ingress filtering. Network operators <bcp14>SHOULD</bcp14> implement DNS Response Rate Limiting (RRL) on resolvers to mitigate high query volumes from devices causing DoS attacks against DNS infrastructure.</t>

</section>
</section>
<section anchor="security-considerations"><name>Security Considerations</name>

<t>IoT devices are often deployed at scale, operate under resource constraints, and typically lack host-based security controls. Consequently, weaknesses in DNS behavior can increase exposure to spoofing, on-path attacks, amplification, and fingerprinting. The recommendations in this document improve the security properties of DNS resolution by promoting correct protocol behavior, reducing unnecessary or anomalous query traffic, and supporting the use of authenticated and integrity-protected data (e.g., DNSSEC) and encrypted transport. The effectiveness of these measures depends on coordinated deployment across stub resolvers, recursive resolvers, and authoritative servers. Partial deployment may reduce the benefits of some mechanisms.</t>

<t>Residual risks remain, including device compromise outside the DNS layer, misconfiguration, or reliance on untrusted upstream resolvers. In addition, the use of encrypted DNS may limit network-based inspection and policy enforcement. This document does not introduce new protocols or mechanisms; it reduces the attack surface and improves the predictability and resilience of DNS interactions in IoT environments.</t>

</section>
<section anchor="iana-considerations"><name>IANA Considerations</name>

<t>This document has no IANA actions.</t>

</section>


  </middle>

  <back>


<references title='References' anchor="sec-combined-references">

    <references title='Normative References' anchor="sec-normative-references">



<reference anchor="RFC2119">
  <front>
    <title>Key words for use in RFCs to Indicate Requirement Levels</title>
    <author fullname="S. Bradner" initials="S." surname="Bradner"/>
    <date month="March" year="1997"/>
    <abstract>
      <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="2119"/>
  <seriesInfo name="DOI" value="10.17487/RFC2119"/>
</reference>
<reference anchor="RFC8174">
  <front>
    <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
    <author fullname="B. Leiba" initials="B." surname="Leiba"/>
    <date month="May" year="2017"/>
    <abstract>
      <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="8174"/>
  <seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference>
<reference anchor="RFC5452">
  <front>
    <title>Measures for Making DNS More Resilient against Forged Answers</title>
    <author fullname="A. Hubert" initials="A." surname="Hubert"/>
    <author fullname="R. van Mook" initials="R." surname="van Mook"/>
    <date month="January" year="2009"/>
    <abstract>
      <t>The current Internet climate poses serious threats to the Domain Name System. In the interim period before the DNS protocol can be secured more fully, measures can already be taken to harden the DNS to make 'spoofing' a recursing nameserver many orders of magnitude harder.</t>
      <t>Even a cryptographically secured DNS benefits from having the ability to discard bogus responses quickly, as this potentially saves large amounts of computation.</t>
      <t>By describing certain behavior that has previously not been standardized, this document sets out how to make the DNS more resilient against accepting incorrect responses. This document updates RFC 2181. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="5452"/>
  <seriesInfo name="DOI" value="10.17487/RFC5452"/>
</reference>
<reference anchor="RFC6891">
  <front>
    <title>Extension Mechanisms for DNS (EDNS(0))</title>
    <author fullname="J. Damas" initials="J." surname="Damas"/>
    <author fullname="M. Graff" initials="M." surname="Graff"/>
    <author fullname="P. Vixie" initials="P." surname="Vixie"/>
    <date month="April" year="2013"/>
    <abstract>
      <t>The Domain Name System's wire protocol includes a number of fixed fields whose range has been or soon will be exhausted and does not allow requestors to advertise their capabilities to responders. This document describes backward-compatible mechanisms for allowing the protocol to grow.</t>
      <t>This document updates the Extension Mechanisms for DNS (EDNS(0)) specification (and obsoletes RFC 2671) based on feedback from deployment experience in several implementations. It also obsoletes RFC 2673 ("Binary Labels in the Domain Name System") and adds considerations on the use of extended labels in the DNS.</t>
    </abstract>
  </front>
  <seriesInfo name="STD" value="75"/>
  <seriesInfo name="RFC" value="6891"/>
  <seriesInfo name="DOI" value="10.17487/RFC6891"/>
</reference>
<reference anchor="RFC9715">
  <front>
    <title>IP Fragmentation Avoidance in DNS over UDP</title>
    <author fullname="K. Fujiwara" initials="K." surname="Fujiwara"/>
    <author fullname="P. Vixie" initials="P." surname="Vixie"/>
    <date month="January" year="2025"/>
    <abstract>
      <t>The widely deployed Extension Mechanisms for DNS (EDNS(0)) feature in the DNS enables a DNS receiver to indicate its received UDP message size capacity, which supports the sending of large UDP responses by a DNS server. Large DNS/UDP messages are more likely to be fragmented, and IP fragmentation has exposed weaknesses in application protocols. It is possible to avoid IP fragmentation in DNS by limiting the response size where possible and signaling the need to upgrade from UDP to TCP transport where necessary. This document describes techniques to avoid IP fragmentation in DNS.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9715"/>
  <seriesInfo name="DOI" value="10.17487/RFC9715"/>
</reference>
<reference anchor="RFC1035">
  <front>
    <title>Domain names - implementation and specification</title>
    <author fullname="P. Mockapetris" initials="P." surname="Mockapetris"/>
    <date month="November" year="1987"/>
    <abstract>
      <t>This RFC is the revised specification of the protocol and format used in the implementation of the Domain Name System. It obsoletes RFC-883. This memo documents the details of the domain name client - server communication.</t>
    </abstract>
  </front>
  <seriesInfo name="STD" value="13"/>
  <seriesInfo name="RFC" value="1035"/>
  <seriesInfo name="DOI" value="10.17487/RFC1035"/>
</reference>
<reference anchor="RFC2827">
  <front>
    <title>Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing</title>
    <author fullname="P. Ferguson" initials="P." surname="Ferguson"/>
    <author fullname="D. Senie" initials="D." surname="Senie"/>
    <date month="May" year="2000"/>
    <abstract>
      <t>This paper discusses a simple, effective, and straightforward method for using ingress traffic filtering to prohibit DoS (Denial of Service) attacks which use forged IP addresses to be propagated from 'behind' an Internet Service Provider's (ISP) aggregation point. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="38"/>
  <seriesInfo name="RFC" value="2827"/>
  <seriesInfo name="DOI" value="10.17487/RFC2827"/>
</reference>



