From 1963e71c9dbc2a563513ab9fa25b2606f71b7779 Mon Sep 17 00:00:00 2001
From: Pawel Kowalik <2063440-pawel-kow@users.noreply.gitlab.com>
Date: Mon, 22 Jul 2024 06:39:54 +0000
Subject: [PATCH] RELEASE: draft-kowalik-regext-domainconnect-00

---
 .devcontainer/Dockerfile                      |   17 +-
 .devcontainer/bin/md2rfc                      |   34 +
 .devcontainer/devcontainer.json               |    3 +-
 .vscode/settings.json                         |    1 -
 ...draft-kowalik-regext-domainconnect-00.adoc |  273 +-
 ...t-kowalik-regext-domainconnect-00.err.html |  137 +
 ...draft-kowalik-regext-domainconnect-00.html | 3339 +++++++++--------
 ...ft-kowalik-regext-domainconnect-00.rfc.xml | 1214 +++---
 ... draft-kowalik-regext-domainconnect-00.txt | 2616 +++++++------
 9 files changed, 4056 insertions(+), 3578 deletions(-)
 create mode 100644 .devcontainer/bin/md2rfc
 rename draft-domain-connect-04.adoc => draft-kowalik-regext-domainconnect-00.adoc (91%)
 create mode 100644 draft-kowalik-regext-domainconnect-00.err.html
 rename draft-domain-connect-04.html => draft-kowalik-regext-domainconnect-00.html (59%)
 rename draft-domain-connect-04.rfc.xml => draft-kowalik-regext-domainconnect-00.rfc.xml (64%)
 rename draft-domain-connect-04.txt => draft-kowalik-regext-domainconnect-00.txt (62%)

diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index 04ee5c7..baea413 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -1,4 +1,13 @@
-FROM docker.io/paulej/rfctools
-RUN sudo dnf -y update && sudo dnf -y install git ruby ruby-devel
-RUN bash -c "curl -L https://raw.githubusercontent.com/metanorma/metanorma-linux-setup/master/centos.sh | bash" && \
-    curl -L https://raw.githubusercontent.com/metanorma/metanorma-linux-setup/master/install-gems.sh | bash
+FROM ghcr.io/ietf-tools/xml2rfc-base:latest
+
+RUN apt-get -y update && apt-get -y install curl && apt-get -y clean
+
+RUN bash -c curl -L https://raw.githubusercontent.com/metanorma/metanorma-linux-setup/master/ubuntu.sh | bash && curl -L https://raw.githubusercontent.com/metanorma/metanorma-linux-setup/master/install-gems.sh | bash
+
+# Put the md2rfc script in place
+COPY bin/md2rfc /usr/bin/
+
+RUN apt-get -y update && apt-get -y install git nano default-jre && apt-get -y clean
+
+# Specify the working directory when a container is started
+WORKDIR /rfc
\ No newline at end of file
diff --git a/.devcontainer/bin/md2rfc b/.devcontainer/bin/md2rfc
new file mode 100644
index 0000000..5130eb8
--- /dev/null
+++ b/.devcontainer/bin/md2rfc
@@ -0,0 +1,34 @@
+#!/bin/bash
+#
+# This script will invoke mmark to convert markdown to xml2rfc format,
+# then it will invoke xml2rfc to produce an outout text file
+#
+# One may specify one or more markdown files (with the .md extension).
+#
+
+# Ensure that at least one file was specified
+if [ $# -eq 0 ] ; then
+    echo "usage: md2rfc <draft_name.md> [<draft_name.md> ...]"
+    exit 1;
+fi
+
+# Loop through all of the specified .md files to produce .txt and .pdf files
+# as output
+while [ $# -gt 0 ] ; do
+    MDFILE=$1
+    shift
+    XMLFILE=$(echo $MDFILE | sed 's/\.md$/.xml/')
+    TXTFILE=$(echo $MDFILE | sed 's/\.md$/.txt/')
+    PDFFILE=$(echo $MDFILE | sed 's/\.md$/.pdf/')
+    HTMLFILE=$(echo $MDFILE | sed 's/\.md$/.html/')
+
+    if [ x"$MDFILE" == x"$XMLFILE" ] ; then
+        echo "Error: $MDFILE is not a .md file"
+        exit 1
+    else
+        mmark "$MDFILE" > "$XMLFILE" && \
+          xml2rfc --v3 --text "$XMLFILE" -o "$TXTFILE" && \
+          xml2rfc --v3 --pdf "$XMLFILE" -o "$PDFFILE" && \
+          xml2rfc --v3 --html "$XMLFILE" -o "$HTMLFILE"
+    fi
+done
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 85e04d6..c0d25d3 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -15,7 +15,8 @@
         "eamodio.gitlens",
         "donjayamanne.githistory",
         "asciidoctor.asciidoctor-vscode",
-        "Gruntfuggly.todo-tree"
+        "Gruntfuggly.todo-tree",
+        "ms-azuretools.vscode-docker"
     ],
 
     // Use 'forwardPorts' to make a list of ports inside the container available locally.
diff --git a/.vscode/settings.json b/.vscode/settings.json
index 92117ba..aa697e4 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,4 +1,3 @@
 {
-    "asciidoc.antora.enableAntoraSupport": true,
     "editor.wordWrap": "wordWrapColumn"
 }
\ No newline at end of file
diff --git a/draft-domain-connect-04.adoc b/draft-kowalik-regext-domainconnect-00.adoc
similarity index 91%
rename from draft-domain-connect-04.adoc
rename to draft-kowalik-regext-domainconnect-00.adoc
index e34bdf3..b253fba 100644
--- a/draft-domain-connect-04.adoc
+++ b/draft-kowalik-regext-domainconnect-00.adoc
@@ -1,33 +1,29 @@
-= Domain Connect API - Communications between DNS Provider and Services
+= Domain Connect Protocol - DNS provisioning between Services and DNS Providers
 :mn-document-class: ietf
 :mn-output-extensions: rfc,txt,html
 :doctype: internet-draft
 :abbrev: Domain Connect
 :intended-series: standard
-:submission-type: ad-sponsored
-:docnumber: draft-kowalik-art-domainconnect-04
+:submission-type: IETF
+:docnumber: draft-kowalik-regext-domainconnect-00
 :status: informational
 :ipr: trust200902
 :area: Applications and Real-Time
-:workgroup: Registration Protocols Extensions?
+:workgroup: Registration Protocols Extensions
 :keyword: dns
-:revdate: 2024-07-19-
-
+:revdate: 2024-07-19
 :givenname: Pawel
 :surname: Kowalik
 :email: pawel.kowalik@denic.de
 :affiliation: DENIC eG
-:street: 
-:city: 
-:region: 
-:code: 
+:street: Theodor-Stern-Kai 1
+:city: Frankfurt am Main
+:code: 60596
 :country: DE
 :contributor-uri: https://denic.de
-
 :givenname_2: Arnold
 :surname_2: Blinn
 :email_2: arnold@arnoldblinn.com
-
 :givenname_3: Jody
 :surname_3: Kolker
 :email_3: jkolker@godaddy.com
@@ -38,14 +34,16 @@
 :code_3: 85260
 :country_3: US
 :contributor-uri_3: https://www.godaddy.com
-
 :givenname_4: Sami
 :surname_4: Kerola
 :email_4: kerolasa@cloudflare.com
-:affiliation_4: Cloudflare
+:affiliation_4: Cloudflare, Inc.
+:street_4: 101 Townsend St
+:city_4: San Francisco
+:region_4: CA
+:code_4: 94107
 :country_4: US
 :contributor-uri_4: https://cloudflare.com
-
 :specversion: 2.2
 :revnumber: 63
 :source-highlighter: prettify
@@ -56,7 +54,8 @@
 :toc: auto
 :toclevels: 4
 
-This document provides information related to the Domain Connect API that was built to support communications between DNS Providers and Service Providers (hosting, social, email, hardware, etc.).
+
+This document provides specification of the Domain Connect Protocol that was built to support DNS configuration provisioning between Service Providers (hosting, social, email, hardware, etc.) and DNS Providers.
 
 == Introduction
 
@@ -78,7 +77,7 @@ direct manipulation of individual DNS records.
 [glossary]
 [toc=exclude]
 :sectnums!:
-=== Terminology
+== Terminology
 
 The key words "*MUST*", "*MUST NOT*", "*REQUIRED*", "*SHALL*", "*SHALL NOT*", "*SHOULD*", "*SHOULD NOT*", "*RECOMMENDED*", "*NOT RECOMMENDED*", "*MAY*", and "*OPTIONAL*" in this document are to be interpreted as described in BCP 14 <<RFC2119>> <<RFC8174>> when, and only when, they appear in all capitals, as shown here.
 
@@ -143,32 +142,19 @@ and control of the settings being changed to enable a service. And the
 system is more secure as templates are controlled and contained.
 
 == End User Flows
+=== General information
+To attach a domain name to a service provided by a Service Provider, the customer would first enter their domain name.
 
-To attach a domain name to a service provided by a Service Provider, the
-customer would first enter their domain name.
-
-Instead of relying on examination of the nameservers and mapping these
-to DNS Providers, DNS Provider discovery is handled through simple
-records in DNS and an API. The Service Provider queries for a specific
-record in the zone that returns a REST endpoint to initiate the
-protocol. When this endpoint is called, a Domain Connect compliant DNS Provider returns
-information about that domain and how to configure it using Domain
-Connect.
+Instead of relying on examination of the nameservers and mapping these to DNS Providers, DNS Provider discovery is handled through simple records in DNS and an API. The Service Provider queries for a specific record in the zone that returns a REST endpoint to initiate the protocol. When this endpoint is called, a Domain Connect compliant DNS Provider returns information about that domain and how to configure it using Domain Connect.
 
 To apply the changes to DNS, there are two use cases. The
-first is a synchronous web flow, and the second is an asynchronous flow
-using oAuth and an API.
+first is a synchronous web flow, and the second is an asynchronous flow using OAuth and an API.
 
-It is noted that a DNS Provider may choose to only implement one
-of the flows. As a matter of practice many Service Providers are based
-on the synchronous flow, with only a handful of them based on the
-asynchronous oAuth flow. So many DNS providers may opt to only implement
-the synchronous flow.
+It is noted that a DNS Provider may choose to only implement one of the flows. As a matter of practice many Service Providers are based on the synchronous flow, with only a handful of them based on the asynchronous OAuth flow. So many DNS providers may opt to only implement the synchronous flow.
 
-It is also be noted that individual services may work with the
-synchronous flow only, the asynchronous flow only, or with both.
+It is also be noted that individual services may work with the synchronous flow only, the asynchronous flow only, or with both.
 
-==== The Synchronous Flow
+=== The Synchronous Flow
 
 This flow is tailored for the Service Provider that requires a one time
 synchronous change to DNS.
@@ -288,8 +274,7 @@ after the changes are applied. If invoked in place, the user must be navigated b
 to the Service Provider after the changes are applied.
 
 === The Asynchronous Flow
-
-The asynchronous oAuth flow is tailored for the Service Provider that
+The asynchronous OAuth flow is tailored for the Service Provider that
 wishes to make changes to DNS asynchronously with respect to the user
 interaction, or wishes to make multiple or additional changes to DNS
 over time.
@@ -429,8 +414,6 @@ authoritative. This does not indicate the authoritative nameservers; for this th
 would be queried.
 |=======================================================================
 
-As an example, the JSON returned by this call might contain.
-
 [source,json]
 ----
 {
@@ -442,8 +425,10 @@ As an example, the JSON returned by this call might contain.
     "urlAPI": "https://api.domainconnect.virtucondomains.example",
     "width": 750,
     "height": 750,
-    "urlControlPanel": "https://domaincontrolpanel.virtucondomains.example/?domain=%domain%",
-    "nameServers": ["ns01.virtucondomainsdns.example", "ns02.virtucondomainsdns.example"]
+    "urlControlPanel": "https://domaincontrolpanel.virtucondomains.ex
+    ample/?domain=%domain%",
+    "nameServers": ["ns01.virtucondomainsdns.example", "ns02.virtucon
+    domainsdns.example"]
 }
 ----
 
@@ -486,7 +471,7 @@ discovery are in the form of URLs.
 The first set of endpoints are for the UX that the Service Provider
 links to. These are for the synchronous flow where the user can click
 to grant consent and have changes applied, and for the
-asynchronous oAuth flow where the user can grant consent for
+asynchronous OAuth flow where the user can grant consent for
 OAuth access.
 
 The second set of endpoints are for the REST API.
@@ -517,7 +502,8 @@ the JSON payload during DNS Provider discovery.
 ----
 GET
 
-{urlAPI}/v2/domainTemplates/providers/{providerId}/services/{serviceId}
+{urlAPI}/v2/domainTemplates/providers/{providerId}/services
+/{serviceId}
 ----
 
 This URL is be used by the Service Provider to determine if the DNS
@@ -547,12 +533,13 @@ call was successful. The response OPTIONALLY contains the version or template.
 |=======================================================================
 
 ==== Apply Template
-
+===== Apply Template URL
 [source]
 ----
 GET
 
-{urlSyncUX}/v2/domainTemplates/providers/{providerId}/services/{serviceId}/apply?[properties]
+{urlSyncUX}/v2/domainTemplates/providers/{providerId}/services
+/{serviceId}/apply?[properties]
 ----
 
 This is the URL where the user is sent to apply a template to a domain they own.
@@ -561,7 +548,6 @@ It is called from the Service Provider to start the synchronous Domain Connect P
 This URL can be called in one of two ways.
 
 ===== New Browser Window
-
 The first is through a new browser tab or in a popup browser window.
 The DNS Provider signs the user
 in if necessary, verifies domain ownership, and asks for confirmation
@@ -587,7 +573,7 @@ passed back as state= on the redirect_uri.
 If authorization could not be obtained or an error has occurred, the
 parameter error= must be appended. For consistency with the asynchronous
 OAuth flows the valid values for the error parameter will be as
-specified in OAuth 2.0 RFC 6749 (4.1.2.1. Error Response - "error"
+specified in OAuth 2.0 <<RFC6749>> (4.1.2.1. Error Response - "error"
 parameter). Valid values are: invalid_request, unauthorized_client,
 access_denied, unsupported_response_type, invalid_scope, server_error,
 and temporarily_unavailable.
@@ -692,7 +678,9 @@ An example query string:
 ----
 GET
 
-https://web-connect.dnsprovider.example/v2/domainTemplates/providers/exampleservice.example/services/template1/apply?domain=example.com&IP=192.168.42.42&RANDOMTEXT=shm%3A1542108821%3AHello
+https://web-connect.dnsprovider.example/v2/domainTemplates/providers/
+exampleservice.example/services/template1/apply?domain=example.com
+&IP=192.168.42.42&RANDOMTEXT=shm%3A1542108821%3AHello
 ----
 
 This call indicates that the Service Provider wishes to connect the
@@ -702,7 +690,7 @@ owned by them (template1). In this example, there are two variables in this
 template, "IP" and "RANDOMTEXT". These variables are passed as name/value pairs.
 
 ==== Security Considerations
-
+===== Risk of phishing with open template parameters
 By applying a template with parameters there is a security
 consideration that must be taken into account.
 
@@ -714,8 +702,7 @@ this link, they would land on the DNS Provider site to confirm the
 change. To the user, this would appear to be a valid request to
 configure the domain. Yet the IP would be hijacking the service.
 
-Not all templates have this problem. But when they do, there are several
-options.
+Not all templates have this problem. But when they do, there are several options.
 
 ===== Disable Synchronous
 
@@ -733,12 +720,12 @@ properly URL encoded and of the form:
 
 [source]
 ----
-sig=V2te9zWMU7G3plxBTsmYSJTvn2vzMvNwAjWQ%2BwTe91DxuJhdVf4cVc4vZBYfEYV7u5
-d7PzTO7se7OrkhyiB7TpoJJW1yB5qHR7HKM5SZldUsdtg5%2B1SzEtIX0Uq8b2mCmQF%2FuJ
-GXpqCyFrEajvpTM7fFKPk1kuctmtkjV7%2BATcvNPLWY7KyE4%2Bqc8jpfN61cP5l8iA4krA
-a3%2BfTro5cmWR8YUJ5yrnRs6KT4b5D71HFvOUk0sGEUddUUlsyRQKRHUFN6HjEya50YDHfZ
-JlYHkHlK0xX6Yqeii9QZ2I35U9eJbSvZGQko5beqviWFXdsVDbvd3DYcbSHgJq9%2FXoMTTw
-%3D%3D
+sig=V2te9zWMU7G3plxBTsmYSJTvn2vzMvNwAjWQ%2BwTe91DxuJhdVf4cVc4vZBYfEYV
+7u5d7PzTO7se7OrkhyiB7TpoJJW1yB5qHR7HKM5SZldUsdtg5%2B1SzEtIX0Uq8b2mCmQ
+F%2FuJGXpqCyFrEajvpTM7fFKPk1kuctmtkjV7%2BATcvNPLWY7KyE4%2Bqc8jpfN61cP
+5l8iA4krAa3%2BfTro5cmWR8YUJ5yrnRs6KT4b5D71HFvOUk0sGEUddUUlsyRQKRHUFN6
+HjEya50YDHfZJlYHkHlK0xX6Yqeii9QZ2I35U9eJbSvZGQko5beqviWFXdsVDbvd3DYcb
+SHgJq9%2FXoMTTw%3D%3D
 ----
 
 The Service Provider generates this signature using a private key. As indicated,
@@ -763,12 +750,12 @@ records may exist for the DNS TXT query. For example, a public key of:
 [source]
 .Example public key (line breaks are there for brevity)
 ----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA18SgvpmeasN4BHkkv0SBjAzIc4gr
-YLjiAXRtNiBUiGUDMeTzQrKTsWvy9NuxU1dIHCZy9o1CrKNg5EzLIZLNyMfI6qiXnM+HMd4b
-yp97zs/3D39Q8iR5poubQcRaGozWx8yQpG0OcVdmEVcTfyR/XSEWC5u16EBNvRnNAOAvZYUd
-WqVyQvXsjnxQot8KcK0QP8iHpoL/1dbdRy2opRPQ2FdZpovUgknybq/6FkeDtW7uCQ6Mvu4Q
-xcUa3+WP9nYHKtgWip/eFxpeb+qLvcLHf1h0JXtxLVdyy6OLk3f2JRYUX2ZZVDvG3biTpeJz
-6iRzjGg6MfGxXZHjI8weDjXrJwIDAQAB
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA18SgvpmeasN4BHkkv0SBjAzIc
+4grYLjiAXRtNiBUiGUDMeTzQrKTsWvy9NuxU1dIHCZy9o1CrKNg5EzLIZLNyMfI6qiXnM
++HMd4byp97zs/3D39Q8iR5poubQcRaGozWx8yQpG0OcVdmEVcTfyR/XSEWC5u16EBNvRn
+NAOAvZYUdWqVyQvXsjnxQot8KcK0QP8iHpoL/1dbdRy2opRPQ2FdZpovUgknybq/6FkeD
+tW7uCQ6Mvu4QxcUa3+WP9nYHKtgWip/eFxpeb+qLvcLHf1h0JXtxLVdyy6OLk3f2JRYUX
+2ZZVDvG3biTpeJz6iRzjGg6MfGxXZHjI8weDjXrJwIDAQAB
 ----
 
 may contain several TXT records. The records would be of the form:
@@ -776,13 +763,13 @@ may contain several TXT records. The records would be of the form:
 [source]
 .Example public key broken down into DNS records (line breaks are there for brevity)
 ----
-p=1,a=RS256,d=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA18SgvpmeasN4BH
-kkv0SBjAzIc4grYLjiAXRtNiBUiGUDMeTzQrKTsWvy9NuxU1dIHCZy9o1CrKNg5EzLIZLNyM
-fI6qiXnM+HMd4byp97zs/3D39Q8iR5poubQcRaGozWx8yQpG0OcVdmEVcTfy
+p=1,a=RS256,d=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA18SgvpmeasN
+4BHkkv0SBjAzIc4grYLjiAXRtNiBUiGUDMeTzQrKTsWvy9NuxU1dIHCZy9o1CrKNg5EzL
+IZLNyMfI6qiXnM+HMd4byp97zs/3D39Q8iR5poubQcRaGozWx8yQpG0OcVdmEVcTfy
 
-p=2,a=RS256,d=R/XSEWC5u16EBNvRnNAOAvZYUdWqVyQvXsjnxQot8KcK0QP8iHpoL/1dbd
-Ry2opRPQ2FdZpovUgknybq/6FkeDtW7uCQ6Mvu4QxcUa3+WP9nYHKtgWip/eFxpeb+qLvcLH
-f1h0JXtxLVdyy6OLk3f2JRYUX2ZZVDvG3biTpeJz6iRzjGg6MfGxXZHjI8
+p=2,a=RS256,d=R/XSEWC5u16EBNvRnNAOAvZYUdWqVyQvXsjnxQot8KcK0QP8iHpoL/1
+dbdRy2opRPQ2FdZpovUgknybq/6FkeDtW7uCQ6Mvu4QxcUa3+WP9nYHKtgWip/eFxpeb+
+qLvcLHf1h0JXtxLVdyy6OLk3f2JRYUX2ZZVDvG3biTpeJz6iRzjGg6MfGxXZHjI8
 
 p=3,a=RS256,d=weDjXrJwIDAQAB
 
@@ -877,7 +864,7 @@ url in the browser. As such it is recommend that enablement of a service
 be based on verification of changes to DNS.
 
 === Asynchronous Flow: OAuth
-
+==== General information
 Using the OAuth flow is a more advanced use case needed by Service
 Providers that have more complex configurations that may require
 multiple steps and/or are asynchronous from the user’s interaction.
@@ -971,7 +958,7 @@ authorization code will be appended to this URI as a query parameter of
 
 Similar to the synchronous flow, upon error the DNS provider may append
 an error code as query parameter "error". These errors are also from the
-oAuth 2.0 RFC 6749 (4.1.2.1. Error Response - "error" parameter). Valid
+OAuth 2.0 <<RFC6749>> (4.1.2.1. Error Response - "error" parameter). Valid
 values include: invalid_request, unauthorized_client, access_denied,
 unsupported_response_type, invalid_scope, server_error, and
 temporarilly_unavailable. An OPTIONAL error_description suitable for
@@ -1044,7 +1031,7 @@ template required for conflict detection. This includes variables used in hosts
 data in certain TXT records.
 |=======================================================================
 
-==== oAuth Flow: Requesting an Access Token
+==== OAuth Flow: Requesting an Access Token
 
 [source]
 ----
@@ -1054,7 +1041,7 @@ POST
 ----
 
 Once authorization has been granted, the Service Provider must use the
-Authorization Code provided to request an Access Token. The oAuth
+Authorization Code provided to request an Access Token. The OAuth
 specification recommends that the Authorization Code be a short lived
 token, and a reasonable recommended setting is ten minutes. As such this
 exchange needs to be completed before that time has expired or the
@@ -1074,7 +1061,7 @@ user could create a domain that returns a false __domainconnect_ TXT record, and
 subsequently a JSON call to their own server for the API end point. By doing so, they
 could then run Domain Connect on their domain and retrieve the secret.
 
