<?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 4.0.5) -->


<!DOCTYPE rfc  [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">

<!ENTITY RFC1034 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1034.xml">
<!ENTITY RFC1035 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1035.xml">
<!ENTITY RFC2181 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2181.xml">
<!ENTITY RFC2308 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2308.xml">
<!ENTITY RFC8109 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8109.xml">
<!ENTITY RFC8806 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8806.xml">
<!ENTITY RFC8914 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8914.xml">
<!ENTITY RFC8976 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8976.xml">
<!ENTITY RFC9520 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9520.xml">
<!ENTITY RFC9567 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9567.xml">
<!ENTITY RFC2119 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC8174 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
<!ENTITY I-D.fujiwara-dnsop-resolver-update SYSTEM "https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.fujiwara-dnsop-resolver-update.xml">
<!ENTITY I-D.vixie-dnsext-resimprove SYSTEM "https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.vixie-dnsext-resimprove.xml">
<!ENTITY I-D.wijngaards-dnsext-resolver-side-mitigation SYSTEM "https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.wijngaards-dnsext-resolver-side-mitigation.xml">
<!ENTITY I-D.ietf-deleg SYSTEM "https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-deleg.xml">
]>


<rfc ipr="trust200902" docName="draft-ietf-dnsop-ns-revalidation-13" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true">
  <front>
    <title abbrev="DNS Delegation Revalidation">Delegation Revalidation by DNS Resolvers</title>

    <author initials="S." surname="Huque" fullname="Shumon Huque">
      <organization>Salesforce</organization>
      <address>
        <postal>
          <street>415 Mission Street, 3rd Floor</street>
          <city>San Francisco</city>
          <region>CA</region>
          <code>94105</code>
          <country>United States of America</country>
        </postal>
        <email>shuque@gmail.com</email>
      </address>
    </author>
    <author initials="P." surname="Vixie" fullname="Paul Vixie">
      <organization>SIE Europe, U.G.</organization>
      <address>
        <email>paul@redbarn.org</email>
      </address>
    </author>
    <author initials="W." surname="Toorop" fullname="Willem Toorop">
      <organization>NLnet Labs</organization>
      <address>
        <postal>
          <street>Science Park 400</street>
          <city>Amsterdam</city>
          <code>1098 XH</code>
          <country>Netherlands</country>
        </postal>
        <email>willem@nlnetlabs.nl</email>
      </address>
    </author>

    <date year="2026" month="July" day="06"/>

    <area>Operations and Management Area</area>
    <workgroup>Domain Name System Operations</workgroup>
    <keyword>Internet-Draft</keyword> <keyword>DNS</keyword> <keyword>Resolver</keyword> <keyword>Delegation</keyword> <keyword>Revalidation</keyword> <keyword>Authoritative</keyword> <keyword>Name Server Record</keyword> <keyword>NS</keyword> <keyword>Parent</keyword> <keyword>Child</keyword> <keyword>Resource Record Set</keyword>

    <abstract>


<?line 189?>

<t>This document describes an optional algorithm for the processing of Name Server (NS) resource record (RR) sets (RRsets) during iterative resolution, and describes the benefits and considerations of using this approach.
When following a referral response from an authoritative server to a child zone, DNS resolvers should explicitly query the authoritative NS RRset at the apex of the child zone and cache this in preference to the NS RRset on the parent side of the zone cut.
The (A and AAAA) address RRsets in the additional section from referral responses and authoritative NS answers for the names of the NS RRset, should similarly be re-queried and used to replace the entries with the lower trustworthiness ranking in cache.
Resolvers should also periodically revalidate the delegation by re-querying the parent zone at the expiration of the shortest TTL among the parent NS RRset, the DS RRset (if present), and the child NS RRset.</t>



    </abstract>

    <note title="About This Document" removeInRFC="true">
      <t>
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-dnsop-ns-revalidation/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        DNSOP Working Group mailing list (<eref target="mailto:dnsop@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/dnsop/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/dnsop/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/shuque/ns-revalidation"/>.</t>
    </note>


  </front>

  <middle>


<?line 196?>

<section anchor="intro"><name>Introduction</name>

<t>This document recommends improved DNS <xref target="RFC1034"/> <xref target="RFC1035"/> resolver behavior with respect to the processing of NS record sets during iterative resolution.</t>

<t><xref target="upgrade-ns">Upgrading NS RRset Credibility</xref> recommends that resolvers, when following a referral response from an authoritative server to a child zone, should explicitly query the authoritative NS RRset at the apex of the child zone and cache this in preference to the NS RRset on the parent side of the zone cut.</t>

<t><xref target="upgrade-ns">Upgrading NS RRset Credibility</xref> works most reliably with good quality child NS RRsets, i.e. those whose name servers correctly serve the child zone. This is the case for the root and the zones delegated from it, but may not hold for zones further down the hierarchy, which may require a resolver to fall back to data from the delegating side of the zone cut. <xref target="scoped-upgrading"/> describes limiting the upgrading of NS RRset credibility to address this.</t>

<t>The address records in the additional section from the referral response (as glue) or authoritative NS response that match the names of the NS RRset should similarly be re-queried if they are cached non-authoritatively.
The authoritative answers from those queries should replace the cached non-authoritative A and AAAA RRsets.
This is described in <xref target="upgrade-addresses">Upgrading A and AAAA RRset Credibility</xref>.</t>

<t><xref target="strict">Strict and opportunistic revalidation</xref> makes a distinction between strict and opportunistic revalidation.
Strict revalidation provides <xref target="impact">DNSSEC protection of infrastructure data</xref> with DNSSEC signed infrastructure data and validating resolvers, but for it to work correctly, good quality child NS RRsets are a pre-requisite.
Opportunistic revalidation allows for fallback to the non-authoritative data returned in the referral responses, and therefore does not provide the same degree of protection as strict revalidation.</t>

<t>Finally, <xref target="revalidation">Delegation Revalidation</xref> recommends that resolvers revalidate the delegation by re-querying the parent zone at the expiration of the shortest TTL among the parent-side NS RRset, the DS RRset (if present), and the child NS RRset.</t>

<section anchor="terminology"><name>Terminology</name>
<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>

<?line -18?>

<t>This document uses the following terminology:</t>

<dl newline="true">
  <dt>Triggering query:</dt>
  <dd>
    <t>the DNS query that caused ("triggered") a referral response.</t>
  </dd>
  <dt>Infrastructure RRsets (data):</dt>
  <dd>
    <t>the NS and address (A and AAAA) RRsets used by resolvers to contact the authoritative name servers</t>
  </dd>
  <dt>Revalidation:</dt>
  <dd>
    <t>the process of obtaining the authoritative infrastructure data</t>
  </dd>
  <dt>Validation (validating) query:</dt>
  <dd>
    <t>the extra query that is performed to get the authoritative version of infrastructure RRsets</t>
  </dd>
  <dt>Delegation revalidation:</dt>
  <dd>
    <t>re-establishing the existence and validity of the parent-side NS RRset of a delegation</t>
  </dd>
  <dt>Revalidation point:</dt>
  <dd>
    <t>a delegation under revalidation</t>
  </dd>
  <dt>Re-delegation:</dt>
  <dd>
    <t>the process of changing a delegation to another set of authoritative name servers, potentially under different administrative control</t>
  </dd>
</dl>

</section>
</section>
<section anchor="motivation"><name>Motivation</name>

<t>There is wide variability in the behavior of deployed DNS resolvers today with respect to how they process delegation records.
Some of them prefer the parent NS set, some prefer the child, and for others, what they preferentially cache depends on the dynamic state of queries and responses they have processed <xref target="SOMMESE"/>.</t>

<t>While this variability is expected to continue in deployed implementations, this document specifies an algorithm that can be adopted by resolvers to achieve several benefits.</t>

<t>This algorithm predictably prefers the authoritative NS set at the apex of the child zone, which better comports with the DNS protocol's data ranking rules. (Note that the proposed redesign of the DNS delegation mechanism in <xref target="I-D.ietf-deleg"/> is expected to fundamentally alter where authoritative delegation information will reside. This document deals with the DNS delegation mechanism as currently deployed.)</t>

<t>This algorithm also offers several security advantages.
The mechanisms described in this document help defend against GHOST domain attacks and a variety of cache poisoning attacks with resolvers that adhere to Sections <xref target="RFC2181" section="5.4.1" sectionFormat="bare">Ranking data</xref> and <xref target="RFC2181" section="6.1" sectionFormat="bare">Zone authority</xref> of <xref target="RFC2181"/>.
Strictly revalidating referral and authoritative NS RRset responses enables the resolver to defend itself against query redirection attacks, see <xref target="security">Security and Privacy considerations</xref>.</t>