    </references>

    <references title='Informative References' anchor="sec-informative-references">

<reference anchor="UCLandInriaPaper" target="https://discovery.ucl.ac.uk/id/eprint/10223583/">
  <front>
    <title>From Lookup to Lockdown DNS Guidelines for Securing IoT Ecosystems</title>
    <author >
      <organization></organization>
    </author>
    <date year="n.d."/>
  </front>
</reference>
<reference anchor="ENISAGuidanceForNIS2" target="https://www.enisa.europa.eu/publications/nis2-technical-implementation-guidance">
  <front>
    <title>NIS2 Technical Implementation Guidance</title>
    <author >
      <organization></organization>
    </author>
    <date year="n.d."/>
  </front>
</reference>


<reference anchor="RFC7452">
  <front>
    <title>Architectural Considerations in Smart Object Networking</title>
    <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
    <author fullname="J. Arkko" initials="J." surname="Arkko"/>
    <author fullname="D. Thaler" initials="D." surname="Thaler"/>
    <author fullname="D. McPherson" initials="D." surname="McPherson"/>
    <date month="March" year="2015"/>
    <abstract>
      <t>The term "Internet of Things" (IoT) denotes a trend where a large number of embedded devices employ communication services offered by Internet protocols. Many of these devices, often called "smart objects", are not directly operated by humans but exist as components in buildings or vehicles, or are spread out in the environment. Following the theme "Everything that can be connected will be connected", engineers and researchers designing smart object networks need to decide how to achieve this in practice.</t>
      <t>This document offers guidance to engineers designing Internet- connected smart objects.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="7452"/>
  <seriesInfo name="DOI" value="10.17487/RFC7452"/>
</reference>
<reference anchor="RFC9150">
  <front>
    <title>TLS 1.3 Authentication and Integrity-Only Cipher Suites</title>
    <author fullname="N. Cam-Winget" initials="N." surname="Cam-Winget"/>
    <author fullname="J. Visoky" initials="J." surname="Visoky"/>
    <date month="April" year="2022"/>
    <abstract>
      <t>This document defines the use of cipher suites for TLS 1.3 based on Hashed Message Authentication Code (HMAC). Using these cipher suites provides server and, optionally, mutual authentication and data authenticity, but not data confidentiality. Cipher suites with these properties are not of general applicability, but there are use cases, specifically in Internet of Things (IoT) and constrained environments, that do not require confidentiality of exchanged messages while still requiring integrity protection, server authentication, and optional client authentication. This document gives examples of such use cases, with the caveat that prior to using these integrity-only cipher suites, a threat model for the situation at hand is needed, and a threat analysis must be performed within that model to determine whether the use of integrity-only cipher suites is appropriate. The approach described in this document is not endorsed by the IETF and does not have IETF consensus, but it is presented here to enable interoperable implementation of a reduced-security mechanism that provides authentication and message integrity without supporting confidentiality.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9150"/>
  <seriesInfo name="DOI" value="10.17487/RFC9150"/>
</reference>
<reference anchor="RFC9499">
  <front>
    <title>DNS Terminology</title>
    <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
    <author fullname="K. Fujiwara" initials="K." surname="Fujiwara"/>
    <date month="March" year="2024"/>
    <abstract>
      <t>The Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document.</t>
      <t>This document updates RFC 2308 by clarifying the definitions of "forwarder" and "QNAME". It obsoletes RFC 8499 by adding multiple terms and clarifications. Comprehensive lists of changed and new definitions can be found in Appendices A and B.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="219"/>
  <seriesInfo name="RFC" value="9499"/>
  <seriesInfo name="DOI" value="10.17487/RFC9499"/>
</reference>
<reference anchor="RFC8106">
  <front>
    <title>IPv6 Router Advertisement Options for DNS Configuration</title>
    <author fullname="J. Jeong" initials="J." surname="Jeong"/>
    <author fullname="S. Park" initials="S." surname="Park"/>
    <author fullname="L. Beloeil" initials="L." surname="Beloeil"/>
    <author fullname="S. Madanapalli" initials="S." surname="Madanapalli"/>
    <date month="March" year="2017"/>
    <abstract>
      <t>This document specifies IPv6 Router Advertisement (RA) options (called "DNS RA options") to allow IPv6 routers to advertise a list of DNS Recursive Server Addresses and a DNS Search List to IPv6 hosts.</t>
      <t>This document, which obsoletes RFC 6106, defines a higher default value of the lifetime of the DNS RA options to reduce the likelihood of expiry of the options on links with a relatively high rate of packet loss.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8106"/>
  <seriesInfo name="DOI" value="10.17487/RFC8106"/>
</reference>
<reference anchor="RFC8415">
  <front>
    <title>Dynamic Host Configuration Protocol for IPv6 (DHCPv6)</title>
    <author fullname="T. Mrugalski" initials="T." surname="Mrugalski"/>
    <author fullname="M. Siodelski" initials="M." surname="Siodelski"/>
    <author fullname="B. Volz" initials="B." surname="Volz"/>
    <author fullname="A. Yourtchenko" initials="A." surname="Yourtchenko"/>
    <author fullname="M. Richardson" initials="M." surname="Richardson"/>
    <author fullname="S. Jiang" initials="S." surname="Jiang"/>
    <author fullname="T. Lemon" initials="T." surname="Lemon"/>
    <author fullname="T. Winters" initials="T." surname="Winters"/>
    <date month="November" year="2018"/>
    <abstract>
      <t>This document describes the Dynamic Host Configuration Protocol for IPv6 (DHCPv6): an extensible mechanism for configuring nodes with network configuration parameters, IP addresses, and prefixes. Parameters can be provided statelessly, or in combination with stateful assignment of one or more IPv6 addresses and/or IPv6 prefixes. DHCPv6 can operate either in place of or in addition to stateless address autoconfiguration (SLAAC).</t>