-As such the urlAPI used for oAuth by the Service Provider should be maintained per DNS
+As such the urlAPI used for OAuth by the Service Provider should be maintained per DNS
 Provider and not the value retrieved during discovery.
 
 The following table describes the POST parameters that must be included in the
@@ -1187,7 +1174,8 @@ value vs. the value returned during discovery here as well.
 ----
 POST
 
-{urlAPI}/v2/domainTemplates/providers/{providerId}/services/{serviceId}/apply?[properties]
+{urlAPI}/v2/domainTemplates/providers/{providerId}/services
+/{serviceId}/apply?[properties]
 ----
 
 The primary function of the API is to apply a template to a customer
@@ -1288,7 +1276,9 @@ passed as name/value pairs.
 ----
 POST
 
-https://connect.dnsprovider.example/v2/domainTemplates/providers/exampleservice.example/services/template1/apply?IP=192.0.2.42&RANDOMTEXT=shm%3A1542108821%3AHello&force=1
+https://connect.dnsprovider.example/v2/domainTemplates/providers/
+exampleservice.example/services/template1/apply?IP=192.0.2.42
+&RANDOMTEXT=shm%3A1542108821%3AHello&force=1
 ----
 
 The API must validate the access token, and that the domain belongs to
@@ -1378,7 +1368,8 @@ Implementation of this call is OPTIONAL. If not supported a 501 MUST be returned
 ----
 POST
 
-{urlAPI}/v2/domainTemplates/providers/{providerId}/services/{serviceId}/revert?domain={domain}&host={host}
+{urlAPI}/v2/domainTemplates/providers/{providerId}/services
+/{serviceId}/revert?domain={domain}&host={host}
 ----
 
 This API allows the removal of a template from a customer domain/host
@@ -1396,7 +1387,8 @@ An example query string might look like:
 ----
 POST
 
-https://connect.dnsprovider.example/v2/domainTemplates/providers/exampleservice.example/services/template1/revert?domain=example.com
+https://connect.dnsprovider.example/v2/domainTemplates/providers
+/exampleservice.example/services/template1/revert?domain=example.com
 ----
 
 Allowed parameters:
@@ -1432,8 +1424,7 @@ Response codes Success, Authorization, and Errors are identical to
 above with the addition of the 501 code.
 
 ==== OAuth Flow: Revoking access
-
-Like all oAuth flows, the user may revoke the access at any time using
+Like all OAuth flows, the user may revoke the access at any time using
 UX at the DNS Provider site. As such the Service Provider needs to be
 aware that their access to the API may be denied.
 
@@ -1475,7 +1466,7 @@ A template is defined as a standard JSON data structure containing the following
 |String
 |serviceId
 |(REQUIRED) The name or identifier of the template.
-This is used in URLs to identify the template. It is also used in the scope parameter for oAuth. It must not contain space characters, and must be URL friendly.
+This is used in URLs to identify the template. It is also used in the scope parameter for OAuth. It must not contain space characters, and must be URL friendly.
 
 |*Service Name*
 |String
@@ -1618,28 +1609,20 @@ Each record will contain the following elements.
 
 |*Type*
 |enum
-|type|
-(REQUIRED) Describes the type of record in DNS, or the operation impacting DNS.
+|type
+|(REQUIRED) Describes the type of record in DNS, or the operation impacting DNS. +
 
-Valid values include: A, AAAA, CNAME, MX, TXT, SRV, or SPFM
+Valid values include: A, AAAA, CNAME, MX, TXT, SRV, or SPFM +
 
-For each type, additional fields would be REQUIRED.
-
-A: host, pointsTo, TTL
-
-AAAA: host, pointsTo, TTL
-
-CNAME: host, pointsTo, TTL (host must not be null or @ unless `hostRequired` is defined `true` for the template)
-
-NS: host, pointsTo, TTL (host must not be null or @ unless `hostRequired` is defined `true` for the template)
-
-TXT: host, data, TTL, txtConflictMatchingMode, txtConflictMatchingPrefix
-
-MX: host, pointsTo, TTL, priority
-
-SRV: name, target, TTL, priority, protocol, service, weight, port
-
-SPFM: host, spfRules
+For each type, additional fields would be REQUIRED. +
+* A: host, pointsTo, TTL +
+* AAAA: host, pointsTo, TTL +
+* CNAME: host, pointsTo, TTL (host must not be null or @ unless `hostRequired` is defined `true` for the template) +
+* NS: host, pointsTo, TTL (host must not be null or @ unless `hostRequired` is defined `true` for the template) +
+* TXT: host, data, TTL, txtConflict-MatchingMode, txtConflict-MatchingPrefix +
+* MX: host, pointsTo, TTL, priority +
+* SRV: name, target, TTL, priority, protocol, service, weight, port +
+* SPFM: host, spfRules +
 
 |*Group Id*
 |String
@@ -1653,47 +1636,47 @@ not contain variables.
 |essential
 |(OPTIONAL)
 This parameter indicates how the record is treated during conflict detection with
-existing templates.
+existing templates. +
 
-If the DNS Provider is not implementing applied template state in DNS this is ignored.
+If the DNS Provider is not implementing applied template state in DNS this is ignored. +
 
-Always (default) - record MUST be applied and kept with the template
+Always (default) - record MUST be applied and kept with the template +
 
 OnApply - record MUST be applied but can be later removed without dropping the whole
-template
+template +
 
 |*Host*
 |String
 |host
 |
-(REQUIRED) The host for A, AAAA, CNAME, NS, TXT, and MX values.
+(REQUIRED) The host for A, AAAA, CNAME, NS, TXT, and MX values. +
 
-This value is relative to the applied host and domain, unless trailed by a ".".
+This value is relative to the applied host and domain, unless trailed by a ".". +
 
 A value of empty or @ indicates the root of the applied host and domain. In other words
-"[host.]example.com.".
+"[host.]example.com.". +
 
 This value should not contain variables unless absolutely necessary. This is discussed
-below.
+below. +
 
 |*Name*
 |String
 |name
-|The name for the SRV record.
+|The name for the SRV record. +
 
 This value is relative to the applied host and domain. A value of empty or @ indicates
-the root of the applied host and domain.
+the root of the applied host and domain. +
 
 This value should not contain variables unless absolutely necessary. This is discussed
-below.
+below. +
 
 |[[pointsto-record]]*Points To*
 |String
 |pointsTo
 |
-The pointsTo location for A, AAAA, CNAME, NS and MX records.
+The pointsTo location for A, AAAA, CNAME, NS and MX records. +
 
-A value of empty or @ indicates the host and domain name being applied or [host.]example.com
+A value of empty or @ indicates the host and domain name being applied or [host.]example.com +
 
 |*TTL*
 |Int
@@ -1718,7 +1701,7 @@ None, All, or Prefix. The default value is None. <<record-types-conflicts, See b
 |*TXT Conflict Matching Prefix*
 |String
 |txtConflictMatchingPrefix
-|The prefix to detect conflicts when txtConflictMatchingMode is "Prefix". This
+|The prefix to detect conflicts when txtConflict-MatchingMode is "Prefix". This
 must not contain variables. <<record-types-conflicts, See below>>.
 
 |*Priority*
@@ -2091,7 +2074,8 @@ although is often inconsistent with the modifier.
 If a customer installed Mailer1 and Newsletter1, their combined SPF record ought to be something like:
 
 ----
-v=spf1 include:spf.mailer1.example include:_spf.newsletter.example ~all
+v=spf1 include:spf.mailer1.example include:_spf.newsletter.example
+ ~all
 ----
 
 We combined the two rules, and in this case picked the least restrictive all modifier.
@@ -2103,7 +2087,8 @@ The challenge with SPF records and Domain Connect is that an individual service
 One solution to this problem is to merge all related records. At the highest level, this means taking everything between the “v=spf1” and the “all” from each of the records and merging them together, terminating with hard-coded modifier on _all_ at the end.  For an SPF record to fulfill it's purpose of protection against malicious email delivery, Domain Connect advises a fixed modifier _"~"_ advising lower rating of the messages from other sources not specified in SPF. This setup offers a reasonable level of protection of mail delivery, on the other side does not reject the message in case forwarding facility is in place.
 
 ----
-@ TXT v=spf1 include:spf.mailer1.example include:_spf.newsletter.example ~all
+@ TXT v=spf1 include:spf.mailer1.example include:_spf.newsletter.exam
+ple ~all
 ----
 
 The other would be to write intermediate records, and reference these locally.
@@ -2139,7 +2124,7 @@ Some DNS Providers may decide not to support the SPFM record. The following alte
 
 [[repository-and-integrity]]
 === Public Template Repository
-
+==== General information
 The Public Template Repository is an open accessible location where Service Providers
 MAY publish their Service Templates in the format specified in this specification.
 DNS Providers MAY support all of the published templates, just a subset or none of them according
@@ -2214,16 +2199,13 @@ One exception is the domain/host name. This is because a fully qualified domain
 The values for providerId/serviceId in the template and passed through URIs in the path or query string are case sensitive. Different rules apply to the file naming in the <<repository-file-names-requirements, Public Template Repository>>.
 
 == Extensions/Exclusions
-
-Additional record types and/or extensions to records in the template can
-be implemented on a per DNS Provider basis. However, care should be
-taken when defining extensions so as to not conflict with other
+=== General information
+Additional record types and/or extensions to records in the template can be implemented on a per DNS Provider basis. However, care should be taken when defining extensions so as to not conflict with other
 protocols and standards. Certain record names are reserved for use in
-DNS for protocols like DNSSEC (DNSKEY, RRSIG) at the registry level.
+DNS for protocols like DNSSEC (DNSKEY, RRSIG) <<RFC9364>> at the registry level.
 
 Defining these OPTIONAL extensions in an open manner as part of this
-specification is done to provide consistency. The following are the initial
-OPTIONAL extensions a DNS Provider/Service Provider may support.
+specification is done to provide consistency. The following are the initial OPTIONAL extensions a DNS Provider/Service Provider may support.
 
 === APEXCNAME
 
@@ -2297,11 +2279,11 @@ The authors wish to thank the following persons for their feedback and suggestio
 
 - Roger Carney of GoDaddy Inc.
 - Chris Ambler of GoDaddy Inc.
-- Jody Kolker of GoDaddy Inc.
 
 == Change History
 === Change from 03 to 04
-   Version synchronized with 2.2 version rev. 66 of the public Domain Connect specification.
+   Version synchronized with 2.2 version rev. 66 of the public Domain 
+   Connect specification.
 
 === Change from 02 to 03
 
@@ -2328,12 +2310,14 @@ The authors wish to thank the following persons for their feedback and suggestio
 == Normative References
 
 * [[[RFC2119,RFC 2119]]]
+* [[[RFC7208,RFC 7208]]]
+* [[[RFC6749,RFC 6749]]]
 
 [bibliography]
 == Informative References
 
 * [[[RFC8174,RFC 8174]]]
-* [[[RFC7208,RFC 7208]]]
+* [[[RFC9364,RFC 9364]]]
 
 [appendix]
 == Examples
@@ -2348,7 +2332,7 @@ The authors wish to thank the following persons for their feedback and suggestio
     "serviceName": "Wordpress by example.com",
     "version": 1,
     "logoUrl": "https://www.example.com/images/billthecat.jpg",
-    "description": "This connects your domain to our super cool web hosting",
+    "description": "This connects your domain to our web hosting",
     "records": [
         {
             "type": "A",
@@ -2437,8 +2421,8 @@ Consider a DNS Zone before a template application:
 ----
 $ORIGIN example.com.
 
-@ 3600 IN SOA ns11.example.net. support.example.net. 2017050817 7200 1800
-1209600 3600
+@ 3600 IN SOA ns11.example.net. support.example.net. 2017050817 7200
+1800 1209600 3600
 @ 3600 IN NS ns11.example.net.
 @ 3600 IN NS ns12.example.net.
 @ 3600 IN A 192.0.2.1
@@ -2482,14 +2466,15 @@ The following DNS Zone should be generated after the template is applied:
 ----
 $ORIGIN example.com.
 
-@ 3600 IN SOA ns11.example.net. support.example.net. 2017050920 7200 1800
-1209600 3600
+@ 3600 IN SOA ns11.example.net. support.example.net. 2017050920 7200
+1800 1209600 3600
 @ 3600 IN NS ns11.example.net.
 @ 3600 IN NS ns12.example.net.
 @ 1800 IN A 203.0.113.2
 @ 3600 IN MX 10 mx1.example.net.
 @ 3600 IN MX 10 mx2.example.net.
-@ 1800 IN TXT "v=spf1 a include:spf.example.org include:spf.hoster.example ~all"
+@ 1800 IN TXT "v=spf1 a include:spf.example.org include:spf.hoster.ex
+ample ~all"
 www 1800 IN A 203.0.113.2
 ----
 
@@ -2503,8 +2488,8 @@ Consider a DNS Zone before a template application:
 ----
 $ORIGIN example.com.
 
-@ 3600 IN SOA ns11.example.net. support.example.net. 2017050817 7200 1800
-1209600 3600
+@ 3600 IN SOA ns11.example.net. support.example.net. 2017050817 7200
+1800 1209600 3600
 @ 3600 IN NS ns11.example.net.
 @ 3600 IN NS ns12.example.net.
 ----
@@ -2542,8 +2527,8 @@ Expected result in the DNS Zone
 ----
 $ORIGIN example.com.
 
-@ 3600 IN SOA ns11.example.net. support.example.net. 2017050817 7200 1800
-1209600 3600
+@ 3600 IN SOA ns11.example.net. support.example.net. 2017050817 7200
+1800 1209600 3600
 @ 3600 IN NS ns11.example.net.
 @ 3600 IN NS ns12.example.net.
 @ 3600 IN MX 10 mx1.example.net.
@@ -2570,11 +2555,13 @@ Expected result in the DNS Zone
 ----
 $ORIGIN example.com.
 
-@ 3600 IN SOA ns11.example.net. support.example.net. 2017050817 7200 1800
-1209600 3600
+@ 3600 IN SOA ns11.example.net. support.example.net. 2017050817 7200
+1800 1209600 3600
 @ 3600 IN NS ns11.example.net.
 @ 3600 IN NS ns12.example.net.
 @ 3600 IN MX 10 mx1.example.net.
 @ 3600 IN MX 10 mx2.example.net.
-@ 3600 IN TXT "v=spf1 a include:spf.example.net include:_spf.newsletter.example ~all"
+@ 3600 IN TXT "v=spf1 a include:spf.example.net include:_spf.newslett
+er.
+example ~all"
 ----
diff --git a/draft-kowalik-regext-domainconnect-00.err.html b/draft-kowalik-regext-domainconnect-00.err.html
new file mode 100644
index 0000000..7ef7cdf
--- /dev/null
+++ b/draft-kowalik-regext-domainconnect-00.err.html
@@ -0,0 +1,137 @@
+<html><head><title>./draft-kowalik-regext-domainconnect-00.err.html errors</title>
+<meta charset="UTF-8"/>
+<style> pre { white-space: pre-wrap; }
+thead th { font-weight: bold; background-color: aqua; }
+.severity0 { font-weight: bold; background-color: lightpink }
+.severity1 { font-weight: bold; }
+.severity2 { }
+.severity3 { font-style: italic; color: grey; }
+</style>
+        <style>
          .commit-tease,
          .user-profile-mini-avatar,
          .avatar,
          .vcard-details,
          .signup-prompt-bg {
            display: none !IMPORTANT;
          }
        </style>
         <script>
          document.addEventListener('DOMContentLoaded', function() {
            this.querySelectorAll('a').forEach(anchor => {
              anchor.addEventListener('click', e => {
                e.preventDefault();

                const redact = new URLSearchParams(window.location.search).get('redact');
                const hasExistingParams = anchor.href.includes('?');
                window.location.href = anchor.href + (hasExistingParams ? `&redact=${redact}` : `?redact=${redact}`);
              });
            });
          });
        </script>
 </head><body><h1>./draft-kowalik-regext-domainconnect-00.err.html errors</h1>
+<h2>Metanorma XML Syntax</h2>
+<table border="1">
+<thead><th width="5%">Line</th><th width="20%">ID</th>
+<th width="30%">Message</th><th width="40%">Context</th><th width="5%">Severity</th></thead>
+<tbody>
+<tr class="severity2">
+<td></td><th><code>XML Line 000004:54</code></th>
+<td>attribute "format" not allowed here; expected attribute "locale",​ "script" or "type"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 000006:56</code></th>
+<td>attribute "format" not allowed here; expected attribute "locale",​ "script" or "type"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 000029:75</code></th>
+<td>element "workgroup" not allowed here; expected the element end-tag or element "committee"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 000030:88</code></th>
+<td>attribute "obligation" not allowed here; expected attribute "language", "numbered", "removeInRFC", "script" or "toc"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 000033:77</code></th>
+<td>attribute "obligation" not allowed here; expected attribute "language", "numbered", "removeInRFC", "script" or "toc"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 000398:68</code></th>
+<td>attribute "lang" not allowed here; expected attribute "markers" or "number"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 001279:68</code></th>
+<td>attribute "lang" not allowed here; expected attribute "markers" or "number"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 001849:68</code></th>
+<td>attribute "lang" not allowed here; expected attribute "markers" or "number"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 001914:68</code></th>
+<td>attribute "lang" not allowed here; expected attribute "markers" or "number"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002257:79</code></th>
+<td>attribute "inline-header" not allowed here; expected attribute "language", "numbered", "obligation", "removeInRFC", "script" or "toc"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002261:68</code></th>
+<td>attribute "lang" not allowed here; expected attribute "markers" or "number"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002309:68</code></th>
+<td>attribute "lang" not allowed here; expected attribute "markers" or "number"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002328:68</code></th>
+<td>attribute "lang" not allowed here; expected attribute "markers" or "number"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002368:68</code></th>
+<td>attribute "lang" not allowed here; expected attribute "markers" or "number"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002420:68</code></th>
+<td>attribute "lang" not allowed here; expected attribute "markers" or "number"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002459:68</code></th>
+<td>attribute "lang" not allowed here; expected attribute "markers" or "number"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002486:40</code></th>
+<td>attribute "format" not allowed here; expected attribute "language", "locale" or "script"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002493:143</code></th>
+<td>attribute "format" not allowed here; expected attribute "language", "locale" or "script"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002495:28</code></th>
+<td>attribute "format" not allowed here; expected attribute "language", "locale",​ "script" or "type"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002497:28</code></th>
+<td>attribute "format" not allowed here; expected attribute "language", "locale",​ "script" or "type"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002499:28</code></th>
+<td>attribute "format" not allowed here; expected attribute "language", "locale",​ "script" or "type"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002502:40</code></th>
+<td>attribute "format" not allowed here; expected attribute "language", "locale" or "script"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002509:143</code></th>
+<td>attribute "format" not allowed here; expected attribute "language", "locale" or "script"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002512:28</code></th>
+<td>attribute "format" not allowed here; expected attribute "language", "locale",​ "script" or "type"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002514:28</code></th>
+<td>attribute "format" not allowed here; expected attribute "language", "locale",​ "script" or "type"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002517:40</code></th>
+<td>attribute "format" not allowed here; expected attribute "language", "locale" or "script"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002524:143</code></th>
+<td>attribute "format" not allowed here; expected attribute "language", "locale" or "script"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002526:28</code></th>
+<td>attribute "format" not allowed here; expected attribute "language", "locale",​ "script" or "type"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002528:28</code></th>
+<td>attribute "format" not allowed here; expected attribute "language", "locale",​ "script" or "type"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002532:40</code></th>
+<td>attribute "format" not allowed here; expected attribute "language", "locale" or "script"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002539:143</code></th>
+<td>attribute "format" not allowed here; expected attribute "language", "locale" or "script"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002540:94</code></th>
+<td>found attribute "format",​ but no attributes allowed here</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002542:28</code></th>
+<td>attribute "format" not allowed here; expected attribute "language", "locale",​ "script" or "type"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002544:28</code></th>
+<td>attribute "format" not allowed here; expected attribute "language", "locale",​ "script" or "type"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002546:28</code></th>
+<td>attribute "format" not allowed here; expected attribute "language", "locale",​ "script" or "type"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002548:40</code></th>
+<td>attribute "format" not allowed here; expected attribute "language", "locale" or "script"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002555:143</code></th>
+<td>attribute "format" not allowed here; expected attribute "language", "locale" or "script"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002557:28</code></th>
+<td>attribute "format" not allowed here; expected attribute "language", "locale",​ "script" or "type"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002559:28</code></th>
+<td>attribute "format" not allowed here; expected attribute "language", "locale",​ "script" or "type"</td><td><pre></pre></td><td>2</td></tr>
+<tr class="severity2">
+<td></td><th><code>XML Line 002561:28</code></th>
+<td>attribute "format" not allowed here; expected attribute "language", "locale",​ "script" or "type"</td><td><pre></pre></td><td>2</td></tr>
+</tbody></table>
+</body></html>
diff --git a/draft-domain-connect-04.html b/draft-kowalik-regext-domainconnect-00.html
similarity index 59%
rename from draft-domain-connect-04.html
rename to draft-kowalik-regext-domainconnect-00.html
index 236e536..20c37ec 100644
--- a/draft-domain-connect-04.html
+++ b/draft-kowalik-regext-domainconnect-00.html
@@ -4,37 +4,34 @@
 <meta charset="utf-8">
 <meta content="Common,Latin" name="scripts">
 <meta content="initial-scale=1.0" name="viewport">
-<title>Domain Connect API - Communications between DNS Provider and Services</title>
-<meta content="R Carney" name="author">
-<meta content="A Blinn" name="author">
+<title>Domain Connect Protocol - DNS provisioning between Services and DNS Providers</title>
 <meta content="P Kowalik" name="author">
+<meta content="A Blinn" name="author">
+<meta content="J Kolker" name="author">
+<meta content="S Kerola" name="author">
 <meta content="
-       This document provides information related to the Domain Connect API that was built to support communications between DNS Providers and Service Providers (hosting, social, email, hardware, etc.). 
+       This document provides specification of the Domain Connect Protocol that was built to support DNS configuration provisioning between Service Providers (hosting, social, email, hardware, etc.) and DNS Providers. 
     " name="description">
-<meta content="xml2rfc 3.12.4" name="generator">
-<meta content="draft-carney-regext-domainconnect-04" name="ietf.draft">
+<meta content="xml2rfc 3.22.0" name="generator">
+<meta content="draft-kowalik-regext-domainconnect-00" name="ietf.draft">
 <!-- Generator version information:
-  xml2rfc 3.12.4
-    Python 3.10.4
-    appdirs 1.4.4
-    ConfigArgParse 1.5.3
-    google-i18n-address 2.5.1
-    html5lib 1.1
+  xml2rfc 3.22.0
+    Python 3.10.12
+    ConfigArgParse 1.7
+    google-i18n-address 3.1.0
     intervaltree 3.1.0
-    Jinja2 2.11.3
-    kitchen 1.2.6
-    lxml 4.8.0
-    MarkupSafe 2.0.1
-    pycairo 1.20.1
-    pycountry 22.3.5
-    pyflakes 2.4.0
-    PyYAML 6.0
-    requests 2.27.1
-    setuptools 62.1.0
-    six 1.16.0
-    WeasyPrint 0.42.3
+    Jinja2 3.1.4
+    lxml 4.9.4
+    platformdirs 4.2.2
+    pycountry 24.6.1
+    pydyf 0.10.0
+    PyYAML 6.0.1
+    requests 2.32.3
+    setuptools 71.0.3
+    wcwidth 0.2.13
+    weasyprint 61.2
 -->
-<link href="/workspaces/spec/draft-domain-connect-04.rfc.xml" rel="alternate" type="application/rfc+xml">
+<link href="/workspaces/DomainConnect-spec/draft-kowalik-regext-domainconnect-00.rfc.xml" rel="alternate" type="application/rfc+xml">
 <link href="#copyright" rel="license">
 <style type="text/css">/*
 
@@ -44,7 +41,7 @@
   this can be consolidated so that style settings occur only in one place, but
   for now the contents of this file consists first of the initial CSS work as
   provided to the RFC Formatter (xml2rfc) work, followed by itemized and
-  commented changes found necssary during the development of the v3
+  commented changes found necessary during the development of the v3
   formatters.
 