<t>The delegation NS RRset at the bottom of the parent zone and the apex NS RRset in the child zone are unsynchronized in the DNS protocol.
<xref section="4.2.2" sectionFormat="of" target="RFC1034"/> says "The administrators of both zones should insure that the NS and glue RRs which mark both sides of the cut are consistent and remain so.".
But for a variety of reasons they may not be <xref target="SOMMESE"/>.
Officially, a child zone's apex NS RRset is authoritative and thus has a higher cache credibility than the parent's delegation NS RRset, which is non-authoritative (Sections <xref target="RFC2181" section="5.4.1" sectionFormat="bare">Ranking data</xref> and <xref target="RFC2181" section="6.1" sectionFormat="bare">Zone authority</xref> of <xref target="RFC2181"/>).
Hence the NS RRset "below the zone cut" should immediately replace the parent's delegating NS RRset in cache when an iterative caching DNS resolver crosses a zone boundary.
However, this can only happen if (1) the resolver receives the authoritative NS RRset in the Authority section of a response from the child zone, which is not mandatory, or (2) if the resolver explicitly issues an NS RRset query to the child zone as part of its iterative resolution algorithm.
In the absence of this, it is possible for an iterative caching resolver to never learn the authoritative NS RRset for a zone, unless a downstream client of the resolver explicitly issues such an NS query, which is not something that normal end user applications do, and thus cannot be relied upon to occur with any regularity.</t>

<t>Increasingly, there is a trend towards minimizing unnecessary data in DNS responses.
Several popular DNS implementations default to such a configuration (see "minimal-responses" in BIND and NSD).
So, they may never include the authoritative NS RRset in the Authority section of their responses.</t>

<t>A common reason that zone owners want to ensure that resolvers place the authoritative NS RRset preferentially in their cache is that the TTLs may differ between the parent and child side of the zone cut.
Some DNS Top Level Domains (TLDs) only support long fixed TTLs in their delegation NS sets.
This inhibits a child zone owner's ability to make more rapid changes to their name server configuration using a shorter TTL, if resolvers have no systematic mechanism to observe and cache the child NS RRset.</t>

<t>Similarly, a child zone owner may also choose to have longer TTLs in their delegation NS sets and address records to decrease the attack window for cache poisoning attacks.
For example, at the time of writing, root-servers.net has a TTL of 6 weeks for the root server identifier address records, where the TTL in the priming response is 6 days.</t>

<t>A zone's delegation still needs to be periodically revalidated at the parent to make sure that the parent zone has not legitimately re-delegated the zone to a different set of name servers, or even removed the delegation.
Otherwise, resolvers that refresh the TTL of a child NS RRset on subsequent queries or due to pre-fetching, may cling to those name servers long after they have been re-delegated elsewhere.
This leads to the second recommendation in this document, "Delegation Revalidation" - Resolvers should record the TTL of the parent's delegating NS RRset, and use it to trigger a revalidation action.
Attacks exploiting lack of this revalidation have been described in <xref target="GHOST1"/>, <xref target="GHOST2"/>.</t>

<t>The child-side and parent-side TTLs discussed above act as complementary bounds on how long a resolver relies on cached delegation information.
The parent-side TTLs bound how long a resolver will honor a delegation after the parent may have removed or re-delegated it, limiting exposure to ghost domain attacks (see <xref target="security"/>).
The child's apex NS RRset TTL provides the complementary bound, letting the child zone dictate how quickly resolvers revalidate the delegation, and thereby how quickly a re-delegation onto other name servers is detected.</t>

</section>
<section anchor="upgrade-ns"><name>Upgrading NS RRset Credibility</name>

<t>When a referral response is received during iteration, a validation query <bcp14>SHOULD</bcp14> be sent in parallel with the resolution of the triggering query, to one of the delegated name servers for the newly discovered zone cut.
Note that DNSSEC validating resolvers today, when following a secure referral, already need to dispatch a query to one of the delegated name servers for the DNSKEY RRset, so this validation query could be sent in parallel with that DNSKEY query.</t>

<t>A validation query consists of a query for the child's apex NS RRset, sent to one of the newly discovered delegation's name servers.
Normal iterative logic applies to the processing of responses to validation queries, including storing the results in cache, trying the next server on SERVFAIL or timeout, and so on.
Positive responses to this validation query <bcp14>SHOULD</bcp14> be cached with an authoritative data ranking.
Successive queries directed to the same zone <bcp14>SHOULD</bcp14> be sent to the name servers listed in the child's apex, due to the ranking of this answer.
If the validation query fails, the parent NS RRset <bcp14>SHOULD</bcp14> remain the one with the highest ranking and <bcp14>SHOULD</bcp14> be used for successive queries.</t>

<t>A response to the triggering query to the child may contain the NS RRset in the authority section as well.
This NS RRset however has a lower trustworthiness than the set from the direct query (<xref section="5.4.1" sectionFormat="of" target="RFC2181"/>), so regardless of the order in which the responses are received, the NS RRset from the answer section from the direct child's apex NS RRset query <bcp14>MAY</bcp14> be stored in the cache eventually.</t>

<t>When a resolver detects that the child's apex NS RRset contains different name servers than the non-authoritative version at the parent side of the zone cut, it <bcp14>MAY</bcp14> report the mismatch using DNS Error Reporting <xref target="RFC9567"/> on the Report-Channel for the child zone, as well as on the Report-Channel for the parent zone, with an extended DNS error code of TBD (see <xref target="IANA"/>). Such a mismatch is not necessarily a resolution failure, but it is often a sign of a delegation misconfiguration that the parent and child operators may wish to detect and reconcile.</t>

<t>A No Data response (see <xref section="2.2" sectionFormat="of" target="RFC2308"/>) for the validating NS query should be treated the same as a failed validating NS query.
The parent NS RRset <bcp14>SHOULD</bcp14> remain the one with the highest ranking and <bcp14>SHOULD</bcp14> be used for successive queries.
All resolution failures <bcp14>MUST</bcp14> be cached as directed in <xref target="RFC9520"/>, to prevent aggressive requeries.</t>

</section>
<section anchor="scoped-upgrading"><name>Limiting upgrading NS Credibility</name>
<t><xref target="upgrade-ns">Upgrading NS RRset Credibility</xref> works most reliably with good quality child NS RRsets, where the name servers referenced in the Rdata of the NS RRset correspond to IP addresses of name servers which correctly serve the child zone.
The root and the zones delegated from the root have good quality child NS RRsets. However, experience has shown that zones further down in the hierarchy are sometimes less competently administered. Hence those zones may be less suitable for upgrading NS RRset credibility, and may require falling back to the parent-side NS RRset, or forgoing revalidation of those zones entirely.
An implementation <bcp14>MAY</bcp14> limit revalidation to delegations that cross administrative boundaries such as anywhere in ".ip6.arpa" and ".in-addr.arpa" as well as any so-called "public suffix" such as the root zone, top level zones such as ".com" or ".net", and effective top level zones such as ".ad.jp" or ".co.uk".</t>

</section>
<section anchor="upgrade-addresses"><name>Upgrading A and AAAA RRset Credibility</name>

<section anchor="upgrading-glue"><name>Upgrading glue</name>

<t>Additional validation queries for the "glue" address RRs of referral responses (if not already authoritatively present in cache) <bcp14>SHOULD</bcp14> be sent with the validation query for the NS RRset as well.
Positive responses <bcp14>SHOULD</bcp14> be cached with authoritative data ranking.
The non-authoritative "glue" <bcp14>MAY</bcp14> be cached with non-authoritative data ranking for fallback purposes.</t>

<t>The names from the NS RRset in a validating NS response may differ from the names from the NS RRset in the referral response.
Outstanding validation queries for "glue" address RRs that do not match names in a newly discovered authoritative NS RRset may be discarded, or they may be left running to completion.
Their result <bcp14>MUST</bcp14> no longer be used in queries for the zone.
Outstanding validation queries for "glue" address RRs that do match names in the authoritative NS RRset <bcp14>MUST</bcp14> be left running to completion.
They do not need to be re-queried after reception of the authoritative NS RRset (see <xref target="upgrade-additional"/>).</t>

<t>Validated "glue" may result in unreachable destinations if they are obtained from poorly managed zones with incorrect address records.
A resolver <bcp14>MAY</bcp14> choose to keep the non-authoritative value for the "glue" next to the preferred authoritative value for fallback purposes.
Such a resolver <bcp14>MAY</bcp14> choose to fall back to using the non-authoritative value as a last resort, but <bcp14>SHOULD</bcp14> do so only if all other authoritative "glue" led to unreachable destinations as well.</t>

