<?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->


<!DOCTYPE rfc  [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">

]>


<rfc ipr="trust200902" docName="draft-duan-dnsop-work-amplification-00" category="info" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true">
  <front>
    <title abbrev="DNS Work Amplification">DNS Work Amplification: Problem Statement, Terminology, and Taxonomy</title>

    <author fullname="Huayi Duan">
      <organization>HKUST(GZ)</organization>
      <address>
        <postal>
          <street>No.1 Du Xue Rd, Nansha District</street>
          <city>Guangzhou</city>
          <code>511453</code>
          <country>China</country>
        </postal>
        <email>huayiduan@hkust-gz.edu.cn</email>
      </address>
    </author>
    <author fullname="Liwen Xu">
      <organization>ETH Zurich</organization>
      <address>
        <postal>
          <street>Universitätstrasse 6</street>
          <city>Zürich</city>
          <code>8092</code>
          <country>Switzerland</country>
        </postal>
        <email>liwen.xu@inf.ethz.ch</email>
      </address>
    </author>
    <author fullname="Adrian Perrig">
      <organization>ETH Zurich</organization>
      <address>
        <postal>
          <street>Universitätstrasse 6</street>
          <city>Zürich</city>
          <code>8092</code>
          <country>Switzerland</country>
        </postal>
        <email>adrian.perrig@inf.ethz.ch</email>
      </address>
    </author>

    <date year="2026" month="July" day="01"/>

    <area>Operations and Management</area>
    
    

    <abstract>


<?line 146?>

<t>Recursive DNS resolvers are expected to bound the amount of "work"
performed when answering a client query. DNS specifications
discuss such bounds but leave key concepts, accounting rules, and
safe limits underspecified. This leeway has led to divergent
implementations and makes systematic bounding difficult,
contributing to denial‑of‑service attacks that amplify resolver
work and harm different DNS components. This document describes
the problem space of DNS work amplification. It defines
terminology for discussing work performed during a single
resolution instance, develops a taxonomy of work‑amplification
vulnerabilities along resource and mechanism axes, and analyses
where existing DNS specifications leave amplification‑relevant
behavior underspecified. The document is descriptive: it does
not itself specify protocol changes or operational requirements.</t>



    </abstract>



  </front>

  <middle>


<?line 163?>

<section anchor="introduction"><name>Introduction</name>

<t>DNS specifications have long warned that resolvers need to bound the amount of
work performed per client query in order to avoid runaway loops and chain
reactions (see <xref target="RFC1034"/> and <xref target="RFC1035"/>).  In practice, a single resolution can
exercise multiple interacting mechanisms —- alias processing, delegation traversal,
retries and failover, caching, DNSSEC validation, etc.
Many RFCs specify functional behavior but leave resource‑relevant properties
underspecified or inconsistently defined: which internal actions are counted
toward a bound, whether and when counters reset, what defaults are safe, and
what constitutes relevant data for resolvers to process.</t>

<t>Over the past several years, a series of disclosures and research results have
shown that <em>protocol‑compliant but adversarially crafted authoritative zones and
query/response patterns</em> can drive disproportionate resource consumption during
resolution, stressing DNS infrastructure.  Examples include published attacks
such as NXNSAttack <xref target="AFEK2020-NXNSATTACK"/>, TsuNAME <xref target="MOURA2021-TSUNAME"/>,
KeyTrap <xref target="HEFTRIG2024-KEYTRAP"/>, and CAMP <xref target="DUAN2024-CAMP"/>. The underlying
amplification potential is largely inherent to DNS design: resolution may
legitimately require multiple upstream transactions, may traverse delegation
structures, may restart at aliases, and may validate cryptographic proofs, etc.
Specification gaps and non‑uniform guidance further increase this underlying
complexity by making worst‑case behavior harder to predict and by encouraging
divergent accounting and limit choices across implementations.</t>

<t>This document addresses this class of availability vulnerability, referred to
here as <strong>work amplification</strong>.  A work‑amplification vulnerability allows an
attacker to trigger disproportionate resource consumption —- such as outbound
resolver queries, on‑wire bytes, CPU, or resolver state —- during the processing of a single
client query (i.e., one resolution instance).  In this document, <em>work</em> is the
resources consumed while processing one resolution instance and is treated as a
vector of resource dimensions (Section 4).</t>

<t>Work amplification differs from classic <em>traffic reflection and amplification</em>
attacks. Reflection primarily amplifies on‑wire bytes delivered to an external
victim and typically relies on source‑address spoofing; mitigations such as
anti‑spoofing and response rate limiting address that threat.  Work
amplification primarily stresses DNS components and nearby infrastructure by
amplifying their internal work (e.g., query load, validation CPU, and
per‑transaction state), and can be effective even without spoofing.  Reflection
mitigations are therefore insufficient on their own; bounding work requires
explicit budgets, accounting rules, and operational anomaly handling.  This
document is complementary to existing BCP guidance for reflection mitigation
(e.g., <xref target="BCP38"/>, <xref target="BCP84"/>, and <xref target="BCP140"/>).</t>

<t>The goals of this document are:</t>

<t><list style="symbols">
  <t>to define a terminology for discussing DNS work amplification,
including the notions of resolution instance, resolver query, work
budget, and budget exhaustion;</t>
  <t>to develop a two‑axis taxonomy of work‑amplification
vulnerabilities along resource and mechanism dimensions; and</t>
  <t>to identify where existing DNS specifications leave
amplification‑relevant behavior (such as bounding, accounting,
and safe defaults) underspecified, without prescribing remedies.</t>
</list></t>

<t>Protocol fixes and operational mitigation guidance are out of scope
for this document.  Those topics are addressed in the companion
document <spanx style="verb">draft-dnsop-work-amplification-bcp</spanx>.</t>

<t>This document does not attempt to catalogue implementation bugs that
rely on malformed packets or memory corruption.  Those issues are
important, but they are orthogonal to the protocol‑level behaviors
considered here.</t>

</section>
<section anchor="terminology"><name>Terminology</name>

<t>Unless otherwise noted, the terms in this section are used in the
sense described in <xref target="RFC9499"/>.</t>

<t><list style="symbols">
  <t><strong>Client query:</strong>  A DNS query received by a resolver from a stub
resolver or other downstream client.</t>
  <t><strong>Resolver:</strong>  A DNS component that performs resolution on
behalf of a client query.  This includes full recursive resolvers
and forwarders that themselves perform recursion.</t>
  <t><strong>Authoritative server:</strong>  A DNS server that is authoritative for at
least one zone and answers queries for names within that zone.</t>
  <t><strong>Resolution instance:</strong>  The entire resolution process undertaken
by a resolver in response to a single client query.  A resolution
instance encompasses all resolver queries, alias-induced restarts,
delegation traversal steps, auxiliary lookups (e.g., nameserver
address fetches and DNSSEC chain construction), retries, and
transport fallback operations.  <vspace blankLines='1'/>
A resolver can <em>coalesce</em> multiple identical client queries (including
client retransmissions) onto a single in-flight resolution instance; in
that case the work budget applies to the shared instance.</t>
  <t><strong>Resolver query:</strong>  A DNS query emitted by a resolver to another
resolver or authoritative server during a resolution instance.  This
includes queries for nameserver addresses (A/AAAA), DNSKEY/DS/NSEC*
records, and any queries triggered by extension processing.
Retransmissions and retries are counted as separate resolver queries.</t>
  <t><strong>Restart:</strong>  The act of continuing a resolution instance for the
<em>same client query</em> while changing the current target name due to
alias processing (e.g., following a CNAME or DNAME).  In RFC 1034
terms, this corresponds to the resolver algorithm's alias handling:
substituting a new name for the current name being resolved and
re-entering the search procedure at the new target name.
The resolver can reuse cached state across restarts, but each restart
represents additional work that is accounted for.</t>
  <t><strong>Delegation step:</strong>  A transition within a resolution instance where
the resolver processes a referral at a zone cut and updates its candidate
authoritative server set for a child zone.  In RFC 1034 terms, this
corresponds to processing an NS RRset and updating the resolver's list of
candidate servers ("SLIST") for the next zone cut.  Each delegation step
represents additional work that is accounted for.</t>
  <t><strong>Work budget:</strong>  A per-resolution-instance set of counters that
collectively bound the amount of work the resolver performs.</t>
  <t><strong>Budget exhaustion:</strong>  The event that occurs when <strong>any</strong> work-budget
counter reaches its configured limit.  When budget exhaustion occurs,
the resolver stops expanding the resolution instance.
The resolver typically returns an appropriate error to the client
(typically SERVFAIL); under severe overload, a resolver may shed load
by dropping responses.</t>
  <t><strong>Max-work event:</strong>  A client query and associated upstream response
pattern that causes a resolver to exhaust its work budget under the
configured limits.</t>
  <t><strong>Work-amplification vulnerability:</strong>  A protocol behavior or feature
interaction that allows an attacker, via protocol‑compliant authoritative
data and/or query patterns, to cause disproportionate resource consumption
(queries, bytes, CPU, or state) while processing a single client query.
Amplification potential is often exacerbated when specifications omit, loosen,
or inconsistently define the bounds and accounting rules needed to make
worst‑case behavior predictable.</t>
</list></t>

</section>
<section anchor="threat-model"><name>Threat Model</name>

<t>Work amplification becomes exploitable when an adversary can both (1) influence
the authoritative data and server behaviors consulted during a resolution
instance so that a resolver following protocol rules performs unusually large
work, and (2) trigger resolution instances that exercise those behaviors at one
or more target resolvers.</t>

<t>Accordingly, this document assumes an attacker with the following core
capabilities:</t>

<t><list style="symbols">
  <t><strong>Adversarial authoritative inputs:</strong>  the attacker can publish and serve
protocol‑compliant DNS data for one or more zones and can choose response
behaviors that remain within protocol syntax.  This includes crafting
delegations, aliases, glue (or the absence of glue), DNSSEC material, and
record sets that induce additional dependency lookups.  It also includes
response patterns that influence resolver control flow (e.g., selective
omission of optional data, returning referrals, and controlled use of
truncation) while remaining syntactically valid.</t>
  <t><strong>Triggering resolution:</strong>  the attacker can cause client queries to be sent
to one or more target resolvers for names whose resolution depends on the
adversarial inputs.  This may be achieved by sending queries directly,
embedding attacker‑controlled names in web resources or email, or leveraging
clients that use the target resolvers.</t>
</list></t>

<t>Some amplification vectors can also be triggered by querying existing
misconfigured zones; attacker‑controlled zones make worst‑case behavior
reliable and repeatable.</t>

<t>Depending on the scenario, the attacker may additionally have:</t>

<t><list style="symbols">
  <t><strong>Distributed clients:</strong> enough sources to sustain a desired request rate or
to evade per‑client limits.</t>
  <t><strong>Multiple cooperating authoritative servers/zones:</strong> the ability to spread an
amplification pattern across multiple zones or servers, which can bypass some
per‑upstream operational limits.</t>
  <t><strong>Source‑address spoofing:</strong> while not required for work amplification,
spoofing can hinder attribution and can bypass some per‑client defences in
deployments where spoofing remains possible.</t>
</list></t>

<t>Work amplification can be exacerbated by packet loss and delay (benign or
adversarial), because retries and failover can amplify work.  This document does
not assume an on‑path adversary; on‑path manipulation is out of scope except
insofar as it resembles loss/delay that a resolver may experience in normal
operation.</t>

<t>Off-path side-channel attacks against DNS resolution (e.g., SAD DNS
<xref target="MAN2020-SADDNS"/>) are out of scope as an independent threat, but
amplified resolution work can compose with such side channels by
enlarging the observable surface (more queries, retries, and state
transitions) that off-path observers can probe.</t>

<section anchor="potential-victims"><name>Potential Victims</name>

<t>Depending on the attack construction, different DNS components can be the
<em>primary</em> victim (the component whose resources are intentionally exhausted).
Other components may act as <em>amplifiers</em> or experience collateral damage.</t>

<t>This document distinguishes the following common victim roles:</t>

<t><list style="symbols">
  <t><strong>Target resolver (primary victim):</strong>  a recursive or forwarding resolver is
directly targeted.  The attacker sends client queries that cause the resolver
to consume disproportionate CPU (including DNSSEC validation),
recursion state, cache resources, and/or outbound query capacity.</t>
  <t><strong>Target authoritative server (primary victim):</strong>  an authoritative server is
targeted by inducing many resolvers to generate amplified resolver queries
toward it.  The attacker typically uses attacker‑controlled authoritative
infrastructure to publish an amplification pattern that requires resolvers to
fetch many dependencies (e.g., nameserver‑address lookups) from the victim.</t>
  <t><strong>Uninvolved third‑party server (primary victim):</strong>  a server that is not
under the attacker’s control and not otherwise part of the intended
resolution can become the primary victim if resolvers are induced to direct
dependency lookups to it by name (e.g., NS targets under the victim’s zone) or
by address (e.g., glue addresses pointing at the victim).  The victim is
often an authoritative server but can also be any DNS‑speaking service
reachable at the induced address.</t>
  <t><strong>Adjacent infrastructure and clients (collateral victims):</strong>  work
amplification can saturate links, overload stateful middleboxes (e.g., NATs,
firewalls, load balancers), increase latency, and cause budget‑exhaustion
errors for benign clients.</t>
</list></t>

<t>The most common primary targets are resolvers that perform the amplified resolution
work and authoritative servers that receive the resulting amplified resolver queries.
In these cases, we refer to the attack as self-amplification. This distinguishes 
the attack from conventional reflective amplification, where third-party servers 
send amplified responses to a spoofed victim address.</t>

</section>
<section anchor="example-attack-scenarios"><name>Example Attack Scenarios</name>

<t>The taxonomy in Section 4 abstracts attacks into resource and mechanism
categories.  This section provides non‑exhaustive end‑to‑end scenarios,
organised by the primary victim role (Section 3.1).  Many scenarios have
secondary victims (e.g., authoritative servers receive expanded queries).</t>

<t><list style="numbers" type="1">
  <t><strong>Target resolver (resolver as primary victim).</strong>  An attacker operates one
or more authoritative zones and publishes well‑formed content that forces a
resolver into expensive control flow.  By inducing clients to resolve names
in those zones (or querying directly), the attacker causes the target
resolver to follow alias chains, traverse multiple delegations, perform
QNAME‑minimisation probes, fetch nameserver addresses, and validate DNSSEC
material.  The resolver expands the resolution instance until the configured
work budgets are exhausted, degrading service for other clients.</t>
  <t><strong>Target authoritative server (authoritative as primary victim).</strong>  An
attacker publishes a delegation in an attacker‑controlled zone whose NS
targets are names under the victim authoritative server’s zone (e.g.,
<spanx style="verb">ns1.victim.example</spanx>, <spanx style="verb">ns2.victim.example</spanx>, ...), with little or no glue.
The attacker then sends initiating client queries to many resolvers.
Each resolver must resolve the NS target names to addresses,
sending many A/AAAA resolver queries to the victim authoritative server.
Aggregated across many resolvers, the victim receives amplified query load
that is disproportionate to the attacker’s initiating traffic.</t>
  <t><strong>Uninvolved third‑party server and infrastructure stress.</strong>  This
scenario resembles Scenario 2, but the amplified dependency traffic is
directed at an external victim that is not authoritative for the attacker’s
zone.  The attacker induces resolvers to send dependency traffic to a victim
that is not under the attacker’s control, for example by providing
in‑bailiwick glue that points to a victim IP address or by referencing many
random names under a victim zone.  The induced traffic can overload the
victim server even though its responses do not influence the attacker‑
controlled zone’s correctness.  When combined with loss or delay, retries,
failover, and transport fallback can further increase outbound queries, wire
bytes, and connection state, stressing links and stateful devices along the
path.</t>
</list></t>