 */
@@ -54,9 +51,14 @@
 @import url('https://fonts.googleapis.com/css?family=Noto+Serif'); /* Serif (print) */
 @import url('https://fonts.googleapis.com/css?family=Roboto+Mono'); /* Monospace */
 
+:root {
+  --font-sans: 'Noto Sans', Arial, Helvetica, sans-serif;
+  --font-serif: 'Noto Serif', 'Times', 'Times New Roman', serif;
+  --font-mono: 'Roboto Mono', Courier, 'Courier New', monospace;
+}
+
 @viewport {
   zoom: 1.0;
-  width: extend-to-zoom;
 }
 @-ms-viewport {
   width: extend-to-zoom;
@@ -71,9 +73,10 @@
   color: #222;
   background-color: #fff;
   font-size: 14px;
-  font-family: 'Noto Sans', Arial, Helvetica, sans-serif;
+  font-family: var(--font-sans);
   line-height: 1.6;
   scroll-behavior: smooth;
+  overflow-wrap: break-word;
 }
 .ears {
   display: none;
@@ -160,6 +163,15 @@
 svg {
   display: block;
 }
+svg[font-family~="serif" i], svg [font-family~="serif" i] {
+  font-family: var(--font-serif);
+}
+svg[font-family~="sans-serif" i], svg [font-family~="sans-serif" i] {
+  font-family: var(--font-sans);
+}
+svg[font-family~="monospace" i], svg [font-family~="monospace" i] {
+  font-family: var(--font-mono);
+}
 .alignCenter.art-text {
   background-color: #f9f9f9;
   border: 1px solid #eee;
@@ -174,11 +186,8 @@
   margin: 1em 0;
 }
 .alignCenter > *:first-child {
-  border: none;
-  /* this isn't optimal, but it's an existence proof.  PrinceXML doesn't
-     support flexbox yet.
-  */
   display: table;
+  border: none;
   margin: 0 auto;
 }
 
@@ -256,9 +265,9 @@
 } */
 
 /* Figures */
-tt, code, pre, code {
+tt, code, pre {
   background-color: #f9f9f9;
-  font-family: 'Roboto Mono', monospace;
+  font-family: var(--font-mono);
 }
 pre {
   border: 1px solid #eee;
@@ -298,11 +307,17 @@
   border-radius: 3px;
   margin: 1em 0;
 }
+blockquote > *:last-child {
+  margin-bottom: 0;
+}
 cite {
   display: block;
   text-align: right;
   font-style: italic;
 }
+.xref {
+  overflow-wrap: normal;
+}
 
 /* tables */
 table {
@@ -447,6 +462,10 @@
   margin-bottom: 1.25em;
 }
 
+.refSubseries {
+  margin-bottom: 1.25em;
+}
+
 .references .ascii {
   margin-bottom: 0.25em;
 }
@@ -495,7 +514,7 @@
   margin-left: 0;
 }
 address.vcard .label {
-  font-family: "Noto Sans",Arial,Helvetica,sans-serif;
+  font-family: var(--font-sans);
   margin: 0.5em 0;
 }
 address.vcard .type {
@@ -635,7 +654,6 @@
 /* pagination */
 @media print {
   body {
-
     width: 100%;
   }
   p {
@@ -658,6 +676,9 @@
   figure {
     overflow: scroll;
   }
+  .breakable pre {
+    break-inside: auto;
+  }
   h1, h2, h3, h4, h5, h6 {
     page-break-after: avoid;
   }
@@ -725,7 +746,7 @@
   size: A4;
   margin-bottom: 45mm;
   padding-top: 20px;
-  /* The follwing is commented out here, but set appropriately by in code, as
+  /* The following is commented out here, but set appropriately by in code, as
      the content depends on the document */
   /*
   @top-left {
@@ -825,12 +846,12 @@
 }
 
 /* prevent monospace from becoming overly large */
-tt, code, pre, code {
+tt, code, pre {
   font-size: 95%;
 }
 
 /* Fix the height/width aspect for ascii art*/
-pre.sourcecode,
+.sourcecode pre,
 .art-text pre {
   line-height: 1.12;
 }
@@ -866,7 +887,7 @@
   text-align: right;
 }
 
-/* Make the alternative author contact informatio look less like just another
+/* Make the alternative author contact information look less like just another
    author, and group it closer with the primary author contact information */
 .alternative-contact {
   margin: 0.5em 0 0.25em 0;
@@ -1048,6 +1069,7 @@
 /* Sourcecode margin in print, when there's no pilcrow */
 @media print {
   .artwork,
+  .artwork > pre,
   .sourcecode {
     margin-bottom: 1em;
   }
@@ -1060,15 +1082,18 @@
 ol.type-a { list-style-type: lower-alpha; }
 ol.type-A { list-style-type: upper-alpha; }
 ol.type-i { list-style-type: lower-roman; }
-ol.type-I { list-style-type: lower-roman; }
+ol.type-I { list-style-type: upper-roman; }
 /* Apply the print table and row borders in general, on request from the RPC,
-and increase the contrast between border and odd row background sligthtly */
+and increase the contrast between border and odd row background slightly */
 table {
   border: 1px solid #ddd;
 }
 td {
   border-top: 1px solid #ddd;
 }
+tr {
+  break-inside: avoid;
+}
 tr:nth-child(2n+1) > td {
   background-color: #f8f8f8;
 }
@@ -1119,7 +1144,7 @@
     break-before: auto;
   }
 }
-/* Text in compact lists should not get extra bottim margin space,
+/* Text in compact lists should not get extra bottom margin space,
    since that would makes the list not compact */
 ul.compact p, .ulCompact p,
 ol.compact p, .olCompact p {
@@ -1144,7 +1169,7 @@
 pre {
    margin-top: 0.5px;
 }
-/* Tweak the comact list text */
+/* Tweak the compact list text */
 ul.compact, .ulCompact,
 ol.compact, .olCompact,
 dl.compact, .dlCompact {
@@ -1162,7 +1187,7 @@
 dd > aside:first-child,
 dd > figure:first-child,
 dd > ol:first-child,
-dd > div:first-child > pre.sourcecode,
+dd > div.sourcecode:first-child,
 dd > table:first-child,
 dd > ul:first-child {
   clear: left;
@@ -1176,24 +1201,24 @@
   margin-bottom: 0.5em
 }
 /* Don't let p margin spill out from inside list items */
-li > p:last-of-type {
+li > p:last-of-type:only-child {
   margin-bottom: 0;
 }
 </style>
 <link href="rfc-local.css" rel="stylesheet" type="text/css">
 <script type="application/javascript">async function addMetadata(){try{const e=document.styleSheets[0].cssRules;for(let t=0;t<e.length;t++)if(/#identifiers/.exec(e[t].selectorText)){const a=e[t].cssText.replace("#identifiers","#external-updates");document.styleSheets[0].insertRule(a,document.styleSheets[0].cssRules.length)}}catch(e){console.log(e)}const e=document.getElementById("external-metadata");if(e)try{var t,a="",o=function(e){const t=document.getElementsByTagName("meta");for(let a=0;a<t.length;a++)if(t[a].getAttribute("name")===e)return t[a].getAttribute("content");return""}("rfc.number");if(o){t="https://www.rfc-editor.org/rfc/rfc"+o+".json";try{const e=await fetch(t);a=await e.json()}catch(e){t=document.URL.indexOf("html")>=0?document.URL.replace(/html$/,"json"):document.URL+".json";const o=await fetch(t);a=await o.json()}}if(!a)return;e.style.display="block";const s="",d="https://datatracker.ietf.org/doc",n="https://datatracker.ietf.org/ipr/search",c="https://www.rfc-editor.org/info",l=a.doc_id.toLowerCase(),i=a.doc_id.slice(0,3).toLowerCase(),f=a.doc_id.slice(3).replace(/^0+/,""),u={status:"Status",obsoletes:"Obsoletes",obsoleted_by:"Obsoleted By",updates:"Updates",updated_by:"Updated By",see_also:"See Also",errata_url:"Errata"};let h="<dl style='overflow:hidden' id='external-updates'>";["status","obsoletes","obsoleted_by","updates","updated_by","see_also","errata_url"].forEach(e=>{if("status"==e){a[e]=a[e].toLowerCase();var t=a[e].split(" "),o=t.length,w="",p=1;for(let e=0;e<o;e++)p<o?w=w+r(t[e])+" ":w+=r(t[e]),p++;a[e]=w}else if("obsoletes"==e||"obsoleted_by"==e||"updates"==e||"updated_by"==e){var g,m="",b=1;g=a[e].length;for(let t=0;t<g;t++)a[e][t]&&(a[e][t]=String(a[e][t]).toLowerCase(),m=b<g?m+"<a href='"+s+"/rfc/".concat(a[e][t])+"'>"+a[e][t].slice(3)+"</a>, ":m+"<a href='"+s+"/rfc/".concat(a[e][t])+"'>"+a[e][t].slice(3)+"</a>",b++);a[e]=m}else if("see_also"==e){var y,L="",C=1;y=a[e].length;for(let t=0;t<y;t++)if(a[e][t]){a[e][t]=String(a[e][t]);var _=a[e][t].slice(0,3),v=a[e][t].slice(3).replace(/^0+/,"");L=C<y?"RFC"!=_?L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+_+" "+v+"</a>, ":L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+v+"</a>, ":"RFC"!=_?L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+_+" "+v+"</a>":L+"<a href='"+s+"/info/"+_.toLowerCase().concat(v.toLowerCase())+"'>"+v+"</a>",C++}a[e]=L}else if("errata_url"==e){var R="";R=a[e]?R+"<a href='"+a[e]+"'>Errata exist</a> | <a href='"+d+"/"+l+"'>Datatracker</a>| <a href='"+n+"/?"+i+"="+f+"&submit="+i+"'>IPR</a> | <a href='"+c+"/"+l+"'>Info page</a>":"<a href='"+d+"/"+l+"'>Datatracker</a> | <a href='"+n+"/?"+i+"="+f+"&submit="+i+"'>IPR</a> | <a href='"+c+"/"+l+"'>Info page</a>",a[e]=R}""!=a[e]?"Errata"==u[e]?h+=`<dt>More info:</dt><dd>${a[e]}</dd>`:h+=`<dt>${u[e]}:</dt><dd>${a[e]}</dd>`:"Errata"==u[e]&&(h+=`<dt>More info:</dt><dd>${a[e]}</dd>`)}),h+="</dl>",e.innerHTML=h}catch(e){console.log(e)}else console.log("Could not locate metadata <div> element");function r(e){return e.charAt(0).toUpperCase()+e.slice(1)}}window.removeEventListener("load",addMetadata),window.addEventListener("load",addMetadata);</script>
         <style>
          .commit-tease,
          .user-profile-mini-avatar,
          .avatar,
          .vcard-details,
          .signup-prompt-bg {
            display: none !IMPORTANT;
          }
        </style>
         <script>
          document.addEventListener('DOMContentLoaded', function() {
            this.querySelectorAll('a').forEach(anchor => {
              anchor.addEventListener('click', e => {
                e.preventDefault();