</section>
<section anchor="upgrade-additional"><name>Upgrading additional address from authoritative NS responses</name>

<t>Authoritative responses for a zone's NS RRset at the apex can contain name server addresses in the Additional section.
An NS RRset validation response is an example of such a response.
A priming response is another example of an authoritative zone's NS RRset response <xref target="RFC8109"/>.</t>

<t>When additional addresses in authoritative NS RRset responses are DNSSEC verifiable (because the complete RRset is included, including a verifiable signature for the RRset) and DNSSEC secure, they <bcp14>MAY</bcp14> be cached authoritatively immediately without additional validation queries.
DNSSEC validation is enough validation in those cases.
Otherwise, the addresses cannot be assumed to be complete or even authoritatively present in the same zone, and additional validation queries <bcp14>SHOULD</bcp14> be made for these addresses.</t>

<t>Note that there may be outstanding address validation queries for the names of the authoritative NS RRset (from referral address validation queries).
In those cases no new validation queries need to be made.</t>

</section>
</section>
<section anchor="strict"><name>Strict and opportunistic revalidation</name>

<section anchor="strictly-revalidating-referrals-and-authoritative-ns-rrset-responses"><name>Strictly revalidating referrals and authoritative NS RRset responses</name>

<t>Resolvers may choose to delay the response to a triggering query until it can be verified that the answer came from a name server listening on an authoritatively acquired address for an authoritatively acquired name.
This would offer the most trustworthy responses with the least risk of forgery or eavesdropping.
However, without fallback to lower ranked NS RRsets and addresses, there is no failure mitigation, and a failed NS RRset validation query, due to a broken child NS RRset or to malfunctioning child zone's authoritative servers, will then lead to a hard failure to query the referred-to child zone.</t>

<t>If the resolver chooses to delay the response, and there are no name server names in common between the child's apex NS RRset and the parent's delegation NS RRset, then any responses received from sending the triggering query to the parent's delegated name servers <bcp14>SHOULD</bcp14> be discarded, and this query should be sent again to one of the child's apex name servers.</t>

<t>Resolvers that choose to perform such <strong>strict</strong> upgrading of NS, A and AAAA RRset credibility <bcp14>SHOULD</bcp14> limit it to the root zone and zones delegated from the root zone only (see <xref target="scoped-upgrading"/>).</t>

</section>
<section anchor="opportunistic"><name>Opportunistic revalidating referral and authoritative NS RRset responses</name>

<t>In practice, many implementations are expected to answer the triggering query in advance of the validation query for performance reasons.
An additional reason is that there are unfortunately a number of name servers in the field that (incorrectly) fail to properly answer explicit queries for zone apex NS records, and thus the revalidation logic may need to be applied lazily and opportunistically to deal with them.
In cases where the delegated name servers respond incorrectly to an NS query, the resolver <bcp14>SHOULD</bcp14> abandon this algorithm for the zone in question and fall back to using only the information from the parent's referral response.</t>

<t>Following the recommendation in <xref target="strict"/> to limit <em>strict</em> upgrading to the root zone and zones delegated from the root zone, operators <bcp14>MAY</bcp14> perform <em>opportunistic</em> revalidations for further delegations (see <xref target="scoped-upgrading"/>).</t>

</section>
</section>
<section anchor="revalidation"><name>Delegation Revalidation</name>

<t>The essence of this mechanism is revalidation of all delegation metadata that directly or indirectly supports an owner name in cache.
This requires a cache to remember the delegated name server names for each zone cut as received from the parent (delegating) zone's name servers, and also the TTL of that NS RRset, and the TTL of the associated DS RRset (if seen).</t>

<t>A delegation under revalidation is called a "revalidation point" and is "still valid" if its parent zone's servers still respond to an in-zone question with a referral to the revalidation point, and if that referral overlaps with the previously cached referral by at least one name server name, and the DS RRset (if seen) overlaps the previously cached DS RRset (if also seen) by at least one delegated signer.</t>

<t>If the response is not a referral or refers to a different zone than before, then the shape of the delegation hierarchy has changed.
If the response is a referral to the revalidation point but to a wholly novel NS RRset or a wholly novel DS RRset, then the authority for that zone has changed.
For clarity, this includes transitions between empty and non-empty DS RRsets.</t>

<t>If the shape of the delegation hierarchy or the authority for a zone has been found to change, then currently cached data whose owner names are at or below that revalidation point <bcp14>MUST NOT</bcp14> be used.
Such non-use can be by directed garbage collection or lazy generational garbage collection or some other method befitting the architecture of the cache.
What matters is that the cache behave as though this data was removed.</t>

<t>Since revalidation can discover changes in the shape of the delegation hierarchy it is more efficient to revalidate from the top (root) downward (to the owner name) since an upper level revalidation may obviate lower level revalidations.
The essential requirement is that the supporting chain of delegations from the root to the owner name be demonstrably valid; further specifics are implementation details.</t>

<t>Revalidation <bcp14>MUST</bcp14> be triggered no later than when the delegation metadata has been cached for the shortest of the following TTLs: the delegating NS RRset TTL, the DS RRset TTL (if a DS RRset is present), and the child zone's apex NS RRset TTL.
However, resolvers <bcp14>SHOULD</bcp14> impose a sensible minimum TTL floor they are willing to endure to avoid potential computational DoS attacks inflicted by zones with very short TTLs.</t>

<t>The delegating NS and DS TTLs, and the child's apex NS RRset TTL, serve as complementary bounds on how long the delegation is honored; see <xref target="motivation"/> for the rationale.</t>

<t>In normal operations this metadata can be quickly revalidated with no further work.
However, when re-delegation or take-down occurs, a revalidating cache <bcp14>SHOULD</bcp14> discover this within one delegation TTL period, allowing the rapid expulsion of old data from the cache.</t>

</section>
<section anchor="IANA"><name>IANA Considerations</name>

<t>IANA is requested to assign a value to the "Extended DNS Error Codes" registry <xref target="RFC8914"/>.</t>

<texttable>
      <ttcol align='left'>INFO-CODE</ttcol>
      <ttcol align='left'>Purpose</ttcol>
      <ttcol align='left'>Reference</ttcol>
      <c>TBD</c>
      <c>referral NS RRset mismatch</c>
      <c>[this document]</c>
</texttable>

</section>
<section anchor="security"><name>Security and Privacy Considerations</name>

<section anchor="impact"><name>DNSSEC protection of infrastructure data</name>

<t>Referral response NS RRsets and glue, and the additional addresses from authoritative NS RRset responses (such as the root priming response), are not protected with DNSSEC signatures.
An attacker that is able to alter the unsigned A and AAAA RRsets in the additional section of referral and authoritative NS RRset responses, can fool a resolver into taking addresses under the control of the attacker to be authoritative for the zone.
Such an attacker can redirect all traffic to the zone (of the referral or authoritative NS RRset response) to a rogue name server.</t>

<t>A rogue name server can view all queries from the resolver to that zone and alter all unsigned parts of responses, such as the parent side NS RRsets and glue of further referral responses.
Resolvers following referrals from a rogue name server, that do not revalidate those referral responses, can subsequently be fooled into taking addresses under the control of the attacker to be authoritative for those delegations as well.
The higher up the DNS tree, the more impact such an attack has.
An attacker controlling a rogue name server for the root has potentially complete control over the entire domain name space and can alter all unsigned parts undetected.</t>

<t>Strictly revalidating referral and authoritative NS RRset responses (see <xref target="strict"/>) enables the resolver to defend itself against the above described attack with DNSSEC signed infrastructure RRsets.
Unlike cache poisoning defences that leverage increased entropy to protect the transaction, revalidation of NS RRsets and addresses also provides protection against on-path attacks.</t>

<t>Since December 6, 2023, the root zone contains a DNSSEC signed cryptographic message digest <xref target="RFC8976"/><xref target="ROOT-ZONEMD"/>, covering all root zone data.
This includes all non-authoritative data such as the A and AAAA RRsets for the IP addresses of the root server identifiers, as well as the NS RRsets and glue that make up the delegations.
A root zone local to the resolver <xref target="RFC8806"/> with a verified and validated ZONEMD RRset, would provide protection similarly strong to strictly revalidating the root and the top level domains.</t>

</section>
<section anchor="cache-poisoning-protection"><name>Cache poisoning protection</name>

<t>In <xref target="DNS-CACHE-INJECTIONS"/> an overview is given of 18 cache poisoning attacks of which 13 can be remedied with delegation revalidation.
The paper provides recommendations for handling records in DNS responses with respect to an earlier version of the idea presented in this document <xref target="I-D.wijngaards-dnsext-resolver-side-mitigation"/>.</t>