      <t>This document updates the text from RFC 3315 (the original DHCPv6 specification) and incorporates prefix delegation (RFC 3633), stateless DHCPv6 (RFC 3736), an option to specify an upper bound for how long a client should wait before refreshing information (RFC 4242), a mechanism for throttling DHCPv6 clients when DHCPv6 service is not available (RFC 7083), and relay agent handling of unknown messages (RFC 7283). In addition, this document clarifies the interactions between models of operation (RFC 7550). As such, this document obsoletes RFC 3315, RFC 3633, RFC 3736, RFC 4242, RFC 7083, RFC 7283, and RFC 7550.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8415"/>
  <seriesInfo name="DOI" value="10.17487/RFC8415"/>
</reference>
<reference anchor="RFC2132">
  <front>
    <title>DHCP Options and BOOTP Vendor Extensions</title>
    <author fullname="S. Alexander" initials="S." surname="Alexander"/>
    <author fullname="R. Droms" initials="R." surname="Droms"/>
    <date month="March" year="1997"/>
    <abstract>
      <t>This document specifies the current set of DHCP options. Future options will be specified in separate RFCs. The current list of valid options is also available in ftp://ftp.isi.edu/in-notes/iana/assignments. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="2132"/>
  <seriesInfo name="DOI" value="10.17487/RFC2132"/>
</reference>
<reference anchor="RFC9463">
  <front>
    <title>DHCP and Router Advertisement Options for the Discovery of Network-designated Resolvers (DNR)</title>
    <author fullname="M. Boucadair" initials="M." role="editor" surname="Boucadair"/>
    <author fullname="T. Reddy.K" initials="T." role="editor" surname="Reddy.K"/>
    <author fullname="D. Wing" initials="D." surname="Wing"/>
    <author fullname="N. Cook" initials="N." surname="Cook"/>
    <author fullname="T. Jensen" initials="T." surname="Jensen"/>
    <date month="November" year="2023"/>
    <abstract>
      <t>This document specifies new DHCP and IPv6 Router Advertisement options to discover encrypted DNS resolvers (e.g., DNS over HTTPS, DNS over TLS, and DNS over QUIC). Particularly, it allows a host to learn an Authentication Domain Name together with a list of IP addresses and a set of service parameters to reach such encrypted DNS resolvers.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9463"/>
  <seriesInfo name="DOI" value="10.17487/RFC9463"/>
</reference>
<reference anchor="RFC9462">
  <front>
    <title>Discovery of Designated Resolvers</title>
    <author fullname="T. Pauly" initials="T." surname="Pauly"/>
    <author fullname="E. Kinnear" initials="E." surname="Kinnear"/>
    <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
    <author fullname="P. McManus" initials="P." surname="McManus"/>
    <author fullname="T. Jensen" initials="T." surname="Jensen"/>
    <date month="November" year="2023"/>
    <abstract>
      <t>This document defines Discovery of Designated Resolvers (DDR), a set of mechanisms for DNS clients to use DNS records to discover a resolver's encrypted DNS configuration. An Encrypted DNS Resolver discovered in this manner is referred to as a "Designated Resolver". These mechanisms can be used to move from unencrypted DNS to encrypted DNS when only the IP address of a resolver is known. These mechanisms are designed to be limited to cases where Unencrypted DNS Resolvers and their Designated Resolvers are operated by the same entity or cooperating entities. It can also be used to discover support for encrypted DNS protocols when the name of an Encrypted DNS Resolver is known.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9462"/>
  <seriesInfo name="DOI" value="10.17487/RFC9462"/>
</reference>
<reference anchor="RFC9520">
  <front>
    <title>Negative Caching of DNS Resolution Failures</title>
    <author fullname="D. Wessels" initials="D." surname="Wessels"/>
    <author fullname="W. Carroll" initials="W." surname="Carroll"/>
    <author fullname="M. Thomas" initials="M." surname="Thomas"/>
    <date month="December" year="2023"/>
    <abstract>
      <t>In the DNS, resolvers employ caching to reduce both latency for end users and load on authoritative name servers. The process of resolution may result in one of three types of responses: (1) a response containing the requested data, (2) a response indicating the requested data does not exist, or (3) a non-response due to a resolution failure in which the resolver does not receive any useful information regarding the data's existence. This document concerns itself only with the third type.</t>
      <t>RFC 2308 specifies requirements for DNS negative caching. There, caching of TYPE 2 responses is mandatory and caching of TYPE 3 responses is optional. This document updates RFC 2308 to require negative caching for DNS resolution failures.</t>
      <t>RFC 4035 allows DNSSEC validation failure caching. This document updates RFC 4035 to require caching for DNSSEC validation failures.</t>
      <t>RFC 4697 prohibits aggressive requerying for NS records at a failed zone's parent zone. This document updates RFC 4697 to expand this requirement to all query types and to all ancestor zones.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9520"/>
  <seriesInfo name="DOI" value="10.17487/RFC9520"/>
</reference>
<reference anchor="RFC8767">
  <front>
    <title>Serving Stale Data to Improve DNS Resiliency</title>
    <author fullname="D. Lawrence" initials="D." surname="Lawrence"/>
    <author fullname="W. Kumari" initials="W." surname="Kumari"/>
    <author fullname="P. Sood" initials="P." surname="Sood"/>
    <date month="March" year="2020"/>
    <abstract>
      <t>This document defines a method (serve-stale) for recursive resolvers to use stale DNS data to avoid outages when authoritative nameservers cannot be reached to refresh expired data. One of the motivations for serve-stale is to make the DNS more resilient to DoS attacks and thereby make them less attractive as an attack vector. This document updates the definitions of TTL from RFCs 1034 and 1035 so that data can be kept in the cache beyond the TTL expiry; it also updates RFC 2181 by interpreting values with the high-order bit set as being positive, rather than 0, and suggests a cap of 7 days.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8767"/>
  <seriesInfo name="DOI" value="10.17487/RFC8767"/>
</reference>
<reference anchor="RFC7858">
  <front>
    <title>Specification for DNS over Transport Layer Security (TLS)</title>
    <author fullname="Z. Hu" initials="Z." surname="Hu"/>
    <author fullname="L. Zhu" initials="L." surname="Zhu"/>
    <author fullname="J. Heidemann" initials="J." surname="Heidemann"/>
    <author fullname="A. Mankin" initials="A." surname="Mankin"/>
    <author fullname="D. Wessels" initials="D." surname="Wessels"/>
    <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
    <date month="May" year="2016"/>
    <abstract>