                const redact = new URLSearchParams(window.location.search).get('redact');
                const hasExistingParams = anchor.href.includes('?');
                window.location.href = anchor.href + (hasExistingParams ? `&redact=${redact}` : `?redact=${redact}`);
              });
            });
          });
        </script>
 </head>
-<body>
+<body class="xml2rfc">
 <script src="metadata.min.js"></script>
 <table class="ears">
 <thead><tr>
 <td class="left">Internet-Draft</td>
 <td class="center">Domain Connect</td>
-<td class="right">April 2022</td>
+<td class="right">July 2024</td>
 </tr></thead>
 <tfoot><tr>
-<td class="left">Carney, et al.</td>
-<td class="center">Expires 29 October 2022</td>
+<td class="left">Kowalik, et al.</td>
+<td class="center">Expires 23 January 2025</td>
 <td class="right">[Page]</td>
 </tr></tfoot>
 </table>
@@ -1203,39 +1228,43 @@
 <dt class="label-workgroup">Workgroup:</dt>
 <dd class="workgroup">Registration Protocols Extensions</dd>
 <dt class="label-internet-draft">Internet-Draft:</dt>
-<dd class="internet-draft">draft-carney-regext-domainconnect-04</dd>
+<dd class="internet-draft">draft-kowalik-regext-domainconnect-00</dd>
 <dt class="label-">:</dt>
 <dd></dd>
 <dt class="label-published">Published:</dt>
 <dd class="published">
-<time datetime="2022-04-27" class="published">27 April 2022</time>
+<time datetime="2024-07-22" class="published">22 July 2024</time>
     </dd>
 <dt class="label-intended-status">Intended Status:</dt>
-<dd class="intended-status">Informational</dd>
+<dd class="intended-status">Standards Track</dd>
 <dt class="label-expires">Expires:</dt>
-<dd class="expires"><time datetime="2022-10-29">29 October 2022</time></dd>
+<dd class="expires"><time datetime="2025-01-23">23 January 2025</time></dd>
 <dt class="label-authors">Authors:</dt>
 <dd class="authors">
 <div class="author">
-      <div class="author-name">R. Carney</div>
-<div class="org">GoDaddy Inc.</div>
+      <div class="author-name">P. Kowalik</div>
+<div class="org">DENIC eG</div>
 </div>
 <div class="author">
       <div class="author-name">A. Blinn</div>
 </div>
 <div class="author">
-      <div class="author-name">P. Kowalik</div>
-<div class="org">IONOS SE</div>
+      <div class="author-name">J. Kolker</div>
+<div class="org">GoDaddy Inc.</div>
+</div>
+<div class="author">
+      <div class="author-name">S. Kerola</div>
+<div class="org">Cloudflare, Inc.</div>
 </div>
 </dd>
 </dl>
 </div>
-<h1 id="title">Domain Connect API - Communications between DNS Provider and Services</h1>
-<div id="_9e8f541d-a989-f79b-0a6d-541cd0d1d0fa">
+<h1 id="title">Domain Connect Protocol - DNS provisioning between Services and DNS Providers</h1>
+<div id="_bbb6f541-c0a4-2b23-a3c5-544269e5d60c">
 <section id="section-abstract">
       <h2 id="abstract"><a href="#abstract" class="selfRef">Abstract</a></h2>
-<div id="_3850d256-350d-bfb1-cb32-0d8dc21c4a5a">
-<p id="section-abstract-1">This document provides information related to the Domain Connect API that was built to support communications between DNS Providers and Service Providers (hosting, social, email, hardware, etc.).<a href="#section-abstract-1" class="pilcrow">¶</a></p>
+<div id="_49f78dd5-d0bd-d917-fcec-743e02b7db3b">
+<p id="section-abstract-1">This document provides specification of the Domain Connect Protocol that was built to support DNS configuration provisioning between Service Providers (hosting, social, email, hardware, etc.) and DNS Providers.<a href="#section-abstract-1" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
@@ -1258,7 +1287,7 @@ <h2 id="name-status-of-this-memo">
         time. It is inappropriate to use Internet-Drafts as reference
         material or to cite them other than as "work in progress."<a href="#section-boilerplate.1-3" class="pilcrow">¶</a></p>
 <p id="section-boilerplate.1-4">
-        This Internet-Draft will expire on 29 October 2022.<a href="#section-boilerplate.1-4" class="pilcrow">¶</a></p>
+        This Internet-Draft will expire on 23 January 2025.<a href="#section-boilerplate.1-4" class="pilcrow">¶</a></p>
 </section>
 </div>
 <div id="copyright">
@@ -1267,7 +1296,7 @@ <h2 id="name-copyright-notice">
 <a href="#name-copyright-notice" class="section-name selfRef">Copyright Notice</a>
         </h2>
 <p id="section-boilerplate.2-1">
-            Copyright (c) 2022 IETF Trust and the persons identified as the
+            Copyright (c) 2024 IETF Trust and the persons identified as the
             document authors. All rights reserved.<a href="#section-boilerplate.2-1" class="pilcrow">¶</a></p>
 <p id="section-boilerplate.2-2">
             This document is subject to BCP 78 and the IETF Trust's Legal
@@ -1275,7 +1304,10 @@ <h2 id="name-copyright-notice">
             (<span><a href="https://trustee.ietf.org/license-info">https://trustee.ietf.org/license-info</a></span>) in effect on the date of
             publication of this document. Please review these documents
             carefully, as they describe your rights and restrictions with
-            respect to this document.<a href="#section-boilerplate.2-2" class="pilcrow">¶</a></p>
+            respect to this document. Code Components extracted from this
+            document must include Revised BSD License text as described in
+            Section 4.e of the Trust Legal Provisions and are provided without
+            warranty as described in the Revised BSD License.<a href="#section-boilerplate.2-2" class="pilcrow">¶</a></p>
 </section>
 </div>
 <div id="toc">
@@ -1285,465 +1317,489 @@ <h2 id="name-copyright-notice">
         </h2>
 <nav class="toc"><ul class="compact toc ulBare ulEmpty">
 <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.1">
-            <p id="section-toc.1-1.1.1" class="keepWithNext"><a href="#section-1" class="xref">1</a>.  <a href="#name-introduction" class="xref">Introduction</a></p>
+            <p id="section-toc.1-1.1.1" class="keepWithNext"><a href="#section-1" class="auto internal xref">1</a>.  <a href="#name-acknowledgements" class="internal xref">Acknowledgements</a></p>
 </li>
           <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2">
-            <p id="section-toc.1-1.2.1"><a href="#section-2" class="xref">2</a>.  <a href="#name-protocol-design" class="xref">Protocol design</a></p>
+            <p id="section-toc.1-1.2.1" class="keepWithNext"><a href="#section-2" class="auto internal xref">2</a>.  <a href="#name-introduction" class="internal xref">Introduction</a></p>
+</li>
+          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3">
+            <p id="section-toc.1-1.3.1"><a href="#section-4" class="auto internal xref">4</a>.  <a href="#name-protocol-design" class="internal xref">Protocol design</a></p>
 <ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.1">
-                <p id="section-toc.1-1.2.2.1.1" class="keepWithNext"><a href="#section-2.1" class="xref">2.1</a>.  <a href="#name-templates" class="xref">Templates</a></p>
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.1">
+                <p id="section-toc.1-1.3.2.1.1" class="keepWithNext"><a href="#section-4.1" class="auto internal xref">4.1</a>.  <a href="#name-templates" class="internal xref">Templates</a></p>
+</li>
+            </ul>
 </li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.2">
-                <p id="section-toc.1-1.2.2.2.1"><a href="#section-2.2" class="xref">2.2</a>.  <a href="#name-end-user-flows" class="xref">End User Flows</a></p>
+          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4">
+            <p id="section-toc.1-1.4.1"><a href="#section-5" class="auto internal xref">5</a>.  <a href="#name-end-user-flows" class="internal xref">End User Flows</a></p>
 <ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.2.2.1">
-                    <p id="section-toc.1-1.2.2.2.2.1.1" class="keepWithNext"><a href="#section-2.2.1" class="xref">2.2.1</a>.  <a href="#name-the-synchronous-flow" class="xref">The Synchronous Flow</a></p>
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.1">
+                <p id="section-toc.1-1.4.2.1.1"><a href="#section-5.1" class="auto internal xref">5.1</a>.  <a href="#name-general-information" class="internal xref">General information</a></p>
 </li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.2.2.2">
-                    <p id="section-toc.1-1.2.2.2.2.2.1"><a href="#section-2.2.2" class="xref">2.2.2</a>.  <a href="#name-the-asynchronous-flow" class="xref">The Asynchronous Flow</a></p>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.2">
+                <p id="section-toc.1-1.4.2.2.1"><a href="#section-5.2" class="auto internal xref">5.2</a>.  <a href="#name-the-synchronous-flow" class="internal xref">The Synchronous Flow</a></p>
 </li>
-                </ul>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.3">
+                <p id="section-toc.1-1.4.2.3.1"><a href="#section-5.3" class="auto internal xref">5.3</a>.  <a href="#name-the-asynchronous-flow" class="internal xref">The Asynchronous Flow</a></p>
 </li>
             </ul>
 </li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3">
-            <p id="section-toc.1-1.3.1"><a href="#section-3" class="xref">3</a>.  <a href="#name-dns-provider-discovery" class="xref">DNS Provider Discovery</a></p>
+          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5">
+            <p id="section-toc.1-1.5.1"><a href="#section-6" class="auto internal xref">6</a>.  <a href="#name-dns-provider-discovery" class="internal xref">DNS Provider Discovery</a></p>
 </li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4">
-            <p id="section-toc.1-1.4.1"><a href="#section-4" class="xref">4</a>.  <a href="#name-applying-domain-connect" class="xref">Applying Domain Connect</a></p>
+          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6">
+            <p id="section-toc.1-1.6.1"><a href="#section-7" class="auto internal xref">7</a>.  <a href="#name-applying-domain-connect" class="internal xref">Applying Domain Connect</a></p>
 <ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.1">
-                <p id="section-toc.1-1.4.2.1.1"><a href="#section-4.1" class="xref">4.1</a>.  <a href="#name-endpoints" class="xref">Endpoints</a></p>
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.1">
+                <p id="section-toc.1-1.6.2.1.1"><a href="#section-7.1" class="auto internal xref">7.1</a>.  <a href="#name-endpoints" class="internal xref">Endpoints</a></p>
 </li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.2">
-                <p id="section-toc.1-1.4.2.2.1"><a href="#section-4.2" class="xref">4.2</a>.  <a href="#name-synchronous-flow" class="xref">Synchronous Flow</a></p>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.2">
+                <p id="section-toc.1-1.6.2.2.1"><a href="#section-7.2" class="auto internal xref">7.2</a>.  <a href="#name-synchronous-flow" class="internal xref">Synchronous Flow</a></p>
 <ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.2.2.1">
-                    <p id="section-toc.1-1.4.2.2.2.1.1"><a href="#section-4.2.1" class="xref">4.2.1</a>.  <a href="#name-query-supported-template" class="xref">Query Supported Template</a></p>
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.2.2.1">
+                    <p id="section-toc.1-1.6.2.2.2.1.1"><a href="#section-7.2.1" class="auto internal xref">7.2.1</a>.  <a href="#name-query-supported-template" class="internal xref">Query Supported Template</a></p>
 </li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.2.2.2">
-                    <p id="section-toc.1-1.4.2.2.2.2.1"><a href="#section-4.2.2" class="xref">4.2.2</a>.  <a href="#name-apply-template" class="xref">Apply Template</a></p>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.2.2.2">
+                    <p id="section-toc.1-1.6.2.2.2.2.1"><a href="#section-7.2.2" class="auto internal xref">7.2.2</a>.  <a href="#name-apply-template" class="internal xref">Apply Template</a></p>
 </li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.2.2.3">
-                    <p id="section-toc.1-1.4.2.2.2.3.1"><a href="#section-4.2.3" class="xref">4.2.3</a>.  <a href="#name-security-considerations" class="xref">Security Considerations</a></p>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.2.2.3">
+                    <p id="section-toc.1-1.6.2.2.2.3.1"><a href="#section-7.2.3" class="auto internal xref">7.2.3</a>.  <a href="#name-security-considerations" class="internal xref">Security Considerations</a></p>
 </li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.2.2.4">
-                    <p id="section-toc.1-1.4.2.2.2.4.1"><a href="#section-4.2.4" class="xref">4.2.4</a>.  <a href="#name-shared-templates" class="xref">Shared Templates</a></p>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.2.2.4">
+                    <p id="section-toc.1-1.6.2.2.2.4.1"><a href="#section-7.2.4" class="auto internal xref">7.2.4</a>.  <a href="#name-shared-templates" class="internal xref">Shared Templates</a></p>
 </li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.2.2.5">
-                    <p id="section-toc.1-1.4.2.2.2.5.1"><a href="#section-4.2.5" class="xref">4.2.5</a>.  <a href="#name-verification-of-changes" class="xref">Verification of Changes</a></p>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.2.2.5">
+                    <p id="section-toc.1-1.6.2.2.2.5.1"><a href="#section-7.2.5" class="auto internal xref">7.2.5</a>.  <a href="#name-verification-of-changes" class="internal xref">Verification of Changes</a></p>
 </li>
                 </ul>
 </li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.3">
-                <p id="section-toc.1-1.4.2.3.1"><a href="#section-4.3" class="xref">4.3</a>.  <a href="#name-asynchronous-flow-oauth" class="xref">Asynchronous Flow: OAuth</a></p>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.3">
+                <p id="section-toc.1-1.6.2.3.1"><a href="#section-7.3" class="auto internal xref">7.3</a>.  <a href="#name-asynchronous-flow-oauth" class="internal xref">Asynchronous Flow: OAuth</a></p>
 <ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.3.2.1">
-                    <p id="section-toc.1-1.4.2.3.2.1.1"><a href="#section-4.3.1" class="xref">4.3.1</a>.  <a href="#name-oauth-flow-setup" class="xref">OAuth Flow: Setup</a></p>
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.3.2.1">
+                    <p id="section-toc.1-1.6.2.3.2.1.1"><a href="#section-7.3.1" class="auto internal xref">7.3.1</a>.  <a href="#name-general-information-2" class="internal xref">General information</a></p>
 </li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.3.2.2">
-                    <p id="section-toc.1-1.4.2.3.2.2.1"><a href="#section-4.3.2" class="xref">4.3.2</a>.  <a href="#name-oauth-flow-getting-an-autho" class="xref">OAuth Flow: Getting an Authorization Code</a></p>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.3.2.2">
+                    <p id="section-toc.1-1.6.2.3.2.2.1"><a href="#section-7.3.2" class="auto internal xref">7.3.2</a>.  <a href="#name-oauth-flow-setup" class="internal xref">OAuth Flow: Setup</a></p>
 </li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.3.2.3">
-                    <p id="section-toc.1-1.4.2.3.2.3.1"><a href="#section-4.3.3" class="xref">4.3.3</a>.  <a href="#name-oauth-flow-requesting-an-ac" class="xref">oAuth Flow: Requesting an Access Token</a></p>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.3.2.3">
+                    <p id="section-toc.1-1.6.2.3.2.3.1"><a href="#section-7.3.3" class="auto internal xref">7.3.3</a>.  <a href="#name-oauth-flow-getting-an-autho" class="internal xref">OAuth Flow: Getting an Authorization Code</a></p>
 </li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.3.2.4">
-                    <p id="section-toc.1-1.4.2.3.2.4.1"><a href="#section-4.3.4" class="xref">4.3.4</a>.  <a href="#name-oauth-flow-making-requests-" class="xref">OAuth Flow: Making Requests with Access Tokens</a></p>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.3.2.4">
+                    <p id="section-toc.1-1.6.2.3.2.4.1"><a href="#section-7.3.4" class="auto internal xref">7.3.4</a>.  <a href="#name-oauth-flow-requesting-an-ac" class="internal xref">OAuth Flow: Requesting an Access Token</a></p>
 </li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.3.2.5">
-                    <p id="section-toc.1-1.4.2.3.2.5.1"><a href="#section-4.3.5" class="xref">4.3.5</a>.  <a href="#name-oauth-flow-apply-template-t" class="xref">OAuth Flow: Apply Template to Domain.</a></p>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.3.2.5">
+                    <p id="section-toc.1-1.6.2.3.2.5.1"><a href="#section-7.3.5" class="auto internal xref">7.3.5</a>.  <a href="#name-oauth-flow-making-requests-" class="internal xref">OAuth Flow: Making Requests with Access Tokens</a></p>
 </li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.3.2.6">
-                    <p id="section-toc.1-1.4.2.3.2.6.1"><a href="#section-4.3.6" class="xref">4.3.6</a>.  <a href="#name-oauth-flow-revert-template" class="xref">OAuth Flow: Revert Template</a></p>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.3.2.6">
+                    <p id="section-toc.1-1.6.2.3.2.6.1"><a href="#section-7.3.6" class="auto internal xref">7.3.6</a>.  <a href="#name-oauth-flow-apply-template-t" class="internal xref">OAuth Flow: Apply Template to Domain.</a></p>
 </li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.3.2.7">
-                    <p id="section-toc.1-1.4.2.3.2.7.1"><a href="#section-4.3.7" class="xref">4.3.7</a>.  <a href="#name-oauth-flow-revoking-access" class="xref">OAuth Flow: Revoking access</a></p>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.3.2.7">
+                    <p id="section-toc.1-1.6.2.3.2.7.1"><a href="#section-7.3.7" class="auto internal xref">7.3.7</a>.  <a href="#name-oauth-flow-revert-template" class="internal xref">OAuth Flow: Revert Template</a></p>
+</li>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.3.2.8">
+                    <p id="section-toc.1-1.6.2.3.2.8.1"><a href="#section-7.3.8" class="auto internal xref">7.3.8</a>.  <a href="#name-oauth-flow-revoking-access" class="internal xref">OAuth Flow: Revoking access</a></p>
 </li>
                 </ul>
 </li>
             </ul>
 </li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5">
-            <p id="section-toc.1-1.5.1"><a href="#section-5" class="xref">5</a>.  <a href="#name-domain-connect-objects-and-" class="xref">Domain Connect Objects and Templates</a></p>
+          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7">
+            <p id="section-toc.1-1.7.1"><a href="#section-8" class="auto internal xref">8</a>.  <a href="#name-domain-connect-objects-and-" class="internal xref">Domain Connect Objects and Templates</a></p>
 <ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.1">
-                <p id="section-toc.1-1.5.2.1.1"><a href="#section-5.1" class="xref">5.1</a>.  <a href="#name-template-versioning" class="xref">Template Versioning</a></p>
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.1">
+                <p id="section-toc.1-1.7.2.1.1"><a href="#section-8.1" class="auto internal xref">8.1</a>.  <a href="#name-template-versioning" class="internal xref">Template Versioning</a></p>
 </li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.2">
-                <p id="section-toc.1-1.5.2.2.1"><a href="#section-5.2" class="xref">5.2</a>.  <a href="#name-template-definition" class="xref">Template Definition</a></p>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.2">
+                <p id="section-toc.1-1.7.2.2.1"><a href="#section-8.2" class="auto internal xref">8.2</a>.  <a href="#name-template-definition" class="internal xref">Template Definition</a></p>
 </li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.3">
-                <p id="section-toc.1-1.5.2.3.1"><a href="#section-5.3" class="xref">5.3</a>.  <a href="#name-template-record" class="xref">Template Record</a></p>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.3">
+                <p id="section-toc.1-1.7.2.3.1"><a href="#section-8.3" class="auto internal xref">8.3</a>.  <a href="#name-template-record" class="internal xref">Template Record</a></p>
 </li>
             </ul>
 </li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6">
-            <p id="section-toc.1-1.6.1"><a href="#section-6" class="xref">6</a>.  <a href="#name-template-considerations" class="xref">Template Considerations</a></p>
+          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8">
+            <p id="section-toc.1-1.8.1"><a href="#section-9" class="auto internal xref">9</a>.  <a href="#name-template-considerations" class="internal xref">Template Considerations</a></p>
 <ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.1">
-                <p id="section-toc.1-1.6.2.1.1"><a href="#section-6.1" class="xref">6.1</a>.  <a href="#name-template-state-in-dns" class="xref">Template State in DNS</a></p>
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.1">
+                <p id="section-toc.1-1.8.2.1.1"><a href="#section-9.1" class="auto internal xref">9.1</a>.  <a href="#name-template-state-in-dns" class="internal xref">Template State in DNS</a></p>
 </li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.2">
-                <p id="section-toc.1-1.6.2.2.1"><a href="#section-6.2" class="xref">6.2</a>.  <a href="#name-disclosure-of-changes-and-c" class="xref">Disclosure of Changes and Conflicts</a></p>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.2">
+                <p id="section-toc.1-1.8.2.2.1"><a href="#section-9.2" class="auto internal xref">9.2</a>.  <a href="#name-disclosure-of-changes-and-c" class="internal xref">Disclosure of Changes and Conflicts</a></p>
 </li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.3">
-                <p id="section-toc.1-1.6.2.3.1"><a href="#section-6.3" class="xref">6.3</a>.  <a href="#name-record-types-and-conflicts" class="xref">Record Types and Conflicts</a></p>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.3">
+                <p id="section-toc.1-1.8.2.3.1"><a href="#section-9.3" class="auto internal xref">9.3</a>.  <a href="#name-record-types-and-conflicts" class="internal xref">Record Types and Conflicts</a></p>
 </li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.4">
-                <p id="section-toc.1-1.6.2.4.1"><a href="#section-6.4" class="xref">6.4</a>.  <a href="#name-apply-re-apply-and-multi-in" class="xref">Apply, Re-apply, and Multi-Instance</a></p>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.4">
+                <p id="section-toc.1-1.8.2.4.1"><a href="#section-9.4" class="auto internal xref">9.4</a>.  <a href="#name-apply-re-apply-and-multi-in" class="internal xref">Apply, Re-apply, and Multi-Instance</a></p>
 </li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.5">
-                <p id="section-toc.1-1.6.2.5.1"><a href="#section-6.5" class="xref">6.5</a>.  <a href="#name-non-essential-records" class="xref">Non-essential records</a></p>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.5">
+                <p id="section-toc.1-1.8.2.5.1"><a href="#section-9.5" class="auto internal xref">9.5</a>.  <a href="#name-non-essential-records" class="internal xref">Non-essential records</a></p>
 </li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.6">
-                <p id="section-toc.1-1.6.2.6.1"><a href="#section-6.6" class="xref">6.6</a>.  <a href="#name-template-scope" class="xref">Template Scope</a></p>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.6">
+                <p id="section-toc.1-1.8.2.6.1"><a href="#section-9.6" class="auto internal xref">9.6</a>.  <a href="#name-template-scope" class="internal xref">Template Scope</a></p>
 </li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.7">
-                <p id="section-toc.1-1.6.2.7.1"><a href="#section-6.7" class="xref">6.7</a>.  <a href="#name-host-name-in-template" class="xref">Host/Name in Template</a></p>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.7">
+                <p id="section-toc.1-1.8.2.7.1"><a href="#section-9.7" class="auto internal xref">9.7</a>.  <a href="#name-host-name-in-template" class="internal xref">Host/Name in Template</a></p>
 </li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.8">
-                <p id="section-toc.1-1.6.2.8.1"><a href="#section-6.8" class="xref">6.8</a>.  <a href="#name-pointsto-in-template" class="xref">PointsTo in Template</a></p>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.8">
+                <p id="section-toc.1-1.8.2.8.1"><a href="#section-9.8" class="auto internal xref">9.8</a>.  <a href="#name-pointsto-in-template" class="internal xref">PointsTo in Template</a></p>
 </li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.9">
-                <p id="section-toc.1-1.6.2.9.1"><a href="#section-6.9" class="xref">6.9</a>.  <a href="#name-variables" class="xref">Variables</a></p>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.9">
+                <p id="section-toc.1-1.8.2.9.1"><a href="#section-9.9" class="auto internal xref">9.9</a>.  <a href="#name-variables" class="internal xref">Variables</a></p>
 <ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.9.2.1">
-                    <p id="section-toc.1-1.6.2.9.2.1.1"><a href="#section-6.9.1" class="xref">6.9.1</a>.  <a href="#name-variables-and-host-name-in-" class="xref">Variables and Host/Name in Template</a></p>
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.9.2.1">
+                    <p id="section-toc.1-1.8.2.9.2.1.1"><a href="#section-9.9.1" class="auto internal xref">9.9.1</a>.  <a href="#name-variables-and-host-name-in-" class="internal xref">Variables and Host/Name in Template</a></p>
 </li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.9.2.2">
-                    <p id="section-toc.1-1.6.2.9.2.2.1"><a href="#section-6.9.2" class="xref">6.9.2</a>.  <a href="#name-variable-values" class="xref">Variable Values</a></p>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.9.2.2">
+                    <p id="section-toc.1-1.8.2.9.2.2.1"><a href="#section-9.9.2" class="auto internal xref">9.9.2</a>.  <a href="#name-variable-values" class="internal xref">Variable Values</a></p>
 </li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.9.2.3">
-                    <p id="section-toc.1-1.6.2.9.2.3.1"><a href="#section-6.9.3" class="xref">6.9.3</a>.  <a href="#name-variables-and-security" class="xref">Variables and Security</a></p>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.9.2.3">
+                    <p id="section-toc.1-1.8.2.9.2.3.1"><a href="#section-9.9.3" class="auto internal xref">9.9.3</a>.  <a href="#name-variables-and-security" class="internal xref">Variables and Security</a></p>
 </li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.9.2.4">
-                    <p id="section-toc.1-1.6.2.9.2.4.1"><a href="#section-6.9.4" class="xref">6.9.4</a>.  <a href="#name-variable-examples" class="xref">Variable Examples</a></p>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.9.2.4">
+                    <p id="section-toc.1-1.8.2.9.2.4.1"><a href="#section-9.9.4" class="auto internal xref">9.9.4</a>.  <a href="#name-variable-examples" class="internal xref">Variable Examples</a></p>
 </li>
                 </ul>
 </li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.10">
-                <p id="section-toc.1-1.6.2.10.1"><a href="#section-6.10" class="xref">6.10</a>. <a href="#name-spf-txt-record" class="xref">SPF TXT Record</a></p>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.10">
+                <p id="section-toc.1-1.8.2.10.1"><a href="#section-9.10" class="auto internal xref">9.10</a>. <a href="#name-spf-txt-record" class="internal xref">SPF TXT Record</a></p>
 <ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.10.2.1">
-                    <p id="section-toc.1-1.6.2.10.2.1.1"><a href="#section-6.10.1" class="xref">6.10.1</a>.  <a href="#name-what-is-spf" class="xref">What is SPF?</a></p>
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.10.2.1">
+                    <p id="section-toc.1-1.8.2.10.2.1.1"><a href="#section-9.10.1" class="auto internal xref">9.10.1</a>.  <a href="#name-what-is-spf" class="internal xref">What is SPF?</a></p>
 </li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.10.2.2">
-                    <p id="section-toc.1-1.6.2.10.2.2.1"><a href="#section-6.10.2" class="xref">6.10.2</a>.  <a href="#name-multiple-services" class="xref">Multiple Services</a></p>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.10.2.2">
+                    <p id="section-toc.1-1.8.2.10.2.2.1"><a href="#section-9.10.2" class="auto internal xref">9.10.2</a>.  <a href="#name-multiple-services" class="internal xref">Multiple Services</a></p>
 </li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.10.2.3">
-                    <p id="section-toc.1-1.6.2.10.2.3.1"><a href="#section-6.10.3" class="xref">6.10.3</a>.  <a href="#name-spf-record-merging" class="xref">SPF Record Merging</a></p>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.10.2.3">
+                    <p id="section-toc.1-1.8.2.10.2.3.1"><a href="#section-9.10.3" class="auto internal xref">9.10.3</a>.  <a href="#name-spf-record-merging" class="internal xref">SPF Record Merging</a></p>
 </li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.10.2.4">
-                    <p id="section-toc.1-1.6.2.10.2.4.1"><a href="#section-6.10.4" class="xref">6.10.4</a>.  <a href="#name-alternatives" class="xref">Alternatives</a></p>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.10.2.4">
+                    <p id="section-toc.1-1.8.2.10.2.4.1"><a href="#section-9.10.4" class="auto internal xref">9.10.4</a>.  <a href="#name-alternatives" class="internal xref">Alternatives</a></p>
 </li>
                 </ul>
 </li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.11">
-                <p id="section-toc.1-1.6.2.11.1"><a href="#section-6.11" class="xref">6.11</a>. <a href="#name-public-template-repository" class="xref">Public Template Repository</a></p>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.11">
+                <p id="section-toc.1-1.8.2.11.1"><a href="#section-9.11" class="auto internal xref">9.11</a>. <a href="#name-public-template-repository" class="internal xref">Public Template Repository</a></p>
 <ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.11.2.1">
-                    <p id="section-toc.1-1.6.2.11.2.1.1"><a href="#section-6.11.1" class="xref">6.11.1</a>.  <a href="#name-repository-location" class="xref">Repository Location</a></p>
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.11.2.1">
+                    <p id="section-toc.1-1.8.2.11.2.1.1"><a href="#section-9.11.1" class="auto internal xref">9.11.1</a>.  <a href="#name-general-information-3" class="internal xref">General information</a></p>
 </li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.11.2.2">
-                    <p id="section-toc.1-1.6.2.11.2.2.1"><a href="#section-6.11.2" class="xref">6.11.2</a>.  <a href="#name-file-naming-requirements" class="xref">File naming requirements</a></p>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.11.2.2">
+                    <p id="section-toc.1-1.8.2.11.2.2.1"><a href="#section-9.11.2" class="auto internal xref">9.11.2</a>.  <a href="#name-repository-location" class="internal xref">Repository Location</a></p>
 </li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.11.2.3">
-                    <p id="section-toc.1-1.6.2.11.2.3.1"><a href="#section-6.11.3" class="xref">6.11.3</a>.  <a href="#name-template-integrity" class="xref">Template Integrity</a></p>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.11.2.3">
+                    <p id="section-toc.1-1.8.2.11.2.3.1"><a href="#section-9.11.3" class="auto internal xref">9.11.3</a>.  <a href="#name-file-naming-requirements" class="internal xref">File naming requirements</a></p>
+</li>
+                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.11.2.4">
+                    <p id="section-toc.1-1.8.2.11.2.4.1"><a href="#section-9.11.4" class="auto internal xref">9.11.4</a>.  <a href="#name-template-integrity" class="internal xref">Template Integrity</a></p>
 </li>
                 </ul>
 </li>
             </ul>
 </li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7">
-            <p id="section-toc.1-1.7.1"><a href="#section-7" class="xref">7</a>.  <a href="#name-general-considerations" class="xref">General considerations</a></p>
+          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9">
+            <p id="section-toc.1-1.9.1"><a href="#section-10" class="auto internal xref">10</a>. <a href="#name-general-considerations" class="internal xref">General considerations</a></p>
 <ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.1">
-                <p id="section-toc.1-1.7.2.1.1"><a href="#section-7.1" class="xref">7.1</a>.  <a href="#name-onboarding" class="xref">Onboarding</a></p>
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.1">
+                <p id="section-toc.1-1.9.2.1.1"><a href="#section-10.1" class="auto internal xref">10.1</a>.  <a href="#name-onboarding" class="internal xref">Onboarding</a></p>
 </li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.2">
-                <p id="section-toc.1-1.7.2.2.1"><a href="#section-7.2" class="xref">7.2</a>.  <a href="#name-case-sensitivity" class="xref">Case Sensitivity</a></p>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.2">
+                <p id="section-toc.1-1.9.2.2.1"><a href="#section-10.2" class="auto internal xref">10.2</a>.  <a href="#name-case-sensitivity" class="internal xref">Case Sensitivity</a></p>
 </li>
             </ul>
 </li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8">
-            <p id="section-toc.1-1.8.1"><a href="#section-8" class="xref">8</a>.  <a href="#name-extensions-exclusions" class="xref">Extensions/Exclusions</a></p>
+          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10">
+            <p id="section-toc.1-1.10.1"><a href="#section-11" class="auto internal xref">11</a>. <a href="#name-extensions-exclusions" class="internal xref">Extensions/Exclusions</a></p>
 <ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.1">
-                <p id="section-toc.1-1.8.2.1.1"><a href="#section-8.1" class="xref">8.1</a>.  <a href="#name-apexcname" class="xref">APEXCNAME</a></p>
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10.2.1">
+                <p id="section-toc.1-1.10.2.1.1"><a href="#section-11.1" class="auto internal xref">11.1</a>.  <a href="#name-general-information-4" class="internal xref">General information</a></p>
 </li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.2">
-                <p id="section-toc.1-1.8.2.2.1"><a href="#section-8.2" class="xref">8.2</a>.  <a href="#name-redirection" class="xref">Redirection</a></p>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10.2.2">
+                <p id="section-toc.1-1.10.2.2.1"><a href="#section-11.2" class="auto internal xref">11.2</a>.  <a href="#name-apexcname" class="internal xref">APEXCNAME</a></p>
 </li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.3">
-                <p id="section-toc.1-1.8.2.3.1"><a href="#section-8.3" class="xref">8.3</a>.  <a href="#name-nameservers" class="xref">Nameservers</a></p>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10.2.3">
+                <p id="section-toc.1-1.10.2.3.1"><a href="#section-11.3" class="auto internal xref">11.3</a>.  <a href="#name-redirection" class="internal xref">Redirection</a></p>
 </li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.4">
-                <p id="section-toc.1-1.8.2.4.1"><a href="#section-8.4" class="xref">8.4</a>.  <a href="#name-ds-dnssec" class="xref">DS (DNSSEC)</a></p>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10.2.4">
+                <p id="section-toc.1-1.10.2.4.1"><a href="#section-11.4" class="auto internal xref">11.4</a>.  <a href="#name-nameservers" class="internal xref">Nameservers</a></p>
 </li>
-            </ul>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10.2.5">
+                <p id="section-toc.1-1.10.2.5.1"><a href="#section-11.5" class="auto internal xref">11.5</a>.  <a href="#name-ds-dnssec" class="internal xref">DS (DNSSEC)</a></p>
 </li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9">
-            <p id="section-toc.1-1.9.1"><a href="#section-9" class="xref">9</a>.  <a href="#name-iana-considerations" class="xref">IANA Considerations</a></p>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10">
-            <p id="section-toc.1-1.10.1"><a href="#section-10" class="xref">10</a>. <a href="#name-acknowledgments" class="xref">Acknowledgments</a></p>
+            </ul>
 </li>
           <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.11">
-            <p id="section-toc.1-1.11.1"><a href="#section-11" class="xref">11</a>. <a href="#name-change-history" class="xref">Change History</a></p>
+            <p id="section-toc.1-1.11.1"><a href="#section-12" class="auto internal xref">12</a>. <a href="#name-iana-considerations" class="internal xref">IANA Considerations</a></p>
+</li>
+          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.12">
+            <p id="section-toc.1-1.12.1"><a href="#section-13" class="auto internal xref">13</a>. <a href="#name-change-history" class="internal xref">Change History</a></p>
 <ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.11.2.1">
-                <p id="section-toc.1-1.11.2.1.1"><a href="#section-11.1" class="xref">11.1</a>.  <a href="#name-change-from-03-to-04" class="xref">Change from 03 to 04</a></p>
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.12.2.1">
+                <p id="section-toc.1-1.12.2.1.1"><a href="#section-13.1" class="auto internal xref">13.1</a>.  <a href="#name-change-from-03-to-04" class="internal xref">Change from 03 to 04</a></p>
 </li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.11.2.2">
-                <p id="section-toc.1-1.11.2.2.1"><a href="#section-11.2" class="xref">11.2</a>.  <a href="#name-change-from-02-to-03" class="xref">Change from 02 to 03</a></p>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.12.2.2">
+                <p id="section-toc.1-1.12.2.2.1"><a href="#section-13.2" class="auto internal xref">13.2</a>.  <a href="#name-change-from-02-to-03" class="internal xref">Change from 02 to 03</a></p>
 </li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.11.2.3">
-                <p id="section-toc.1-1.11.2.3.1"><a href="#section-11.3" class="xref">11.3</a>.  <a href="#name-change-from-01-to-02" class="xref">Change from 01 to 02</a></p>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.12.2.3">
+                <p id="section-toc.1-1.12.2.3.1"><a href="#section-13.3" class="auto internal xref">13.3</a>.  <a href="#name-change-from-01-to-02" class="internal xref">Change from 01 to 02</a></p>
 </li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.11.2.4">
-                <p id="section-toc.1-1.11.2.4.1"><a href="#section-11.4" class="xref">11.4</a>.  <a href="#name-change-from-00-to-01" class="xref">Change from 00 to 01</a></p>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.12.2.4">
+                <p id="section-toc.1-1.12.2.4.1"><a href="#section-13.4" class="auto internal xref">13.4</a>.  <a href="#name-change-from-00-to-01" class="internal xref">Change from 00 to 01</a></p>
 </li>
             </ul>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.12">
-            <p id="section-toc.1-1.12.1"><a href="#section-12" class="xref">12</a>. <a href="#name-normative-references" class="xref">Normative References</a></p>
 </li>
           <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13">
-            <p id="section-toc.1-1.13.1"><a href="#section-13" class="xref">13</a>. <a href="#name-informative-references" class="xref">Informative References</a></p>
+            <p id="section-toc.1-1.13.1"><a href="#section-14" class="auto internal xref">14</a>. <a href="#name-normative-references" class="internal xref">Normative References</a></p>
 </li>
           <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.14">
-            <p id="section-toc.1-1.14.1"><a href="#appendix-A" class="xref">Appendix A</a>.  <a href="#name-examples" class="xref">Examples</a></p>
+            <p id="section-toc.1-1.14.1"><a href="#section-15" class="auto internal xref">15</a>. <a href="#name-informative-references" class="internal xref">Informative References</a></p>
+</li>
+          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.15">
+            <p id="section-toc.1-1.15.1"><a href="#appendix-A" class="auto internal xref">Appendix A</a>.  <a href="#name-examples" class="internal xref">Examples</a></p>
 <ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.14.2.1">
-                <p id="section-toc.1-1.14.2.1.1"><a href="#appendix-A.1" class="xref">A.1</a>.  <a href="#name-example-template" class="xref">Example Template</a></p>
+<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.15.2.1">
+                <p id="section-toc.1-1.15.2.1.1"><a href="#appendix-A.1" class="auto internal xref">A.1</a>.  <a href="#name-example-template" class="internal xref">Example Template</a></p>
 </li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.14.2.2">
-                <p id="section-toc.1-1.14.2.2.1"><a href="#appendix-A.2" class="xref">A.2</a>.  <a href="#name-example-records-single-stat" class="xref">Example Records: Single static host record</a></p>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.15.2.2">
+                <p id="section-toc.1-1.15.2.2.1"><a href="#appendix-A.2" class="auto internal xref">A.2</a>.  <a href="#name-example-records-single-stat" class="internal xref">Example Records: Single static host record</a></p>
 </li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.14.2.3">
-                <p id="section-toc.1-1.14.2.3.1"><a href="#appendix-A.3" class="xref">A.3</a>.  <a href="#name-example-records-single-vari" class="xref">Example Records: Single variable host record for A</a></p>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.15.2.3">
+                <p id="section-toc.1-1.15.2.3.1"><a href="#appendix-A.3" class="auto internal xref">A.3</a>.  <a href="#name-example-records-single-vari" class="internal xref">Example Records: Single variable host record for A</a></p>
 </li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.14.2.4">
-                <p id="section-toc.1-1.14.2.4.1"><a href="#appendix-A.4" class="xref">A.4</a>.  <a href="#name-example-dns-zone-merging" class="xref">Example: DNS Zone merging</a></p>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.15.2.4">
+                <p id="section-toc.1-1.15.2.4.1"><a href="#appendix-A.4" class="auto internal xref">A.4</a>.  <a href="#name-example-dns-zone-merging" class="internal xref">Example: DNS Zone merging</a></p>
 </li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.14.2.5">
-                <p id="section-toc.1-1.14.2.5.1"><a href="#appendix-A.5" class="xref">A.5</a>.  <a href="#name-example-spf-record-merging" class="xref">Example: SPF Record Merging</a></p>
+              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.15.2.5">
+                <p id="section-toc.1-1.15.2.5.1"><a href="#appendix-A.5" class="auto internal xref">A.5</a>.  <a href="#name-example-spf-record-merging" class="internal xref">Example: SPF Record Merging</a></p>
 </li>
             </ul>
 </li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.15">
-            <p id="section-toc.1-1.15.1"><a href="#appendix-B" class="xref"></a><a href="#name-authors-addresses" class="xref">Authors' Addresses</a></p>
+          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.16">
+            <p id="section-toc.1-1.16.1"><a href="#appendix-B" class="auto internal xref"></a><a href="#name-authors-addresses" class="internal xref">Authors' Addresses</a></p>
 </li>
         </ul>
 </nav>
 </section>
 </div>
-<div id="_introduction">
+<div id="_acknowledgments">
 <section id="section-1">
+      <h2 id="name-acknowledgements">
+<a href="#section-1" class="section-number selfRef">1. </a><a href="#name-acknowledgements" class="section-name selfRef">Acknowledgements</a>
+      </h2>
+<div id="_ce81cefb-fba9-f9e7-bc76-5b5ed343d11b">
+<p id="section-1-1">The authors wish to thank the following persons for their feedback and suggestions as well as for the previous work on the standard:<a href="#section-1-1" class="pilcrow">¶</a></p>
+</div>
+<ul class="normal">
+<li class="normal" id="section-1-2.1">Roger Carney of GoDaddy Inc.<a href="#section-1-2.1" class="pilcrow">¶</a>
+</li>
+        <li class="normal" id="section-1-2.2">Chris Ambler of GoDaddy Inc.<a href="#section-1-2.2" class="pilcrow">¶</a>
+</li>
+      </ul>
+</section>
+</div>
+<div id="_introduction">
+<section id="section-2">
       <h2 id="name-introduction">
-<a href="#section-1" class="section-number selfRef">1. </a><a href="#name-introduction" class="section-name selfRef">Introduction</a>
+<a href="#section-2" class="section-number selfRef">2. </a><a href="#name-introduction" class="section-name selfRef">Introduction</a>
       </h2>
 <div id="_fee13f8f-5eac-227c-11a9-e079a6fccf70">
-<p id="section-1-1">Configuring a service at a Service Provider to work with a domain has historically been a complex task that is difficult for users.<a href="#section-1-1" class="pilcrow">¶</a></p>
+<p id="section-2-1">Configuring a service at a Service Provider to work with a domain has historically been a complex task that is difficult for users.<a href="#section-2-1" class="pilcrow">¶</a></p>
 </div>
 <div id="_6cd25dd5-352f-35c6-a83b-5fefcf2e0ef3">
-<p id="section-1-2">Typically, a customer would try to configure their service by entering their domain name with the Service Provider. The Service Provider then used a number of techniques with mixed reliability to discover the DNS Provider. This might include DNS queries for nameservers, queries to whois, and mapping tables to determine the registrar or the company providing DNS.<a href="#section-1-2" class="pilcrow">¶</a></p>
+<p id="section-2-2">Typically, a customer would try to configure their service by entering their domain name with the Service Provider. The Service Provider then used a number of techniques with mixed reliability to discover the DNS Provider. This might include DNS queries for nameservers, queries to whois, and mapping tables to determine the registrar or the company providing DNS.<a href="#section-2-2" class="pilcrow">¶</a></p>
 </div>
 <div id="_d7d7106e-ae4e-7085-67de-05a03095da44">
-<p id="section-1-3">Once the Service Provider discovered the DNS Provider, they typically gave the customer instructions for proper configuration of DNS. This might include help text, screen shots, or even links to the appropriate tools.<a href="#section-1-3" class="pilcrow">¶</a></p>
+<p id="section-2-3">Once the Service Provider discovered the DNS Provider, they typically gave the customer instructions for proper configuration of DNS. This might include help text, screen shots, or even links to the appropriate tools.<a href="#section-2-3" class="pilcrow">¶</a></p>
 </div>
 <div id="_488d2764-49b0-27ab-acfb-918a0ce7d656">
-<p id="section-1-4">Discovery of the DNS Provider in this manner is unreliable, and providing instructions to users would present a number of technologies (DNS record types, TTLs, Hostnames, etc.) and processes they didn't understand. These instructions authored by the Service Provider often quickly become out of date, further confusing the issue for users.<a href="#section-1-4" class="pilcrow">¶</a></p>
+<p id="section-2-4">Discovery of the DNS Provider in this manner is unreliable, and providing instructions to users would present a number of technologies (DNS record types, TTLs, Hostnames, etc.) and processes they didn't understand. These instructions authored by the Service Provider often quickly become out of date, further confusing the issue for users.<a href="#section-2-4" class="pilcrow">¶</a></p>
 </div>
 <div id="_c34a8cfd-2818-64be-79f2-34bece8e2c8e">
-<p id="section-1-5">The goal of this specificatoin is to create a system where Service Providers can easily enable their applications/services to work with the domain names of their customers. This includes both discovery of the DNS Provider and subsequent modification of DNS.<a href="#section-1-5" class="pilcrow">¶</a></p>
+<p id="section-2-5">The goal of this specificatoin is to create a system where Service Providers can easily enable their applications/services to work with the domain names of their customers. This includes both discovery of the DNS Provider and subsequent modification of DNS.<a href="#section-2-5" class="pilcrow">¶</a></p>
 </div>
 <div id="_dd1a7699-1e73-d0c0-a830-4ae02b55b4b7">
-<p id="section-1-6">The system will be implemented using simple web based interactions and
+<p id="section-2-6">The system will be implemented using simple web based interactions and
 standard authentication protocols. The creation and modification of DNS
 settings will be done through the application of templates instead of
-direct manipulation of individual DNS records.<a href="#section-1-6" class="pilcrow">¶</a></p>
+direct manipulation of individual DNS records.<a href="#section-2-6" class="pilcrow">¶</a></p>
+</div>
+</section>
 </div>
 <div id="_terminology">
-<section id="section-1.1">
-        <h3 id="name-terminology">
-<a href="#section-1.1" class="section-number selfRef">1.1. </a><a href="#name-terminology" class="section-name selfRef">Terminology</a>
-        </h3>
-<div id="_582ca32c-029f-c0c9-4ed5-94d8e2bdcae7">
-<p id="section-1.1-1">The key words "<span class="bcp14">MUST</span>", "<span class="bcp14">MUST NOT</span>", "<span class="bcp14">REQUIRED</span>", "<span class="bcp14">SHALL</span>", "<span class="bcp14">SHALL NOT</span>", "<span class="bcp14">SHOULD</span>", "<span class="bcp14">SHOULD NOT</span>", "<span class="bcp14">RECOMMENDED</span>", "<strong>NOT RECOMMENDED</strong>", "<span class="bcp14">MAY</span>", and "<span class="bcp14">OPTIONAL</span>" in this document are to be interpreted as described in BCP 14 <span>[<a href="#RFC2119" class="xref">RFC2119</a>]</span> <span>[<a href="#RFC8174" class="xref">RFC8174</a>]</span> when, and only when, they appear in all capitals, as shown here.<a href="#section-1.1-1" class="pilcrow">¶</a></p>
-</div>
-<span class="break"></span><div id="_514fcafd-13b5-7ea7-a46a-b0aa358b294a">
-<dl class="dlParallel" id="section-1.1-2">
-          <dt id="section-1.1-2.1">Service Providers</dt>
-          <dd style="margin-left: 1.5em" id="section-1.1-2.2">
-            <div id="_68360823-ae9c-1563-2973-ea9b566f22ca">
-<p id="section-1.1-2.2.1">refers to entities that provide products and
+<section id="section-3">
+      <h2 id="name-terminology">
+<a href="#section-3" class="section-number selfRef">3. </a><a href="#name-terminology" class="section-name selfRef">Terminology</a>
+      </h2>
+<div id="_a400db07-6001-fa2c-7dfd-b9de825a052d">
+<p id="section-3-1">The key words "<span class="bcp14">MUST</span>", "<span class="bcp14">MUST NOT</span>", "<span class="bcp14">REQUIRED</span>", "<span class="bcp14">SHALL</span>", "<span class="bcp14">SHALL NOT</span>", "<span class="bcp14">SHOULD</span>", "<span class="bcp14">SHOULD NOT</span>", "<span class="bcp14">RECOMMENDED</span>", "<span class="bcp14">NOT RECOMMENDED</span>", "<span class="bcp14">MAY</span>", and "<span class="bcp14">OPTIONAL</span>" in this document are to be interpreted as described in BCP 14 <span>[<a href="#RFC2119" class="cite xref">RFC2119</a>]</span> <span>[<a href="#RFC8174" class="cite xref">RFC8174</a>]</span> when, and only when, they appear in all capitals, as shown here.<a href="#section-3-1" class="pilcrow">¶</a></p>
+</div>
+<span class="break"></span><div id="_a16328ee-e209-9cb0-806f-5a3acf08f689">
+<dl class="dlParallel" id="section-3-2">
+        <dt id="section-3-2.1">Service Providers</dt>
+        <dd style="margin-left: 1.5em" id="section-3-2.2">
+          <div id="_6e12534d-8f8c-b1a1-48b0-6ba5ae409f2f">
+<p id="section-3-2.2.1">refers to entities that provide products and
 services attached to domain names. Examples include web hosting
 providers (such as Wix or SquareSpace), email Service Providers (such as
 Microsoft or Google) and potentially even hardware manufacturers with
 DNS-enabled devices like home routers or automation controls (such as
-Linksys, Nest, and Philips).<a href="#section-1.1-2.2.1" class="pilcrow">¶</a></p>
+Linksys, Nest, and Philips).<a href="#section-3-2.2.1" class="pilcrow">¶</a></p>
 </div>
 </dd>
-          <dd class="break"></dd>
-<dt id="section-1.1-2.3">DNS Providers</dt>
-          <dd style="margin-left: 1.5em" id="section-1.1-2.4">
-            <div id="_63d2a4ae-b8a4-9504-b7bf-b30023ba42c1">
-<p id="section-1.1-2.4.1">refers to entities that provide DNS services such as
+        <dd class="break"></dd>
+<dt id="section-3-2.3">DNS Providers</dt>
+        <dd style="margin-left: 1.5em" id="section-3-2.4">
+          <div id="_d034bf44-f752-767b-fa1e-89af8d3a30d9">
+<p id="section-3-2.4.1">refers to entities that provide DNS services such as
 registrars (such as GoDaddy or 1and1) or standalone DNS services (like
-CloudFlare).<a href="#section-1.1-2.4.1" class="pilcrow">¶</a></p>
+Cloudflare).<a href="#section-3-2.4.1" class="pilcrow">¶</a></p>
 </div>
 </dd>
-          <dd class="break"></dd>
-<dt id="section-1.1-2.5">Registrar</dt>
-          <dd style="margin-left: 1.5em" id="section-1.1-2.6">
-            <div id="_16f48eeb-e908-666b-0095-f32de235d056">
-<p id="section-1.1-2.6.1">refers to entities that register domain names with registries.
+        <dd class="break"></dd>
+<dt id="section-3-2.5">Registrar</dt>
+        <dd style="margin-left: 1.5em" id="section-3-2.6">
+          <div id="_c49d07ef-1869-cabe-9a51-387e672697f9">
+<p id="section-3-2.6.1">refers to entities that register domain names with registries.
 It is noted that the DNS Provider and Registrar can be different entities for a
-given domain name and DNS Zone.<a href="#section-1.1-2.6.1" class="pilcrow">¶</a></p>
+given domain name and DNS Zone.<a href="#section-3-2.6.1" class="pilcrow">¶</a></p>
 </div>
 </dd>
-          <dd class="break"></dd>
-<dt id="section-1.1-2.7">Customer/User</dt>
-          <dd style="margin-left: 1.5em" id="section-1.1-2.8">
-            <div id="_f723ba01-964b-fb18-2604-3f02600ab55c">
-<p id="section-1.1-2.8.1">refers to the end-user of these services.<a href="#section-1.1-2.8.1" class="pilcrow">¶</a></p>
+        <dd class="break"></dd>
+<dt id="section-3-2.7">Customer/User</dt>
+        <dd style="margin-left: 1.5em" id="section-3-2.8">
+          <div id="_819355a2-a019-d415-2c5b-290ec34822dd">
+<p id="section-3-2.8.1">refers to the end-user of these services.<a href="#section-3-2.8.1" class="pilcrow">¶</a></p>
 </div>
 </dd>
-          <dd class="break"></dd>
-<dt id="section-1.1-2.9">Templates/Service Templates</dt>
-          <dd style="margin-left: 1.5em" id="section-1.1-2.10">
-            <div id="_63528c62-e25f-98e6-9f77-ad539bf7113f">
-<p id="section-1.1-2.10.1">refers to a file that describes a set of
-changes to DNS and domain functionality to enable a specific service.<a href="#section-1.1-2.10.1" class="pilcrow">¶</a></p>
+        <dd class="break"></dd>
+<dt id="section-3-2.9">Templates/Service Templates</dt>
+        <dd style="margin-left: 1.5em" id="section-3-2.10">
+          <div id="_7b3aef15-117b-1024-6d19-a72f03727ddf">
+<p id="section-3-2.10.1">refers to a file that describes a set of
+changes to DNS and domain functionality to enable a specific service.<a href="#section-3-2.10.1" class="pilcrow">¶</a></p>
 </div>
 </dd>
-          <dd class="break"></dd>
-<dt id="section-1.1-2.11">Public Template Repository</dt>
-          <dd style="margin-left: 1.5em" id="section-1.1-2.12">
-            <div id="_9889de01-0ecc-bd22-b20c-55ccfb1004f2">
-<p id="section-1.1-2.12.1">refers to a public repository of Templates
-in a standarised format (read more: <a href="#repository-and-integrity" class="xref">Section 6.11</a>).<a href="#section-1.1-2.12.1" class="pilcrow">¶</a></p>
+        <dd class="break"></dd>
+<dt id="section-3-2.11">Public Template Repository</dt>
+        <dd style="margin-left: 1.5em" id="section-3-2.12">
+          <div id="_eab5123d-6af0-edc9-043d-3e7b2f455ed7">
+<p id="section-3-2.12.1">refers to a public repository of Templates
+in a standarised format (read more: <a href="#repository-and-integrity" class="auto internal xref">Section 9.11</a>).<a href="#section-3-2.12.1" class="pilcrow">¶</a></p>
 </div>
 </dd>
-          <dd class="break"></dd>
-<dt id="section-1.1-2.13">Root Domain</dt>
-          <dd style="margin-left: 1.5em" id="section-1.1-2.14">
-            <div id="_5bc1d19a-d421-c968-1c14-047fde0a049d">
-<p id="section-1.1-2.14.1">refers to a registered domain (e.g. example.com or
-example.co.uk), or to a delegated zone in DNS.<a href="#section-1.1-2.14.1" class="pilcrow">¶</a></p>
+        <dd class="break"></dd>
+<dt id="section-3-2.13">Root Domain</dt>
+        <dd style="margin-left: 1.5em" id="section-3-2.14">
+          <div id="_3aef807b-1489-8cbe-011c-46afd589768d">
+<p id="section-3-2.14.1">refers to a registered domain (e.g. example.com or
+example.co.uk), or to a delegated zone in DNS.<a href="#section-3-2.14.1" class="pilcrow">¶</a></p>
 </div>
 </dd>
-          <dd class="break"></dd>
-<dt id="section-1.1-2.15">Sub Domain</dt>
-          <dd style="margin-left: 1.5em" id="section-1.1-2.16">
-            <div id="_bd86fbc8-d5db-fe51-5998-c6fd30cc9118">
-<p id="section-1.1-2.16.1">refers to a sub-domain of a root domain (e.g.
-sub.example.com or sub.example.co.uk).<a href="#section-1.1-2.16.1" class="pilcrow">¶</a></p>
+        <dd class="break"></dd>
+<dt id="section-3-2.15">Sub Domain</dt>
+        <dd style="margin-left: 1.5em" id="section-3-2.16">
+          <div id="_68baaa3f-8f82-981b-1b2c-a99a4a4c85fe">
+<p id="section-3-2.16.1">refers to a sub-domain of a root domain (e.g.
+sub.example.com or sub.example.co.uk).<a href="#section-3-2.16.1" class="pilcrow">¶</a></p>
 </div>
 </dd>
-        <dd class="break"></dd>
+      <dd class="break"></dd>
 </dl>
 </div>
 </section>
 </div>
-</section>
-</div>
 <div id="_protocol_design">
-<section id="section-2">
+<section id="section-4">
       <h2 id="name-protocol-design">
-<a href="#section-2" class="section-number selfRef">2. </a><a href="#name-protocol-design" class="section-name selfRef">Protocol design</a>
+<a href="#section-4" class="section-number selfRef">4. </a><a href="#name-protocol-design" class="section-name selfRef">Protocol design</a>
       </h2>
 <div id="_templates">
-<section id="section-2.1">
+<section id="section-4.1">
         <h3 id="name-templates">
-<a href="#section-2.1" class="section-number selfRef">2.1. </a><a href="#name-templates" class="section-name selfRef">Templates</a>
+<a href="#section-4.1" class="section-number selfRef">4.1. </a><a href="#name-templates" class="section-name selfRef">Templates</a>
         </h3>
-<div id="_e3c8781b-d140-8ebc-e0dd-fed41f68d5f5">
-<p id="section-2.1-1">Templates are core to Domain Connect, as they fully describe a service owned by
+<div id="_24885499-070b-90aa-2a17-edc766c6a584">
+<p id="section-4.1-1">Templates are core to Domain Connect, as they fully describe a service owned by
 a Service Provider and contain all of the information necessary to
-enable and operate/maintain the service in the form of a set of records.<a href="#section-2.1-1" class="pilcrow">¶</a></p>
+enable and operate/maintain the service in the form of a set of records.<a href="#section-4.1-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_db8e025d-df29-b89d-e12c-7f34c557fb38">
-<p id="section-2.1-2">The individual records in a template may be identified by a groupId. This allows for
+<div id="_e0abb55e-75fb-46ea-6036-663ba7cd3959">
+<p id="section-4.1-2">The individual records in a template may be identified by a groupId. This allows for
 the application of templates in different stages. For example, an email
 provider might first set a TXT record to verify the domain, and later
 set an MX record to configure email delivery. While done separately,
-both changes are fundamentally part of the same service.<a href="#section-2.1-2" class="pilcrow">¶</a></p>
+both changes are fundamentally part of the same service.<a href="#section-4.1-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_284413d9-6c65-5a46-d9cf-cf2542cace0a">
-<p id="section-2.1-3">Templates may also contain variable portions, as often values of data in
+<div id="_0fdb0d1f-7353-9a55-2fc2-db6c6caf5687">
+<p id="section-4.1-3">Templates may also contain variable portions, as often values of data in
 DNS change based on the implementation and/or user of the
 service (e.g. the IP address of a service, a customer id,
-etc.).<a href="#section-2.1-3" class="pilcrow">¶</a></p>
+etc.).<a href="#section-4.1-3" class="pilcrow">¶</a></p>
 </div>
-<div id="_4645bb85-a23d-dc9e-10ba-22dbc3896209">
-<p id="section-2.1-4">The template is defined by the Service Provider and manually onboarded with the DNS
+<div id="_1bedbd5c-1c60-c3a4-163c-06dcf08aacc6">
+<p id="section-4.1-4">The template is defined by the Service Provider and manually onboarded with the DNS
 Provider, according to a template definition published in
-the <span><a href="#repository-and-integrity" class="xref">Public Repository</a> (<a href="#repository-and-integrity" class="xref">Section 6.11</a>)</span> or agreed out-of-band between
-the Service Provider and the DNS Provider.<a href="#section-2.1-4" class="pilcrow">¶</a></p>
+the <span><a href="#repository-and-integrity" class="internal xref">Public Repository</a> (<a href="#repository-and-integrity" class="auto internal xref">Section 9.11</a>)</span> or agreed out-of-band between
+the Service Provider and the DNS Provider.<a href="#section-4.1-4" class="pilcrow">¶</a></p>
 </div>
-<div id="_7696fe61-b18a-942c-a033-77eb7caf686c">
-<p id="section-2.1-5">By basing the protocol on templates instead of DNS Records, several
+<div id="_963a389e-b996-5db6-699a-601198985abb">
+<p id="section-4.1-5">By basing the protocol on templates instead of DNS Records, several
 advantages are achieved. The DNS Provider has very explicit knowledge
 and control of the settings being changed to enable a service. And the
-system is more secure as templates are controlled and contained.<a href="#section-2.1-5" class="pilcrow">¶</a></p>
+system is more secure as templates are controlled and contained.<a href="#section-4.1-5" class="pilcrow">¶</a></p>
+</div>
+</section>
 </div>
 </section>
 </div>
 <div id="_end_user_flows">
-<section id="section-2.2">
-        <h3 id="name-end-user-flows">
-<a href="#section-2.2" class="section-number selfRef">2.2. </a><a href="#name-end-user-flows" class="section-name selfRef">End User Flows</a>
+<section id="section-5">
+      <h2 id="name-end-user-flows">
+<a href="#section-5" class="section-number selfRef">5. </a><a href="#name-end-user-flows" class="section-name selfRef">End User Flows</a>
+      </h2>
+<div id="_general_information">
+<section id="section-5.1">
+        <h3 id="name-general-information">
+<a href="#section-5.1" class="section-number selfRef">5.1. </a><a href="#name-general-information" class="section-name selfRef">General information</a>
         </h3>
-<div id="_4f1be81f-fc5d-1b05-2979-4a742aed0729">
-<p id="section-2.2-1">To attach a domain name to a service provided by a Service Provider, the
-customer would first enter their domain name.<a href="#section-2.2-1" class="pilcrow">¶</a></p>
-</div>
-<div id="_a4a46393-888e-90a4-568f-cefce7393adf">
-<p id="section-2.2-2">Instead of relying on examination of the nameservers and mapping these
-to DNS Providers, DNS Provider discovery is handled through simple
-records in DNS and an API. The Service Provider queries for a specific
-record in the zone that returns a REST endpoint to initiate the
-protocol. When this endpoint is called, a Domain Connect compliant DNS Provider returns
-information about that domain and how to configure it using Domain
-Connect.<a href="#section-2.2-2" class="pilcrow">¶</a></p>
-</div>
-<div id="_c8adf833-eef8-9ee8-2f45-cd76a7d8b9a9">
-<p id="section-2.2-3">To apply the changes to DNS, there are two use cases. The
-first is a synchronous web flow, and the second is an asynchronous flow
-using oAuth and an API.<a href="#section-2.2-3" class="pilcrow">¶</a></p>
-</div>
-<div id="_a471a25c-0f75-66e3-bd19-0d2559d64fb5">
-<p id="section-2.2-4">It is noted that a DNS Provider may choose to only implement one
-of the flows. As a matter of practice many Service Providers are based
-on the synchronous flow, with only a handful of them based on the
-asynchronous oAuth flow. So many DNS providers may opt to only implement
-the synchronous flow.<a href="#section-2.2-4" class="pilcrow">¶</a></p>
-</div>
-<div id="_a3213d55-d1a4-43ce-c85b-16355a5975e6">
-<p id="section-2.2-5">It is also be noted that individual services may work with the
-synchronous flow only, the asynchronous flow only, or with both.<a href="#section-2.2-5" class="pilcrow">¶</a></p>
+<div id="_aa7d03f5-ab86-8bd2-2154-e27cd7df93d7">
+<p id="section-5.1-1">To attach a domain name to a service provided by a Service Provider, the customer would first enter their domain name.<a href="#section-5.1-1" class="pilcrow">¶</a></p>
+</div>
+<div id="_67176c5c-038b-ef33-5259-15f9792e8d66">
+<p id="section-5.1-2">Instead of relying on examination of the nameservers and mapping these to DNS Providers, DNS Provider discovery is handled through simple records in DNS and an API. The Service Provider queries for a specific record in the zone that returns a REST endpoint to initiate the protocol. When this endpoint is called, a Domain Connect compliant DNS Provider returns information about that domain and how to configure it using Domain Connect.<a href="#section-5.1-2" class="pilcrow">¶</a></p>
+</div>
+<div id="_e3063abe-6fe7-d623-7705-8c78640d8469">
+<p id="section-5.1-3">To apply the changes to DNS, there are two use cases. The
+first is a synchronous web flow, and the second is an asynchronous flow using OAuth and an API.<a href="#section-5.1-3" class="pilcrow">¶</a></p>
+</div>
+<div id="_cc2d66fa-3544-0fbe-94c2-a8fb2b714ec7">
+<p id="section-5.1-4">It is noted that a DNS Provider may choose to only implement one of the flows. As a matter of practice many Service Providers are based on the synchronous flow, with only a handful of them based on the asynchronous OAuth flow. So many DNS providers may opt to only implement the synchronous flow.<a href="#section-5.1-4" class="pilcrow">¶</a></p>
+</div>
+<div id="_5e487085-cb4a-7fd3-407f-2df89f82cf20">
+<p id="section-5.1-5">It is also be noted that individual services may work with the synchronous flow only, the asynchronous flow only, or with both.<a href="#section-5.1-5" class="pilcrow">¶</a></p>
+</div>
+</section>
 </div>
 <div id="_the_synchronous_flow">
-<section id="section-2.2.1">
-          <h4 id="name-the-synchronous-flow">
-<a href="#section-2.2.1" class="section-number selfRef">2.2.1. </a><a href="#name-the-synchronous-flow" class="section-name selfRef">The Synchronous Flow</a>
-          </h4>
-<div id="_3095ae6a-c4c6-3e64-9ec9-ed192488c38b">
-<p id="section-2.2.1-1">This flow is tailored for the Service Provider that requires a one time
-synchronous change to DNS.<a href="#section-2.2.1-1" class="pilcrow">¶</a></p>
+<section id="section-5.2">
+        <h3 id="name-the-synchronous-flow">
+<a href="#section-5.2" class="section-number selfRef">5.2. </a><a href="#name-the-synchronous-flow" class="section-name selfRef">The Synchronous Flow</a>
+        </h3>
+<div id="_a172a05e-6623-97c8-ca7d-f575a15a7318">
+<p id="section-5.2-1">This flow is tailored for the Service Provider that requires a one time
+synchronous change to DNS.<a href="#section-5.2-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_d91b4f1f-90f2-072b-6e89-dfd1c5043ec8">
-<p id="section-2.2.1-2">The user first enters their domain name at the Service Provider
-website.<a href="#section-2.2.1-2" class="pilcrow">¶</a></p>
+<div id="_abddcc09-aa44-baf9-23ae-dfc3dd393853">
+<p id="section-5.2-2">The user first enters their domain name at the Service Provider
+website.<a href="#section-5.2-2" class="pilcrow">¶</a></p>
 </div>
-<span id="name-service-provider-domain-inp"></span><div id="_06a1945e-6e48-7fb8-d672-201a7cdc7afa">
+<span id="name-service-provider-domain-inp"></span><div id="_df779a35-ba62-d8b5-357b-d8e66166bc9e">
 <figure id="figure-1">
-            <div id="_98750cfe-c1aa-8c32-c82e-91909315b1bd">
-<div class="alignLeft art-ascii-art art-text artwork" id="section-2.2.1-3.1">
+          <div id="_45a7c018-7e4a-f3c3-a295-c17cb9eaee73">
+<div class="alignLeft art-ascii-art art-text artwork" id="section-5.2-3.1">
 <pre>+-----------------------------------------------+
-| http://acmewebsiteserviceprovider.com         |
+| https://acmewebsiteserviceprovider.example    |
 +-----------------------------------------------+
 | ACME Web Site Service Provider                |
 |                                               |
@@ -1763,19 +1819,19 @@ <h4 id="name-the-synchronous-flow">
 </div>
 <figcaption><a href="#figure-1" class="selfRef">Figure 1</a>:
 <a href="#name-service-provider-domain-inp" class="selfRef">Service Provider domain input</a>
-            </figcaption></figure>
+          </figcaption></figure>
 </div>
-<div id="_4d1b0adb-2179-bdd6-7fe2-45de996aefa5">
-<p id="section-2.2.1-4">After the Service Provider determines the DNS Provider using discovery,
+<div id="_9e4e5eeb-09d5-4365-782f-abc659f440ea">
+<p id="section-5.2-4">After the Service Provider determines the DNS Provider using discovery,
 the Service Provider should display a link to the user indicating
-that they can "Connect their Domain" to the service.<a href="#section-2.2.1-4" class="pilcrow">¶</a></p>
+that they can "Connect their Domain" to the service.<a href="#section-5.2-4" class="pilcrow">¶</a></p>
 </div>
-<span id="name-service-provider-displays-d"></span><div id="_94d405f7-b827-1bf0-af95-e93f69187ede">
+<span id="name-service-provider-displays-d"></span><div id="_b71a2a64-d06e-ae94-520f-a9938f78b978">
 <figure id="figure-2">
-            <div id="_0b818f4f-b25a-e9a0-f06c-a9ed4fcb2162">
-<div class="alignLeft art-ascii-art art-text artwork" id="section-2.2.1-5.1">
+          <div id="_06ba6d70-1a4d-8889-989f-7abfd1036452">
+<div class="alignLeft art-ascii-art art-text artwork" id="section-5.2-5.1">
 <pre>+-----------------------------------------------+
-| http://acmewebsiteserviceprovider.com         |
+| https://acmewebsiteserviceprovider.example    |
 +-----------------------------------------------+
 | ACME Web Site Service Provider                |
 |                                               |
@@ -1792,33 +1848,33 @@ <h4 id="name-the-synchronous-flow">
 </div>
 <figcaption><a href="#figure-2" class="selfRef">Figure 2</a>:
 <a href="#name-service-provider-displays-d" class="selfRef">Service Provider displays discovery results and offers setup with a DNS provider</a>
-            </figcaption></figure>
+          </figcaption></figure>
 </div>
-<div id="_a9a7a194-f8ba-e8dd-85cf-65598cb3c7d0">
-<p id="section-2.2.1-6">After clicking the link, the user is directed to a browser window on the
+<div id="_2a67c784-dd81-3a0f-0001-554056362380">
+<p id="section-5.2-6">After clicking the link, the user is directed to a browser window on the
 DNS Provider's site. This may be done in another tab or in a new
 browser window, but may also be an in place navigation with a return
 url. This link passes the domain name being modified, the service
 provider/template being enabled, and any additional parameters (variables)
-needed to apply the template and configure the service.<a href="#section-2.2.1-6" class="pilcrow">¶</a></p>
+needed to apply the template and configure the service.<a href="#section-5.2-6" class="pilcrow">¶</a></p>
 </div>
-<div id="_3f8e8fac-3afd-fa71-39bf-1148e494d61c">
-<p id="section-2.2.1-7">Once at the DNS Provider site, the user is asked to authenticate
-if necessary.<a href="#section-2.2.1-7" class="pilcrow">¶</a></p>
+<div id="_63d7b724-3c30-9556-60f6-fa435f60fd3a">
+<p id="section-5.2-7">Once at the DNS Provider site, the user is asked to authenticate
+if necessary.<a href="#section-5.2-7" class="pilcrow">¶</a></p>
 </div>
-<span id="name-dns-provider-user-authentic"></span><div id="_b4dae187-1a4d-1a8a-ae05-82675fe63638">
+<span id="name-dns-provider-user-authentic"></span><div id="_e035bf49-dd74-cdbf-aed7-2ee75c99478a">
 <figure id="figure-3">
-            <div id="_908e5e5d-06f6-fde3-68c3-598a9592e2ed">
-<div class="alignLeft art-ascii-art art-text artwork" id="section-2.2.1-8.1">
+          <div id="_294f976a-3fc4-fb1b-b597-986ef18a0bf6">
+<div class="alignLeft art-ascii-art art-text artwork" id="section-5.2-8.1">
 <pre>+-----------------------------------------------+
-| http://virtucondomains.com                    |
+| https://virtucondomains.example               |
 +-----------------------------------------------+
 | Virtucon Domains                              |
 |                                               |
 | Please sign in to Virtucon domains            |
 |                                               |
 |                 +-------------------------+   |
-| Login           |user@xyz.com             |   |
+| Login           |user@xyz.example         |   |
 |                 +-------------------------+   |
 |                                               |
 |                 +-------------------------+   |
@@ -1834,22 +1890,22 @@ <h4 id="name-the-synchronous-flow">
 </div>
 <figcaption><a href="#figure-3" class="selfRef">Figure 3</a>:
 <a href="#name-dns-provider-user-authentic" class="selfRef">DNS provider user authentication</a>
-            </figcaption></figure>
+          </figcaption></figure>
 </div>
-<div id="_f9f0779f-74fb-7e15-a32c-8a5e68fcc615">
-<p id="section-2.2.1-9">After authenticating at the DNS Provider, the DNS Provider must verify
+<div id="_f78d3c7c-1b9c-0cd9-05fa-b2ae59650032">
+<p id="section-5.2-9">After authenticating at the DNS Provider, the DNS Provider must verify
 the DNS zone of the domain name is controlled by the user. The DNS Provider must verify
 other parameters passed in are valid, and must prompt the user for consent to
 make the changes to DNS. The DNS Provider may also warn
 the user of services that would be disabled by applying this change to
-DNS.<a href="#section-2.2.1-9" class="pilcrow">¶</a></p>
+DNS.<a href="#section-5.2-9" class="pilcrow">¶</a></p>
 </div>
-<span id="name-user-authorization-at-the-d"></span><div id="_55ffbfc5-3e9e-d778-c325-053335be1b58">
+<span id="name-user-authorization-at-the-d"></span><div id="_9e3cacc5-872b-d059-f188-40bbdee8f8e6">
 <figure id="figure-4">
-            <div id="_2fcfccc1-6689-c894-2cad-022a2963d0da">
-<div class="alignLeft art-ascii-art art-text artwork" id="section-2.2.1-10.1">
+          <div id="_dd4b41a7-19aa-de49-6908-31e9bb600ec9">
+<div class="alignLeft art-ascii-art art-text artwork" id="section-5.2-10.1">
 <pre>+-----------------------------------------------+
-| http://virtucondomains.com                    |
+| https://virtucondomains.example               |
 +-----------------------------------------------+
 | Virtucon Domains                              |
 |                                               |
@@ -1867,110 +1923,111 @@ <h4 id="name-the-synchronous-flow">
 </div>
 <figcaption><a href="#figure-4" class="selfRef">Figure 4</a>:
 <a href="#name-user-authorization-at-the-d" class="selfRef">User authorization at the DNS provider of the DNS setup for ACME</a>
-            </figcaption></figure>
+          </figcaption></figure>
 </div>
-<div id="_743a51c8-dd2a-2bd7-ed27-2d4ab17280ec">
-<p id="section-2.2.1-11">Assuming the user grants this consent, the DNS changes are be applied.<a href="#section-2.2.1-11" class="pilcrow">¶</a></p>
+<div id="_07ffcc91-0deb-e703-8049-8ff49cbdae73">
+<p id="section-5.2-11">Assuming the user grants this consent, the DNS changes are be applied.<a href="#section-5.2-11" class="pilcrow">¶</a></p>
 </div>
-<div id="_cf40275e-7b32-4b74-609a-5f045fc24e8c">
-<p id="section-2.2.1-12">If invoked in a pop-up window or tab, the browser window should be closed
+<div id="_c171778f-f764-4e02-c6d5-843351386a2f">
+<p id="section-5.2-12">If invoked in a pop-up window or tab, the browser window should be closed
 after the changes are applied. If invoked in place, the user must be navigated back
-to the Service Provider after the changes are applied.<a href="#section-2.2.1-12" class="pilcrow">¶</a></p>
+to the Service Provider after the changes are applied.<a href="#section-5.2-12" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 <div id="_the_asynchronous_flow">
-<section id="section-2.2.2">
-          <h4 id="name-the-asynchronous-flow">
-<a href="#section-2.2.2" class="section-number selfRef">2.2.2. </a><a href="#name-the-asynchronous-flow" class="section-name selfRef">The Asynchronous Flow</a>
-          </h4>
-<div id="_300dd792-f9f7-b8d8-0258-fe3ff4af11a4">
-<p id="section-2.2.2-1">The asynchronous oAuth flow is tailored for the Service Provider that
+<section id="section-5.3">
+        <h3 id="name-the-asynchronous-flow">
+<a href="#section-5.3" class="section-number selfRef">5.3. </a><a href="#name-the-asynchronous-flow" class="section-name selfRef">The Asynchronous Flow</a>
+        </h3>
+<div id="_1ff3e2e7-40d0-8a6f-debc-e758fca26b32">
+<p id="section-5.3-1">The asynchronous OAuth flow is tailored for the Service Provider that
 wishes to make changes to DNS asynchronously with respect to the user
 interaction, or wishes to make multiple or additional changes to DNS
-over time.<a href="#section-2.2.2-1" class="pilcrow">¶</a></p>
+over time.<a href="#section-5.3-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_3e131d06-2429-8412-aed0-9c76171da454">
-<p id="section-2.2.2-2">The asynchronous flow begins similarly
+<div id="_5751993e-1492-387e-c711-362ded16227c">
+<p id="section-5.3-2">The asynchronous flow begins similarly
 to the synchronous flow. The Service Provider determines the
 DNS Provider and links to a consent dialog at the DNS Provider. Once at
 the DNS Provider the user signs in, control of the DNS zone for the domain is
-verified, and consent is granted.<a href="#section-2.2.2-2" class="pilcrow">¶</a></p>
+verified, and consent is granted.<a href="#section-5.3-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_c046ebc8-41c8-8772-5c7d-502dcfeb7199">
-<p id="section-2.2.2-3">Instead of applying the DNS changes on user consent, OAuth access is
+<div id="_c5ea83f1-dd1c-9a53-62d6-c81c5a247021">
+<p id="section-5.3-3">Instead of applying the DNS changes on user consent, OAuth access is
 granted to the Service Provider. An OAuth access code is generated and
 handed back to the Service Provider. The Service Provider then requests
-an access (bearer) token.<a href="#section-2.2.2-3" class="pilcrow">¶</a></p>
+an access (bearer) token.<a href="#section-5.3-3" class="pilcrow">¶</a></p>
 </div>
-<div id="_4f8adb7b-9646-97b6-91a7-138694f51a03">
-<p id="section-2.2.2-4">The permission granted in the OAuth token is a right for the Service
+<div id="_83ea585a-7bec-6d67-c92e-d31ef9a2d97a">
+<p id="section-5.3-4">The permission granted in the OAuth token is a right for the Service
 Provider to apply a requested template (or templates) to the specific
-domain (and specific subdomains) DNS under control of a specific user at the DNS Provider.<a href="#section-2.2.2-4" class="pilcrow">¶</a></p>
-</div>
-<div id="_9ab2008c-6e2f-7878-4e19-5098f5ee20a0">
-<p id="section-2.2.2-5">The Service Provider would later call the an API to apply a template
-using the access token.<a href="#section-2.2.2-5" class="pilcrow">¶</a></p>
+domain (and specific subdomains) DNS under control of a specific user at the DNS Provider.<a href="#section-5.3-4" class="pilcrow">¶</a></p>
 </div>
-<div id="_840e8196-c359-cc0c-9bba-0495d48827ff">
-<p id="section-2.2.2-6">Additional parameters must be passed as name/value pairs when applying
-the template.<a href="#section-2.2.2-6" class="pilcrow">¶</a></p>
+<div id="_517e544a-65db-e9d1-e5e3-0f36eb2d5344">
+<p id="section-5.3-5">The Service Provider would later call the API of the DNS provider to apply a template
+using the access token.<a href="#section-5.3-5" class="pilcrow">¶</a></p>
 </div>
-</section>
+<div id="_24f8c822-b6db-10ea-4393-acdde4a6e385">
+<p id="section-5.3-6">Additional parameters must be passed as name/value pairs when applying
+the template.<a href="#section-5.3-6" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 </section>
 </div>
 <div id="_dns_provider_discovery">
-<section id="section-3">
+<section id="section-6">
       <h2 id="name-dns-provider-discovery">
-<a href="#section-3" class="section-number selfRef">3. </a><a href="#name-dns-provider-discovery" class="section-name selfRef">DNS Provider Discovery</a>
+<a href="#section-6" class="section-number selfRef">6. </a><a href="#name-dns-provider-discovery" class="section-name selfRef">DNS Provider Discovery</a>
       </h2>
-<div id="_d3c8c9f8-786a-69d2-2435-235a97d8b4c9">
-<p id="section-3-1">To facilitate discovery of the DNS Provider from a domain name DNS is utilized. This is
-done by returning a TXT record for <em>_domainconnect</em> in the zone.<a href="#section-3-1" class="pilcrow">¶</a></p>
+<div id="_07fc1c2b-330c-f8d3-ba25-75c9267498c8">
+<p id="section-6-1">To facilitate discovery of the DNS Provider from a domain name DNS is utilized. This is
+done by returning a TXT record for <em>_domainconnect</em> in the zone.<a href="#section-6-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_a3fc9969-edac-c883-fda0-28fb0db66ae9">
-<p id="section-3-2">An example of the contents of this record:<a href="#section-3-2" class="pilcrow">¶</a></p>
+<div id="_e4f582c4-e872-2a04-3710-c55a6cb92b48">
+<p id="section-6-2">An example of the contents of this record:<a href="#section-6-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_3ef5b3e1-f8a1-9bec-cb5f-6f8cf9684fbc">
-<div id="section-3-3">
-<pre class="sourcecode">domainconnect.virtucondomains.com</pre><a href="#section-3-3" class="pilcrow">¶</a>
+<div id="_a75ab39d-e235-4ab6-6f63-cd506e7e9c77">
+<div class="sourcecode" id="section-6-3">
+<pre>domainconnect.virtucondomains.example</pre><a href="#section-6-3" class="pilcrow">¶</a>
 </div>
 </div>
-<div id="_a46cbb10-3ba4-1248-119a-2aefd63e7c70">
-<p id="section-3-4">As a practical matter of implementation, the DNS Provider may or may not
+<div id="_771b709a-abb5-0354-abe1-37ac307fc54a">
+<p id="section-6-4">As a practical matter of implementation, the DNS Provider may or may not
 contain a copy of this data in each and every zone. Instead, the DNS
 Provider must simply respond to the DNS query for the
-<em>_domainconnect</em> TXT record with the appropriate data.<a href="#section-3-4" class="pilcrow">¶</a></p>
+<em>_domainconnect</em> TXT record with the appropriate data.<a href="#section-6-4" class="pilcrow">¶</a></p>
 </div>
-<div id="_321d397c-ba7b-2798-7f2a-651b358b65e6">
-<p id="section-3-5">How this is implemented is up to the DNS Provider.<a href="#section-3-5" class="pilcrow">¶</a></p>
+<div id="_568d3c19-ee9e-16e9-ecd4-160ba92b11ba">
+<p id="section-6-5">How this is implemented is up to the DNS Provider.<a href="#section-6-5" class="pilcrow">¶</a></p>
 </div>
-<div id="_0920ea92-32a2-592c-4d66-5ed8f448fa94">
-<p id="section-3-6">For example, the DNS Provider may not store the data inside a TXT record
+<div id="_1b07a19a-ac4d-eb4a-63d7-20b8233b5fe3">
+<p id="section-6-6">For example, the DNS Provider may not store the data inside a TXT record
 for the domain, opting instead to put a CNAME in the zone and have the
 TXT record in the target of the CNAME. Another DNS Provider may simply
 respond with the appropriate records at the DNS layer without having the data in each
-zone.<a href="#section-3-6" class="pilcrow">¶</a></p>
+zone.<a href="#section-6-6" class="pilcrow">¶</a></p>
 </div>
-<div id="_fefad84a-8d61-244c-2462-af1f322500ed">
-<p id="section-3-7">The URL prefix returned is subsequently used by the Service Provider to
+<div id="_e824b454-f6ce-5e68-1701-e4f43c15c59c">
+<p id="section-6-7">The URL prefix returned is subsequently used by the Service Provider to
 determine the additional settings for using Domain Connect on this
-domain at the DNS Provider. This is done by calling a REST API.<a href="#section-3-7" class="pilcrow">¶</a></p>
+domain at the DNS Provider. This is done by calling a REST API.<a href="#section-6-7" class="pilcrow">¶</a></p>
 </div>
-<div id="_178b39d1-816c-91ed-fbcf-4f8ede4e99e5">
-<div id="section-3-8">
-<pre class="sourcecode">GET
+<div id="_6ebcca94-e032-7aef-885a-a5da80469f84">
+<div class="sourcecode" id="section-6-8">
+<pre>GET
 