<t><xref target="upgrade-ns">Upgrading NS RRset Credibility</xref> allows resolvers to cache and utilize the authoritative child apex NS RRset in preference to the non-authoritative parent NS RRset.
However, it is important to implement the steps described in <xref target="revalidation">Delegation Revalidation</xref> at the expiration of the parent's delegating TTL.
Otherwise, the operator of a malicious child zone, originally delegated to, but subsequently delegated away from, can cause resolvers that refresh TTLs on subsequent NS set queries, or that pre-fetch NS queries, to never learn of the re-delegated zone <xref target="GHOST1"/>, <xref target="GHOST2"/>.</t>

</section>
<section anchor="other-considerations"><name>Other considerations</name>
<t>Some resolvers do not adhere to Sections <xref target="RFC2181" section="5.4.1" sectionFormat="bare"/> and <xref target="RFC2181" section="6.1" sectionFormat="bare"/> of <xref target="RFC2181"/>, and only use the non-authoritative parent side NS RRsets and glue returned in referral responses for contacting authoritative name servers <xref target="I-D.fujiwara-dnsop-resolver-update"/>.
As a consequence, they are not susceptible to many of the cache poisoning attacks enumerated in <xref target="DNS-CACHE-INJECTIONS"/> that are based upon the relative trustworthiness of DNS data.
Such resolvers are also not susceptible to the GHOST domain attacks <xref target="GHOST1"/>, <xref target="GHOST2"/>.
Such resolvers will, however, never benefit from DNSSEC protection of infrastructure RRsets and are susceptible to query redirection attacks.</t>

<t>Revalidating referral and authoritative NS RRset responses will induce more traffic from the resolver to the authoritative name servers.
The traffic increase may be substantial if the address RRsets for the names in the NS RRset's Rdata were provided non-authoritatively (as glue or as additional addresses) and need revalidation too <xref target="REDIRECTED-QUERY-TRAFFIC"/>.
Resolvers <bcp14>SHOULD</bcp14> take care to limit the amount of work they are willing to do to resolve a query to a sensible amount.</t>

</section>
</section>


  </middle>

  <back>


<references title='References' anchor="sec-combined-references">

    <references title='Normative References' anchor="sec-normative-references">

&RFC1034;
&RFC1035;
&RFC2181;
&RFC2308;
&RFC8109;
&RFC8806;
&RFC8914;
&RFC8976;
&RFC9520;
&RFC9567;
&RFC2119;
&RFC8174;


    </references>

    <references title='Informative References' anchor="sec-informative-references">

&I-D.fujiwara-dnsop-resolver-update;
&I-D.vixie-dnsext-resimprove;
&I-D.wijngaards-dnsext-resolver-side-mitigation;
&I-D.ietf-deleg;
<reference anchor="GHOST1" target="https://www.ndss-symposium.org/ndss2012/">
  <front>
    <title>Ghost Domain Names: Revoked Yet Still Resolvable</title>
    <author initials="J." surname="Jiang" fullname="J Jiang">
      <organization></organization>
    </author>
    <author initials="J." surname="Liang" fullname="J Liang">
      <organization></organization>
    </author>
    <author initials="K." surname="Li" fullname="K Li">
      <organization></organization>
    </author>
    <author initials="J." surname="Li" fullname="J Li">
      <organization></organization>
    </author>
    <author initials="H." surname="Duan" fullname="H Duan">
      <organization></organization>
    </author>
    <author initials="J." surname="Wu" fullname="J Wu">
      <organization></organization>
    </author>
    <date year="n.d."/>
  </front>
</reference>
<reference anchor="GHOST2" target="https://www.ndss-symposium.org/ndss-paper/ghost-domain-reloaded-vulnerable-links-in-domain-name-delegation-and-revocation/">
  <front>
    <title>Ghost Domain Reloaded: Vulnerable Links in Domain Name Delegation and Revocation</title>
    <author initials="X." surname="Li" fullname="Xiang Li">
      <organization></organization>
    </author>
    <author initials="B." surname="Liu" fullname="Baojun Liu">
      <organization></organization>
    </author>
    <author initials="X." surname="Bai" fullname="Xuesong Bai">
      <organization></organization>
    </author>
    <author initials="M." surname="Zhang" fullname="Mingming Zhang">
      <organization></organization>
    </author>
    <author initials="Q." surname="Zhang" fullname="Qifan Zhang">
      <organization></organization>
    </author>
    <author initials="Z." surname="Li" fullname="Zhou Li">
      <organization></organization>
    </author>
    <author initials="H." surname="Duan" fullname="Haixin Duan">
      <organization></organization>
    </author>
    <author initials="Q." surname="Li" fullname="Qi Li">
      <organization></organization>
    </author>
    <date year="n.d."/>
  </front>
</reference>
<reference anchor="DNS-CACHE-INJECTIONS" target="https://ieeexplore.ieee.org/abstract/document/8057202">
  <front>
    <title>Internet-Wide Study of DNS Cache Injections</title>
    <author initials="A." surname="Klein" fullname="Amit Klein">
      <organization></organization>
    </author>
    <author initials="H." surname="Shulman" fullname="Haya Shulman">
      <organization></organization>
    </author>
    <author initials="M." surname="Waidner" fullname="Michael Waidner">
      <organization></organization>
    </author>
    <date year="n.d."/>
  </front>
</reference>
<reference anchor="ROOT-ZONEMD" target="https://lists.dns-oarc.net/pipermail/dns-operations/2023-December/022388.html">
  <front>
    <title>Root zone operational announcement: introducing ZONEMD for the root zone</title>
    <author initials="D." surname="Wessels" fullname="Duane Wessels">
      <organization></organization>
    </author>
    <date year="n.d."/>
  </front>
</reference>
<reference anchor="SOMMESE" target="https://par.nsf.gov/servlets/purl/10186683">
  <front>
    <title>When parents and children disagree: Diving into DNS delegation inconsistency</title>
    <author initials="R." surname="Sommese" fullname="Raffaele Sommese">
      <organization></organization>
    </author>
    <author initials="G. C. M." surname="Moura" fullname="Giovane C.M. Moura">
      <organization></organization>
    </author>
    <author initials="M." surname="Jonker" fullname="Mattijs Jonker">
      <organization></organization>
    </author>
    <author initials="R." surname="van Rijswijk-Deij" fullname="Roland van Rijswijk-Deij">
      <organization></organization>
    </author>
    <author initials="A." surname="Dainotti" fullname="Alberto Dainotti">
      <organization></organization>
    </author>
    <author initials="K. C." surname="Claffy" fullname="K.C. Claffy">
      <organization></organization>
    </author>
    <author initials="A." surname="Sperotto" fullname="Anna Sperotto">
      <organization></organization>
    </author>
    <date year="n.d."/>
  </front>
</reference>
<reference anchor="REDIRECTED-QUERY-TRAFFIC" target="https://www.icann.org/en/system/files/files/reduced-risk-redirected-query-traffic-signed-root-name-server-data-22may24-en.pdf#h.8mh7wvmas7vi">
  <front>
    <title>The reduced risk of redirected query traffic with signed root name server data</title>
    <author initials="W." surname="Toorop" fullname="Willem Toorop">
      <organization></organization>
    </author>
    <author initials="Y." surname="Thessalonikefs" fullname="Yorgos Thessalonikefs">
      <organization></organization>
    </author>
    <author initials="B." surname="Overeinder" fullname="Benno Overeinder">
      <organization></organization>
    </author>
    <author initials="M." surname="Müller" asciiSurname="Muller" fullname="Moritz Müller" asciiFullname="Moritz Muller">
      <organization></organization>
    </author>
    <author initials="M." surname="Davids" fullname="Marco Davids">
      <organization></organization>
    </author>
    <date year="n.d."/>
  </front>
</reference>


    </references>

</references>


<?line 470?>

<section anchor="Acknowledgements"><name>Acknowledgements</name>

<t>Wouter Wijngaards proposed explicitly obtaining authoritative child NS data in <xref target="I-D.wijngaards-dnsext-resolver-side-mitigation"/>.
This behavior has been implemented in the Unbound DNS resolver via the "harden-referral-path" option.
The combination of child NS fetch and revalidating the delegation was originally proposed in <xref target="I-D.vixie-dnsext-resimprove"/>, by Paul Vixie, Rodney Joffe, and Frederico Neves.</t>

<t>The authors would like to thank Ralph Dolmans who was an early collaborator on this work, as well as the many members of the IETF DNS Operations Working Group for helpful comments and discussion.</t>

</section>
<section anchor="implementation-status"><name>Implementation status</name>