      <t>This document describes the use of Transport Layer Security (TLS) to provide privacy for DNS. Encryption provided by TLS eliminates opportunities for eavesdropping and on-path tampering with DNS queries in the network, such as discussed in RFC 7626. In addition, this document specifies two usage profiles for DNS over TLS and provides advice on performance considerations to minimize overhead from using TCP and TLS with DNS.</t>
      <t>This document focuses on securing stub-to-recursive traffic, as per the charter of the DPRIVE Working Group. It does not prevent future applications of the protocol to recursive-to-authoritative traffic.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="7858"/>
  <seriesInfo name="DOI" value="10.17487/RFC7858"/>
</reference>
<reference anchor="RFC9250">
  <front>
    <title>DNS over Dedicated QUIC Connections</title>
    <author fullname="C. Huitema" initials="C." surname="Huitema"/>
    <author fullname="S. Dickinson" initials="S." surname="Dickinson"/>
    <author fullname="A. Mankin" initials="A." surname="Mankin"/>
    <date month="May" year="2022"/>
    <abstract>
      <t>This document describes the use of QUIC to provide transport confidentiality for DNS. The encryption provided by QUIC has similar properties to those provided by TLS, while QUIC transport eliminates the head-of-line blocking issues inherent with TCP and provides more efficient packet-loss recovery than UDP. DNS over QUIC (DoQ) has privacy properties similar to DNS over TLS (DoT) specified in RFC 7858, and latency characteristics similar to classic DNS over UDP. This specification describes the use of DoQ as a general-purpose transport for DNS and includes the use of DoQ for stub to recursive, recursive to authoritative, and zone transfer scenarios.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9250"/>
  <seriesInfo name="DOI" value="10.17487/RFC9250"/>
</reference>
<reference anchor="RFC8484">
  <front>
    <title>DNS Queries over HTTPS (DoH)</title>
    <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
    <author fullname="P. McManus" initials="P." surname="McManus"/>
    <date month="October" year="2018"/>
    <abstract>
      <t>This document defines a protocol for sending DNS queries and getting DNS responses over HTTPS. Each DNS query-response pair is mapped into an HTTP exchange.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8484"/>
  <seriesInfo name="DOI" value="10.17487/RFC8484"/>
</reference>
<reference anchor="RFC7830">
  <front>
    <title>The EDNS(0) Padding Option</title>
    <author fullname="A. Mayrhofer" initials="A." surname="Mayrhofer"/>
    <date month="May" year="2016"/>
    <abstract>
      <t>This document specifies the EDNS(0) "Padding" option, which allows DNS clients and servers to pad request and response messages by a variable number of octets.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="7830"/>
  <seriesInfo name="DOI" value="10.17487/RFC7830"/>
</reference>
<reference anchor="RFC8467">
  <front>
    <title>Padding Policies for Extension Mechanisms for DNS (EDNS(0))</title>
    <author fullname="A. Mayrhofer" initials="A." surname="Mayrhofer"/>
    <date month="October" year="2018"/>
    <abstract>
      <t>RFC 7830 specifies the "Padding" option for Extension Mechanisms for DNS (EDNS(0)) but does not specify the actual padding length for specific applications. This memo lists the possible options ("padding policies"), discusses the implications of each option, and provides a recommended (experimental) option.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8467"/>
  <seriesInfo name="DOI" value="10.17487/RFC8467"/>
</reference>
<reference anchor="RFC9364">
  <front>
    <title>DNS Security Extensions (DNSSEC)</title>
    <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
    <date month="February" year="2023"/>
    <abstract>
      <t>This document describes the DNS Security Extensions (commonly called "DNSSEC") that are specified in RFCs 4033, 4034, and 4035, as well as a handful of others. One purpose is to introduce all of the RFCs in one place so that the reader can understand the many aspects of DNSSEC. This document does not update any of those RFCs. A second purpose is to state that using DNSSEC for origin authentication of DNS data is the best current practice. A third purpose is to provide a single reference for other documents that want to refer to DNSSEC.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="237"/>
  <seriesInfo name="RFC" value="9364"/>
  <seriesInfo name="DOI" value="10.17487/RFC9364"/>
</reference>
<reference anchor="RFC4035">
  <front>
    <title>Protocol Modifications for the DNS Security Extensions</title>
    <author fullname="R. Arends" initials="R." surname="Arends"/>
    <author fullname="R. Austein" initials="R." surname="Austein"/>
    <author fullname="M. Larson" initials="M." surname="Larson"/>
    <author fullname="D. Massey" initials="D." surname="Massey"/>
    <author fullname="S. Rose" initials="S." surname="Rose"/>
    <date month="March" year="2005"/>
    <abstract>
      <t>This document is part of a family of documents that describe the DNS Security Extensions (DNSSEC). The DNS Security Extensions are a collection of new resource records and protocol modifications that add data origin authentication and data integrity to the DNS. This document describes the DNSSEC protocol modifications. This document defines the concept of a signed zone, along with the requirements for serving and resolving by using DNSSEC. These techniques allow a security-aware resolver to authenticate both DNS resource records and authoritative DNS error indications.</t>
      <t>This document obsoletes RFC 2535 and incorporates changes from all updates to RFC 2535. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="4035"/>
  <seriesInfo name="DOI" value="10.17487/RFC4035"/>
</reference>
<reference anchor="RFC5011">
  <front>
    <title>Automated Updates of DNS Security (DNSSEC) Trust Anchors</title>
    <author fullname="M. StJohns" initials="M." surname="StJohns"/>
    <date month="September" year="2007"/>
    <abstract>
      <t>This document describes a means for automated, authenticated, and authorized updating of DNSSEC "trust anchors". The method provides protection against N-1 key compromises of N keys in the trust point key set. Based on the trust established by the presence of a current anchor, other anchors may be added at the same place in the hierarchy, and, ultimately, supplant the existing anchor(s).</t>
      <t>This mechanism will require changes to resolver management behavior (but not resolver resolution behavior), and the addition of a single flag bit to the DNSKEY record. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="STD" value="74"/>
  <seriesInfo name="RFC" value="5011"/>
  <seriesInfo name="DOI" value="10.17487/RFC5011"/>
</reference>