</section>
</section>
<section anchor="taxonomy-of-workamplification-vulnerabilities"><name>Taxonomy of Work‑Amplification Vulnerabilities</name>

<t>This section defines the two‑axis classification used throughout this
document.  Each vulnerability is labelled with one or more
<strong>resource amplification labels</strong> and <strong>mechanism labels</strong> as defined
below.  By separating <em>what</em> resource is amplified from <em>how</em> it is
amplified, we avoid overlapping categories and provide a stable basis
for both protocol clarifications and operational mitigations.</t>

<section anchor="scope-and-limitations-of-the-taxonomy"><name>Scope and Limitations of the Taxonomy</name>

<t>The two axes are intended to be orthogonal: the resource axis (R)
describes <em>what</em> resource is amplified, while the mechanism axis (M)
describes <em>how</em> amplification is induced.  Because the same mechanism
can amplify multiple resources (for example, delegation traversal can
drive both resolver queries and wire bytes), individual vulnerabilities
are typically labelled with a non-empty subset of each axis.  Treating
the two axes independently keeps the categories non-overlapping at the
axis level even when individual labels co-occur in concrete attacks.</t>

<t>The label sets in the following two subsections are not claimed to be
exhaustive.  An issue is included when it has been observed in deployed
resolver behavior, demonstrated in published research, or discussed in
prior IETF or operational work; emerging mechanisms and unobserved
compositions are likely to require additional labels in future
revisions.  The taxonomy is descriptive, not prescriptive: the goal is
to give readers a stable vocabulary for discussing work-amplification
vulnerabilities rather than to enumerate every possible vector.</t>

</section>
<section anchor="resource-amplification-labels"><name>Resource Amplification Labels</name>

<t><list style="symbols">
  <t><strong>R1 - Resolver-query amplification:</strong>  A client query triggers an
excessive number of resolver queries during a resolution instance,
including nameserver-address lookups, DNSSEC-related lookups, and
transport retries.  R1 covers both the count of resolver queries and
the concurrency of outstanding resolver queries.</t>
  <t><strong>R2 - Wire bytes amplification:</strong>  A client query results in
disproportionate bytes on the wire, either upstream (resolver to
authoritative) or downstream (authoritative to resolver or resolver
to client).  Examples include responses with large RRsets, many
RRsets, repeated retries and TCP fallback due to truncation.</t>
  <t><strong>R3 - Computation amplification:</strong>  The amount of CPU or wall‑clock
time spent by the resolver is disproportionately high.  Parsing
large responses, following complex rewrite patterns and
cryptographic DNSSEC validations drive R3.</t>
  <t><strong>R4 - State amplification:</strong>  A query causes the resolver to
allocate disproportionate in‑memory state—either per‑resolution
structures (e.g., per-instance dependency tracking) or longer-lived
cache state.
R4 often accompanies R1-R3 when large numbers of RRsets are
processed or stored.</t>
</list></t>

<t>NOTE: R1 and R2 are intentionally distinct axes.  Many attacks amplify
both, but they can occur independently: a single oversized response can
trigger R2 without many resolver queries, while many small resolver
queries (e.g., for dependencies) can trigger R1 without large
responses.  Implementations typically account for both dimensions.</t>

</section>
<section anchor="mechanism-labels"><name>Mechanism Labels</name>

<t><list style="symbols">
  <t><strong>M1 - Alias and restart semantics:</strong>  Amplification enabled by
aliasing and restart behavior.  CNAME and DNAME chains can trigger
multiple restarts.  Common underspecified aspects include limits on chain length, loop
detection, and how work budgets are applied across restarts.</t>
  <t><strong>M2 - Delegation traversal and nameserver discovery:</strong>  Issues
arising from delegation and referral processing.  Examples include
glueless referrals, out‑of‑bailiwick nameserver names, and deep or
cyclic delegation structures.  Missing limits on delegation depth or
the number of nameserver addresses to fetch contribute directly to
amplification.  This label also covers query-name probing behavior
during delegation traversal, such as QNAME minimisation
(<xref target="RFC9156"/>), which can increase resolver queries for deep names if
not bounded.</t>
  <t><strong>M3 - Server selection, retries and concurrency:</strong>  Amplification
from query retry and failover logic.  Underspecified retry limits and
concurrency policies can cause explosive growth in outstanding
queries when resolvers attempt to contact multiple servers or fall
back to other transports or protocols.</t>
  <t><strong>M4 - Response content multiplicity and section semantics:</strong>
Amplification enabled by large or numerous RRsets and by the handling
of response sections (answer, authority, additional).  Large RRsets,
many RRsets, or records with many RDATA entries can inflate parsing,
validation, and caching work.</t>
  <t><strong>M5 - DNSSEC validation and proof semantics:</strong>  DNSSEC introduces
additional queries (to fetch DNSKEY and DS RRsets) and cryptographic
validation work.  Underspecified aspects include whether DNSSEC queries count
toward budgets, limits on cryptographic verification work, and
bounding NSEC3 parameters and candidate key sets to mitigate
algorithmic-complexity DNSSEC attacks.</t>
  <t><strong>M6 - Cache admission, relevance and maintenance:</strong>  The rules
governing what a resolver may cache, for how long, and when to
evict entries are only partially defined.  Attackers can fill
caches with irrelevant or malicious records, causing memory
exhaustion or eviction of useful data.  Negative caching and
bailiwick rules are also relevant here.</t>
  <t><strong>M7 - Extension‑induced secondary resolution:</strong>  New DNS extensions
sometimes implicitly trigger additional lookups or state (for
example, records that reference additional names that must be
resolved, or transport and discovery mechanisms that initiate
extra exchanges).  If resource bounds are not clearly specified,
these features can open new work‑amplification vectors.</t>
</list></t>

<t>Each vulnerability analysed in Section 5 is annotated with one or more
resource and mechanism labels along with typical victims and
preconditions.  This labelling enables readers to map specification
ambiguities to corresponding resource budgets and to determine which
mitigations are most appropriate.</t>

</section>
<section anchor="example-mapping-of-known-attacks"><name>Example Mapping of Known Attacks</name>

<t>This subsection provides an <em>informative</em> mapping from a few
well-known work-amplification attacks to the taxonomy in this document.
The mapping is illustrative rather than exhaustive; individual attacks
often have variants that exercise additional mechanisms.</t>

<texttable>
      <ttcol align='left'>Attack (informative name)</ttcol>
      <ttcol align='left'>Typical resource labels</ttcol>
      <ttcol align='left'>Typical mechanism labels</ttcol>
      <c>NXNSAttack</c>
      <c>R1, R2</c>
      <c>M2, M3</c>
      <c>TsuNAME</c>
      <c>R1</c>
      <c>M1, M2</c>
      <c>KeyTrap</c>
      <c>R3</c>
      <c>M5</c>
      <c>CAMP</c>
      <c>R1-4</c>
      <c>M1-4</c>
</texttable>

</section>
</section>
<section anchor="analysis-of-amplification-vectors-and-specification-enablers"><name>Analysis of Amplification Vectors and Specification Enablers</name>

<t>This section connects the taxonomy in Section 4 to existing DNS
specifications.  Work amplification is often inherent to DNS design:
recursive resolution deliberately combines delegation traversal, alias
following, caching, retries, transport fallback, and (in many deployments)
DNSSEC validation.  Those mechanisms can legitimately require substantial
work in some cases.</t>

<t>The focus here is narrower: it identifies where <em>specification text and
non-uniform guidance</em> can make worst‑case work harder to predict and
harder to bound, and therefore make implementation and operational
mitigations less systematic.  Concretely, this section highlights places
where RFCs:</t>

<t><list style="symbols">
  <t>do not clearly identify which work needs to be bounded for a single
client query;</t>
  <t>do not define what counts toward those bounds, or when counters reset;</t>
  <t>do not provide (or align on) safe default limits; or</t>
  <t>introduce feature interactions that change work without calling out the
associated bounding and accounting implications.</t>
</list></t>

<section anchor="conventions-for-rfc-references-in-this-section"><name>Conventions for RFC References in this Section</name>

<t>DNS behavior relevant to work amplification is specified across a large
set of RFCs, and relevant text is often scattered.  Reproducing all
relevant material verbatim would be both impractical and potentially
misleading without the original context.</t>

<t>For each issue below, this document therefore provides two reference
lists:</t>

<t><list style="symbols">
  <t><strong>Primary normative anchors (complete within scope):</strong> the RFC sections
that most directly define the base protocol behavior for the issue.
These are the first places implementers and reviewers should consult.</t>
  <t><strong>Additional related documents (non‑exhaustive):</strong> other RFCs, BCPs, and
active Internet‑Drafts that refine the behavior, introduce related
mechanisms, or provide operational guidance.</t>
</list></t>

<t>Each issue discussion then explains (a) what the anchor text requires,
(b) what is left to implementation or local policy, and (c) how that
leeway can exacerbate the amplification vectors in Section 4.</t>

</section>
<section anchor="selection-and-structure-of-issues"><name>Selection and Structure of Issues</name>

<t>An issue (A-*) is included in this section when published
specification text leaves leeway in bounding, accounting, or safe
defaults that directly enables one or more of the resource and
mechanism vectors catalogued in Section 4.  Issues that arise solely
from implementation defects (e.g., bugs in parsing or memory handling)
are excluded; the focus is on specification-level ambiguity that
propagates predictably across conformant implementations.</t>

<t>The issues are grouped to mirror the mechanism axis (M1-M7) of the
taxonomy: A-1 covers the cross-cutting work-budget framing, while A-2
through A-8 align with the alias, delegation, retry, response-content,
DNSSEC, caching, and extension mechanisms respectively.  This grouping
lets readers move between an attack's mechanism labels and the
specification anchors most relevant to clarifying it.</t>

<t>The list of issues is not claimed to be exhaustive.  As with the label
sets in Section 4, additional issues are likely to be identified as
new DNS extensions are deployed and as further work-amplification
research is published; the issues here are the ones for which
sufficient deployment or research evidence currently exists to motivate
inclusion.</t>

</section>
<section anchor="work-budgeting-and-accounting"><name>Work budgeting and accounting</name>

<t><strong>Issue identifier:</strong> A‑1</t>

<t><strong>Primary normative anchors (complete within scope):</strong></t>

<t><list style="symbols">
  <t><xref target="RFC1034"/> §5.3.3 — describes the resolver top‑level algorithm and
notes that resolvers should bound the work performed for a single
request, but does not formalise a complete accounting model.</t>
  <t><xref target="RFC1035"/> §7.1-§7.2 — sketch resolver implementation considerations,
including a per‑request work counter (§7.1) and query sending,
server selection, and retry handling (§7.2), while leaving most
accounting choices to implementations.</t>
</list></t>

<t><strong>Additional related documents (non‑exhaustive):</strong></t>

<t><xref target="RFC2181"/> (RRset handling and ranking), <xref target="RFC2308"/> (negative caching),
<xref target="RFC4033"/>-<xref target="RFC4035"/> (DNSSEC), <xref target="RFC5155"/> and <xref target="RFC9276"/> (NSEC3 and
operational guidance), <xref target="RFC7766"/> (DNS over TCP), <xref target="RFC8198"/> (aggressive
use of DNSSEC‑validated cache), <xref target="RFC8767"/> (serve‑stale), <xref target="RFC9156"/>
(QNAME minimisation), and <xref target="I-D.fujiwara-dnsop-dns-upper-limit-values"/>
(upper‑limit values).</t>

<t><strong>What is specified:</strong></t>

<t>The base DNS specifications (<xref target="RFC1034"/> §5.3.3 and <xref target="RFC1035"/> §7.1-§7.2)
acknowledge that resolvers must place bounds on the work performed on
behalf of a client query and sketch one approach (e.g., a per‑request
counter).  They also define multiple mechanisms that
can legitimately trigger additional resolver queries and processing.</t>

<t><strong>What is left to implementation or policy:</strong></t>

<t>The base specifications do not define a concrete <em>accounting model</em> for
work, including:</t>

<t><list style="symbols">
  <t>which internal actions are charged to the same budget as the client
query (e.g., nameserver address discovery, DNSSEC validation fetches,
retries and failover, transport fallback, QNAME‑minimisation probes);</t>
  <t>whether and when counters reset (e.g., on alias‑induced restarts);</t>
  <t>whether independent limits compose safely (e.g., separate limits for
restarts, depth, and outstanding queries without an overall envelope);
and</t>
  <t>what safe defaults are for modern resolver deployments.</t>
</list></t>

<t>These choices materially affect worst‑case work and therefore vary across
implementations.</t>

<t><strong>Work‑amplification relevance:</strong></t>

<t>When budgets are incomplete or inconsistently applied, an attacker can
force expensive combinations of mechanisms (e.g., restarts * delegation
traversal * retries * validation), increasing R1-R4 and enabling M1-M7.</t>

</section>
<section anchor="alias-processing-and-restart-logic"><name>Alias processing and restart logic</name>

<t><strong>Issue identifier:</strong> A‑2</t>

<t><strong>Primary normative anchors (complete within scope):</strong></t>

<t><list style="symbols">
  <t><xref target="RFC1034"/> §3.6.2 and §5.3.3 — describe CNAME processing and the
resolver‑algorithm restart step, but do not bound chain length or
loop‑handling work as part of a single client query's budget.</t>
  <t><xref target="RFC1035"/> §3.3.1 — defines CNAME RR semantics without specifying
resolver‑side restart accounting.</t>
  <t><xref target="RFC6672"/> §3 — defines DNAME substitution semantics and CNAME
synthesis without specifying combined alias‑chain bounds.</t>
</list></t>

<t><strong>Additional related documents (non‑exhaustive):</strong></t>

<t><xref target="RFC2181"/> (clarifications), <xref target="RFC8020"/> (NXDOMAIN termination under empty
non-terminals), and resolver‑implementation guidance and limits such as
<xref target="I-D.fujiwara-dnsop-dns-upper-limit-values"/>.</t>

<t><strong>What is specified:</strong></t>

<t>Alias records (CNAME and DNAME) intentionally redirect resolution and can
cause the resolver to restart its search for a different name while still
answering the original client query.</t>

<t><strong>What is left to implementation or policy:</strong></t>

<t>Specifications do not provide consistent, protocol‑level guidance on:</t>

<t><list style="symbols">
  <t>bounding alias chain length and alias‑induced restarts <em>as part of</em> a
single client query’s work;</t>
  <t>detecting and handling alias loops across administrative boundaries;</t>
  <t>how restarts interact with other bounds (depth, outstanding queries,
timeouts); and</t>
  <t>whether partial state can be reused safely across restarts (which in
practice affects whether work is repeated).</t>
</list></t>