<t><strong>Note to the RFC Editor</strong>: please remove this entire appendix before publication.</t>

<t><list style="symbols">
  <t>The Unbound resolver software supports opportunistic revalidation of referral and authoritative NS RRset responses, as described in <xref target="upgrade-ns"/>, <xref target="upgrade-addresses"/> and <xref target="opportunistic"/> in this document, implemented since version 1.1 (released August 29, 2008).
It is enabled with a configuration option <spanx style="verb">harden-referral-path: yes</spanx> which is disabled by default.  <vspace blankLines='1'/>
"Redhat Enterprise Linux has been running Unbound with the <spanx style="verb">harden-referral-path:</spanx> option set to <spanx style="verb">yes</spanx> for years without problems", as mentioned by Paul Wouters during dnsop workgroup session at the IETF 119.</t>
  <t>The Knot Resolver software revalidates the priming response as part of priming the root zone since version 1.5.1 (released December 12, 2017).</t>
  <t><xref target="revalidation"/> has been implemented in the Unbound resolver since version 1.4.17 (released May 24, 2012).</t>
</list></t>

</section>


  </back>

<!-- ##markdown-source:
H4sIAAAAAAAAA8196XLcRrbm/3oKXPYPk4qqEknLWjh3aZqkLNmSKJNUq+2+
HdFZQFZVmihkNRIgVZb1LvdB5tfMi81ZcgVQFNXu6BhFdJuFJZeTZ/nOkonJ
ZDJqVFPKo+xUlnIhGqWr7ELeiFIV/GO2yU7fXMI1o8sbWZuRmM1qeXNEV7e8
NCp0XokVtFrUYt5MlGzmk6Iyej2pzKSOnpwcfD0aqXV9lDV1a5rD/f1n+4cj
085Wyhi432zW0MrLs6vnI1FLcZSdr2VNb5pMVEX2WlRiIVeyarJjuD+6XcDA
9EqoKnsDA8guN6aRq+it0fXt0SjLJtnLqpF1JZvJKQ6RLsGM6L9urnzRT9He
i6aJF47bZqlr1cCVG0lXuGNZQwvweK7rgi9z429hHhX3d7JUZeF7bOtc2ufh
7WaUi+YoM00xupFVK3HQi1q3ayL8+Vv4CbMsgcJI1j8ihae6XuBTqlm2M3h1
2f69lQ87BB+N1uoo+0uj83FmdN3Ucm7gr80K//jraCRoOkQi+F+WqcocZZfT
7AU2Rld4YS+X7QpWPVyGzkWlfqVO4LYopZlrmBLdNNCPhOk8Ovgme80rm13S
tXH2Ncz3eal1TU/mqtng61X2vBZVrkyu6XotF9TwyTE/pgsYxLNHB/vf2N9t
1dTw5rtKNRIICOshTabn2fFK1ioX9JRkkjFl/rjAX9Ncr9LJvp1mf1IfVDzZ
t6Ito4udqb48y87aWq/lOHs3/W4a97SGF/9Yy2Im6souT9TT+2l2BfPW66ir
96osgWGj62lvb14Bz2avxMwkhL3MlayAf4C7rrNH+/sRLY9XIAJ1IVYR4Q72
nz3N/vwiJd0b2SxlXYJYmXgOtzSiP1YldFxCv9OqHI0qXa+I44/o0YvnJwf7
Xz+Kf3zjfxwePD0IP77ef+p/PIVxhB9P9x+HH88OHkU/noQ7z7453I9+PH5y
BAqkmqfjeTk5nc7bX9StqIVVPLUV6km7BkmInrvBdcWH5IcGn1Krda3jhm7V
L9VCiLow0VPcllGFnKxUo1hDhHdY46Hq4GvfvTi/vLJUwH+NqBe4bsumWZuj
hw9vb2+nQHczAUlca6PaFbLLQ7x0uH9w+DC8yNp657ulNk2s6oCfQDfpa2D+
n4BDLhtYNqvJxKyUO76FIOHu3yT62/Hh99n3SlSL5A4x7ffT3p3h919tfb97
Z+j9H+Cp/ss/TNPL23re0u1n3nyRnbai6r/7Ytq9Mdzv+3awX3uZWODwH2KB
yVqAAXu4wDWfFLTmwIOlFoUsJjctSGaNazwpVXVtJnDTPoMDYy5kYwuijcZA
5/TzM0x1YTs4yv7kewAaQg8ws8TIRigAbfKF7+FLme7PyBiDy/fneyzft0L/
0lbw3MAyfDvtXB/svgVxgQF8K4ZHkF4fauG1qhYr+F/283KQ+V9Pe3eGmvlR
zcEAbmnjx/u18fNSt4Ok/Pk+kiBAKVa/Sxx+VIO9/+h7BxgzOTk+eXE2efnm
+7OTq5fnby63S4eSUn5Yl7qWU/yTRAOMUVOLvHkIcLNFDPjw6f43Tw4BQPpW
LGN7sPceFDboxrbYIDZACHsi8qUENPiLzAkgfinPHoP6z34opRqg1PG0d2eY
2huBgKpcbSF3/94w8+VLIcvsvVBFJetB7ovvXZyfX01+Pn9z9vp0O91LZRoz
Bbs30aLOp0DDh2sFygixwUO67KH1Q6D815NTmcvVDLTV/uHh10+fTpfNquyt
x4XWTfarrmTmXxclKI8KsEhOcP4IhtzUumhzEicaZQZWPgOMktXu9S9dLORb
mb2XxsjS9Al0Ok3uXZ6/fn12ebadOGtRTyszny70zUMDgL+UjXm4buvy4cH+
wdPHj59+3Zv5+6WsABaiD8AeTI5OAPzMCmXEAtAcDEPd4KSBAJpYNGhwuJYD
pWFNAO1tvnT2F2I+BwYBAdArAAyyT4CL6cC9oaa+U/oGSXkyBaZ6Db6L6Df2
3XTw7iDriqZRv5jse11db+Hc3q3BGWqErxkMLbuA9gC5XQNDql8GZ3rXU4OS
XgJb45KA4dMw3kF5H7g5CG+ANtlJCQuyGUI5QzcHh1RVoDlAhKBLPTgef5NF
/uz05QXo2rPTyY/vzi5+mlxdHD9//vLkblQC7lNF7stDWT005FE/nCtw8Oz/
g4PT5oBEamWuAV8UqgZdCr/Byao3E1DR87nKASsvKnwIZJeBiSEXeQJoXEwO
D1dic/hoIqvpupj/YTl9ulo+ub1ZCfPkRvWE6Ap1AHeaYaeoy0O/GfWb2X7B
f2mWGXfOigM7z7jzDDv/UjHqu2gJ0VOvbnszPwFBtclgLsaIUlfqGjzwfnM/
Tbc/MoiCJGjR7BwmB4anGBImwEKDtwcFE0Mbv2av/+//hjkPC2b/3rCE1zmK
zo0qBib5eupujSaTSeYM+2h0tVQmc+YdFKHJazWTqDnBcjizUS5wlMuVtw/g
wOVAMlSiwBlxPGb3zeVeVrtoS83Rlt2Liz1gCFDI8Bf+dy8r2ppUcEPW6UbS
O2WLPY5JbYehYIczWcm5chodNXThw1QwgpaG0uBcxBoGB5BjOiJLMNdlqW/x