-https://{_domainconnect}/v2/{domain}/settings</pre><a href="#section-3-8" class="pilcrow">¶</a>
+https://{_domainconnect}/v2/{domain}/settings</pre><a href="#section-6-8" class="pilcrow">¶</a>
 </div>
 </div>
-<div id="_269edbac-fcc1-e901-492b-621c207c7aa1">
-<p id="section-3-9">This must return a JSON structure containing the settings to use for Domain Connect on the domain name (passed in on the path) at the DNS Provider. This JSON structure must contain the following fields unless otherwise specified.<a href="#section-3-9" class="pilcrow">¶</a></p>
+<div id="_9c072851-4349-4a2b-560e-b656bd0dbcae">
+<p id="section-6-9">This must return a JSON structure containing the settings to use for
+Domain Connect on the domain name (passed in on the path) at the DNS
+Provider. This JSON structure must contain the following fields unless
+otherwise specified.<a href="#section-6-9" class="pilcrow">¶</a></p>
 </div>
-<span id="name-properties-of-the-settings-"></span><div id="_b5e0ca4f-3a9c-a28e-2ebd-6cd0b4cdf583">
+<span id="name-properties-of-the-settings-"></span><div id="_99a8adea-5cd2-3c08-b2f9-44d236d1d60d">
 <table class="center" id="table-1">
         <caption>
 <a href="#table-1" class="selfRef">Table 1</a>:
@@ -1999,8 +2056,8 @@ <h2 id="name-dns-provider-discovery">
 </td>
             <td class="text-left" rowspan="1" colspan="1">providerId</td>
             <td class="text-left" rowspan="1" colspan="1">String</td>
-            <td class="text-left" rowspan="1" colspan="1">Unique identifier for the DNS Provider. To ensure non-coordinated uniqueness,
-this should be the domain name of the DNS Provider (e.g. virtucom.com).</td>
+            <td class="text-left" rowspan="1" colspan="1">(REQUIRED) Unique identifier for the DNS Provider. To ensure non-coordinated uniqueness,
+this should be the domain name of the DNS Provider (e.g. virtucom.example).</td>
           </tr>
           <tr>
             <td class="text-left" rowspan="1" colspan="1">
@@ -2008,7 +2065,7 @@ <h2 id="name-dns-provider-discovery">
 </td>
             <td class="text-left" rowspan="1" colspan="1">providerName</td>
             <td class="text-left" rowspan="1" colspan="1">String</td>
-            <td class="text-left" rowspan="1" colspan="1">The name of the DNS Provider.</td>
+            <td class="text-left" rowspan="1" colspan="1">(REQUIRED) The name of the DNS Provider.</td>
           </tr>
           <tr>
             <td class="text-left" rowspan="1" colspan="1">
@@ -2045,7 +2102,7 @@ <h2 id="name-dns-provider-discovery">
 </td>
             <td class="text-left" rowspan="1" colspan="1">urlAPI</td>
             <td class="text-left" rowspan="1" colspan="1">String</td>
-            <td class="text-left" rowspan="1" colspan="1">The URL Prefix for the REST API</td>
+            <td class="text-left" rowspan="1" colspan="1">(REQUIRED) The URL Prefix for the REST API</td>
           </tr>
           <tr>
             <td class="text-left" rowspan="1" colspan="1">
@@ -2091,41 +2148,40 @@ <h2 id="name-dns-provider-discovery">
         </tbody>
       </table>
 </div>
-<div id="_f36d4693-4fdf-cca9-9b3c-9d4f70016b34">
-<p id="section-3-11">As an example, the JSON returned by this call might contain.<a href="#section-3-11" class="pilcrow">¶</a></p>
-</div>
-<div id="_f1f69f26-9b32-945c-37ac-6d44554a9f9d">
-<div id="section-3-12">
-<pre class="lang-json sourcecode">{
-    "providerId": "virtucondomains.com",
+<div id="_ceb0bed3-9db8-341c-f625-654eae01baec">
+<div class="lang-json sourcecode" id="section-6-11">
+<pre>{
+    "providerId": "virtucondomains.example",
     "providerName": "Virtucon Domains",
     "providerDisplayName": "Virtucon Domains",
-    "urlSyncUX": "https://domainconnect.virtucondomains.com",
-    "urlAsyncUX": "https://domainconnect.virtucondomains.com",
-    "urlAPI": "https://api.domainconnect.virtucondomains.com",
+    "urlSyncUX": "https://domainconnect.virtucondomains.example",
+    "urlAsyncUX": "https://domainconnect.virtucondomains.example",
+    "urlAPI": "https://api.domainconnect.virtucondomains.example",
     "width": 750,
     "height": 750,
-    "urlControlPanel": "https://domaincontrolpanel.virtucondomains.com/?domain=%domain%",
-    "nameServers": ["ns01.virtucondomainsdns.com", "ns02.virtucondomainsdns.com"]
-}</pre><a href="#section-3-12" class="pilcrow">¶</a>
+    "urlControlPanel": "https://domaincontrolpanel.virtucondomains.ex
+    ample/?domain=%domain%",
+    "nameServers": ["ns01.virtucondomainsdns.example", "ns02.virtucon
+    domainsdns.example"]
+}</pre><a href="#section-6-11" class="pilcrow">¶</a>
 </div>
 </div>
-<div id="_0b822df8-0d4c-3b68-1394-d282c14a2ebf">
-<p id="section-3-13">Discovery must work on the root domain (zone) only. Bear in mind that
+<div id="_3f879246-e363-928b-60a5-31ec36882e03">
+<p id="section-6-12">Discovery must work on the root domain (zone) only. Bear in mind that
 zones can be delegated to other users, making this information valuable to
 Service Providers since DNS changes may be different for an apex zone vs.
-a sub-domain for an individual service.<a href="#section-3-13" class="pilcrow">¶</a></p>
+a sub-domain for an individual service.<a href="#section-6-12" class="pilcrow">¶</a></p>
 </div>
-<div id="_a9e1b6f6-d835-6340-2c6e-33b2e84dfe7c">
-<p id="section-3-14">The Service Provider must handle the condition when a query for the
+<div id="_ad145b7c-d3b0-3ded-8ea0-347ef87eec1d">
+<p id="section-6-13">The Service Provider must handle the condition when a query for the
 _domainconnect TXT record suceeds, but a call to query for the JSON fails.
 This can happen if the zone is hosted with another DNS Provider, but contains an
-incorrect _domainconnect TXT record.<a href="#section-3-14" class="pilcrow">¶</a></p>
+incorrect _domainconnect TXT record.<a href="#section-6-13" class="pilcrow">¶</a></p>
 </div>
-<div id="_d2f43cf8-d7be-e39b-ec43-073b0920de09">
-<p id="section-3-15">The DNS Provider must return a 404 if they do not contain the zone.<a href="#section-3-15" class="pilcrow">¶</a></p>
+<div id="_428f7bc7-d78b-fb0c-5ebe-cbc74d9af444">
+<p id="section-6-14">The DNS Provider must return a 404 if they do not contain the zone.<a href="#section-6-14" class="pilcrow">¶</a></p>
 </div>
-<span id="name-http-status-codes-for-the-s"></span><div id="_fc416094-c7e7-5e38-c65a-f4e39474c4c1">
+<span id="name-http-status-codes-for-the-s"></span><div id="_5051b19b-be1e-3ff6-5297-24459f8e6098">
 <table class="center" id="table-2">
         <caption>
 <a href="#table-2" class="selfRef">Table 2</a>:
@@ -2160,83 +2216,84 @@ <h2 id="name-dns-provider-discovery">
 </section>
 </div>
 <div id="_applying_domain_connect">
-<section id="section-4">
+<section id="section-7">
       <h2 id="name-applying-domain-connect">
-<a href="#section-4" class="section-number selfRef">4. </a><a href="#name-applying-domain-connect" class="section-name selfRef">Applying Domain Connect</a>
+<a href="#section-7" class="section-number selfRef">7. </a><a href="#name-applying-domain-connect" class="section-name selfRef">Applying Domain Connect</a>
       </h2>
 <div id="_endpoints">
-<section id="section-4.1">
+<section id="section-7.1">
         <h3 id="name-endpoints">
-<a href="#section-4.1" class="section-number selfRef">4.1. </a><a href="#name-endpoints" class="section-name selfRef">Endpoints</a>
+<a href="#section-7.1" class="section-number selfRef">7.1. </a><a href="#name-endpoints" class="section-name selfRef">Endpoints</a>
         </h3>
-<div id="_c4c654f9-5c03-cfb2-a4c2-b05a1c3ee45f">
-<p id="section-4.1-1">The Domain Connect endpoints returned in the JSON during
-discovery are in the form of URLs.<a href="#section-4.1-1" class="pilcrow">¶</a></p>
+<div id="_0a2fc914-ef53-a0ec-221f-73c1194594fb">
+<p id="section-7.1-1">The Domain Connect endpoints returned in the JSON during
+discovery are in the form of URLs.<a href="#section-7.1-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_3bef9b95-9179-35a4-54f8-4c90ed94c063">
-<p id="section-4.1-2">The first set of endpoints are for the UX that the Service Provider
+<div id="_19eef5e5-15c3-9345-74ab-e5de8ab057c8">
+<p id="section-7.1-2">The first set of endpoints are for the UX that the Service Provider
 links to. These are for the synchronous flow where the user can click
 to grant consent and have changes applied, and for the
-asynchronous oAuth flow where the user can grant consent for
-OAuth access.<a href="#section-4.1-2" class="pilcrow">¶</a></p>
+asynchronous OAuth flow where the user can grant consent for
+OAuth access.<a href="#section-7.1-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_998221ff-403e-e8c0-6abc-aed82c203fad">
-<p id="section-4.1-3">The second set of endpoints are for the REST API.<a href="#section-4.1-3" class="pilcrow">¶</a></p>
+<div id="_92ab93ea-5ec6-2421-ac33-b0e15797f047">
+<p id="section-7.1-3">The second set of endpoints are for the REST API.<a href="#section-7.1-3" class="pilcrow">¶</a></p>
 </div>
-<div id="_50fa891a-a680-951b-6d83-652305c88480">
-<p id="section-4.1-4">All endpoints begin with a root URL for the DNS Provider such as:<a href="#section-4.1-4" class="pilcrow">¶</a></p>
+<div id="_5969f1c6-a8ab-f4b6-2c0a-13eed456a299">
+<p id="section-7.1-4">All endpoints begin with a root URL for the DNS Provider such as:<a href="#section-7.1-4" class="pilcrow">¶</a></p>
 </div>
-<div id="_37130745-ce61-853a-b736-20468327eaa9">
-<div id="section-4.1-5">
-<pre class="sourcecode">https://connect.dnsprovider.com</pre><a href="#section-4.1-5" class="pilcrow">¶</a>
+<div id="_de0e3eee-c108-5d4a-e3f3-58153752d5d6">
+<div class="sourcecode" id="section-7.1-5">
+<pre>https://connect.dnsprovider.example</pre><a href="#section-7.1-5" class="pilcrow">¶</a>
 </div>
 </div>
-<div id="_5951c182-9094-2f47-312a-8b27438219c2">
-<p id="section-4.1-6">They may also include any prefix at the discretion of the DNS Provider.
-For example:<a href="#section-4.1-6" class="pilcrow">¶</a></p>
+<div id="_f0758586-474e-e0d6-d2c8-e43294bfaf92">
+<p id="section-7.1-6">They may also include any prefix at the discretion of the DNS Provider.
+For example:<a href="#section-7.1-6" class="pilcrow">¶</a></p>
 </div>
-<div id="_b40057ec-3e57-1190-ee5a-ce3ce8ddf281">
-<div id="section-4.1-7">
-<pre class="sourcecode">https://connect.dnsprovider.com/api</pre><a href="#section-4.1-7" class="pilcrow">¶</a>
+<div id="_aeaad295-d840-db70-2285-97bc4eabc4c2">
+<div class="sourcecode" id="section-7.1-7">
+<pre>https://connect.dnsprovider.example/api</pre><a href="#section-7.1-7" class="pilcrow">¶</a>
 </div>
 </div>
-<div id="_efb806d8-c05e-3439-c70f-1c0c342dafa3">
-<p id="section-4.1-8">The root URLs for the UX endpoints and the API endpoints are returned in
-the JSON payload during DNS Provider discovery.<a href="#section-4.1-8" class="pilcrow">¶</a></p>
+<div id="_fd665040-07a1-8d0b-cf2f-b92a0cb17b9e">
+<p id="section-7.1-8">The root URLs for the UX endpoints and the API endpoints are returned in
+the JSON payload during DNS Provider discovery.<a href="#section-7.1-8" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 <div id="_synchronous_flow">
-<section id="section-4.2">
+<section id="section-7.2">
         <h3 id="name-synchronous-flow">
-<a href="#section-4.2" class="section-number selfRef">4.2. </a><a href="#name-synchronous-flow" class="section-name selfRef">Synchronous Flow</a>
+<a href="#section-7.2" class="section-number selfRef">7.2. </a><a href="#name-synchronous-flow" class="section-name selfRef">Synchronous Flow</a>
         </h3>
 <div id="_query_supported_template">
-<section id="section-4.2.1">
+<section id="section-7.2.1">
           <h4 id="name-query-supported-template">
-<a href="#section-4.2.1" class="section-number selfRef">4.2.1. </a><a href="#name-query-supported-template" class="section-name selfRef">Query Supported Template</a>
+<a href="#section-7.2.1" class="section-number selfRef">7.2.1. </a><a href="#name-query-supported-template" class="section-name selfRef">Query Supported Template</a>
           </h4>
-<div id="_0a28c215-08c3-e81b-6bde-fca0bf73f281">
-<div id="section-4.2.1-1">
-<pre class="sourcecode">GET
+<div id="_34ffffe5-ae2c-cb51-60cd-9149540f4f6d">
+<div class="sourcecode" id="section-7.2.1-1">
+<pre>GET
 