<t><strong>Work‑amplification relevance:</strong></t>

<t>Alias chains and loops can multiply resolver queries (R1) and state
tracking (R4), and can be composed with delegation traversal (M2) and
retries (M3).  Ambiguous or non‑uniform restart accounting can make these
worst cases larger.  Cyclic CNAME and NS dependencies, as in the
TsuNAME phenomenon <xref target="MOURA2021-TSUNAME"/>, illustrate how alias and
delegation interactions in deployed zones can amplify queries to
authoritative servers.</t>

</section>
<section anchor="delegation-traversal-and-nameserver-discovery"><name>Delegation traversal and nameserver discovery</name>

<t><strong>Issue identifier:</strong> A‑3</t>

<t><strong>Primary normative anchors (complete within scope):</strong></t>

<t><list style="symbols">
  <t><xref target="RFC1034"/> §4.3 and §5.3.3 — describe the delegation model and
iterative search, including nameserver‑address discovery, but do not
bound dependent‑lookup fan‑out per client query.</t>
  <t><xref target="RFC1035"/> §3.3.11 (NS RR semantics) and §4.1 (message sections) —
define the on‑wire encoding of referrals and additional‑section glue
without prescribing resolver‑side admission or fetch limits.</t>
  <t><xref target="RFC2181"/> §5.4.1 and §6 — clarify RRset ranking, zone cuts, and
glue handling, but leave out‑of‑bailiwick and missing‑glue policy to
resolver implementations.</t>
</list></t>

<t><strong>Additional related documents (non‑exhaustive):</strong></t>

<t><xref target="RFC9156"/> (QNAME minimisation) and operational guidance on
bailiwick and glue handling (e.g., <xref target="RFC2181"/> and DNSOP operational
documents).</t>

<t><strong>What is specified:</strong></t>

<t>Delegation traversal is fundamental to DNS.  Referrals provide NS RRsets,
and resolvers may need to obtain IP addresses for nameservers (via glue
or by resolving nameserver names).</t>

<t><strong>What is left to implementation or policy:</strong></t>

<t>Specifications leave substantial leeway that affects worst‑case work,
including:</t>

<t><list style="symbols">
  <t>how aggressively to pursue nameserver address discovery when glue is
missing or inconsistent (including out‑of‑bailiwick and cyclic cases);</t>
  <t>how to bound and account for the resulting dependent lookups as part of
the client query's budget;</t>
  <t>how to bound "fan‑out" across multiple nameservers and multiple
referral steps; and</t>
  <t>how QNAME minimisation changes the number and structure of delegation
queries, and how those extra queries are bounded and coalesced.</t>
</list></t>

<t><strong>Work‑amplification relevance:</strong></t>

<t>Delegation traversal and nameserver discovery are a primary source of
resolver‑query fan‑out (R1) and wire bytes (R2) and interact strongly
with restarts (M1) and retries/failover (M3).  NXNSAttack
<xref target="AFEK2020-NXNSATTACK"/> is a concrete instance of this fan‑out, in which
glueless delegations to many nameserver names force resolvers to issue
dependent A/AAAA queries.  Such delegation fan‑out can compose with
alias restarts (M1), retries (M3), and DNSSEC validation (M5) to reach
high query counts per client query.</t>

</section>
<section anchor="retry-failover-and-concurrency"><name>Retry, failover and concurrency</name>

<t><strong>Issue identifier:</strong> A‑4</t>

<t><strong>Primary normative anchors (complete within scope):</strong></t>

<t><list style="symbols">
  <t><xref target="RFC1034"/> §5.3.3 — describes server selection and the resolver's
behavior after timeouts in the iterative algorithm, but does not
prescribe concrete concurrency or retry budgets.</t>
  <t><xref target="RFC1035"/> §7.2 — provides resolver implementation considerations
including request retry handling, while leaving timing, fan‑out, and
failover policy to implementations.</t>
</list></t>

<t><strong>Additional related documents (non‑exhaustive):</strong></t>

<t><xref target="RFC7766"/> (DNS over TCP).</t>

<t><strong>What is specified:</strong></t>

<t>Resolvers retry queries on timeouts and may query multiple servers for
robustness (<xref target="RFC1034"/> §5.3.3 and <xref target="RFC1035"/> §7.2).  Modern resolvers
also implement parallelism for performance and transport fallback
(e.g., UDP to TCP).</t>

<t><strong>What is left to implementation or policy:</strong></t>

<t>Specifications do not define interoperable guidance for:</t>

<t><list style="symbols">
  <t>concurrency limits (outstanding resolver queries) as part of a per‑query
budget;</t>
  <t>retry timing, backoff, and failover policies under adversarial load;</t>
  <t>whether and how to coalesce identical in‑flight work across multiple
client queries; and</t>
  <t>how to bound transport fallback behavior (e.g., repeated TCP fallback
to unresponsive servers).</t>
</list></t>

<t><strong>Work‑amplification relevance:</strong></t>

<t>Retry and failover logic can turn loss, delay, or adversarial response
patterns into additional resolver queries (R1) and state (R4).  Under
stress, naive retry policies can also cause "query storms" that amplify
impact on upstream authoritative infrastructure.</t>

</section>
<section anchor="response-content-and-section-semantics"><name>Response content and section semantics</name>

<t><strong>Issue identifier:</strong> A‑5</t>

<t><strong>Primary normative anchors (complete within scope):</strong></t>

<t><list style="symbols">
  <t><xref target="RFC1035"/> §4.1-§4.2 — define DNS message format and the semantics
of Question, Answer, Authority, and Additional sections, but do not
bound per‑response processing work.</t>
  <t><xref target="RFC2181"/> §5.4.1 — defines RRset ranking and credibility rules but
leaves cache‑admission limits to implementations.</t>
  <t><xref target="RFC2181"/> §6 — clarifies zone cuts and glue handling without
bounding admission of large or repeated additional‑section data.</t>
</list></t>

<t><strong>Additional related documents (non‑exhaustive):</strong></t>

<t><xref target="RFC6891"/> (EDNS(0)), <xref target="RFC8482"/> (minimal ANY responses),
<xref target="RFC7766"/> (TCP fallback), and DNSOP guidance on response minimisation and
truncation behavior.</t>

<t><strong>What is specified:</strong></t>

<t>DNS messages have Answer, Authority, and Additional sections
(<xref target="RFC1035"/> §4.1-§4.2), and specifications describe how resolvers
interpret and cache data from those sections, including glue handling
and basic credibility rules (<xref target="RFC2181"/> §5.4.1 and §6).</t>

<t><strong>What is left to implementation or policy:</strong></t>

<t>Specifications do not provide consistent guidance on:</t>

<t><list style="symbols">
  <t>bounding the amount of processing for large but well‑formed responses
(record multiplicity, section size, name compression effects);</t>
  <t>which kinds of Additional or Authority data are "relevant enough" to
admit into cache or to act upon during the current resolution;</t>
  <t>how to treat repeated or inconsistent data across multiple responses in
the same resolution instance; and</t>
  <t>how EDNS(0) buffer sizes and response truncation interact with query
retry and TCP fallback budgets.</t>
</list></t>

<t><strong>Work‑amplification relevance:</strong></t>

<t>Large responses and permissive acceptance rules increase bytes processed
and stored (R2/R4) and can induce additional follow‑up work (M4/M6),
especially when combined with caching behavior.</t>

</section>
<section anchor="dnssec-validation-and-proof-semantics"><name>DNSSEC validation and proof semantics</name>

<t><strong>Issue identifier:</strong> A‑6</t>

<t><strong>Primary normative anchors (complete within scope):</strong></t>

<t><list style="symbols">
  <t><xref target="RFC4033"/> §3, <xref target="RFC4034"/> §2 (DNSKEY), §3 (RRSIG), and §5 (DS), and
<xref target="RFC4035"/> §5 — define the DNSSEC trust model and the validator's
chain‑of‑trust construction, which drives additional fetches and
cryptographic work without bounding per‑query validation cost.</t>
  <t><xref target="RFC5155"/> §5 and §10.3 — define NSEC3 hash calculation and the
iteration‑count guidance that together determine validation cost.</t>
  <t><xref target="RFC9276"/> — provides operational guidance for NSEC3 iteration
counts but does not normatively bound per‑query validation work.</t>
</list></t>

<t><strong>Additional related documents (non‑exhaustive):</strong></t>

<t><xref target="RFC6840"/> (DNSSEC operational practices), <xref target="RFC8198"/> (aggressive use of
DNSSEC‑validated cache), and documents describing algorithmic complexity
attacks against DNSSEC validation (informative).</t>

<t><strong>What is specified:</strong></t>

<t>Validating resolvers (<xref target="RFC4035"/> §5) perform additional fetches (e.g.,
DNSKEY/DS/NSEC*) and cryptographic work (e.g., RRSIG verification) to
establish authenticity and denial of existence.</t>

<t><strong>What is left to implementation or policy:</strong></t>

<t>DNSSEC specifications and operational guidance do not fully align on:</t>

<t><list style="symbols">
  <t>how much validation work is acceptable per client query and how to
account for it in a unified budget;</t>
  <t>safe default bounds for attacker‑controlled parameters (e.g., number of
candidate keys, signature multiplicity, and NSEC3 iteration cost); and</t>
  <t>how validation work interacts with caching (including whether expensive
intermediate results are cached and reused).</t>
</list></t>

<t><strong>Work‑amplification relevance:</strong></t>

<t>DNSSEC validation can dominate CPU work (R3) and can drive additional
resolver queries (R1).  Key‑set amplification, key‑tag collision, and
expensive denial‑of‑existence proofs are examples of M5‑style vectors;
KeyTrap <xref target="HEFTRIG2024-KEYTRAP"/> illustrates the algorithmic‑complexity
dimension of M5.</t>

</section>
<section anchor="cache-admission-relevance-and-maintenance"><name>Cache admission, relevance and maintenance</name>

<t><strong>Issue identifier:</strong> A‑7</t>

<t><strong>Primary normative anchors (complete within scope):</strong></t>

<t><list style="symbols">
  <t><xref target="RFC2181"/> §5.4.1-§5.4.2 — define RRset credibility ranking and
ordering rules used during cache admission, but leave admission
limits and replacement policy to implementations.</t>
  <t><xref target="RFC2308"/> §3 and §5 — define negative caching of name and type
errors, without prescribing detailed eviction or replacement policy.</t>
</list></t>

<t><strong>Additional related documents (non‑exhaustive):</strong></t>

<t><xref target="RFC1034"/> (caching discussion), <xref target="RFC8198"/> (aggressive use),
<xref target="RFC8767"/> (serve‑stale), and operational guidance on cache sizing and
eviction behavior.</t>

<t><strong>What is specified:</strong></t>

<t>Caching is fundamental for performance.  RFCs (<xref target="RFC2181"/> §5.4.1-§5.4.2
and <xref target="RFC2308"/> §3, §5) describe credibility and negative caching and
leave detailed cache policy (admission, eviction, replacement) to
implementations.</t>

<t><strong>What is left to implementation or policy:</strong></t>

<t>Specifications do not normatively define:</t>

<t><list style="symbols">
  <t>what constitutes <em>relevant data to process and cache</em> for a given
response and recursion context (especially for Additional‑section data);</t>
  <t>limits on cache insertion work per response (e.g., record multiplicity
across names and types);</t>
  <t>how to account for cache maintenance work (eviction, replacement,
memory pressure) in the presence of adversarially crafted names; and</t>
  <t>how to prevent attacker‑controlled names from forcing repeated cache
misses (e.g., via cache flooding and eviction attacks).</t>
</list></t>

<t><strong>Work‑amplification relevance:</strong></t>

<t>Cache admission and maintenance affect state and memory (R4) and can turn
a small number of adversarial responses into sustained work via repeated
misses, churn, and eviction overhead (M6/M7).</t>

</section>
<section anchor="extensioninduced-secondary-resolution"><name>Extension‑induced secondary resolution</name>

<t>In this document, an <strong>extension</strong> (in the A‑8 sense) is a DNS
mechanism that induces additional outgoing resolver queries <em>beyond
the direct resolution path</em>.  Examples include HTTPS/SVCB target
resolution (where processing a record triggers follow‑up lookups for
the target name) and custom EDNS options or new RR types whose
processing triggers secondary lookups.  Core resolution mechanisms
that already have a dedicated issue are explicitly out of A‑8 scope:
CNAME/DNAME chasing is discussed under A‑2 (alias processing),
delegation traversal — including glueless referrals and nameserver
fan‑out — is discussed under A‑3, and DNSSEC chain‑of‑trust
construction (including RRSIG/DS fetches) is discussed under A‑6.
A‑8 concerns the <em>additional</em> work an extension introduces on top
of those core mechanisms.</t>

<t><strong>Issue identifier:</strong> A‑8</t>

<t><strong>Primary normative anchors (complete within scope):</strong></t>

<t><list style="symbols">
  <t><xref target="RFC6891"/> §6 — defines the EDNS(0) OPT pseudo‑RR and option‑code
framework that extension specifications use, but does not bound the
work induced by individual options.</t>
</list></t>

<t><strong>Additional related documents (non‑exhaustive):</strong></t>

<t><xref target="RFC9460"/> (SVCB/HTTPS records), <xref target="RFC9156"/> (QNAME minimisation),
<xref target="RFC8767"/> (serve‑stale), <xref target="RFC7766"/> (TCP), and future DNSOP extension
documents.</t>

<t><strong>What is specified:</strong></t>

<t>DNS has an extension culture: the EDNS(0) framework (<xref target="RFC6891"/> §6)
and new RR types frequently add processing steps and sometimes require
additional lookups or validation.</t>

<t><strong>What is left to implementation or policy:</strong></t>

<t>Extension specifications do not always make explicit:</t>

<t><list style="symbols">
  <t>whether a feature introduces additional resolver queries (including
"secondary" resolutions triggered by record processing);</t>
  <t>how those queries are charged to per‑query budgets and concurrency
limits; and</t>
  <t>what safe defaults and failure modes are when those budgets are
exhausted.</t>
</list></t>

<t><strong>Work‑amplification relevance:</strong></t>

<t>Unaccounted extension‑induced work can bypass otherwise effective bounds
(M7), and can be composed with other mechanisms (e.g., SVCB/HTTPS address
fetches plus retries, or privacy probes plus delegation fan‑out).</t>

</section>
</section>
<section anchor="security-considerations"><name>Security Considerations</name>

<t>This entire document concerns security of the DNS against
work‑amplification attacks.  By describing terminology, a taxonomy,
and specification gaps that affect work amplification, this document
aims to clarify the attack surface.  Readers translating this analysis
into mitigations face trade‑offs:</t>