roAu5rKuYULQ1xrelNm81iucqohjTI51QRMJth5kCsdkKpxnajID+A9uIWhS
OcjNxokFDDdtD6N7OO1MNHx3LT/gqPHv0D5PjcASTQTg4ZpGTHEHGAw+7psC
U0ULQYYuQ3K4FqmtvG2mI5Ti3WNq9xj+7WWiAENoDDdBPdBwikLZlTaM0Zgu
PXIx9XtzE5W5RYI45kB+NG40bsBjRy9w/1UpaiDXDBeddJgCzYFNtwb+gJnW
cl0KnDQ0ANOD+4a1DF6A5cTFwWjmra6BVBVOqRbVNdt0puF0dNFdKVEanYG2
VroAhVvCCHzcjruKYMBs48a2Yc7ypOal4oWEtVfMhW660FXdSPDxrq5eZWKl
03cDMfDiqVvLXTXHpTbwyB4zf+AM98qUBXeliqKUo9FLi92o74F/H/9A6O7T
6D+if11pR+kELAIOcGZjMgXx+MePNtz06ZP/+xv42/E+rNwSlAksNy0Ksgfw
jWPRjm64dEqAWO4OsYcZfvzYrhc1+MQTEOvdd/Q3Pu65/gSN0EyVqtns0YD8
BJqlaIJwjrPbf7bw//8v7l9MPhCfa5OtMCRRy1KJGUyKVnShNRp5gQ92+BBI
q6ZyCl1rIOEt/X9k7w0o5xpRAjRFVzqzRluLk2WtngtchtjncMyPzxonkMCW
tFYKBGfWNhkgmQwwYLbU0Cq+zk/P2xrjq8Dft0ytpQIuq/PlBtkBfDd6sZZ/
bwHHEEdYdgZiz0EfZDORX+MPxCzcY6wVgJCDdAcRMTl4WcWkdRQH2gbzVSqM
X1pF4B+xssHrkod1Icazahr5YjoiNe4usSx9VnUTPXsMvytMtihbuZcBzXo8
6x8jUVqJJl9uV+ef0+aKHt9kwK/M5AWsWDVJOi03bKLSkXhrwvNA/uJGvR6P
rcO2trNg9izfTkeO89zSFEjFIDOWxDIRnW4zHREioQMopUD97V7yf/EFvV6D
HWgr8CMBIMfpIZS7lbhGW4oOKTAGL9tMNrcSVJa5TyPTke0rvoiKFxAetPzx
I6hzgUMCbX55doJ3GssesI6qmtcC+gHr0cLyILeTNkDJty9YND/wZMbuH3cK
BIpULoomSqMiU4DKJSiD8Z06hdhEoP6bkHgasA/T0fnW+YMpB73OiAMl1wku
sWuPFWjYtYQp8JyGpcN4ywu3NM5WAylRzVi6sn1HVVdIDCMgKSPCgmyZ/qIA
gzxXFYKNMSxLMofdLbndOw3bvxqyUALmd+KWK1mvwGcv9WKDGMb9I9m/Bh1x
Sxpt5/W7y6udMf83e3NOf1+c/fgO/OlT/PvyxfGrV/6PkX3i8sX5u1en4a/w
5gkGl96c8stwNUsujXZeH/+0w6PeOX+LwdHjVzvMHTFGQs4EzgLtpjDECdNF
cyTMKNEi3568/T//c/AIlvjfKB938Iyg079RCu4J4ijEI9ybrtDM0k9UkSNw
WKSosRW0QblYA9+WyI2k8MCUIUcCGR/8BSnz16Ps32f5+uDRf9oLOOHkoqNZ
cpFo1r/Se5mJOHBpoBtPzeR6h9LpeI9/Sn47ukcX//2/SgD02eTg6X/956gL
WFtj3cEA7JrAXEegjI+yGwOqT/7Hzv7Op9FVrRYLSYiT5OJodMQcDNzp0BvI
RS7I8djdafh5WezsDSHGKeLuRCNa9bVLOtS1Ti5R4U124oHZF6g/Elgn18Bj
4NY2qLX7iDIGWKNRrCxcnxZ0o0zrWSNU5VRA2tCAQh+N/hTppKDZ91KSyQ9N
LWKiwbqAL4VpYfbZFnJo5DjiYbPDlBiNIi1YdyYG6gz0EsBSZZZuPvIDx2Zl
MERoUKwuG1JaeE9EijIlYLbWINjYW/xM1mLoJkvrOi7iVN8A4XNMGrGzEbWE
eA6sCAJTN5itazuG0cDkGkXeKY+hUHNyCkAVFcDpCgM39CKyS63L0ei1ht9i
myeIvuDKPxE7hIQsYSUUOtdAsBtRgw/AKNRaSe/owbALgF16Y13EmHELsek5
gqC4GAA6+hTxMhOGBRCjVw5Or6zz0/GWOXCAj0W3ycCwLkUAQLQlj49N3Mb7
UZaO7GTB8MmeWk+q2ADhAVYYrGPBQTiQic2GgAe1BzTwCw3z//jR5i0I/72H
0VgXLiGgQVPL4VIr26pqUQIDIQGllZSL4UDWuGN6kJhqzmOKYnBWZSFkBJbQ
62ZAlcCMlSRnFq6ABnPhs6nVqKG1NeLZvCHfj+lmhl3azzq0zskCJAtKGWa8
QvgWBW6QbxAw6VyXXxkLy2zYpm5LaabZ7hvdWAfECtdaI8lhkBIxqeu1k7RZ
SZQ9ZVaM6NP6EDC+ncWYg2QJojuyhyhxuLckCh3gGKeFbAEM/I31OkhukBnr
zkbxUzDd6YwHhwm2PW9rZFEYgOOH6V5vdShkpee0Km4twdFra2QxUdwImMNC
GvajfPMdFyflqqUs13B/LtFELcBSAPKjyomMaxpgkcEKXdtYH/G0ZAXLcgT6
0mgyL+5BJ/uO/XD1REH0BGKDtNjEb/bN9NH0INu9sGtORpO6eYyXfyaUahdg
s4c92tomlDN2eOKYHXsf1kQPBiZZ/QdhlhWWWBiL/4Pzb6kB8iHLuScK2zqX
9SCIzxMGjQToH/w+txC7l35JoJm3NejafNOJUrOzeJVC9m6kaIaJpFVqzEKw
yIuef81q6TioBERvK7Op8mUNq/RrcHhi6ZuO/Kpkj6aH00NLbBvzM2JjOAcU
mRxdk5GDIS5tvMW640AstOdeaC38wUADDtOHXsAdpJcN+ahOfbQMsX3StbEK
mFjR6OnOdPSt9SsTZqylMMhTpKBdQGgmU+V8jvkpxd5XHM37ynQJaXpRCKR3
a0D3o6e+VAs04CwBSbQGJC5arK/M0PI6zajMgHe6+08RkL3p6AUHDuMgzc5M
lmyIfbhqxy8b+JeFAuNHMhUiKr2JxAFEF13n8CpMPQRy8To+G6MDIJWmiIrg
/mcaNW+9gcHqW1Rn1uShNSO3aInOUIXRo92DvVROQQgl9LPFOiXy4CqGNz4o
RhAwDfwOGy/FLv8KiI4sD3wDjLd7uGcDWmE4URxYGdOykfYDsThZ98TTIH0J
BWIyaygMHrT/FLwNnu3M0NqSzCiMwDL8BtoqrBkj4Rhai1jJVUjvrARXs7qL
hCxoTJK2KhG6CYqoYiGsWGV5qVBI9WfJYVogJ9OEqNGhMIK6xqJ6UBxU7lpm
kpNANWbxoD2b4Cv0OAgkpspZ1DFmDfqtXTPK1jkoYTZGokKeXrSlQC4gty1H
hQHdoSpoHOwVGUwKG9a3WH2aobJbqV9xVG1VScR7wK2MVLBaK4qSIny1Bnmt
19gT3e5AOjQtoi0JEjNBUNPN1aK1MZhdNCU71K8oJ75xCkR8+/LNKc37zeXp
HqLlcaTtaDVVlZetjUz9AyIBN1Qdz2h0jLBtRRgd1SuvDZcR3VZo3G8BceBk
ZKT0g+kPWmTLaDrInAennGJVJliRq6tXhmbK/o+Pj0aG0Rf3bMmHkHuBi3Kl
19krIFhpiyrBJ796dWr2WOeYluKMWYmRr7n6ACxFnfvBpRo9jiVXS7ADGL6M
ZZwohRYmBPQx4JutMKhYi7Uq2FOUxioI6CKumEgZhDPbwkbpahzaGJVRIDp5
JxXwF9WNCIyVBqCJcjHjREycbxqI0l26SP54YDq0EgRG86XGkDy6eNgvEo1H
dSfBkoCIy2EQ8iK5tDxD8AokuAJ9Q4poC+Kcjp5rVDkChW3swFOj2Ju8rSnd