-{urlAPI}/v2/domainTemplates/providers/{providerId}/services/{serviceId}</pre><a href="#section-4.2.1-1" class="pilcrow">¶</a>
+{urlAPI}/v2/domainTemplates/providers/{providerId}/services
+/{serviceId}</pre><a href="#section-7.2.1-1" class="pilcrow">¶</a>
 </div>
 </div>
-<div id="_fe310027-ae4e-a9df-eacb-c4632e88e04a">
-<p id="section-4.2.1-2">This URL is be used by the Service Provider to determine if the DNS
-Provider supports a specific template through the synchronous flow.<a href="#section-4.2.1-2" class="pilcrow">¶</a></p>
+<div id="_b0379ff3-f614-5033-2b46-5242803c7e36">
+<p id="section-7.2.1-2">This URL is be used by the Service Provider to determine if the DNS
+Provider supports a specific template through the synchronous flow.<a href="#section-7.2.1-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_dfc25f46-6bf7-f219-de9f-1ba00088b4d2">
-<p id="section-4.2.1-3">Returning a status of 200 without a body indicates the template is supported.
+<div id="_70cce8e4-a0fd-6331-eae0-1bd35c521864">
+<p id="section-7.2.1-3">Returning a status of 200 without a body indicates the template is supported.
 The DNS provider may decide to disclose the version of the template
-in a JSON object with field <em>version</em> (see: <span><a href="#template-definition" class="xref">version field</a> (<a href="#template-definition" class="xref">Section 5.2</a>)</span>)
-or the full JSON object of deployed template.<a href="#section-4.2.1-3" class="pilcrow">¶</a></p>
+in a JSON object with field <em>version</em> (see: <span><a href="#template-definition" class="internal xref">version field</a> (<a href="#template-definition" class="auto internal xref">Section 8.2</a>)</span>
+or the full JSON object of deployed template.<a href="#section-7.2.1-3" class="pilcrow">¶</a></p>
 </div>
-<div id="_a6de1417-edf2-4302-cacb-eb35cfbe6dcd">
-<p id="section-4.2.1-4">Returning a status of 404 indicates the template is not supported.<a href="#section-4.2.1-4" class="pilcrow">¶</a></p>
+<div id="_cf699c5b-61ba-bfd6-7b63-0bafcb377b06">
+<p id="section-7.2.1-4">Returning a status of 404 indicates the template is not supported.<a href="#section-7.2.1-4" class="pilcrow">¶</a></p>
 </div>
-<span id="name-https-status-codes-for-the-"></span><div id="_1c4f995c-3fed-5c2e-04a2-12483d0ae502">
+<span id="name-https-status-codes-for-the-"></span><div id="_a90da9e7-6d0a-ac81-cec9-ec8526f16ed7">
 <table class="center" id="table-3">
             <caption>
 <a href="#table-3" class="selfRef">Table 3</a>:
@@ -2271,118 +2328,126 @@ <h4 id="name-query-supported-template">
 </section>
 </div>
 <div id="_apply_template">
-<section id="section-4.2.2">
+<section id="section-7.2.2">
           <h4 id="name-apply-template">
-<a href="#section-4.2.2" class="section-number selfRef">4.2.2. </a><a href="#name-apply-template" class="section-name selfRef">Apply Template</a>
+<a href="#section-7.2.2" class="section-number selfRef">7.2.2. </a><a href="#name-apply-template" class="section-name selfRef">Apply Template</a>
           </h4>
-<div id="_33770b22-4c9a-6645-81fd-460f996d7abc">
-<div id="section-4.2.2-1">
-<pre class="sourcecode">GET
+<div id="_apply_template_url">
+<section id="section-7.2.2.1">
+            <h5 id="name-apply-template-url">
+<a href="#section-7.2.2.1" class="section-number selfRef">7.2.2.1. </a><a href="#name-apply-template-url" class="section-name selfRef">Apply Template URL</a>
+            </h5>
+<div id="_331c6b57-86ee-9804-338b-7efcb53f88b2">
+<div class="sourcecode" id="section-7.2.2.1-1">
+<pre>GET
 