    </references>

</references>


<?line 257?>

<section numbered="false" anchor="acknowledgments"><name>Acknowledgments</name>

<t>We thank the researchers, reviewers, and engineers who contributed to the analysis and testing process.</t>

<t>The authors thank Mohamed Boucadair, Chris Box, Ross Gibson, Eliot Lear, Martine Sophie Lenders, Jim Reid, Michael Richardson and Hannes Tschofenig for their contributions, questions and comments.</t>

</section>


  </back>

<!-- ##markdown-source:
H4sIAFqwS2oAA41c63Ybx5H+j6eYlc/ZUHsAyKQulrVJvLQoR9qjW0gqOdk9
+2MwaAAdDmaQ6RnSsKx32WfZJ9v6qqpvA1COf1gEMNNdXV2Xry7ds9ls0tu+
Ni+KB2/a6+Li/VVxZaqhs/2+KJtl8bGzt2W1L/402KWpbWPcg0m5WHTmVt6Y
0Ruz9Meq7M267fYvikW1m0yWbdWUWxp+2ZWrfmZNv5rZtm93Dv/Mlo2brcPb
s2+fTNyw2FrnbNv0+x299+bV9U+Tqm2cadzgXhR9N5gJTf54UnamfFHQSJO7
trtZd+2we1HI2JMbs6cvl+7FpChmBdHJ/xKt/K/TFfKHnaxwcmuaweD5te03
w4KWt7XWbbry0bFlFkVNC3U9Pbbp+5178eiRPj6X9+e2PfLiI2HDlp/8CiNk
8Pmm39YPJpNy6DdtJ2sRbj44X2xoDHNTvOOhQFBRtN0au9J0Vr8w29LW9FWp
T89l4v+weGS+6h5kQzbLztwVb1vX79PxPr18OxqNH5zXeHB+9vg/hqqel9V8
uBkN15TFu5Imov83y7KmP78+7Hzrn7tnyP+02+Jd+0tt9vl6V+2ibn/OR/v7
lh+kpcqv86rdZoO9K/uNNUPxcmiqjckGfH91Pnu7b5viX4sjzNzKi/OKX0x4
OWnajn60tyRGE8wbPhUFrZYWx6N9LHeGN7Mo+rJbG5IhL0JL66r21nT7eWDA
I7t8ZEhGm/7R6bdnZ4+fPn/8SN4Vtf2pa7e0Z+3NsCv6lv6qbpbtXcOaHOWu
IGJUsZs19KF4VbVu73qzdTTaq/dvrs7xdNlU5qe2o49nxym8u7ubm8a6cm6G
rt3hn0e7YVFb0nvSWfeIfjub9abaNPRVPbPbXW22pun5ZxZxzJGuAJMV1/6N
4k32RuGpmkzm8/lkMpvNinLh+q6s+snkmsS6IBMz4PmiHXpZrJ+FV/2m6U3X
GPp5VdDzzdoVJ8SAhwVJ27CiYYbOdK7ozLrsluBOvzFFTjZeBT9dPyzoQdfW
tEeFa1f9HRmhgh5YmltbGTdlm4lZMQhNUK55lOKXFnQNzsivu6HbtY6+cUO1
KUqn7xdk51Z2PXQyK8YKkwy7dVcujZsXb/qitFuH3d7a3q7JVASLRvOSVeyJ
ENNsmAVq3oQyeqVckvI6R3bTyDTE8vB2tSnr2jRrmmYywYp5sQNTszD9nTFh
qTzeaIU0UHcLZi7NzjRLWvCuFUnED/zWHRlH2+jsxAnaGFhv5RxxzZn4ML46
eLKoShCDLaLNI4Yu9p59C7Mpb23bzYvXBmvvM/Eoa9cSO9pbUopERognOnSY
i3i7KXusom73rC1+0SnPscVuZyq7slXRWUek0chNT5+JKlrkaHqsr7wxtAO3
JQnW2kCsaBVEET0vXNJ92JI2lKRJtMtKMC8zk1hVhq1dLmvSjm8g6F27HCrs
1mRySZwsO5Iushwt04oZPIcwdbquz5/HBurLl8Jt2jvsGLFrR1K1LBrSYDKj
u9oy57CXoK9vq5aEqIf1Jp87LdblzoEB8bdht2u7XjY5rPJ2qBti+MLWxFJI
NqtzTTMxo4eGZl3aqi8XtcnkNawCw5mfRZWSLVqRGpuOjSYUGk/RxlgyR+1q
ptJVlH1fVjd+1rBNQUDAriAkZdW1zjEbwbZELXbkDYoTmXwajIOsVPy27dkL
EENWXUmWa+ANfDj1/LPbstuTd9ltSkeUBGuSLNNuSQBIIjH3WAj+urG1CGOg
9kD2tiWhud2u3rMFaILCDA78oZVORy8AcBEXSBNSKSFDVUaRr0rS1buNIeMk
XoJo7AzJB42wFG9QsOVyZjXUwSqu2rpu7zAvyZSjh8hZzmgTzOHLaqrCjMBT
nQE2SqSISK3IwDuSzp6+JQvFyz+U97WBtNUzNb5eoogQ7whn2WrpTVMs7WpF
KySWYGuHDkZ6U8L7GFL53lbkWuGBx4MHh+AtPDhKXov807LYtXfkP/DNsN1h
rVPSeNJ3IsU2VdsRI/po+XNfJPaPaSux1ApcNMtMP8Q0JpK0IqgivwH15stc
tsw5QttwvyQiPDbtApFJChQZTRar6aHXpOnkJZYYn/i8FWMJSmEqaAB2c/Sj
8qT4GsOvWX7w8hZyiT27/OllcAeZTIrd59FJjNXWwuVhcC8X9EuQl0A6BRQD
LbVdsIPCwBQtrDfY08RIJlxR5YQYkfJBerblDe9PXxC/LW1f4kvFbY3M2YjN
UMGFUZ8i2uyI34oelsBP9O0xdzhWiztb18oI6FXivyIKMOWWLbA6K1A+Io8Q
AvOJt1y0eGx2iOGQjAWLPFlUSISjUIWXgC2hJb7LQBQWOcCDqy+IQkzItu/s
YlDNTg2a5xA4ThAu2B41Tbm193ZOYS3TnQoGadqu7Bjs4dGK2GEQghCXzG1Z
D+q43Yii0WZFZSCRBY4XZ0+BA/G493DwHwMNbdhi04K7fjbsSG42luSJpMU4
0Y5FS4K0bbsoIDV4XJVgFJNp4eWjp8vWy6CF3ybH1GRoJfdyYzDMg8K12DrY
SOIPi7Usc9a3s6puh2UB+RoahfCEBX4gFfzuydOzL1+mBTGIF6vyy0wGgKO1