<t><list style="symbols">
  <t>Budget exhaustion may cause resolvers to return SERVFAIL for
legitimate complex queries; tuning limits and monitoring for false
positives involves trade‑offs between security and availability.</t>
  <t>Strict alias and delegation limits may break badly configured but
non‑malicious zones; correcting such configurations at the zone is
generally preferable to weakening limits.</t>
  <t>Per‑upstream fairness and rate limiting may allow a malicious
nameserver to consume its share of resolver resources while
legitimate queries are slowed; fairness algorithms benefit from
monitoring and adjustment.</t>
  <t>Some mitigations, such as dropping large additional sections, may
interfere with future legitimate protocols that rely on these
sections.</t>
  <t>Amplification can never be completely eliminated: an adversary can
always consume some resolver resources by issuing queries.  The
goal is to make amplification predictable and bounded.</t>
</list></t>

</section>
<section anchor="iana-considerations"><name>IANA Considerations</name>

<t>This document has no IANA actions.  It does not define any new DNS
resource record types, EDNS options or protocol registries.</t>

</section>
<section anchor="privacy-considerations"><name>Privacy Considerations</name>

<t>This document does not introduce any new mechanisms for collecting or
processing personal data.  It describes behaviors that affect
resource consumption.  The analysis does not reveal client identities
or change privacy properties beyond those already inherent in the DNS.
General DNS privacy guidance (e.g., QNAME minimisation and encrypted
transports) is relevant when mitigations are deployed but is outside
the scope of this document.</t>

</section>


  </middle>

  <back>


<references title='References' anchor="sec-combined-references">

    <references title='Normative References' anchor="sec-normative-references">



<reference anchor="RFC1034">
  <front>
    <title>Domain names - concepts and facilities</title>
    <author fullname="P. Mockapetris" initials="P." surname="Mockapetris"/>
    <date month="November" year="1987"/>
    <abstract>
      <t>This RFC is the revised basic definition of The Domain Name System. It obsoletes RFC-882. This memo describes the domain style names and their used for host address look up and electronic mail forwarding. It discusses the clients and servers in the domain name system and the protocol used between them.</t>
    </abstract>
  </front>
  <seriesInfo name="STD" value="13"/>
  <seriesInfo name="RFC" value="1034"/>
  <seriesInfo name="DOI" value="10.17487/RFC1034"/>
</reference>

<reference anchor="RFC1035">
  <front>
    <title>Domain names - implementation and specification</title>
    <author fullname="P. Mockapetris" initials="P." surname="Mockapetris"/>
    <date month="November" year="1987"/>
    <abstract>
      <t>This RFC is the revised specification of the protocol and format used in the implementation of the Domain Name System. It obsoletes RFC-883. This memo documents the details of the domain name client - server communication.</t>
    </abstract>
  </front>
  <seriesInfo name="STD" value="13"/>
  <seriesInfo name="RFC" value="1035"/>
  <seriesInfo name="DOI" value="10.17487/RFC1035"/>
</reference>

<reference anchor="RFC2181">
  <front>
    <title>Clarifications to the DNS Specification</title>
    <author fullname="R. Elz" initials="R." surname="Elz"/>
    <author fullname="R. Bush" initials="R." surname="Bush"/>
    <date month="July" year="1997"/>
    <abstract>
      <t>This document considers some areas that have been identified as problems with the specification of the Domain Name System, and proposes remedies for the defects identified. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="2181"/>
  <seriesInfo name="DOI" value="10.17487/RFC2181"/>
</reference>

<reference anchor="RFC2308">
  <front>
    <title>Negative Caching of DNS Queries (DNS NCACHE)</title>
    <author fullname="M. Andrews" initials="M." surname="Andrews"/>
    <date month="March" year="1998"/>
    <abstract>
      <t>RFC1034 provided a description of how to cache negative responses. It however had a fundamental flaw in that it did not allow a name server to hand out those cached responses to other resolvers, thereby greatly reducing the effect of the caching. This document addresses issues raise in the light of experience and replaces RFC1034 Section 4.3.4. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="2308"/>
  <seriesInfo name="DOI" value="10.17487/RFC2308"/>
</reference>

<reference anchor="RFC4033">
  <front>
    <title>DNS Security Introduction and Requirements</title>
    <author fullname="R. Arends" initials="R." surname="Arends"/>
    <author fullname="R. Austein" initials="R." surname="Austein"/>
    <author fullname="M. Larson" initials="M." surname="Larson"/>
    <author fullname="D. Massey" initials="D." surname="Massey"/>
    <author fullname="S. Rose" initials="S." surname="Rose"/>
    <date month="March" year="2005"/>
    <abstract>
      <t>The Domain Name System Security Extensions (DNSSEC) add data origin authentication and data integrity to the Domain Name System. This document introduces these extensions and describes their capabilities and limitations. This document also discusses the services that the DNS security extensions do and do not provide. Last, this document describes the interrelationships between the documents that collectively describe DNSSEC. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="4033"/>
  <seriesInfo name="DOI" value="10.17487/RFC4033"/>
</reference>

<reference anchor="RFC4034">
  <front>
    <title>Resource Records for the DNS Security Extensions</title>
    <author fullname="R. Arends" initials="R." surname="Arends"/>
    <author fullname="R. Austein" initials="R." surname="Austein"/>
    <author fullname="M. Larson" initials="M." surname="Larson"/>
    <author fullname="D. Massey" initials="D." surname="Massey"/>
    <author fullname="S. Rose" initials="S." surname="Rose"/>
    <date month="March" year="2005"/>
    <abstract>
      <t>This document is part of a family of documents that describe the DNS Security Extensions (DNSSEC). The DNS Security Extensions are a collection of resource records and protocol modifications that provide source authentication for the DNS. This document defines the public key (DNSKEY), delegation signer (DS), resource record digital signature (RRSIG), and authenticated denial of existence (NSEC) resource records. The purpose and format of each resource record is described in detail, and an example of each resource record is given.</t>
      <t>This document obsoletes RFC 2535 and incorporates changes from all updates to RFC 2535. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="4034"/>
  <seriesInfo name="DOI" value="10.17487/RFC4034"/>
</reference>

<reference anchor="RFC4035">
  <front>
    <title>Protocol Modifications for the DNS Security Extensions</title>
    <author fullname="R. Arends" initials="R." surname="Arends"/>
    <author fullname="R. Austein" initials="R." surname="Austein"/>
    <author fullname="M. Larson" initials="M." surname="Larson"/>
    <author fullname="D. Massey" initials="D." surname="Massey"/>
    <author fullname="S. Rose" initials="S." surname="Rose"/>
    <date month="March" year="2005"/>
    <abstract>
      <t>This document is part of a family of documents that describe the DNS Security Extensions (DNSSEC). The DNS Security Extensions are a collection of new resource records and protocol modifications that add data origin authentication and data integrity to the DNS. This document describes the DNSSEC protocol modifications. This document defines the concept of a signed zone, along with the requirements for serving and resolving by using DNSSEC. These techniques allow a security-aware resolver to authenticate both DNS resource records and authoritative DNS error indications.</t>
      <t>This document obsoletes RFC 2535 and incorporates changes from all updates to RFC 2535. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="4035"/>
  <seriesInfo name="DOI" value="10.17487/RFC4035"/>
</reference>

<reference anchor="RFC5155">
  <front>
    <title>DNS Security (DNSSEC) Hashed Authenticated Denial of Existence</title>
    <author fullname="B. Laurie" initials="B." surname="Laurie"/>
    <author fullname="G. Sisson" initials="G." surname="Sisson"/>
    <author fullname="R. Arends" initials="R." surname="Arends"/>
    <author fullname="D. Blacka" initials="D." surname="Blacka"/>
    <date month="March" year="2008"/>
    <abstract>
      <t>The Domain Name System Security (DNSSEC) Extensions introduced the NSEC resource record (RR) for authenticated denial of existence. This document introduces an alternative resource record, NSEC3, which similarly provides authenticated denial of existence. However, it also provides measures against zone enumeration and permits gradual expansion of delegation-centric zones. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="5155"/>
  <seriesInfo name="DOI" value="10.17487/RFC5155"/>
</reference>

<reference anchor="RFC6672">
  <front>
    <title>DNAME Redirection in the DNS</title>
    <author fullname="S. Rose" initials="S." surname="Rose"/>
    <author fullname="W. Wijngaards" initials="W." surname="Wijngaards"/>
    <date month="June" year="2012"/>
    <abstract>
      <t>The DNAME record provides redirection for a subtree of the domain name tree in the DNS. That is, all names that end with a particular suffix are redirected to another part of the DNS. This document obsoletes the original specification in RFC 2672 as well as updates the document on representing IPv6 addresses in DNS (RFC 3363). [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="6672"/>
  <seriesInfo name="DOI" value="10.17487/RFC6672"/>
</reference>

<reference anchor="RFC6840">
  <front>
    <title>Clarifications and Implementation Notes for DNS Security (DNSSEC)</title>
    <author fullname="S. Weiler" initials="S." role="editor" surname="Weiler"/>
    <author fullname="D. Blacka" initials="D." role="editor" surname="Blacka"/>
    <date month="February" year="2013"/>
    <abstract>
      <t>This document is a collection of technical clarifications to the DNS Security (DNSSEC) document set. It is meant to serve as a resource to implementors as well as a collection of DNSSEC errata that existed at the time of writing.</t>
      <t>This document updates the core DNSSEC documents (RFC 4033, RFC 4034, and RFC 4035) as well as the NSEC3 specification (RFC 5155). It also defines NSEC3 and SHA-2 (RFC 4509 and RFC 5702) as core parts of the DNSSEC specification.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="6840"/>
  <seriesInfo name="DOI" value="10.17487/RFC6840"/>
</reference>

<reference anchor="RFC6891">
  <front>
    <title>Extension Mechanisms for DNS (EDNS(0))</title>
    <author fullname="J. Damas" initials="J." surname="Damas"/>
    <author fullname="M. Graff" initials="M." surname="Graff"/>
    <author fullname="P. Vixie" initials="P." surname="Vixie"/>
    <date month="April" year="2013"/>
    <abstract>
      <t>The Domain Name System's wire protocol includes a number of fixed fields whose range has been or soon will be exhausted and does not allow requestors to advertise their capabilities to responders. This document describes backward-compatible mechanisms for allowing the protocol to grow.</t>
      <t>This document updates the Extension Mechanisms for DNS (EDNS(0)) specification (and obsoletes RFC 2671) based on feedback from deployment experience in several implementations. It also obsoletes RFC 2673 ("Binary Labels in the Domain Name System") and adds considerations on the use of extended labels in the DNS.</t>
    </abstract>
  </front>
  <seriesInfo name="STD" value="75"/>
  <seriesInfo name="RFC" value="6891"/>
  <seriesInfo name="DOI" value="10.17487/RFC6891"/>
</reference>

<reference anchor="RFC7766">
  <front>
    <title>DNS Transport over TCP - Implementation Requirements</title>
    <author fullname="J. Dickinson" initials="J." surname="Dickinson"/>
    <author fullname="S. Dickinson" initials="S." surname="Dickinson"/>
    <author fullname="R. Bellis" initials="R." surname="Bellis"/>
    <author fullname="A. Mankin" initials="A." surname="Mankin"/>
    <author fullname="D. Wessels" initials="D." surname="Wessels"/>
    <date month="March" year="2016"/>
    <abstract>
      <t>This document specifies the requirement for support of TCP as a transport protocol for DNS implementations and provides guidelines towards DNS-over-TCP performance on par with that of DNS-over-UDP. This document obsoletes RFC 5966 and therefore updates RFC 1035 and RFC 1123.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="7766"/>
  <seriesInfo name="DOI" value="10.17487/RFC7766"/>
</reference>

<reference anchor="RFC8020">
  <front>
    <title>NXDOMAIN: There Really Is Nothing Underneath</title>
    <author fullname="S. Bortzmeyer" initials="S." surname="Bortzmeyer"/>
    <author fullname="S. Huque" initials="S." surname="Huque"/>
    <date month="November" year="2016"/>
    <abstract>
      <t>This document states clearly that when a DNS resolver receives a response with a response code of NXDOMAIN, it means that the domain name which is thus denied AND ALL THE NAMES UNDER IT do not exist.</t>
      <t>This document clarifies RFC 1034 and modifies a portion of RFC 2308: it updates both of them.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8020"/>
  <seriesInfo name="DOI" value="10.17487/RFC8020"/>
</reference>

<reference anchor="RFC8198">
  <front>
    <title>Aggressive Use of DNSSEC-Validated Cache</title>
    <author fullname="K. Fujiwara" initials="K." surname="Fujiwara"/>
    <author fullname="A. Kato" initials="A." surname="Kato"/>
    <author fullname="W. Kumari" initials="W." surname="Kumari"/>
    <date month="July" year="2017"/>
    <abstract>
      <t>The DNS relies upon caching to scale; however, the cache lookup generally requires an exact match. This document specifies the use of NSEC/NSEC3 resource records to allow DNSSEC-validating resolvers to generate negative answers within a range and positive answers from wildcards. This increases performance, decreases latency, decreases resource utilization on both authoritative and recursive servers, and increases privacy. Also, it may help increase resilience to certain DoS attacks in some circumstances.</t>
      <t>This document updates RFC 4035 by allowing validating resolvers to generate negative answers based upon NSEC/NSEC3 records and positive answers in the presence of wildcards.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8198"/>
  <seriesInfo name="DOI" value="10.17487/RFC8198"/>
</reference>

<reference anchor="RFC8482">
  <front>
    <title>Providing Minimal-Sized Responses to DNS Queries That Have QTYPE=ANY</title>
    <author fullname="J. Abley" initials="J." surname="Abley"/>
    <author fullname="O. Gudmundsson" initials="O." surname="Gudmundsson"/>
    <author fullname="M. Majkowski" initials="M." surname="Majkowski"/>
    <author fullname="E. Hunt" initials="E." surname="Hunt"/>
    <date month="January" year="2019"/>
    <abstract>
      <t>The Domain Name System (DNS) specifies a query type (QTYPE) "ANY". The operator of an authoritative DNS server might choose not to respond to such queries for reasons of local policy, motivated by security, performance, or other reasons.</t>
      <t>The DNS specification does not include specific guidance for the behavior of DNS servers or clients in this situation. This document aims to provide such guidance.</t>
      <t>This document updates RFCs 1034 and 1035.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8482"/>
  <seriesInfo name="DOI" value="10.17487/RFC8482"/>
</reference>

<reference anchor="RFC9499">
  <front>
    <title>DNS Terminology</title>
    <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
    <author fullname="K. Fujiwara" initials="K." surname="Fujiwara"/>
    <date month="March" year="2024"/>
    <abstract>
      <t>The Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document.</t>
      <t>This document updates RFC 2308 by clarifying the definitions of "forwarder" and "QNAME". It obsoletes RFC 8499 by adding multiple terms and clarifications. Comprehensive lists of changed and new definitions can be found in Appendices A and B.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="219"/>
  <seriesInfo name="RFC" value="9499"/>
  <seriesInfo name="DOI" value="10.17487/RFC9499"/>
</reference>

<reference anchor="RFC9156">
  <front>
    <title>DNS Query Name Minimisation to Improve Privacy</title>
    <author fullname="S. Bortzmeyer" initials="S." surname="Bortzmeyer"/>
    <author fullname="R. Dolmans" initials="R." surname="Dolmans"/>
    <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
    <date month="November" year="2021"/>
    <abstract>
      <t>This document describes a technique called "QNAME minimisation" to improve DNS privacy, where the DNS resolver no longer always sends the full original QNAME and original QTYPE to the upstream name server. This document obsoletes RFC 7816.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9156"/>
  <seriesInfo name="DOI" value="10.17487/RFC9156"/>
</reference>