-{urlSyncUX}/v2/domainTemplates/providers/{providerId}/services/{serviceId}/apply?[properties]</pre><a href="#section-4.2.2-1" class="pilcrow">¶</a>
+{urlSyncUX}/v2/domainTemplates/providers/{providerId}/services
+/{serviceId}/apply?[properties]</pre><a href="#section-7.2.2.1-1" class="pilcrow">¶</a>
+</div>
 </div>
+<div id="_3cabe7eb-a279-0cbe-eb45-6a02fb456019">
+<p id="section-7.2.2.1-2">This is the URL where the user is sent to apply a template to a domain they own.
+It is called from the Service Provider to start the synchronous Domain Connect Protocol.<a href="#section-7.2.2.1-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_bbcf394f-2d66-eceb-d5f4-62f9259e7655">
-<p id="section-4.2.2-2">This is the URL where the user is sent to apply a template to a domain they own.
-It is called from the Service Provider to start the synchronous Domain Connect Protocol.<a href="#section-4.2.2-2" class="pilcrow">¶</a></p>
+<div id="_8cc52f60-74ce-218c-b8fb-a9a2bee52b46">
+<p id="section-7.2.2.1-3">This URL can be called in one of two ways.<a href="#section-7.2.2.1-3" class="pilcrow">¶</a></p>
 </div>
-<div id="_c55582cd-427f-80bd-9474-937a40bf255e">
-<p id="section-4.2.2-3">This URL can be called in one of two ways.<a href="#section-4.2.2-3" class="pilcrow">¶</a></p>
+</section>
 </div>
 <div id="_new_browser_window">
-<section id="section-4.2.2.1">
+<section id="section-7.2.2.2">
             <h5 id="name-new-browser-window">
-<a href="#section-4.2.2.1" class="section-number selfRef">4.2.2.1. </a><a href="#name-new-browser-window" class="section-name selfRef">New Browser Window</a>
+<a href="#section-7.2.2.2" class="section-number selfRef">7.2.2.2. </a><a href="#name-new-browser-window" class="section-name selfRef">New Browser Window</a>
             </h5>
-<div id="_cd43ed2c-a022-81fa-f49f-c2096b0a8cda">
-<p id="section-4.2.2.1-1">The first is through a new browser tab or in a popup browser window.
+<div id="_03d065a5-898f-3194-d4f1-e4a44c49e713">
+<p id="section-7.2.2.2-1">The first is through a new browser tab or in a popup browser window.
 The DNS Provider signs the user
 in if necessary, verifies domain ownership, and asks for confirmation
 before application of the template. After application of the template,
-the DNS Provider should automatically close the browser tab or window.<a href="#section-4.2.2.1-1" class="pilcrow">¶</a></p>
+the DNS Provider should automatically close the browser tab or window.<a href="#section-7.2.2.2-1" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 <div id="_same_browser_window">
-<section id="section-4.2.2.2">
+<section id="section-7.2.2.3">
             <h5 id="name-same-browser-window">
-<a href="#section-4.2.2.2" class="section-number selfRef">4.2.2.2. </a><a href="#name-same-browser-window" class="section-name selfRef">Same Browser Window</a>
+<a href="#section-7.2.2.3" class="section-number selfRef">7.2.2.3. </a><a href="#name-same-browser-window" class="section-name selfRef">Same Browser Window</a>
             </h5>
-<div id="_2a6a1486-4358-cb8d-201d-66febc7fa644">
-<p id="section-4.2.2.2-1">The second is in the current browser tab/window. As above the DNS
+<div id="_947c872d-cf7b-ecae-bd27-bcf1acd33c13">
+<p id="section-7.2.2.3-1">The second is in the current browser tab/window. As above the DNS
 Provider signs the user in if necessary, verifies the user control of the DNS Zone for the domain,
 and asks for confirmation before application of the template. After
 application of the template (or cancellation by the user), the DNS
-Provider must redirect the browser to a return URL (redirect_uri).<a href="#section-4.2.2.2-1" class="pilcrow">¶</a></p>
+Provider must redirect the browser to a return URL (redirect_uri).<a href="#section-7.2.2.3-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_6581e4e0-658a-55ea-cbf9-eb125eadad7b">
-<p id="section-4.2.2.2-2">Several parameters must be appended to the end of this redirect_uri.<a href="#section-4.2.2.2-2" class="pilcrow">¶</a></p>
+<div id="_037589fd-ba4d-1fea-a97a-b1555f674d86">
+<p id="section-7.2.2.3-2">Several parameters must be appended to the end of this redirect_uri.<a href="#section-7.2.2.3-2" class="pilcrow">¶</a></p>
 </div>
 <ul class="normal">
-<li class="normal" id="section-4.2.2.2-3.1">
-                <div id="_3905efcd-87e9-0d9e-f248-95c1565a1d19">
-<p id="section-4.2.2.2-3.1.1">State<a href="#section-4.2.2.2-3.1.1" class="pilcrow">¶</a></p>
+<li class="normal" id="section-7.2.2.3-3.1">
+                <div id="_e95247db-0366-5999-b72d-e84e2aca6d61">
+<p id="section-7.2.2.3-3.1.1">State<a href="#section-7.2.2.3-3.1.1" class="pilcrow">¶</a></p>
 </div>
-<div id="_afd12b53-5a9d-44fe-3249-eee7fa4992d5">
-<p id="section-4.2.2.2-3.1.2">If a state parameter is passed in on the query string, this must be
-passed back as state= on the redirect_uri.<a href="#section-4.2.2.2-3.1.2" class="pilcrow">¶</a></p>
+<div id="_d24c7c09-e7d1-0c22-220e-219c2bdd82a9">
+<p id="section-7.2.2.3-3.1.2">If a state parameter is passed in on the query string, this must be
+passed back as state= on the redirect_uri.<a href="#section-7.2.2.3-3.1.2" class="pilcrow">¶</a></p>
 </div>
 </li>
-              <li class="normal" id="section-4.2.2.2-3.2">
-                <div id="_5b473933-d678-1e25-e03f-63bf68cd66c5">
-<p id="section-4.2.2.2-3.2.1">Error<a href="#section-4.2.2.2-3.2.1" class="pilcrow">¶</a></p>
+              <li class="normal" id="section-7.2.2.3-3.2">
+                <div id="_a9e208bb-9566-f29d-3fcc-6370a85121db">
+<p id="section-7.2.2.3-3.2.1">Error<a href="#section-7.2.2.3-3.2.1" class="pilcrow">¶</a></p>
 </div>
-<div id="_1d1dbd70-4cac-555c-30f9-4577a65723c1">
-<p id="section-4.2.2.2-3.2.2">If authorization could not be obtained or an error has occurred, the
+<div id="_63dfdd18-66fa-3e5e-1cb4-605d18d8615d">
+<p id="section-7.2.2.3-3.2.2">If authorization could not be obtained or an error has occurred, the
 parameter error= must be appended. For consistency with the asynchronous
 OAuth flows the valid values for the error parameter will be as
-specified in OAuth 2.0 RFC 6749 (4.1.2.1. Error Response - "error"
+specified in OAuth 2.0 <span>[<a href="#RFC6749" class="cite xref">RFC6749</a>]</span> (4.1.2.1. Error Response - "error"
 parameter). Valid values are: invalid_request, unauthorized_client,
 access_denied, unsupported_response_type, invalid_scope, server_error,
-and temporarily_unavailable.<a href="#section-4.2.2.2-3.2.2" class="pilcrow">¶</a></p>
+and temporarily_unavailable.<a href="#section-7.2.2.3-3.2.2" class="pilcrow">¶</a></p>
 </div>
 </li>
-              <li class="normal" id="section-4.2.2.2-3.3">
-                <div id="_19b94c38-370f-2226-6d45-1e5027266a93">
-<p id="section-4.2.2.2-3.3.1">Error Description<a href="#section-4.2.2.2-3.3.1" class="pilcrow">¶</a></p>
+              <li class="normal" id="section-7.2.2.3-3.3">
+                <div id="_8cc5a43a-de5b-2d75-20e3-6bbbf9539ec9">
+<p id="section-7.2.2.3-3.3.1">Error Description<a href="#section-7.2.2.3-3.3.1" class="pilcrow">¶</a></p>
 </div>
-<div id="_7705a0cb-ae65-c1be-0757-95dbda8e7bbd">
-<p id="section-4.2.2.2-3.3.2">When an error occurs, an OPTIONAL error description containing a
-developer focused error description may be returned.<a href="#section-4.2.2.2-3.3.2" class="pilcrow">¶</a></p>
+<div id="_3ba52e13-f11f-4c9a-0743-3d9fefe0ee66">
+<p id="section-7.2.2.3-3.3.2">When an error occurs, an OPTIONAL error description containing a
+developer focused error description may be returned.<a href="#section-7.2.2.3-3.3.2" class="pilcrow">¶</a></p>
 </div>
-<div id="_dd177438-7d3e-18ad-14cb-415aaa8dd361">
-<p id="section-4.2.2.2-3.3.3">Under normal
+<div id="_b4df9a29-5da4-28e5-4c63-b622cc45051c">
+<p id="section-7.2.2.3-3.3.3">Under normal
 operation the access_denied error can be returned for a number of
 reasons. For example, the user may not have access to the account that
 owns the domain. Even if they do and successfully sign-in, the account
-or the domain may be suspended.<a href="#section-4.2.2.2-3.3.3" class="pilcrow">¶</a></p>
+or the domain may be suspended.<a href="#section-7.2.2.3-3.3.3" class="pilcrow">¶</a></p>
 </div>
-<div id="_2e45f601-46b7-2c63-6243-4dbb32c24d6f">
-<p id="section-4.2.2.2-3.3.4">It is unlikely that the DNS Provider would want to leak this information
-to the Service Provider, and as such the description may be vague.<a href="#section-4.2.2.2-3.3.4" class="pilcrow">¶</a></p>
+<div id="_95894261-85ea-ff33-75ae-76a9008fbbd6">
+<p id="section-7.2.2.3-3.3.4">It is unlikely that the DNS Provider would want to leak this information
+to the Service Provider, and as such the description may be vague.<a href="#section-7.2.2.3-3.3.4" class="pilcrow">¶</a></p>
 </div>
-<div id="_58943aee-5e5c-6f41-b250-1093d54bb110">
-<p id="section-4.2.2.2-3.3.5">There is one piece of information that may be interesting to communicate
+<div id="_4c272b28-07c4-0598-5cd1-a8dacd7d5dcd">
+<p id="section-7.2.2.3-3.3.5">There is one piece of information that may be interesting to communicate
 to the Service Provider. This is when the end user decided to cancel the
 operation. If the DNS Provider wishes to communicate this to the
 Service Provider, when the error=access_denied the error_description may
 contain the prefix "user_cancel". Again, this is left to the discretion
-of the DNS Provider.<a href="#section-4.2.2.2-3.3.5" class="pilcrow">¶</a></p>
+of the DNS Provider.<a href="#section-7.2.2.3-3.3.5" class="pilcrow">¶</a></p>
 </div>
 </li>
             </ul>
-<div id="_eb3bf813-9537-ea84-e3ab-a9abdbf01255">
-<p id="section-4.2.2.2-4">To prevent an open redirect, unless the request is digitally signed the redirect_uri
-must be within the domains specified in the template in syncRedirectDomain.<a href="#section-4.2.2.2-4" class="pilcrow">¶</a></p>
+<div id="_5cf8b909-795a-297c-43f1-88c73d866bc5">
+<p id="section-7.2.2.3-4">To prevent an open redirect, unless the request is digitally signed the redirect_uri
+must be within the domains specified in the template in syncRedirectDomain.<a href="#section-7.2.2.3-4" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 <div id="_parametersproperties">
-<section id="section-4.2.2.3">
+<section id="section-7.2.2.4">
             <h5 id="name-parameters-properties">
-<a href="#section-4.2.2.3" class="section-number selfRef">4.2.2.3. </a><a href="#name-parameters-properties" class="section-name selfRef">Parameters/properties</a>
+<a href="#section-7.2.2.4" class="section-number selfRef">7.2.2.4. </a><a href="#name-parameters-properties" class="section-name selfRef">Parameters/properties</a>
             </h5>
-<span id="name-query-parameters-of-the-app"></span><div id="_5d7e1c9f-ba2b-4601-0613-b58dff2f1244">
+<span id="name-query-parameters-of-the-app"></span><div id="_e01f1eae-2447-cf75-a97d-5a4af3a0deba">
 <table class="center" id="table-4">
               <caption>
 <a href="#table-4" class="selfRef">Table 4</a>:
@@ -2401,7 +2466,7 @@ <h5 id="name-parameters-properties">
                     <strong>Domain</strong>
 </td>
                   <td class="text-left" rowspan="1" colspan="1">domain</td>
-                  <td class="text-left" rowspan="1" colspan="1">The domain name being configured. This is the root domain (the
+                  <td class="text-left" rowspan="1" colspan="1">(REQUIRED) The domain name being configured. This is the root domain (the
 registered domain or delegated zone).</td>
                 </tr>
                 <tr>
@@ -2436,7 +2501,7 @@ <h5 id="name-parameters-properties">
                     <strong>Name/Value Pairs</strong>
 </td>
                   <td class="text-left" rowspan="1" colspan="1">*</td>
-                  <td class="text-left" rowspan="1" colspan="1">Any key that will be used as a replacement for the "% surrounded" variables in the
+                  <td class="text-left" rowspan="1" colspan="1">(REQUIRED) Any key that will be used as a replacement for the "% surrounded" variables in the
 template. The name portion of this API call corresponds to
 the variable(s) specified in the template and the value corresponds to the value that will
 be used when applying the template.</td>
@@ -2478,350 +2543,386 @@ <h5 id="name-parameters-properties">
                   <td class="text-left" rowspan="1" colspan="1">sig</td>
                   <td class="text-left" rowspan="1" colspan="1">(OPTIONAL) A signature of the query string. See Security Considerations section below.</td>
                 </tr>
+                <tr>
+                  <td class="text-left" rowspan="1" colspan="1">
+                    <strong>Key</strong>
+</td>
+                  <td class="text-left" rowspan="1" colspan="1">key</td>
+                  <td class="text-left" rowspan="1" colspan="1">(OPTIONAL) A value containing the host in DNS where the public key for the signature can be
+obtained. The domain for this host is in the template in syncPubKeyDomain. See Security
+Considerations section below.</td>
+                </tr>
               </tbody>
             </table>
 </div>
-<div id="_d50ed220-6e57-2d16-3bba-db698b1725c9">
-<p id="section-4.2.2.3-2">An example query string:<a href="#section-4.2.2.3-2" class="pilcrow">¶</a></p>
+<div id="_9a806e23-7c47-60f6-6183-3444af8cb8a4">
+<p id="section-7.2.2.4-2">An example query string:<a href="#section-7.2.2.4-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_53973577-8f69-ae95-f4cc-30bc3008a171">
-<div id="section-4.2.2.3-3">
-<pre class="sourcecode">GET
+<div id="_173f8690-76b7-918e-4d4a-992eecece71e">
+<div class="sourcecode" id="section-7.2.2.4-3">
+<pre>GET
 