dQnPRmOQVwTqdh6JHZj23Bl5gQLjvU/BpFYws1CxJGl1/DZNMALoXieISQAa
MHU9M4s12LmWBD3zGoLXIsAUw+lFT6icFxQKEb4oMdc9YcHnbzxmpz2Yeffv
vvDQnz+TxW9cybZ3Rn8u2639hd8leHXXDvUSRBMziOzOKslgST7RVFhSAqcR
O7v9jtYyC4CLxsLuqK7mLLDwEcsBok7rI0DSboV209xakqgt2/RU/4NH0Jl0
q7EzjuW1K1cwriIm358+/fbLF40WaMu3tmnrdr0/xCDgE2kSAzR998n339O7
BFzlUXqiNz8TSrxCnHXp46zOrGBbdDOjyImNvOcxH3TQDyyyi/3o7Tkg88u2
uYUXYZGkwS4MKZUVizABJLkxZByRSCoevPt0df1gKv8W7z/w35ev/vzpzeWr
C/x99fr87dvwx0SfuHr94dPbi/hXfPPlh3fvXr2/kJfp2yL7avLg3fnfHsgS
H3z4eP3mw/vztw+ORBUdywziIcS5ZEd6toITgrBk/BairT++/Ph//3v6hPj+
L8T3s9NT4rt+eH763RMI48Y0MlvbiENogAnNfkLSST4So5BBJFu7Izxbw0E5
DhAatsHEzX/7b3Dmf14Uv19Uu9Mnf9QvsODsS8+z7Evm2eE3By8LE498dWSa
wM3s+xGnc3rP/5Z99nxPvvz9D3A8xez0+Q9/nECE/pTlGpBCFXuYO8bP3yB3
kNgHEa+IhQN2V/BCukaBjZEA1zsEP4Wa3CwdwZKPHGmn2QDSD439ZzvgHIp6
mvV0bPJorw3U2UKY8ogfGsIqkqQkfCJE43yvWiAqU1p3r2GcTA4w9gKgPWIz
it8gaQuKzvCB0PaSok6EwG8+esilGa1AMIaOWPvO1PXspoFw0lKb9BF6ya4b
+NM4EvkH+k6mZpd9S4BBTaVZjpIyW0MoZRkzNxevX34sPjCKL55pMAlrTGMP
dc9qAxMsWzLykoBVjakD2BtRG5ytAJaEERlJAVsu6ra6kQ3xGGHX1hbJH5IA
NnSa3vJhASIXHxvgN4096n2a/mFSYo6rYK1eJMkqgBawzE+aM8wnAcidXuUC
683DvfsdHgU5OruqO8BTHk2SsLfs2slcG9EVZ2paDacAwlhzDjVXtnMIkIwE
L7JZjJjLgmCiXXrR2qHy4CddGB3SLImi0zkrOblVIqbLVz05m3tDkOTIAhrW
xMAvmg4cMUyTg5PH5Bo/3j4rLgkV0wTnSyK/t07GOrk8f6h+9Pnpt88A1SCK
9Lh++eT0Kdn1E7sq3v3htFhYlkV6aYpBn4jcyqNnp4/P4If/Ska/CPgiJjrb
XQzm2ZQ0PBaPAMm9l0gXHP2zxyCwxwRwKglDIePEzDeC1z174+QWOYddTYFz
ov7FiZmv5yK/Ql3x+KF4RiAnWM+hiSuhvWSUwTqLtAWprc+0s0kzMACs7NGA
nVxcXD6MCyAOJVRrWCA2Q1OzYoD9nGVF0uoUuRXlbWlrKIoY1SvJJHwknMYc
vI4wsXhzUVymSJEs6f0ocjK5arfmMG1xYFL5WzJDQzD2SKm2RTacz5xoogMw
0h0EO2J1+4xi58NjMZ8xzuFovG1XsqOsTGQHzmEHF7YJPuU3+BHCgHLbNmvn
IakP7qYe3eX5eWAY3oadmoBUpYNFid417i6HAa4HlzheujKVaMCT+VOm7/v5
GYN/RlBPOVI6sG6kJksfwgbmga5PFx/F9MGG5UnOY5xNUo8U7tfF6bMZlLlD
RM7E5ENkexfUiTWFvFWNRB2sIb9NSwiCqW/QMxw5ggCKgNla7lOjuyVDaXfj
iZjX4ad0yVwgGXoOVogdIv+v6UMN5qAmc/22+AtF5shCf9P39Qxhuplt9JHf
BgwqeqTwCpiQw7LrTdEM2wX7rlyC4QmFYBEIcnokcXZrZtft7C0ytbdCzgmR
5h5qnIYEnVgYQr0auA3kvaHlZbf35l4p5LA9JxM5qLE8kOtZ2Z8h2SAY6YZk
JxnQEykupE45AUHqCmOIKqabatmq5orOKo9lOWfDCgsWy5qI/Z8i0YEOAAjk
3Tn8RKneslpKntI2Ifc5S7OYybbMJZLqSN4IbLBZ5R0AA3lwzUgq7ghkuiQ9
GoAR8Yi1LnWcgjex3MrYW04hxsLYEsVyhnZqF2TlMRcTFzfKCGLXJGjlXC7z
Yx8tAmMDgYsuYWLIuopWIpUAbnlQlRcfyDSV8InEb3D6btNyvopQ0Qp5e5mx
t1u2nklWMyQxddgtIaKad5Owy5ZXjlE5TzGZ5NEGWxcPKgQniZgLwsmqElKZ
ZIYnKxylJDBCSFfFwULljeuNTorLeAAjWcnI921bEEKj/cI291i92L1DKYSY
rzpDH5vep5FVzJH/wWgsVabh5G0YK0t9874moYBCjhQ8wOw15IRU9Rn0jSuZ
KkPz3PoIY8tKEwzBpbEdViO5aRtROZ0cj8PwFQRxsMKUWq2AKHIRhpEElLVi
JQjmdthqrfVn/ptHpkj1AIJLOj5kcYljAWAvJHoQVK2WAHAvJn1HsWSS+vVi
pLnDe0jSUbWOpOT5UimHJM70Pv5wgVgfMgR0zkiwIggJEzQ2F8yxfwy2U3Qp
IgRJZkRm2yUqsYYBfMAWQAncWCCG02PHQ+vycBoS7jvDVHvBTNwfSqDLzGaw
mZ6N9bi8bSmIYOOeGHI2KBW7D9MIQNJsWm41wAZhEIdtWEZSclyRy4Ze80Km
jOJ8oMJ+XlRUGEqLWuaRU0gtcsQ1a1erAia9N2sr1dOaFtEfKOjekzoV5+aM
IfwTqZqRwaAFbR1nA4FxpeYL2l+Rspx8+zAGcUe8OEwusY4nR6JW34bG6OtT
VveAMnssG8EG/rqmUASPZkDr6ekZCR77BqJcI8GoIr9zIfVRkf/+wL4jVIRo
Q5bcLELGvh6WJim10UpZ7oBfaJ4NfIvUmGV12B8VA0gcizINbrs0Qm5Azy1c
EVuJaEroLbEttBbXIw1UGZo0LOaYSfLcUk5pmR3lA/8TjQDcSV74xpDEU+jJ
IfuHj9fFk1MFss+ef38KIHsdxLcr11m2Ow6ReVfUtchd7ETRRdwNJxRiPWt7