<reference anchor="RFC9276">
  <front>
    <title>Guidance for NSEC3 Parameter Settings</title>
    <author fullname="W. Hardaker" initials="W." surname="Hardaker"/>
    <author fullname="V. Dukhovni" initials="V." surname="Dukhovni"/>
    <date month="August" year="2022"/>
    <abstract>
      <t>NSEC3 is a DNSSEC mechanism providing proof of nonexistence by asserting that there are no names that exist between two domain names within a zone. Unlike its counterpart NSEC, NSEC3 avoids directly disclosing the bounding domain name pairs. This document provides guidance on setting NSEC3 parameters based on recent operational deployment experience. This document updates RFC 5155 with guidance about selecting NSEC3 iteration and salt parameters.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="236"/>
  <seriesInfo name="RFC" value="9276"/>
  <seriesInfo name="DOI" value="10.17487/RFC9276"/>
</reference>




    </references>

    <references title='Informative References' anchor="sec-informative-references">

<reference anchor="BCP38" >
  <front>
    <title>Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing</title>
    <author initials="P." surname="Ferguson">
      <organization></organization>
    </author>
    <author initials="D." surname="Senie">
      <organization></organization>
    </author>
    <date year="2000" month="May"/>
  </front>
  <seriesInfo name="BCP" value="38"/>
  <seriesInfo name="RFC" value="2827"/>
</reference>
<reference anchor="BCP84" >
  <front>
    <title>Ingress Filtering for Multihomed Networks</title>
    <author initials="F." surname="Baker">
      <organization></organization>
    </author>
    <author initials="P." surname="Savola">
      <organization></organization>
    </author>
    <date year="2004" month="March"/>
  </front>
  <seriesInfo name="BCP" value="84"/>
  <seriesInfo name="RFC" value="3704"/>
</reference>
<reference anchor="BCP140" >
  <front>
    <title>Preventing Use of Recursive Nameservers in Reflector Attacks</title>
    <author initials="J." surname="Abley">
      <organization></organization>
    </author>
    <author initials="W." surname="Maton">
      <organization></organization>
    </author>
    <date year="2008" month="October"/>
  </front>
  <seriesInfo name="BCP" value="140"/>
  <seriesInfo name="RFC" value="5358"/>
</reference>


<reference anchor="RFC8767">
  <front>
    <title>Serving Stale Data to Improve DNS Resiliency</title>
    <author fullname="D. Lawrence" initials="D." surname="Lawrence"/>
    <author fullname="W. Kumari" initials="W." surname="Kumari"/>
    <author fullname="P. Sood" initials="P." surname="Sood"/>
    <date month="March" year="2020"/>
    <abstract>
      <t>This document defines a method (serve-stale) for recursive resolvers to use stale DNS data to avoid outages when authoritative nameservers cannot be reached to refresh expired data. One of the motivations for serve-stale is to make the DNS more resilient to DoS attacks and thereby make them less attractive as an attack vector. This document updates the definitions of TTL from RFCs 1034 and 1035 so that data can be kept in the cache beyond the TTL expiry; it also updates RFC 2181 by interpreting values with the high-order bit set as being positive, rather than 0, and suggests a cap of 7 days.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8767"/>
  <seriesInfo name="DOI" value="10.17487/RFC8767"/>
</reference>

<reference anchor="RFC9460">
  <front>
    <title>Service Binding and Parameter Specification via the DNS (SVCB and HTTPS Resource Records)</title>
    <author fullname="B. Schwartz" initials="B." surname="Schwartz"/>
    <author fullname="M. Bishop" initials="M." surname="Bishop"/>
    <author fullname="E. Nygren" initials="E." surname="Nygren"/>
    <date month="November" year="2023"/>
    <abstract>
      <t>This document specifies the "SVCB" ("Service Binding") and "HTTPS" DNS resource record (RR) types to facilitate the lookup of information needed to make connections to network services, such as for HTTP origins. SVCB records allow a service to be provided from multiple alternative endpoints, each with associated parameters (such as transport protocol configuration), and are extensible to support future uses (such as keys for encrypting the TLS ClientHello). They also enable aliasing of apex domains, which is not possible with CNAME. The HTTPS RR is a variation of SVCB for use with HTTP (see RFC 9110, "HTTP Semantics"). By providing more information to the client before it attempts to establish a connection, these records offer potential benefits to both performance and privacy.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9460"/>
  <seriesInfo name="DOI" value="10.17487/RFC9460"/>
</reference>


<reference anchor="I-D.fujiwara-dnsop-dns-upper-limit-values">
   <front>
      <title>Upper limit values for DNS</title>
      <author fullname="Kazunori Fujiwara" initials="K." surname="Fujiwara">
         <organization>Japan Registry Services Co., Ltd.</organization>
      </author>
      <author fullname="Yorgos Thessalonikefs" initials="Y." surname="Thessalonikefs">
         <organization>NLnet Labs</organization>
      </author>
      <date day="9" month="February" year="2026"/>
      <abstract>
	 <t>   DNS was designed to have as few hard upper limits as possible to
   allow for future extensibility.  However, the lack of a clear upper
   limit leads to vulnerabilities, and several attack methods have been
   reported.  This document collects upper limit values implemented by
   DNS software to avoid vulnerabilities.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-fujiwara-dnsop-dns-upper-limit-values-05"/>
   
</reference>


<reference anchor="AFEK2020-NXNSATTACK" >
  <front>
    <title>NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities</title>
    <author initials="Y." surname="Afek">
      <organization></organization>
    </author>
    <author initials="A." surname="Bremler-Barr">
      <organization></organization>
    </author>
    <author initials="L." surname="Shafir">
      <organization></organization>
    </author>
    <date year="2020" month="August"/>
  </front>
  <seriesInfo name="USENIX Security" value="2020"/>
</reference>
<reference anchor="MOURA2021-TSUNAME" >
  <front>
    <title>TsuNAME: The Impact of Misconfigured DNS Loops on Authoritative Name Servers</title>
    <author initials="G. C. M." surname="Moura">
      <organization></organization>
    </author>
    <date year="2021" month="November"/>
  </front>
  <seriesInfo name="ACM IMC" value="2021"/>
</reference>
<reference anchor="HEFTRIG2024-KEYTRAP" >
  <front>
    <title>The Harder You Try, The Harder You Fail: The KeyTrap Denial-of-Service Algorithmic Complexity Attacks on DNSSEC</title>
    <author initials="E." surname="Heftrig">
      <organization></organization>
    </author>
    <author initials="H." surname="Schulmann">
      <organization></organization>
    </author>
    <author initials="N." surname="Vogel">
      <organization></organization>
    </author>
    <author initials="M." surname="Waidner">
      <organization></organization>
    </author>
    <date year="2024"/>
  </front>
  <seriesInfo name="ACM CCS" value="2024"/>
</reference>
<reference anchor="MAN2020-SADDNS" >
  <front>
    <title>DNS Cache Poisoning Attack Reloaded: Revolutions with Side Channels</title>
    <author initials="K." surname="Man">
      <organization></organization>
    </author>
    <author initials="Z." surname="Qian">
      <organization></organization>
    </author>
    <author initials="X." surname="Wang">
      <organization></organization>
    </author>
    <author initials="X." surname="Zheng">
      <organization></organization>
    </author>
    <author initials="Y." surname="Huang">
      <organization></organization>
    </author>
    <author initials="H." surname="Duan">
      <organization></organization>
    </author>
    <date year="2020" month="November"/>
  </front>
  <seriesInfo name="ACM CCS" value="2020"/>
</reference>
<reference anchor="DUAN2024-CAMP" >
  <front>
    <title>CAMP: Compositional Amplification Attacks against DNS</title>
    <author initials="H." surname="Duan">
      <organization></organization>
    </author>
    <author initials="M." surname="Bearzi">
      <organization></organization>
    </author>
    <author initials="J." surname="Vieli">
      <organization></organization>
    </author>
    <author initials="D." surname="Basin">
      <organization></organization>
    </author>
    <author initials="A." surname="Perrig">
      <organization></organization>
    </author>
    <author initials="S." surname="Liu">
      <organization></organization>
    </author>
    <author initials="B." surname="Tellenbach">
      <organization></organization>
    </author>
    <date year="2024"/>
  </front>
  <seriesInfo name="USENIX Security" value="2024"/>
</reference>
<reference anchor="SP26-RPROF" >
  <front>
    <title>Resolve the Unresolved: Systematic Work Profiling for DNS Resolvers</title>
    <author initials="L." surname="Xu">
      <organization></organization>
    </author>
    <author initials="H." surname="Duan">
      <organization></organization>
    </author>
    <author initials="Z." surname="Cai">
      <organization></organization>
    </author>
    <author initials="A." surname="Perrig">
      <organization></organization>
    </author>
    <date year="2026"/>
  </front>
  <seriesInfo name="IEEE S&amp;P" value="2026"/>
</reference>


    </references>

</references>


<?line 1053?>

<section anchor="implementation-status"><name>Implementation Status</name>

<t>This section is to be removed before publication as an RFC.</t>

<t>Resolver implementations vary in their existing protections, such as
maximum alias-chain length, maximum recursion depth, per-client rate
limits, query coalescing, and DNSSEC validation limits.  However,
implementations differ in accounting (what counts toward which limit),
in how limits interact with restarts, and in default values.
Systematic work‑profiling of deployed resolvers <xref target="SP26-RPROF"/> has
begun to characterise this variation empirically and to surface
worst‑case work distributions that the per‑implementation defaults
above do not directly expose.</t>

<t>This document does not currently track implementation conformance.  A
future revision may include an implementation report if such tracking
is considered useful by the working group.</t>