MqaEkq2BMVhXZ205hjnhsccZ8NO1SdNPdgmAnYBFwfWqu4MeW0fBsqgTr3Wt
VlbhsokB7ngMemPDQmUxR0QXQ9XjlZRMB9BmWxLThZueZXrHTSnmiqEizhI1
JPQFhFg5Cz8JyTQvJpTkDAEGG59IIxJI6RuJGmFFCeI06gwYC7XprTKwEB0f
AGQdriw9rcgIp3yH3rhpgUHBRFSN98Ghz6Kl4WFKYC4bMmdj4kIwQGg0tM0N
JblHEmExbzhQYB33maTRR/OXpZG3HFUlOQajWDhhRP2oCYHaCLzz/1I3apzt
bAnf70T7m6KUFaXAI0p8DmqNXUGETafY0CTBmDgRkvMqHFtfjEp4Od1YojBZ
yJC+FMjSSYXxJopPn8bu70PvtdC6cWANBxYH2kj4C2XylsIjYqZR22ASy1AU
wBpEMKSE/ygEg/EhXq0Y4ZW0+JXL6g373+zs9gZAbQ+2S/76UleEbKI2PaM4
8UH2Ito4Xtd1yjiYgPbpXCC1ZinUGW0c6DrQu6mbSCDdk7LngiBf+Aweaeg+
6aB32fhccqSkKYTTSJr+31uVX5dxQGhrzihKec02ycsimjihBSyV5ShmInGU
Tm0osgKMcnfJAUYiQ4FCWprS/zfi+q2hwg3iZ/IGik5BCU0pi1idgbhNYcxw
3BVhIlhxULSACHysJkLgVjybTvZgTNa08kgj8EVCEl8GJW8xuIMb7LAYsIiQ
SYhy2XzrUEKVI6sDlSzEUCGDCTMuwYgWGzInZFWVWVP6XgRH5P7jhiH9cPaT
r9rSLrbZoWlOiu0OkvLssCl6gQzhQCvk9xs2DnzNDWRQTsbcXzqjHqkD58L7
8SyR9uRpBGep1AuATORweEjWKWKK4sG6OweFmWMG4lQiAl6jE1B4DbC/8V4z
MFDIzVbyg8cbuFnz7OJPz49fvkKdg0hGt9YEYAAQdN5bbZTzFMNYhpcmsLtV
pNYp6oY3owAsoOU2pxnfhHoLX+/rTCMSkri4I1Au9Z7YYgznFEmIyq7l2Bl3
opGNdThDxeUf4PryyvbmNheqNONOmoBVjR2UjR3hEzhUL+AUw8FSJ9sjEjfM
gzJyyHmmRwfi3FAdoweVQ+rsE1DBdJ4dSNcdEz13DGzlrSxLi0j880uOk1jo
Olz66GNQ5L/7siVaPDu4EGSyMaYkdkRSDv4y+MClzWUR9eqCfEzruFuOdpWg
pIFYCY/TOfoh8Fr2K5Ps0IbtIA/49fFPxF0gTRETkTuAaLRpESZPIxthbT0b
o8iPHO7Ero2JwG/CvJ6k/Xidy2imyHvIA6U4DU6kluRg4r0VOGWkmtmvQ+/0
rK417mPHZ/AaVVzivttPn1yyim9OTmBUFSjYREHaWI3lH/zv3S9FrsLYKwbQ
RQB1bW5P0oBwHzPO6OrbU4dkXh6/OUYUk11yKMNPxsZ0XMREWQDhDSoKLZgs
LhHi4JUG8IUr57I6CTJboSaPveCuoxNcf97ehMHpFaUh0d/Qlg1sKBmaylUp
SYzfYIl8E8UC7dScdIRYOO6jhsl6ukUm2lcPWHQ/Q3UgvWtFapLkFecti6FX
YxD7r9Bgx5yy6iyIyaiCJBgKESl98gjsfnB0CdgbuyHyLxa17QHrtZyWfOWg
cRvjwAQB2oR0r2DyM2AQ8eC/qLo1+PeJRvCluV4bXZD97NZFUsUb8hZZzZdv
s1BW2HGtrVr9TL0s8cnnS2N9BIP8l7tmOM187B1zojUfa7D01UY+5NcpqFWd
mlqyABTFVVgfSoYDXRbZcFbTpY4Qj0GfNjmBLjs3juIKjEfvmVY1wkWy2/7K
RhkXBkVxIS8WAOLTcRHgcPEaVgviniCG2RG0oEUMQ8PgT03lqcdVJ6JL+pxc
wLQF0jlOf1nzQ8mPbtWGTYEoHyFHyLNhpgMS70zV+vFU1Guxw6VpU1VRZaq7
FtQ8BrmNnmDACLhgZ93OSqxnaOdz9WHHN+4ZgxV+o9dAcgyF2hyefWwHj+nY
QQrtYKjMFsZJMI45DXv7e6KY/rK2b+Z62l7vJI7gXQW0sUPoxeQeqsD6h6ET
zDXGpYVYXTg6DrXRfcju1foOvrsT74xhwN/b+oLFjmjknLPVKWV2hZAe7O91
QbJX431Ma8cS0sEODA6g/i3g/g5kfzWIY+zELdCK29pWQWutTlJ0u25rrNBw
ZepcK+41Ugx7RccMegscBfn9i3e0wzC0V5l33jamAVbD1rcs98BSk5wW2ub8
EMpwzzTenle5JalhNRk+CAga4bCuQ6aGdNwc1EVbVTZyyZEdH8viHAxmicga
V9pF1Z1RV322Zdvw+ybdmfAdaRuHEj4zkY0jpQtEdHZ4UbwNnYZ1HGbZ0qcF
ZpF+sNJMcTRXtIiaj2fIJoHIqLB+D6Q0X5JRKSSW2VvNHG9M4EpJZ0LXWuM+
hhUdeFVYPUcCgXvCyUh3swFTdgzZ9UBJCtmRaynX2zwIgaURHQVE4QAffCD+
7nFceHFA/iwm3zKcZH+L2y25fXDsbQrDyb3a7ruxqgcWmYISmMCbU9EyBwYH
9UvJnLB1Pbyqi9R5tKvFEZz3am3bsmIYVQ7wSscqfNk/sCFJj6G7kCX/KnLW
4/I4LGlwEYA4uxfgoMvM9rbwEOzwjUZyHQdAyWmjBBjKkfGLb9Xh8WBKyhWi
Rm/2okLdSfn3yRnAA6Vs2SO6b72Fsrrzc5VYKH0u9AnKYa6IMXZnkkqxo/B3
I0OFjs12F3G4TcTvoy8pqLjYCRe9yyU0bmcLBU9tJj01fl2LHlfIoB7QbRPP
uK9wp6NOOBcTFwgndbtYJhcrizdxA5xJcmjEQJ6WodhBGNOuvFb1xHHZuTvQ
SBK5G7tM7B3QKCCMFUiTo6WJxgXrnxRq1tKZOh1ZJCe7d6CvZG/ZNkOQbkbe
3uqeLZjxhEVTCkZ8aACRhcJJYv77Phuv0HWl5+6JUkefqVvcsqO6Iy6/S4kF
ZRaykhSe9LYBHBexScJ7nBjuhThb8Iswcu6qj1n0KOrhVB9H/HJkN1bZifKj
mDCBBzrJqse1IieXLpQK2Mqmrc9h4zZkekuhGKqV5UgbOv4hVLqJtE/YSi7J
xNkDLtA3xGmiTIEXbYoaGIEQtPeYnRqIN51xUBbRsUy2tIWKB2mimqNKu+hL
Fs61s2LpAkZDyt+moGzoXGSzWl+D4Hfz6TVXCJTzljcWIrHTwseB3c4Y9sAk
aYNKHbPh3MUS4KwfLFwJG54dQJkgCIyCFS5sHwoAicvMMJtF6UeyCCiuEbd4
ZGprkuISoOGwrguR3F2M2XDtYswRPp1ITAuas3AIaVucv9tFN5sWlGjkF/D4
gAm64UPDUTWK+iWZrWSeaSIrkmcON3iBtvtyGBU8eMAa68GD7ubjcd85j0tb
7Qw42KE8OPXBBHr37mAUFxAhUHS58N5GacTy2zZ6fnGB98c/JKr796G/VHm+
xP21WG2RS6xDqTa9Uj/k4HiXgdWFg0yEGAmr93O/0INBAbuQ9JwteCZwGNlv
W6gXlc7Vrgp8TpRg/AJ6uMVDw3pBSAsQQI2XVo/venen3OyR+HPoFyPt2BJP
yxV8Jiad2cKKpK+Y8qWbLPvRTDn1yvWM3h5zJrYA9+NXSiR0DTIVSJE+ESF9
z8WybPVDBHeLbLoAbTRRXrCoWDXRYlYUxAwGo20lUP9QHJo9++qGc3q4Q6nv
eJFA4AvxphIvOF6xDG0/fB72PS7lQI2S24z+6RNZJhJdJ/+R+P+DojyOsi0I
nZ2eeZCsz4Nkje0mbRdJjmKkd6qEbYdlhz1tcSdb0RhHpdAER/XT8XahTmWU