6KEkds/K1kLI998hdoWgoSK03sQaQxonw8iUPALbHMmCphaRAg0/QGJr+Emh
PeWjbgmvx7OT0XKXMo0NHA1VYh3qDmO1FytYGKw7lPmQMUJC3+88p9El4ZMC
QdIt9uYJyzgd3rVcaYWjDYXo0KUiVWOHmqR1o6Qel4yMSP0t+3BYLxKHLWq3
nUiAFG6x1S7fa46WyV1aqT7cK2+ijlzhutZkAEQk0URt+dDnHbkQ9oZeZyVG
oz8lQYE2LOJs4yOW1JKpbJx++/ipNzFvpHnGZ1p+9LgNiQ5vEWmiy2g6P6qR
olDjmOlCN0XIwPE+ZmB7XM+FixREaiTDlBjhNON07uQjxUdAJt1aRIUliWMU
SFKICRrEyj3/fWgnGeYmhX+M49+U3SiRqEfxjb2i78A5YYEo12sgIKK3VqvO
lWEyBJzDIfnhUg9hH04SPYxRcoDbvP/Rh4yaxMp6DWi52aqvW7SDpjZ1obw6
UJasmBNKYb+PARJGxr1LwUjMDUrO1VcARyU6D6MFQuZGSAM5X/SLr3o/Ma5a
Qq4jRiIYQIZeMrSaJnp69i36piRdUDyen6mhCQNJxKCQ8Lhbl2mIdxSzuL44
xXBtozmyaM2TlEfIrh/UJ8cQKrZepJCeJQvlxNr45OF3z76jhShIS0oOkPqs
Ac63mqyYfL8vg9iNDITnYYevIHAE18T0WLKZtMtDNZ4lao/mShg92dVRNMmJ
o4b0hNA8wBaEz2o3lDqOIG+ps26bdSvp8DRbz/CX9pDbYmSXZHeRXLft4Ein
Yu6YZAY6z+ZjcDH193LUP/cqzVIWV76mSwbqWKVXykbb8u+a6s67+CSwyvKe
goTY+D59HHw2uw3xmspB7aGoyl3P6sWsclKQgPLBp3MmTftSSZPsbqjVW+SL
CBl/3l0YSW7s7kO2O+eAdNaG5kHoaSKc+WoUbYTxEFcgAdqZNYhB6yZ3TSxv
rZamMJvhVJ4XQMv9jsdanknkOeoI7Qix02S8Ru/RrPNdT7GzR6QMabSWbC0E
Ly/cMQLxrd5ZDSuDvbw/3BucVHI/fz5eVvsygoUK9v14wZwgts1ZyvlG6c4M
NS0vN9dvr4qTCzRLa1PI86fPudLgH/jzpzcv8cSfQ6b8DP0AU58m5odeX19/
5HFeh4rFk+dP8BQbhmUr+RxwbIXmKq+qy9ZoSEzqT+h5HA6mXTScqgIgIj+3
n/KuD73CoSQ1lOxtSGX13oVoy7TzdVOIT1I425XsOdUVZ/XQAHa0ndfFRNNi
nzZh+VTQfmabGVE0k/bd4uTcXr976HtSBTRJhMipsR29zY1be1GZpOgr5SsO
ipONDZvKaD5Y7HKNCLgf56hyMzLNkKmG8jtCg9Jedej2vnv+GG5POl5ke+E+
xN59kv2hIa9evRzXwXHshTg1yvH6Bu8G9p/TdoDCcADANp6Dvr2D9hbdVpra
viXnszUHOV9AnINCBEbWB7irPjTkAGvbCuXbFY+egoa8A9xyEiwDDtXG0BZy
QlBcAOPDJZOQyYrXNp+uwMGMtMCtCPH80Tn955NVlxfn1+ecSZM2ENWQjqwU
SUuQVyK6psiWnBLcqO0EkYxgPeKSPFciLgE9WGHkpMexUJyMJyGvXly1/TdN
bu+Tcg+XkrH5sXFfuHWkqT1jbzaHHiQYD168b3sNZI5EmIyftbgvp1TGJzEC
rgnZIImd9QSCa2XshE1YBffx7+qy8oDlUO/FtOUdVb6ZsG6Rj4pjcjNNFibG
kwh6CCERkrQqPsr7kq4qJQFGJ3aIUFltf9FtwoYkq1Lr/fjZk4j7Mgiu5eEA
QGNeKTZLakAPHwNhumt91hqcTiY7keRRbgri71++PEwThuW4Wsj9XR94o15e
IHAMeFB1izvKrzJkzFqJ0UakzI4UDlWDfdXlfEAuttcO3Qso9cn5xUNfUtcY
leXRAyxUiQYrZRwt8IeyiWcbcI4abu71gb72ON7owrDDjt4y5TaSphKU9Goc
7uXB2pOXuIKYLV9kkf1Gu+7K3QZgMJgwHdw3V2vif6qnJNhv910LZ4IumqGT
k1o/Sssrb72XxyCIDAmGRomIWdavRGh3xmoOJ+36Tzo1ozEV/oEW6ayHL1Wn
pw02IZUsWEO9qmir5nVRgeJ95DIIRQ/S7N3u+vmor2scQmIOtp/Eu5DyiUEG
jrfYGyOtr2k3eBotlcUGkNa/fktGTsBL2rI5FaQaCcYsPLbdtO0y2btktyU3
FUu+oyS8dCENjjtteXM1rvK2RBbbgf42dMrkRgnuWHw3HwGTSg5FFTLfKpXF
A/rmEt0kGC3tPKEdRTczw3pDZsa36N+1ol62H0LgriYpHcpVhKc628I4/Arz
8SNp268wIPiD/gqNpH/xkvkDvlYqLy8dPSG5qR/oa7gdV/z2f79Ofn0xm81e
JP/X/+7/8PX/aMTibxhZ//8+mYy/Ch/CioIz90o398tSiCLrmv/zdiMydl5E
gt4f0nCcIE+H++cIgcsFzj9na8+AEBYqFR2mIs4/Ysv7o1QcYcv79h6CLsSD
ExXpVEcWfHyqZMH5FAdLvcdP5Qz//KL45j7vKcdq//AgH/dQqR58AT7/ZjT/
y3T+v0SfMpFqYZkZaOGgwApzxN7kFUk+EqvVw3va98tjntgrddx9wAc1TRTm
oEdhQ3aT86TBrcyJ+fVeIstaLVYyCnsIo/HTcV9r1ZuQbew3e221QTDWtVsr
XWuHp19iZrQscIQfBITTnBz3q8029yatFGI5z1COA0edm8jnK9sTfkueLZh3
LmxHL4QTR35o23NQjMZLFzovjzjleXHe7MUzYTWxAcD3WGHjuGPcv6pNE/14
GdNibW+5Fq8MT/mcWBr8lCwJ6Tp4dBIOj5HgPbEv0jfYaL9nMApS1EiChUPZ
OJAzqevr619HfAKUn3AVQltjYjQZN5e2QhIOePkuRnkxcxvX30uDGzcJMMjO
jEAitO5I/yyE9ggIjNnkEgXJHq1cl5FU8AhPpG+k3QIhPkLlY9wTPrYZH+Pu
/QQ/kZqN8+P5fG6B0Wgo221n6hXYKl2aerr0mJYcGO+0QzHRlPCcIMOjY2Hn