</section>


  </back>

<!-- ##markdown-source:
H4sIAAAAAAAAA819zXIbSZLmPZ8iTWO2DdAASKQolUq6DIuSqrRVVHFIqqq7
T50AAkCOEpmY/CGFqpbZvMKYzWXva7YvsaedN5knWf/cPf4SSbZqqtdsx3q6
KQAZGeHh4f75b0yn06TN28K8TB+9fn+d/lzVH9Oz7a7IV/kia/OqfJle1tW8
MNv0us1aszVlO0lvTL3Ny6qo1vtJmpXL9Cb7VJXVdv8oyebz2tzeO9yjhP7X
rKt6/zLNy1WVLKtFmW3p/cs6W7XTZZeV02XZVLvpHT08zcKHp0+eJE033+ZN
Q/9q9zt67N2bm7dJvqtfpm3dNe3JkydfPzlJaAJPk6w2GU3kx52p+fGGp3qR
ldma10GT7dpNVb9M0nSarrqikJl812X7PH1NM6Ev0rSq11mZ/6LU+O77D9c3
o2//PObvmrY2pn2Zvq9mx/RE+sfOpFfLSfo+K5tNlr7O6Qf5ouXfLvKWFv0t
Dbv+ZVN18lm1pBc+Oz4+ffZUP+jKFsQ53+Rlxh+ZbZYXL9MNZgXy/OPmIy10
uv5lZpbdbFH2Zv9DfmdKmsjA3N/cfJf+uaMJbaLJfyjzW1M3efsf/7Olz7Km
MenzYMp//o//7Z6RCb948vVJPN3ru7z9xdQFUTicdIHJzD51/0h7PTPt5pcZ
jxPO92xZ51mZXpq6ztf/X0w64xnNdjyjaOZlVW9pWrcGLHP19vz4ydNT/+cz
/fPk+MWx/fPpkxf65+mTp0/9n6f+T/vYs+Nn9s/nz786sX++OH3i/vzajvvV
V8+f658vnpzYH7w4/tq+7cXpCzvC16dff23/PH5mH/v65Cv6E0cwWNI355dP
eYQ0tVLhvWlxENN35bo2TZO+zYvW1Hm5fpm+NitDj5Zr+qvMsyKtVum1qW/z
hUnP2jZbfGzSuw1tAhF2V1T79N1lel11Nb5eLnm0611VrWiER/xOfxzxf1MS
EA2Jn1n61tTrrqnK+IvXM3pbmRv+dElS5WVKp//J9MkzYRSapWmwQDsgrY4W
9PTFI/03UYH+ffLi5KtHsvYXp/HaD9acErXSi65o8021NctUidM8MP23s/Sb
7KOpDxZ1nd1WRRZP/nT65OmDk39xGk/+6VdPTnXyx8InfvaXJIdJymHaH+hw
0OZcmUVHR+bWkHzaGnoHThBNiL5YFWbR0uJ03x5Y0H+fpWekD/bxpz/PSLC2
ukVuPS+mx08eXA9NOl7Qs6fPeH/Awl89/8qx8HNe3Lvp69mq++f8Lqsz1RL0
39NuR2d1WuTbvJ3eZkVnGvz47O2b70/ocEzf//H99dnNzdn59z3Wxue83pcB
aaC33pVmRUonNyX9v6iNn7qiJD0yz4u8pc8eINCfiEAr8zH+8IzYoDbbgub5
TVb3uOEH4oZNtsrriHo08ycv7qHeow/Xb96/+yMdAJo2ybtHYGR6AtO6+PHD
1Rn943h6c/3h/dnFm3jVN03HH6Y3G5O+2+6yRQveuMibRVWu8nVXE2ODCD9U
1a5JqzI941XmLYsJZh0+5sQ7D1Dh21l6TjxB/6ETH7M5zez4+L6FnZ1fpO8u
znVBx3jDd2/e3ly9+5b+eTr9/s2fbq7OLntLopV8l9VLU6d/qrr0piZU0vvs
LUt2fPi92d/U2U5l1rRaTZ3MKtZY5mabL9LzikSW+USkdaKMKEFkuX5z/sCq
38zS78yqtZrMff4d7fBi0xXbrOxJsfez9KdqbYr4U6Lbz1m+LE2PJU4fItv5
+bWSjWXCxdl7ZqLrs9c075hi2N/zbEHkuKxykqwQErJOOglFlS3NEmeCJFQn
yIk05Sa9zpeGgAmtwRQP7f33EAa9df55lv5T3v/wj1hmuT748M8b0/+UTtV3
3cFvia4OpwXn5mH28nTi8/L6AxPqdHp+dtFjLP6EeaEipEGEICUXwVnHHNk6
owm14JAHCBNON9zrb0xW/5IfyNmfclP0Pn0NdUJLOpAuAX5yH1/PCA128Wff
zAi9F4Up55mio7/NXMPChpns+vLk+fTq8urHtzHlrkxTFSQtWmKxD2Ut/yKe
ut43ZEQQ7RZiHJBxsSKRqqoVbKlPPihcSGD+sfsC0hLTnWf5Q7Ryi39+3+Lf
vXnzJr3+b5e66uePkmQ2myXJdDpNszmgJ+H7JNYftV1DSjZIaj7tSLmSVG2r
dE7Yc8lUybaAoRC9j4AhHiWkwwDG6Hd3xP6kdJo7AR1ZuihIFbXpv3Sm3s/4
DQ0N6biwSZYkvTtCKk1HaIvf0aTzrk0Lk9GUPpo9gd5yYXZtQ/baggEwRq67
wjRswSVNtjIpq9Ampcdp7vIGsySG2eQNDWXusn26yfAnr2UJBL6miSU5hCVM
qsDO2hLqoQn5/eZp4a3LHMqVUNQkoVmRsKSZ4nMMyUL5P//136oV/VejgjnT
Q9ZusjYVi3DvaJwwPMUbN1m95cFNDWqBTAsc3ZL+1egqyNzsMFF6U7OgN5sm
wWbs1MZtSB0yVMLDMnB43GfpOzxJiBXPeSOYmVf3ACvhJ/1+LjvdR3xZmISn
zoIVLNlmtDMTGvaWJC9p3Cxt1ZrGRDAUkSKaRnIbg5E0KyrsJg3L6JrJbxYk
qPNmm2afdI/p/7Ni39DUicGYL8k8Zfh+wFDKONFbaRa1KcxtRhs+N5vsNqdF
H7KK8TQGvZnMOzYw0pyIV9Hry4q+axtTrPS1e2xAWy2qIsWs17QkGruyhjtJ
3dr8S5fXzGONHr5tvlwSMZN/ILjW1tWyWzBtkoHVbLAYphEhxxLcC07yp7Q0
957OpLeX9Fd0HAGfK4YZ9DxB+nxJp6rMcFQKBlAgPC2KRHZtsoXMZ9QYk/76
q1qQnz/zj+y/n33+PJ4R1i2JKHgAzGFZJw1YZ0HSznwy9SIndL+FUUKHkKZD
fInHaLGOB5r0P//130lcFTmdXiL1wjCfgukKsxZNRoIMtMiKCU20rS3uXRFw
quiLCb1vseGHBAWlhLTzJT87SU27mCWk8/dA643b1VVXLnQDHcd4sWT5NWAs
TI4oDKZOYtYCQ+QlyYuGmJaoX+z1IJJSESOTV45XWSpD9rKoM8ukrWjn6QTI
Fk8gYmmba14ii1v5IfECzcq0+EHGRz0jwspQkJAiK/k7TIW0XdcaPKPTJ3pk
LAw8bxFbKMWJb3+8BaNA4GQEFho68jVNeE/qv+FNZvWDYw9hUlQNgXHZBswq
q2mV9AfPCCydNJvqrhRmPrIniKgJqUdbTfMBsbMl72tNgpWItoCbjciZRaD+
FxKS/KKEmfoxvYXkZoN5tqBqcwR2S5c1fkxzwzZVNW9t6zeSadJtd8xPIvQC
WTdh340ISJxR0rI1UaGmc0vLJI5/8wnyxsAiXRQdQc1dNy/yZoPZigZIWL8R
D3vTjY7NgKH3+TNZAGLo0A8OLCL6OrF2wK+/DtgXeB5kBwCkX0QQ8fNnEXPM
n8Uei4zkZLqrwKBwiEBtZqQiC4iJjagl4gesngRjvi5fhgd6m+0TOo4k0klh
4hkVev5wdzuQMNvisJaN8vkED9rja4IjnTji6m/ojzariSNaEQVWL+A7Pc20
h/V+11ZrIg2dKrButWr0gF+HUjVdZyrdStYNXZlDRKbrjsYhjUaHv+YjRrtJ
c26ABfMmpNrC21jzPfCCqs6mBQ/jCSc0NpkVsTsyT3MyWfFieoosdNiXa4zn
8EgIcfA7hjUkhCuSpTTlRV0RVOphFjqcMUDIxEVlGpn3osgaPpnZLUlEUb1E
tUARk9FZG8IeNeuShFUsserR0SGOODoidj8b1O3xkLRPRXUHMidyBIQIMDDX
pv7Ck8iy356cqmtZBCZWQrEay8EKvI13YLj5vsUH55cfJmkgzOgA4yU8nmIa
BU+qUJg+FuVEWnKUz8wMr4hUmEU/qu/acAMmKRPuCIeI3pLYpTW6NsbJeRG/
fnh4ZgIMQ3zIso8ImtyKw4tm7Ii2zOnFjWhoMnZ4jNMxccbPBzuoOLNJV3W1
Feag03JEpxDYFoxQ6AAMvKLN160kSHrlf7ar6dTXOZ16/TH0QLwhONpgccEq
JI7NJ9F4CaFkEhr8qna/o/cULD0KGSR1alZ5mvSzuF1fEYhq87WiJGWRhBRH
DvStP7L6RxRCDQ7gA8Vf6YCsgtoN6EtbCXL1ZaJbnigBmliMz0WSkI6b73ua
gRavg+2V4/LaK3s+XCMzWxN3CavBfTEJ0ImwMXQbIQtaVyA7haHHIgWh4OaE
imlfF6wU4T5lxwedGUcyWp7ftSQkHzACBJ4hMQgc1nTqQ2yxBzJtUtevvCHE
c1ch3xCWozUucijt5drca6lFsDgjM4EwPcnHclnI7CDFkhCCi5hlSUfUIc5x
uP+b88tAXPNBd/zoV5YodX/9lcMDUI3854tTqyX5n8enTwBcIUZNuq6ygqVl
G8vU2rxMkiOx9ADeYOzcb0YNG2ETsswFIVgBRPYE74Ce5QPTKhJ1JKYxJg0i
dJYlyN9Emk3WNXj8lZ0mW2WY512FE/QJcuRv2Wdp+pssNC93XjGf8pvzJUAE
gegvNNbopfeZa16PjqwasDwYMhkIi4mxK8BC33HPxJu4E0GamE1oZk/iryWt
k7b/0lpyq/yTgteQYz1fedbDycGIRM5mQT9OwAcR5zBfV8AQFYk3OWtWQS9h
goENwOhEUKK/Y7i/aFT5voDyfLH7y4Hmh40KngLqNKRDsRv0e9rCdWd6uIEY
Zy3ijxQUHUSGcYW1FaGwW7Zlt2Zb1fDC1HW3E1eCrihvms7wiuBGIVWeQfcB
uNOa9kIbAlLVmskH5S8q14L9AhzqdrhJ2ERaspYA48xgIAfx+iT5UBYQ2RVk
1R1sR1oq9hXj4jA2Qk+iSGNVGM2h84ROGlMy0BQPCn/MxisijYSOccKPjs4D
9f/y6Ah4B6wrMro2C0MiliFc5s8nK1MCEG03J150H0NNM5RckvxUBCzoQt9l
fYbBe5xmEd2kBnwTCgg+qCBcsRLgErvZxGGktkjDEWvMW918zsDTQ0Oj3zFI
dcrQbBtDv2jsu+3DtPcy6ziuIuG4YAXygYxGE4kNNpyQDHkFdPabloEPbDh1
88Bz2Fhgx79FrF28+LkajPh5SL5YaPI8IMkhhOoIVSneErnQZh8NkzHaR3qH
AwyAKtZ70SPwWTAsC3WFawD1dJQZJWRM9T5UZfNlmpfLbmGW1q5pIMCGPBrE
UGaHp7pPJI8zxgjVRzKmLHAoXTgUu6mYZkU2z0YlmLo82I8jln8t7qYxtEur
k+I0AoYXOMfpiuY+h4nq5B/ko1s2FgTMcbQgZUlnyRwFXhwW/oTjQpJhL0dO
89FA+h0mQO/UtBiS2FUZEj0vp6siX2/aIeX4KuVYAnPEQow0IzpXNWK22zGM
VMHTkCXGJ14e752/e067IaHfHhx2xrB8rntnPRs4F96HOrAIi3pSf1oPeF9G
8Ubd6OzxGf3fmN1ZZPU/fn39+D3t8RFPhuT00jlN9240tbtkKUDfrLUDC2SG
eHW8HQqf1aPmXVLQwo3ZZbW120IO93QFY7vDqLFaeM3zsruXHqnoT0CCowbh
2vDcHanZxI5Wi6BIMIlzAt6KlilGFMfhxYHouQ3tqVlVME5lFufsauEQDv2h
9hyphBQOTjAYFMtETWlSgiwdlo6t3PozG4P9Q6PvtdAWAZmmm4vPTV5amjuZ
qq7XLYM/nJtcIRdCT3o6azM1pSZzMD+LV40Xt4SxIaKbhw6IgX29CeeJg1sb
UorsFqXhxTRW34ITSKzHTSZ+O3zEUwByEptnubRhRT5zTtYvLJPQypQXXnvB
BnGmh4xZjcewwn2YIxhE8kEPFqFbCr5U1wVMCjrzoksWnbhZuh0cQw1c9lj3
kv1ESTp8ThuiGCsnYrC8WIqaibgh5AUIsZgbAjYjEiMeeIUh3TzsxtlFEJ8U
ecOe+tTPLrXJLaNH1z+8u755NHY8UtK5deuD1xG7s4yJ+1/fpZ+96NQdQmqK
35Gp2xGsis+y+p0ZQ4IcRSH2J6HJoWihTiHcRsU2OoVv+qaM1+W3Dg9VC2AR
cX0fHZGMo98wPpa5J6mdWIqoxcbuvs8QYRcAbH2McGA96fiTPsc1LUIiZOlm
5TLayZ5A7x+30KvRdjVLVaimutrVOfabeLeqrTQRcUdjjPxz12+ufnp79u6H
8SsBLuJ8J2xN/y0eg0A1wSHKfmd8I+hmSa/aqUBhYGPJfZF9YstCqKubHvm+
WIs0TbXI2fvknLh2JHqButmtHu7smfSqUmnL2xDqZ1mMCPv+9jQBU04f8DJa
TrWWmzMX6T9I8etYdLjIUqXzdL7J1PomJ+ltnqWDkYhIWCSpREqIMo8rRQ0u
1DARewuy9Yv8m9hnBwx7nkvx7xw6CocRKbDZ/Z78akX/oH3IFqae807y6enZ
4hXRfQJ8SbID7H9f2IoZVSP1zCA9Xw/HJMXTh0g6jTTsGVd/eDYvAMZg67EX
Lr2oSKYNei7nhG5gDMDfVOX8pM04cLGivXjDCJ2lo+MxHHJFR6jccLA8lvt2
I60CcJao7FHRhgHwAO97QVgpOwV2oEMWjieFKM6M68qu6fhgc4CFo7SC10Yn
Y+cfHxAtap65wGnLRrifdMbGVAKTHW48xQDO2iMany2ADsE++0nfv9XAMR0d
CcmcAtn8ouh5kyyynXMPvVSD0EfqekTOy13XNnxOeQfs4NgljZL5PYA8GTqC
HHayAUooQLtIF/3j8RYbMG8onTx1NG6+hRmkeMPtULMv2+zTgd3MAUexV7yW
tSYczuqaWCsdqXbO5g34DIoOn49dtBkhMRBm4oAcdgFaVGclxmCorJdmZ0g6
lgtn7wGIQG4Ry9n5ie0RBzvtgMr0AepDugpcW7SRFgWTkS/6GoddQT+mX+3s
NIjkE9VbokAEaal9oWMip6bjNF22IbtSTquVXUJzPM5kXrSq1tjNrWL+Rrje
od7OKf8DnhHx2rMtkQABXMKqk/4Rskj/HIROhY2yiz1qQvdGvd5sUXu+Fk62
XAJFOwds3uRG3UH0foYGdlbLnLaa5CaEqdnOzZK/tathBncElAmBN83c6Qr2
v3FqP6uEgoPu69CC1g3v1PwdOPPXJDF7YlTiR4yIhaNoHZF9yDoFc7Wu22Qb