Zn822bPTCAp/cdREWXbBbe6V/2VLSPnUJKqXJH4LZ9FccQ0WoRYqF+U6TMy6
rugwv+3s6mJhhErypc8uouecmq0oP7YbKsr2nOFPy/pIn5aGGcHXpIn4jBpn
TaOKNfBCdK5oiMkucFjKao8SbHfuocyo1p/i1SLbqXvbMDnmDQ/tcH0k3d/B
KANW2UaZy6+MF2Z+Msq5YCV8NSEyeUnkGGkQKScAvRHwrJWlhX8eA4ClWEfQ
EVNhSrfG7S8swsOzDUYCGFviKLqLGSjbp2HoabiT5A1aP36t22dgJTrKoU6g
mY8HUDw7mmWduR2AaWEoF4suCfXj2QgWQ5FnuQR936ksohpDnyfC1BIXPBfT
oUHcZ1ko/ESDul1q1P+VxlxEDHs7t05TuJcWXbDGFlHBrB8gVhbnvG/Abk6x
YQeD591VRrHyclhUrtZ22xeG0vjXqU+1eaJ/nkrWhqRjFGGAVK45pxpHwtw4
XDu3sJPQ1U2ivuKjeYI2sodsEK3ctiDRPUGEaO1OFXDxZxtbxAm25FqT8zfb
hFTxQtQzscCwBMi23V5QowHfZAtZhfNHh5+j/b0cmMI9IRoR8VyFOkckkMJ8
ProhDhezXn1vj6ppbC1iKPsgBUvblyWnwSgGwzW8RB5Sn1TmScXvDLEiWuA0
XezfF+yr+zI9FzlQyb+kTWi2TCoqxfQ6G3Nru2hk9yjTiltRsl0rCmH99kCS
eds7GPI1beVBPk/GjEhKz25QQVu3tP+Q3SxKNhG3YTizRJtDYxJao8YOJHom
tAc82O8UH/TGS64PEBg3DlHunYbwvzwUsLubc+bLTpa1AKurSnZyovm5PIQ/
p4GSJYLLeEXFpZKdNfEG3EuRlRIH2/z5J3Y9Q6kl1hUfJe3FSWnaiZFocTSU
pJfDJdymteWElMGNiNBEFG4ItaAWgSo8uFxSDWjFe79o61C7or7n+JGHkN5A
l96iPcCI1ocXN1oV4ZgBiiS2jRPQU33py5cBnQLCt7vLo2zIjXVdaxqt6exq
ZQpRwPWS7nemPTTjsS19uE+9eGd1gb5U2S2BsxhPRmcdfAqbO+wE+QgPt9ss
nKzscKFlFaviQiV12I1hM6SejbHKJA4QLZPNBlbDNeIaLmEVBW1SQ5qkbi6r
K5dfcVqHBoUdovBVybypWpx2jIz5MCTvE9AGI/DO2tIdvIGnpKVHmlntOcKC
ruwkPU0zPTmCSr6G0LV92cJaaZzTa6igS9g8ktUKO2dxfRkXvJ3oAve54WdH
QENsbHrh2cEjSi/8Fjnfv211y7fc/G30W/byzfPzycn56Vn2W/aWk2RDZ2P8
Bu6FO3PPX0t7P/oHeseiOdeBRzchYezq5n7L/vsvybaS//5rt/cvn/tocDf6
wCp//IPfmnCfaPZodN/TxKJDKOkcsvvHYVDfd6v905AqZhWDShlMQA3nCrux
ot1ehUw3Y4Yam6KSjZuyk//olDTKN9moDClOaaElIltU0CgUpdto0lb2ZLXe
8XR3nOgX16PcJww2Jv0117qM88F02DkooigzA1RgH43zbXScjPf0/GQ4KJP0
mVYhXNqdvv4V7N6dm0D+tDsp2qoDArW7fgtx8D4+M7M9dgFqvWgTr4oLtLtX
aRg3St7SEHyYKhyPGPZGB1+A3WJcLnzJLxdu2jbJToBxUmEVVwH3+ZWSC9Ze
9CuL4pNqA/YIGSKbR+nNb5zF1SvJHh9UdkMH3CFFwnY7PrQR+YRqTP7Z7IGD
iPFiVOEu3YEKLddIoFXA7yyNbeaGASFuITMJbyGGS0XNDqu0Z7z2eCDZ3YkI
MD5gyWdR/eRu7Gy5AtBt6OIG8Vgxu4m22s4jSDG/H+qfcWiJC5PZuN7eF55i
QotFO/LCXj+/0fZzBz46N/ZdVapr51SF7bjUYy6tz1DSdvgFhr14U29BZzfr
9cbGj6kkm8Ph4EjzzsVxL/62JYNmT292G+TigxftTME9XQsM87hNwtarc9/L
yB6PM/yAxrgT+/R7AUSHGHm9WTd6AYhqSXuqjcHZFWqBzoKFK08ef/oEf4YP
fWClNKE34kiMTPmO0DT6neM2poBPbKm3i/VL31w4xu5WGPu59bYym2STQLMc
1FT27Ndr6UQzkmCqdvKzKXUeR2wsHzJZnu4/dgeKipAljk4OhV/2iyPugBTK
hLmTNqPVDQfMAltq9mbMoFj5mTtwEGpWWY6RJU46LBx6ugOjkM/w8ePQ93Rg
mhjzhTmSpYGlXSisx4CVOHi69cQk3KVOxd8HXztfAx3wQjmAkZyWFp8mekXG
Bt1/LwppFoA5A5zhomRd488LTk6v6B3YhvVEQGbc8h6d2UdZikIK58QOHSjF
523d/xtu9tTcLyvmtwe+puclEnVpm3QDD/46dPIEu9q9U5P6J233hbCzOSNy
8ji4o+h8M3seho9fcEihkeveOcP3Pvx160mtQ/vFKWDQqR9yWRreVwOersox
ipzsF4J5Lvhg2ihW3Ggu9EswQrgtbsWG4AgjCa7V2rLpn/Zkp7v77SFyftOk
C8L6Pf4u/UZ3O0fWeLQYbccmPbR11zoRpXMK16CQ80EhYR4WUd1xhJk7kine
RRcd7upK2Lby1DacGB9SPFCCTkdi8CGhpE22niNpZfLuDzQikY4Nn0jDS5S7
ujjn9pjWULGu9WMo7R0HYAdUm6xAK9TCbyDaojT5kDjoZkZAgc/wofUteTrd
TY72Y2JsQ8njCAtGgW2EBwNjxkYHj7fbxjedtjGINnbbMMeWJe1xigzN7+MV
x4gGt82kY9x60lwS//xi5EglParCr/gwpnZu2BYf6K5TZ9nyuAYcwnNVfyjk
qAkxoGgPyup8aiQt+OvsigWNxpupblHgrGEbPDDeH2FP3qIZ9P+53JMKCjpb
dFCSt32gCZf+ohtuxbgdcDprAc6m09xW+EVXsuJ4yPlQwBV0CEX7qcF4H34U
uuVm7Ic9sEQA3Nj8utK34I/xJ5fTaBxFVLpP9EM3o9F73aJ38t6b5HCQZnRO
VzgneMhkWlkLB2p+mYEnlOtPj/Whd28mwza6dxWf3JGcG3ejBAcOsQRN4rc4
mfEJ4e/YLxPZ0zT0amaryfkQXjt6tii8A7SDEiN0hWmgyBR6Ovlpb/l4LWqN
2Sb6bvE4u9BFBYzwPZYgsjF4jseWAlTV2RtQG/5TDkRtV7BIjhWHIKrr7EKU
a/DJNH6MEAtZNA3QYrMN5c3AmbPG3QIx5MEetCdVzaUF3i3Aj3wTmaNPfL+H
l5Es3+GXrxk6ynI9bykxsPLf0LOnuxDRAQ2nyRo8Qrc1CZem6ZwJP7Elyjga
PXjA1cSshMCiZmcg1rp+8OAoW5ekaDhVxxO2zjkdFVioDzYnnfEGOIuTRw/w
o16euTxjGT1vblkF25KNO4p9vzzwJrZ+XaIybGj6+90+UdsfP6ala58GjhyK
pYeTgQ6qH+D5kGA72e0+bhdgPLPDZ+jw7j/dwy9mv2y4FB1jB27PWOeoMZaq
7G9DMneUbaT5WzjCD7+lSC1hGpjPuJviF/B2LmSBpv2MD8sHSIpftG0/BBXg
tg+5pfEVFcP9/s0NCykNHPI3Ggcy6gZkwviKXJBKGM/K7NAiIJHgJR4fCSnr
RP8BIkJEJDr0zXdo3cS7+klUDg6eTS0f/YDI4qLHRCHo5uo1OnsuovMe3b00
+NBdxm+ShfShi4NDXMqDJ3vE2akvAaxyH/0aRKDTJQDaJ1Gfr8GkHz6i7g6x
u/8H8Rgf38KAAAA=

-->

</rfc>