yKq0tLqXGa4chYiJrtsmj/rHDlKrxhyJ+Kp3IuXjCLAARkVyGYeyULgVaoGI
S+l6MV2e1KJPrk8G90iUm1NiPzOo4BpPYpWHnkYSgdUce+h4SKZIxm6MpGHQ
/7yxXOdl7EUOsg2cJei/0UNr0gKX2z1pgEdbz27pcyd52oeFMg+RD8U6tDbx
oTw937WDYfANlKMXsoaRkLIS/R2jeY2f1YBzMiQ7OZv0h2sxJRVqijRG+5rg
Yq3bCZAPsaE8HrWCuE/BM/n42CpxIDT38CQUL8rceHGGN+6P5Mf5DT3pDmMo
hxPifvEdFfjZ6cEAdn47XRPaL8asG+ebw+kJnnymwqG9ekey2tiUp9+enmoe
UYcrq6odGknD+X7GPuCnPGiNpcf5wbmclFa27rEQBQb9F3JCY28OwKk5o/Lg
Dcki/dNXeUx9MV8ZqVd5cIIUkxdXdt3wIU4mxbPR+8NRdop9SoXOgMqnRMZn
M5RDmvqyiZP0O4RxQ6PjaDOO5mh9gjf4n1mkMjwjpytGOTbpkQiMSrromb1k
E2p0W6vDObyLQ3oXiDLnL7DJummOiRMfhQFhIQ8600qXz0vHtmNyUg4FqN6/
fKQJ+cux7GLssEw6JzVjnDUT+n7JcFA+ba9MXEzsi51mp6BLgmg1C7O/hIWb
NvATuoOkLDFq0vL2QFJFcFIDssGxeGLTBrMxIEuqpnqVRYViaKsWYNeiomaT
LmO0XHBq2qtBwoM0qz0/PDT3Xnf8g99x0kTybccuKZB87sHx/niu5p4rCqba
1x5TlVKGd1qC/M2rIWIbS8235NByR+fppTQuTeKCcJO+oFKOfvnIgbZxhXYM
5rFXcrkOAonW9wcq4APg/EzW6DIaJ63ILumb6kMx/RYVE8nJcMWn0aNhrLAu
aY7SCquo5jQcyqdZ+87qMQjNxQ+O+D2VAoy8hLpZn3ZaxX5Hznb5aw7yyxYU
5sXlRh/MXStp0g9G9N6VH0RksVW/lJuaVgf2RYr1R1JO8UYZZqAeOHNRT9D0
LBFN5HV+x4tv6R0aGN/UgvwutHfNxfwg41dCsuOJm3hWPQlf05tnpA0x2IQR
GPnaVTShn14PS/qirxaZ5Kz3CZHONSVxJg+5RoaSNNo/Y3PovUY7bxKyevwK
0dBeW8FDWxhWn/SWpz03hw4pdJjGs1pX0V+GQuPX/FQeN4ZaPqeqpX2P7XG2
C4dO5h43GRU0O1HkG5dowhCy5E3k4TYeWoCs8Ed1Y9x72YhJXRYMaHx5D0Nc
+yP533zF700mH3P1THaL9RevZl01ehdBcgg0tofJpSueIg1p/YDTUDcLDTqi
CIs9F9EZUO5z9gbd9g4ktNOJoVJQEY+f8bh1u15z3HytHfRsMLIce7D0fOkB
n5G3+ORbAg6MVtoF5y+LUqwcbgZrm9/1JMhNHxumK8K5JMdd6MMLTXhpwe6v
I1MXYHuY/j4rKcfxOUbxxnjcfcdxbGxYjHhjpK24mLA+bKdIYeLR5qsyuexD
fdmByVWZ98FFXKlEjFU1cPsfbBL92clZUr0qEUWFRav9P3nrpXyacTrCXy6i
bRI/M5/rWLTVkG95FFppiiUWsKSfwXn7408J+KPtYc2pnfNSO25r9i322jKO
Y80szjroNAnIRYFwMg5sEkArhXqvCtndUdzBhF4kPlwVhAVxEV/h4hc/2o/i
E3w0DriS4VLPdvLu04V76E8h8S4d7kAmR/4c+uHxLd7GssmiitSZsiebLbht
/kDV75OdJEOQUZaU1AtfXqoAvQSEBqNzhEztQ/N3Bop1PZdMKVcAYR29iisZ
QAJbZFiT+Dw7dn9wGWB6cW52aOW3Lgf0BVW+morztLTxOr9OpghY2l9g3eRI
Q17V5DOAbL1gGaoaB33B5kNEOV5j1oU2XqfelnVPy2i8rFAuBdELLJLAXtpJ
o5HGDU3orym7eh8dvryR3UuT2cIkKM7MYmq2uL6A9aTsX1rXDdK6uBzCtVJH
Om/nxU9DB/bBi0yP+Mksb7IcKGJw6E4Z4fJxt9/4CBX3y/Mh/HB6Pj0QMs08
EDuXrMIadK2VQZB+1/sa0kO3W8RQHLQ1nDHXhjDgBz2FLPYzjUsOT9l61b9o
r0IrDvdmSBzhJ+R10boBBvRgcAz55JK31dd4GrGiXlHz/AwNyP5pmoqbkFYW
TpUd/r0incPOcA7gElr61jPz5PLy7cOibe6JpviYoQTUvqGM+9Njh5pitYQr
vs1AwG4aBnA+KtyqnWeY8xSoxCi98fW+5J64qa7UaDThj+SmfYx6kUgIcmvI
5gZ3tt1ngZkaf+KSoj1T3jSh+yy7fK1KDx3wnZtDF8/389UyOEmB2zBjFyMa
fVfaP6134+bn3I7e+3hwyZHvIcmMLDIouGoiNvslGs2dm+227dNOmXAYwi9q
KjBHTo9HjCSZWoJIwNfjs2/xNIsP3NUk5nlXbgImr70GrThg0stBfM7d6cE9
jau02fNY6+YmOcPT6NFVCUK3tA9c3vFX7aIzrW1xgzHPnzhhvUAgLx7xUeqh
48xR8uW9oeK8+AijnfdUyD03ASguiMaVlQCWQ7roGeZ8Ia2FyVRvKK3xKSI6
wJYpOuINrss9N/midTrLrvK5DO0pJ0YMjRYID6u6btQD+dVOcwH2aoRUh0jH
d5p3LfmOTA5ODGBKZaQ+n1/EF7uY9X5ewPG7pEke+ZPAqH9HOVB4Kj2Xokw4
90A4SY8w+GZD6cnUGwOkkUlODzkL11/5zltp3y+roF6wOamjZQv15vz9+YF1
yteCUmrTypM6HBJ6uIcYRWSMcl7h4qXaLPk0mZt8fiEnf8zyDw9WZe0M+g7+
ymXi5sanNPjIpUrlrTV3QRZNQ+GdgXnmg/MwW7iyMdzVRA+V9R7X5rLl04K7
Zka0n0jk2emM79pNiXtbfmyHqlyWluTp5YZEkr74eVpcQlP+ZBcOsvGqtrRt
b4m4KS6y71HXvWp3G0uOBHgFROJK+ktjl/SEpT00dXGJf7ulUwF5jSueXHHt
qk27Mo0NRV3bxfVIypcPfEZYzTYRe/P/J8Dzo6VhAAA=

-->

</rfc>