5djyqXt1z0rkSELyD8t9eBtzFt1iXu5I5qsOeM3kl3CY2DgLUxLxq0nMB6C9
Py0cRLg1KomkcIWMF5qK0giMZMqqW29SS1fikYYwScZWBwLaNTtjaOEEVNiu
rWphJXObIZ4vqxSuixDKhXV8LCp1lmCPB+yL5jFTBpMRcSFhUsyENGEGM6/v
CHfgSo0z52QRGgMlyNATTSRh1beH/4lWumVxyhN3wC30Z0fLuL4v0Ib5ykGG
X1lDPmw33BPgcME3TIbELEAeLUNy5TSq2JtnTF5CGYbVHft36EgW1Z6zpzSe
4F4gkoVUK9EmFw4aAA02OBagn/leHdwkXRtRHyTgialGc1Pma6RFJcHJJ1FO
yIPlzlB+kZwjze0DTayIiNzynDomWhZKlqMctL0bD1xeBR9uszLfdYWsIG+i
GAMtBfmQgCHVKqvhjcn5zJOMAdLAmh7LevroBAcHOZ11ztqBuJ/rgorE8QUy
fVarKU8CzvjpQpKmXSZjkC4cSk5VKddnr/FN8uuvcQ7358/jg1gJB7MBb6y2
s3FY9j3YKKw4Se1rmOVYDXBmsxGMwqEhzDbV2TaIvJoSAMvaatUcZ4XlTtPV
KyRLjlg/OAAeekMFfifeR9GM1fq0xJHxjIpRZGFywOIf0kuHvH/i2HYzINeE
mJE7dnJv/qflYGikI4lG749SDZyPbPhIIgZeo4mcy2rJqyudqFRrzCzHs+RH
Dk0Eb2LBihSVJj2y9K+bI1ZDnm1g6APTMELYZmtzGIcStdEhBao5gJDbLZSQ
zJ+UhgORN7H2Ske6WP3tmAFBFkQyYORJ8CLwl5HVAmhkla/qRGR4iiPSKpGG
NX0fSDgrNrL+RRVo9sahbUc2W+DePswyHE8E9kkMRXhLshKDvZpYm9Lmuahx
CbSNwsBZRKRBD9YwwcrhHzOVLHFSzl0gGMrJl3AcR2mAawOTu3VAwh7KwO/L
JOJMxbztk9r7MsQ9MIgb+mZ2L5UCDjZnLtyjJhXjS1ZCtAIaj4MisjYHrzku
0Q+kBEpQwfdYwnvgCKGs7sUHgrW34qMlg6JesvSu2/3D+9EPj5FioOk5b0hA
nv/RONwu2WptEPvEmyRPQY842dw2HNEFmg8ms0Zew8mk+aqX7G9jUpwfj8Mj
2rdniHCAvwW/sKtaqUcCS1ipCRYiL+JlALCMBVPN9y5OpQ+zGeXjG7sq1wS4
NhhmrExlZw+GE7/GfQwOB3YIcbHzdDQ5P8hIyp6m6TPZ6DQKKm2VpEINnZcN
fC7/mTRH2fa5k0GNIvJRIB9lto3svCZvHMKTBo4qyU4qPyKdTT17IilWXaEZ
4/Pqk2fY92c37KVc0V7d0eFqJuzzS+dZAW9B3RBscQmMmA9tok0XgnwTLxxR
w/s+YafAGyk2kmIhXZamx2yrprUi3DKU3fmsNuGhC4LX6gg+VOi+BGIQMtsT
zSF3K5EBgsEd94qiWcIZeYZDHGyo3xmxXa2bVfUvx7GK1bRXKSG6LFJhSfCU
5M1V5a3Vqi75qF93MFHEysJhGooGGhH6J16EOGc17AyQSx/b/DjHhYQwNNvY
lr1dq5HUyA65FB9Cdy4V0NX7NA7I5Qi1Dqf12E4HoKVi2cYl+1W3+ZKzTMqA
d5BzVkL+tUg1wsqs6UY8KlXxjWiZAUkEDODTFp/OjnHWOSXfDaJJ4yTMyqV/
0p2FYeaxfCNOe7O0/IFUr+PZEODwwbymN8nxjD3NgXdMIDOnKXIht/U33JOe
7lLCyYwxBdxbmmoDCe+CG/QZwzYMGOQksBd9h5jtrYlcOUSobwLN7ZwClX1a
9BqG4+wJoEOZ0sh6r6WuScDSuGdoqz/fuxaiedFbBNZpvJNzDOAEtwndzl6N
3GcqEzDUPyHkSqTY5iUZo41NuCQsTb8ThT0UAhcx5vK+BW9hPOtqm/WCMMIB
zX1BmxTu60IzsayXA+MF4QpbEKfoGQUo6zpbBlpEnJMCqZ3MPJn9LcwWf3ov
42E6bl88L2VhADAvQ//toVtGzQOyz9I0ktrifepr7sEJO3WuZw9D/aVsjmeK
jIwIp79M8OnJ4aez2WwsmXik7dq2YBRfVgwCEMboIUeOUzBSJxYhq6r1bB56
/2LIyuO80di1Wr6IQNkzgSU6xKKLh9R1/JVwQaWYbDy0pFwcaBqrTx6gF8/l
bL2usUnAE+rKiSY8CUdRsdUEysGnB/POKXA8sEMi7aZbFZBNU7yJK5/OvgC9
cup5DHMkA3omUVmGYE5EBw4Iq5DSE5cNGKwlgJQ251xGEiHEJTNhirglSwCX
BzLK+uvGgBrAjxhKYF1sHPBWD82LNbG8PqQ7ZvAwXJ/wnJTp2d3EalM8tzQH
IvU8y4v8Lif9zfBX0BKQbxO+Fo1HLFoGJNsLjoHpoqzJEpm2ijBJeIrdAAER
HMDX5QF6Oqgp/m77lLIA55EjZ3a94fCtBynLisngIw0xKf4NY/WkjxKoxi6X
YCMNwROanKMaToVCJUtlB5Z3ymA8X9DH5QKH2WpY0EHtTmROs38HdQkYTyOu
GsooTZBYH1Z8MSj3TiHA8aW5lYIczo1W0sEtJDmrQZL1z5JkHQdnex051Hti
IZZW6YrW9anbUqnhxuCs1nZTY28qPmRB8rxNDokrcrima254Q5jWQZgkOTry
WDCaLD/S0JEHBY6OfO63/6KxBY0JfWJBiWaIgYJHKDs88mAzD2Ubw+mjTXV3
BLuSFuG+YtwuhanMppmkMXhwKrhKECkn37IBN88aGoUtGESBfX1uQULJh7vv
T+9WmH0tTkr62Q/wlNsouVjcdo8Vc99VXKzs/W0aAJ+HKdAvHf4QMmNXR1fj
xBV0P0ioibrhMUZYIo1BLqJBmJbxJnJYk08/Nsd4Dxcn2YXA37uyHXrz7sRR
INaGS3C5tleKLZn6BxqTy1ZdYRDbqMv8Fu3Bin7pQcJ1Kc53FPNuBgtkiiT3
PSfXSU4SJ6yBJhB5tfR4StpwhwJ3M4350ZidnLSAqzBwyHDiEUiY1JKzLvU1
EF7B7OU8kCiZcgpRKvm2JIVa1wdAjWj+pQSAtQDAu0cxUV5PUAoMSUvcm28t
UyXe7pqxVcKp+KkPXmuGBx0odD2YG/pbHdac8y5BFROU0tnoHHZ1y25pRit5
GZSy1lrJy8FILXbh3yQEWekjNLTrV78DQb9KzdaIJz6o6+a8uNLOKln4ViWy
6CL/iEQyNmWkmDQIkCutc8h7TvKpSSJz0qrqOm8FR5X8E6al1n9obX+rVT+Q
PfB1So58xgnxTqjcVots3hXA5QMdE2IPwkGTA6LGRhx+JYcUSxLS7O9BQHfv
4lcamBXpc2VlQKw6fuCFa47tcTp1TUemmrEVdUAcSOnSQG8j4UaEkhq2KmlO
c+OKCqMj+1ACc1zS5I21ac+FarMhprUpmLPc5/3cc9X4qFY7pgPEGI1FiZhn
mks4JFc0ZQ+HjrNpF6yBSTliqnGIoJesfEKE/NlXK/5NItZayi4Ryj4Ml0E0
1ANZN0lNzhzg4rDe0yB5yiGeHfPx8vUiPQvR2/Z1WOGqIQqe5XioJN1jN8FZ
MH4kRZVrrBlJ2n9KVN4E2d/olHl+6aGWpFgH6R6WlE+JlGg71GmV0SEtb6Kk
UMROEEvO2CeyKKoFfKSEQRHoBcXVZxREdw4ojgyAfL2hVV9mdSMoW9bnFj2J
I1Co3qYv74iqQfKM8FBcRn4QzGm0l8DVU7vkU1rydRuERyLGsVEc50npbT3N
CrrnkI3YTNDqK0ae//mv/658JPHyqATFV8xbpxjSd52HI7ZuFvB+M58BwHIH
ulv2eEhMit/GBQGn1se+0BI1Gv7qeEq7zPpFiCyig6GRMBCXhKUuSXsp+YyE
MpHv8/7HmzcvcbbBU3TyDkOU4npFGPITywF2Bbr4s6CTBCIhKDZjW0bVbqDg
X/p8SZYk+S+Bq5Wxik24o5nY8sDINg/MBoZf/GWzDYt7ElfiYqsL6ijENObZ
uRcduxdJAqBPy03R1S5qR+TRj2ZZpg7X+tJLURgXDhOGOuICOuKM3XNaDM19
FMhUR630QhLzYhVDxvu8YGetraAISqn5aQsWaMJSPSGFRvhLfIDhgmmQEEly
dQEelBhCr1VKhj9bL7S0rRPiJFzAVJhyjX1HgxoOT7VGo+fcRqm6O3TZSRnQ
sl/gMBPyQPK/HsKxHHDzvkcofHCQZBy/48pHkKfOmTpsxAR4WKildQlBkc2h
XKZB4ADgwsYgv47Yw/aS8p6CYD7850RTV8xOQmuLPcn/RVwSYKUCzlFuDVpL
1OCXxLCwCGtVoh4ODNYgwfXL7lnXBssEEfeqH+WyUQQBvhyQU83O0nHKoUT4
fTE9lyiWWuQx2OvH9YVgJ3IaupCRVy1lncfPnn/+PA7To5xf4ABByLElWmou
HtIZgRbZewDRxQwD/XZtC0YKy32hngzwx+HpQsAOvGJxRKtZ9i6ZqKjW+YLo
9SE+GPJL3TnVUwHO2VUowDdNkCLJSdIM7dZ1ddduuN2Tx0I0gF04i/IgFhzU
DlecsekPsA2tIPOCxBLCuUADSLkUiGthHP/Emt72sJ0KXlXhq3EPHRv9A/aa
CayOmEBGHeS3eyGlSgheZMDqqmucFipdxMmWYnHQ2CsAZ2WNpPLUR5IQKnXm
BvDUDyFegkzjllGKlxiHceWdgCv58vXZzRmqUGu7MfCWZQw4GKVgmLAVlcRm
uVWV5JEJ1Z5BRPVRiHV9IJkqkuX6y1wbi4mU8oaTU1XuBEsRoYhwrVkijcVz
CYFQNFeb5vbhYeltW1XpnOy7WZH5fBHXNCIQ9hEEI47zG+/S5cF7th0Fyh+f
gqx0clsxbpZBSRW6CEq6dWXdPJzc67umToOOPjpbZ7LzJjwHrGVwlC01VRqn
nrsU2PBpxjAmqkHm3H+IeJxtToK+G0jJY9QluAEqDJhs4vt7sTiFw7F1zMSp
dGWx5yQQ6Y6lHji4A9QLKzy3yvmYLqQUirkzr117BXj/Mpw9HBtXPAoBItY6
wCebib48qpa5aK44SRp2iGZtRq9+z2L61jg21n1yGkxqIVgtQwm4eUi9P1P6
K6L0G1ugSurPeq198LeXIv7e3HHGnKtqBcGRVgojQrolQbgUzvaNHAma1WIr
btjFxStWJ5c915qJIM73yBeh8SN8z1GmuUlckHTJssEbt6yvLZQIvSGat8+x
GsPvp4dgnktTQS5LDfr92PIb5xwyWY0ONa7XhahxEnFaBSXMUBEo5QLR4f5N
khdOcHLAeawdGJdhWsEzdlCWNAMpKur7lIezC6zzRpznUmQiMNeF9bnlTc0b
Lh6hCEBw01VRAI3z1HAQcBfXNCXZdp6vO3HCsDqzBZvWGSDEtGixlOQnI41d
jKCGg045nAITVPDFSRkX6jSks/F9iR532mfXOvmda8+nUqCSPmhnf4SF7Byq
zGgL7xLkDEw/8oCHDiffZrTSWL1PAYmbkUgOjw4Pd2FRdOzrY6dX4KbyDsZX
oY/TdrMTq5CbU94iR9pVIrjqpOCAeDYnUv3Vpq2MgiXzGRqnf01vlBHc3iiv
+G8O2OivNCSaakb/TZ8Fjfb+SkbXBBbeX9OLk0lKGA4/sF328C2+oZ+QOYBv
bIM9+uYpvnnGn3JHPfx4eso/x/8g3HPGJ4PL7Hog5ScttABjxR3o3jD31v3Q
j4ahmoNd9Ik8YRckZFrHRXzawurQ+y8bdk8rv6TXHMQWwxT5nP2UaL4oQbrm
HizOZmLiXCxBy02XVX0Yr9Oqt7x0WZk203+cHAAe13UmEJoQaYNtB7naPuMs
bMkwy0spNOB8MPXCr+hQNKx5OKib1QSTTc29XrWDkYJj+sFRROa0RSU2hBRC
Bf32gdJw8rAAhicy2A4w8Z9qk89Miqe1IxeP1eve0wtfRVKKjUnfv5itbQlE
uMI/y3Hwm3GLjSbdFdnCddhFM1ROy9ZAr9UwQW8nWFS8JtR72hosNZa0kF77
6aWR9/SVH1ULSrUraSfBbwaFWtzIao516ECr02AgGwREVhOxDEo4ynHUDkrR
5SuYuEceHlv9GNYI2zRwVr2yROuxgS+Gpbv4nQAifXm0g6O9qlhBIGFo8dxl
D4rZiQYDVxZb+C5GeuqlMbCrm3WgiSh+WIIDXg4QuTg9MnU1aZQMmztRH4Ud
Cxzt5ESzYJcow8krs2NS8cIIS7pHbLIV8Pk8Q9bAXdUVS+ECwMytdgFWb4or
SS72qCcjhpJWckpaLtIggJZDZbBx+AlNkt4CcAKOSIiLA8z94lV/UpxORRjN
obUEfRZslcGlple5G3FocosNxPRIjIDW2AJRLlMZ24otbJI1GBPNBmEs4Bwf
YX00TvxhWbpNVeHFaK+AxtgGfMjlpfHkIPoDbw0axLgM90dqNkxpLVN2uclO
49ogi6UQra2fr8nLEqNd2OGb80sXjckkmfUdtyrkJOHXqIX1KNgt04UN/YnS
l8NGdqJ6ou4APqRhfNAKTQs6ZZdteE1iKCX7MtivOMrGIi043YT3TVjXZv1P
ktFcf8LR2hUfk57sZL832JLdJpoVPVqM2fribhbaMn6RhWXzYSJTr5QyVNGa
PWDCNprXLoWKjp96DxMXtx2dTY/GUfS238eMpZ+LxCYD2og76ble93k53CeP
7RySionrD8076jjYouqwgFYzHkIwn3gU5otJtc3cMiaGdZZqLVoNbEgQgzRR
wvC2tzUo/gMAUlc696hDEFo8JkE/OuvRGSeSlymEe6XRdGj2XDqIhqSaSvje
mgVSIJcAyWdrzuX1PQn2VnYiIxSiAkn/A413wzZ48LR1O219kEtfj6FsjePp
xVdjpWtiYd7L9GzqAp4cx8Trp4uubV2YWTtnrOpsy7spIYmz6UmimUD09wtV
gK56n7FZmK0hoIyTq8QPNlVf3ERhVwDfwLy+XVSAvfCs7fZirTNePrxshWm9
ZbatkAxi2jtjgvzUPzQDFqGgnh57W/HMsjZUfpLQwwnMeWtTK6Sjjt0UzdaL
kifSOHmi8ZTiaSQ2L8PxcOgKDHfbZyjMjYeMcIMl5YFPgp+weRfaWMUlqw3k
ENhkCyzBHfxXXnkocrWag3O6uSiXbdagg6uH1RoulmENRDFX80nnKS4NhJpk
5q2IOnBEsEDSxn8k1IIeQYc4h7TQ0TvJQ7G04KaAZ6Q+jvHlf0XzQrWF1w38
n//1bPZ09hSdnP1FGP2w6s41l3QuPlVsaBjptJh1eKs29S2Lehcn9LCslolL
8NF13GQZUbDlm7rVBCBwi64ms2A1z3g1X82Op/jvE15R85Fdsj7WHQtH2yBT
M+mj1IvMBYWliF0qZbUT0ohfJF5diTxodjMXbB9EM2zfNy9lZYSTsRU50Day
qqZlvODWaXuVH2hdTrb4L4CUJGGK4WpCothImmq5efFUs5Lj2ROhLW4uxC/L
njNyPJGRcJ3h589T+zf2YSRyz46A+wzDqy1w4yB+JW5mcNIQhLFP44ZDHZOD
zkicsN/hnkN8l635fj5UOkrrDPU60+ptWYPEAtyouFMOT/JuoYaN1K37UuJc
yegwFDa2fY6/+AI6jMOf4hBx+3n5fMz797MiK2di8A7dWMQ70OJ3NHR8HWkP
DwIp9AUcXYUhMdM/quxgZXxsXaA2zSY+siRA72uPKjEmOWjcdxSePEBPW0sU
H6REz5DWH+7Fca1I38XFep7c5MAzMeB6HkyNDBsyBuS+H8gKhI13obcDsbGd
+azEo758OoIY045ETrSw3fTQRSUb2JZL12eTOxhqC05FMrarmXbU71fcuhR3
5xofuKrFdjWVWuqha16GPEwPVBiNX/G6HrxNxc4VMAQwKohH2ESCaJiwmYGG
s2ynAsDuYu9772j/TP2VRB1q132Rw/HaNT1IYHMhWzWaNYMf2Sim5H7fhubD
fX15VsQ9UU9s3rAVI/slKqYdDwbON0FSiNCqKLeGPjAxt5gf8GvFDqtbqHnB
z/0btoSth8IPLprGzBx057Np1U6tHnYm0ySPSdS/Cuk9XFAXFc/Bj+lzuYOD
qztj9yA9Ci8k8YkhR477jqISf5tZgG1CitSpYGcYVPiIQb+gqLN+V9Iwt4bj
/w9BqZO/H5R6OntOwANvH4JVmtvTm6d4vSzfYBMdxHLJRa3ZWXTkMyiiDB5J
NEEWD43glLlwUuNK2wd73f2hUbY4BFO0gtmxrkFqKGQJV1c+SB5ci8A3PUlS
QLAe7iNil+IFpHsbbjiWt0VvkvQn3+Y1TGBgwvFUALf2JSJz+dBMfC2MlTZC
NNF1fx8AFZdBOHjx5OQJQ5w/vv7x4uzde73cQGtNuKSIc+3Z463fFc3YYkVH
vZ6C8o3y7WU2/rKO34RJHgAfcpxsnHbUy0gb95ILYeDD2RFGOjRbIDls/KHZ
tswLPHcxnsQi8A1bOH9JkDGRvSgSfwVi7NaMejb+Vv1+PajWrVfNy8PJYZN9
tw9Vyercu6p95a49mmzV3aPsCDK443nEZcoDJ5QLvTjxHw56SdFT6eFxO79X
75lTJ/USStpFI3mKGQQthoFnzk3C+uo14syaV+HgSBXngNKcaF4xvhq/cipS
FLcmUmgSgHbc4TbJS6u5ewmE6chiIk51lfvuVEE2blyJPjUuo3r8pfrvLCip
ltPDtOLQkqDOwxxVso7UyHPtizjTlz4/ja+KUVCiMfvBQp7RxQmP5e7UG108
BQg+Y+cZ8kW4cDe8QOtQavpQGGcjJAwcJAonIQnOIZW0RX9wOTLp82cn3OJK
WvLZoO2O4EFFB6Uq77klzYe2DTNPZnNgk6hgOgj6BHUxWiMfVkP5it9ksNuA
qPbflEr6kJZ/+vfT8qdqbw3qeIingCBsBaivJG9NbZcoZT9DhR5Bt5wAvXvl
b9O03I4CN0rWDcF0cA/fyGLqnnAc1O3HsMEjdT7WpZ2S4h/RnJps7dP6xlgr
pwm7gIW/mApXNSw1U8Ml3orwcyqWb3IVLyCSdGmo4StkYvDgMsSkCzEMTdtr
T1eluhg7gonLEp7zzqhTU5uHq2tj4tp+uxANVw1bcToJ7qYczBzmBBxJ/6XP
+VlRLJJddo/D6XciDvFKpENeiYPqy0BBJfG0o4Wm7kYnT0VR9dc/XkbxcDfF
h/wWg8c1h1+WVA+TodBUCbk8S5nEqlzb451USwiDpI+avZm1mnObSV/IfXC3
A1ERzaeZw2yRN0aKD5r8Of7dsEG4JMiQsDEjCdBY/dW38CZJ7BBgmeq8WOIG
33U1pNlDhr0Y2bynXPWvTNk36cJ2avcytKa7szYZW5Dg7sINnNMu7Oq7BwVm
umYAemBj68iGjI6D1zxyQuzRQZvOcIv5BOoXfOK0OIAveLFoBCMfnhZ3s3CQ
mC9KPggqBrZq6mtWbFWEpFNIUqFzN9U+XUPy1uUyl+WXQpTfpOwk6dM1N9FY
IhE7kJ7iHvJawcGZ4CbB0ZXAEg8CiQwVWlonjGU8PLvQhxW/PHYp9gpkfIJY
cs9NrJze6N1lrpjK3g7nZjrhzr0ceXHFHEHPG9ehpH+apd9P3IyCozuJ509t
PWIrFtP0uouvffD06jfGTDI1jQKS+FoFkGFipWfP1za6eDYW2yejNSFJyNax
SZbOob6WmlUOKzpC96ohHsI7p/9vA0T9GId1ZTjS/wHCyKVp4KLh2hkLtkjb
AyLn84iDQGwIWGTl2CaqR601sKKeraGAkISCXCbLlwWDoliQa2QcxXD6sRta
Hn8acLFAC7d/DiL8fXHBYIDkAS195Y6HLMgKMMgdu0WSgK+tqw/rVeBeras5
TaXkxoNfGpM44VZksa+0SaQNuyUJ1x0UhSkQyYam0TCE83sc+qXtxZQfXl+C
ugfr/x3uAMW6LB0ZD6GwPLwqk7V3yJPqlhk9VCg9jt1yOy+ukzTQjLI/lrGw
0mq1msQFTq5USRvVBB3W0Yim75RXZWuVU3C/GNfH6v1g4jmM1W+cdpibSMs6
/T3QRsbfOWk9wloNHVZAS711V2oORWAJfrGJf3VP9ZdUT3bEcmiGM7GtcKqY
WDZ5I3Hly9wn7qEAU+weYK+ALeJJpN8NojKSBtzWvaoyqdpjD9kjjSG3uNDi
kQJHrcslluW7vkpf7N6/ECK6PN02O4iLwgbrwB7SH8/+HvrjmdrLiESeqhzW
8wRZZc1LSVt3KsTPj4vL/gmil8PoZ1pTdhbUlNEzgdy0huqgweyKvPWKB++H
t8VhQ7Zk6JOObEgt6TLLXCs6pBYHrbZTmz3GEWe26K0Fq8JhSAX03x/ar2Aa
Z7IOmHFqRoc1XIHVvPI1fe7sDRrlXHb0u3TR8xdfs1f8DW3w6MnYucNPX8DJ
P2IYToOevf+T7yVgEwmsHgvFgkdUP16GRq2vOYyQPQSS76HgC6sfMFk9I0pX
zN/AZsnoHk7XWffjxhbKqPNVtR+rFsI5rStY1Kt0tElyFRRWhj6jiAPYYEan
psUAT44ecJL83RTlod/8fi95G7WsCE4i1L3wKg5w3NjT8QvKkfXSl7DYdeIl
XP6LkXg4w3e2qVHjKra4Bpjha6ZzvJQ6E7+5NAO383qlERlLj1yinNx88Uir
spdI6GBFIRsnV49BYnc7HKjOBS3sjYQ+ThLYvnwfvT+cfetdptGzhn0DEr24
U3MFBrrKhJpaTyYRGNEWppXrZaD3tPoDFEcGLEDxZdZRDxOHwb9MXf8QdxSR
dA1EwqSBTrbArQzMPsLFrtJcDFfXDSMRDYx2GLBmH5MWdq75w6uApKaG7/DQ
G+MvTh9fPCcZxAmYEpa/O+yjZyswA5EC//SX1BE/pGef/249K+lX8OhO3AcC
w0/YJPj+zZ9IHCG8Orq6un73rcomEgP09fXYGilh+ha+C3Q1OEsXSqzRtN6r
LW02ZfGV2HwcYbH+Jfl5fC2DnDzu+RJdqBhcsnvQNCaqGXFSJEDN4Q4sqsbH
sjX1DCuSVR8/mYWBZi113mQNtrhY2DtCfGherVRWeeL9cmJNrneu1oKufZ3j
fZPRvLfIHB102kIMysTc25PU+gqiNEnHMu6OyHuoIhjn96n20yc+ty+auA3X
Nffn5dkrrR7Iy+NiXjeVpQ8IBIXlqS8sTwauUOm7XYKayIcs4p/0kcBSs1rT
H4mx674+wLXavLd3g/BA3b8KHbGE+EBG9fjwEiWGm6Tx1Qwd6jVa38yBBAiM
FbTm+8TKQW5e/m0KXAnVgyf3hhBUwePa872rBnNO6y3cZz1G0ztRIb9hLve9
W4Eh6pNdmelZmZJBjAgoUr+9KRzVnmlwWq4+H+rOHLQusNlxtgFLEl4O+9Hs
CVOhaFOq1mI8IbHT6BjygR6H+vRg6aoym1hvBA54a467LKpEr9QklJPr3ZYu
uUwvFRYFjfD5F5vDh8cBGnFZcRqKXLIivHj11CtM6cXlGTwZNHrJyv3e7Nlw
aPst+j/yF2225ntt8sZmQCc+aUyY2CoJx8iiN21jcG3rQ5x+8Yzzc/euo1/z
KrElxb/++t2btzdX7749eXJyOqWzd3N1dglPs4tWN1q04USIvQlRhIhr+yRv
0nrCL+5M8ZBu/+p36/YYsk/lfyM7WkzSCPJ78xQGNAphc3eVKOdfKChd9Bfp
Y57uQ5iyrkcO8ClShcVJd78v005e8saBPCzgCCbezya3rZFE8+533LSBL8+Y
DAaJSdtmOY66755RD0zw96k89WiO7Bx9Hd3Dis5atPclmT8QrbUt4/Jf7Ca6
BX6BNXuuE+3FXHteVARf354P24WWyRLnvvX7OBE16OzYkO04TjXUrkQ4ym2X
LE+5ZxRwn13mJNxFVoeDGa+/32ANoZMwpWZmZwpZkXeItFRn+rEZ5m8m9/b6
kWawoddpmQT3iMqpsRdVaRUuqSRvauDBs/t8MWyqBm18mHaEdUzt9c1ObreV
9zkP64F1zIqWDUiJlNljFkV6Q1UsLwtEnUUuQ/vEHZykkJDNbdKlYxvmkdvT
JcwXOFzRBAFFsPayzp43mZ7iO8ofut6THSQI+QlwU+OZJ66hcN9EEBkBsqRV
UVWurNwdLgWTX6xdeyqirxdsZrd4hvlLIc8oNE/hlE4ybX/oW8QNuaXVHa23
bMIqxW5gVXbhiSx4QiYYDTuJlwdv+Aa3Yo4unj+++Gpsm6x8WV+gRG4ACmrE
OTP86MjV45HKG+l+Q/W9QEFUY8YS8UVfDV+cGNzRGxmAJOHX1VCwJD2am30F
z97GdsULnRzoE3801KH1u5uby+vH1z+df2NvWwmeGklfhugmcD02rqVv6Cuw
aQ2IfPn7W7TRCu8n7Qyx4xuOwu00Ib7m7kBXV3LU5L6QJHine5Wnur+g+Lyq
I2+Oz61P9NZ1lITKba18cckSrIqCYQYkAqNcsya9KlJ3B1DjZcIpgo9dp8lG
VYfvRS0xJU6TJ2Hdy7MnLTeY6QgtH7sp426MvZyGxAfc+cnh9z+NQuuHXoYk
9DKEaJttLLLIrKk2vu8Nz2eJEAfBPL38GTU9jkOPbGlGUMHr+8Jx+LTaJZzM
UHHspTZxr577oeKL3w0V1fFuwwbhpQfW4/fj5U26a0y3xB0IxJOCQpxrg3tn
ohTa8DK1/ZBdaM9YJJDTK9h05Z5Jag0hEShyFaLteKRH43dmwp0+Z1cEzvZj
PuY2Xz2u4BvMlfsb2KwfilC4Jn3RNRDhyOLT4v5GiGEjl7N6ei5IN9OAL6Md
8tQf9TZ1nAjACoTJitMSpFxnGVa6SQ6URCBc2zZt6JAM92oL+gL9ZnT15j4e
UZyVFXfZXm+wtvJIkZaGpcOmMfY0PRh3daebeO2RE52PAmHZxDdwq2QPZJdD
PXxWwxyuoP4u9KWFXc3CJJzUdcK5v0hMQ9LsYaiW+h5pRih9eXxdlu8O+OWJ
Yx9KBW4maC4QqHR3y6/eEe0vvZSQiCsPaJIRYYMHMtulNuCwyCs4iJqimFjP
2K7omtR1reK2Jflttthr1aB8P5R+xRgFXQM6DsWcx/k50ugLchR9AGznGie6
G/uYdtvAGVQ/YTLYrM+2p+S7VgLfo/h0q6JawyHkmohJhmrcWGGd7Zow63Po
Qu8YRSUZuvP51gvBrT/2VmVOlNWWfEitKMRNycNk2iktYWgYdqzi+5jp90vD
SnIlzXq+kSrSoPukdMvsml7OHG0X0iWu31z99Pbs3Q9aTekLcF3Ld5cJ0nZl
0AqZ8W5V5m1V26jeihQ/NzHnSyluGabxbVlNNE/X2MJtIOed3tLp0c6J8C9c
Ezeh1Zfrwx3wj04BK5sTPvqYzrMlN1yzF9FpiF7Ui+/WySUKr+yFSixGO2nI
zM9ZJ6m0yuFYPCfcylW+sGZ2DHDY4YlOUvRqE9AE076ML48nkVCX1o70xatc
PYyLo+UqQN9QFJP2CY/BBcpcSbXJJHHVSUvbYKaRPLV4A0OB19B70AvDz8c6
y7AdJSGJlk0t2FR+UyWz/5+JkaQTIu0KOsIFXOhbSi/rSlokSmw3G8rYoCVb
PyiqwETeqNYNJu56INtSdkBbvZ6Umy8snBcqbh4IeVYauZvFdZRAlw4QHR7R
5UtoaHd9PFewpVZ7WVJz17sBEgPkELYLyqOkvp171UoSPCetfux3PPIdcsRM
dN2xSfa9O3t/Niz3nMADrigr+aUW3qBFUIDLbJk60mWli4rvI2oNHuCJyYHp
4tpt1UT+ptULPv4hvVQB/vDM3AR8Jys7h0B/sKcBNr0cOZIzAY4h9dswl2g7
XCzLpaBab1gkcv3SZMN4MfbOOttX0s0MLgZfRSionC9KwqSkW12grHbwuvCL
YYyq5rY2mOsEqUYwShySb0U2sPKxAzlXn2rOgfR0NtxLjhoZpLPYFuBjKXxT
ZxTDh34vVVdwBWiOhk1diy1ii5VtBpdr7VuYJujwySl4YLkY6eEajq7fVTO3
zQlrg15E6FAnzeLQVseqU4a7BGFnPt+07ymWsnYhWF77NpzgOycWbHXrNvuU
b7utyPxpfHuB/c572rRqEXWvuruQr4mI4onLveYcSNeX6TBgoqI7Tb8jCYme
CH1fpNasctDKF+mNBhowStibBxyj9kM6U4uuirMsfNMCSct3US+p3Z0l164T
pe07TBRb5YV60R0PeJX+66/XlyfPp1eXVz++JXuChEYyN+uOb08C3KV3G+4k
xqzBHWh5/Wa7y2t7YUbJkFhhSXLYsmDJMmJu4bftKrcbqmO20DjJ5uhmZXNt
Xdu0T8Ccs3tFiu+xxCWZA6ncgav7LFEtYu+0Yu1qnURIEomfrg2nr+Yr4T1b
9JnkjcsRh99AGnVrP3wQgJ0d6Ng1S/4v4+OhxE27AAA=

-->

</rfc>