-https://web-connect.dnsprovider.com/v2/domainTemplates/providers/exampleservice.domainconnect.org/services/template1/apply?domain=example.com&amp;IP=192.168.42.42&amp;RANDOMTEXT=shm%3A1542108821%3AHello</pre><a href="#section-4.2.2.3-3" class="pilcrow">¶</a>
+https://web-connect.dnsprovider.example/v2/domainTemplates/providers/
+exampleservice.example/services/template1/apply?domain=example.com
+&amp;#x26;IP=192.168.42.42&amp;#x26;RANDOMTEXT=shm%3A1542108821%3AHello</pre><a href="#section-7.2.2.4-3" class="pilcrow">¶</a>
 </div>
 </div>
-<div id="_5c68532e-7807-6beb-e63e-dc68244159e3">
-<p id="section-4.2.2.3-4">This call indicates that the Service Provider wishes to connect the
+<div id="_4744d586-213d-43d5-9e96-bf5cc4772789">
+<p id="section-7.2.2.4-4">This call indicates that the Service Provider wishes to connect the
 domain example.com to the service using the template identified by the
-composite key of the provider (exampleservice.domainconnect.org) and the service template
+composite key of the provider (exampleservice.example) and the service template
 owned by them (template1). In this example, there are two variables in this
-template, "IP" and "RANDOMTEXT". These variables are passed as name/value pairs.<a href="#section-4.2.2.3-4" class="pilcrow">¶</a></p>
+template, "IP" and "RANDOMTEXT". These variables are passed as name/value pairs.<a href="#section-7.2.2.4-4" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 </section>
 </div>
 <div id="_security_considerations">
-<section id="section-4.2.3">
+<section id="section-7.2.3">
           <h4 id="name-security-considerations">
-<a href="#section-4.2.3" class="section-number selfRef">4.2.3. </a><a href="#name-security-considerations" class="section-name selfRef">Security Considerations</a>
+<a href="#section-7.2.3" class="section-number selfRef">7.2.3. </a><a href="#name-security-considerations" class="section-name selfRef">Security Considerations</a>
           </h4>
-<div id="_b5ffa64e-2f8e-11c6-60c5-c0e922e832c6">
-<p id="section-4.2.3-1">By applying a template with parameters there is a security
-consideration that must be taken into account.<a href="#section-4.2.3-1" class="pilcrow">¶</a></p>
+<div id="_risk_of_phishing_with_open_template_parameters">
+<section id="section-7.2.3.1">
+            <h5 id="name-risk-of-phishing-with-open-">
+<a href="#section-7.2.3.1" class="section-number selfRef">7.2.3.1. </a><a href="#name-risk-of-phishing-with-open-" class="section-name selfRef">Risk of phishing with open template parameters</a>
+            </h5>
+<div id="_e2e83458-bb64-e998-65f8-1ed84d533d59">
+<p id="section-7.2.3.1-1">By applying a template with parameters there is a security
+consideration that must be taken into account.<a href="#section-7.2.3.1-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_64b08d6f-4336-2606-aaac-3faf78d1a63f">
-<p id="section-4.2.3-2">Consider the template above where the IP address of the A record is
+<div id="_12444988-7410-7be6-6cd0-b9db33efe8f8">
+<p id="section-7.2.3.1-2">Consider the template above where the IP address of the A record is
 passed in through a variable. A bad actor could generate a URL with a
 malicious IP and phish users by sending out emails asking them to "re-configure" their
 service. If an end user is convinced to click on
 this link, they would land on the DNS Provider site to confirm the
 change. To the user, this would appear to be a valid request to
-configure the domain. Yet the IP would be hijacking the service.<a href="#section-4.2.3-2" class="pilcrow">¶</a></p>
+configure the domain. Yet the IP would be hijacking the service.<a href="#section-7.2.3.1-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_ecf60627-9937-5ea2-d35f-359f22742ffd">
-<p id="section-4.2.3-3">Not all templates have this problem. But when they do, there are several
-options.<a href="#section-4.2.3-3" class="pilcrow">¶</a></p>
+<div id="_e73be4f8-50c7-b643-fd70-62fd780f073c">
+<p id="section-7.2.3.1-3">Not all templates have this problem. But when they do, there are several options.<a href="#section-7.2.3.1-3" class="pilcrow">¶</a></p>
+</div>
+</section>
 </div>
 <div id="_disable_synchronous">
-<section id="section-4.2.3.1">
+<section id="section-7.2.3.2">
             <h5 id="name-disable-synchronous">
-<a href="#section-4.2.3.1" class="section-number selfRef">4.2.3.1. </a><a href="#name-disable-synchronous" class="section-name selfRef">Disable Synchronous</a>
+<a href="#section-7.2.3.2" class="section-number selfRef">7.2.3.2. </a><a href="#name-disable-synchronous" class="section-name selfRef">Disable Synchronous</a>
             </h5>
-<div id="_6b0da676-d046-d392-a4bf-b4774a6ad817">
-<p id="section-4.2.3.1-1">One option is to disable the synchronous flow and use
+<div id="_1ebc34b1-a670-5c77-c89a-b1eb52b25687">
+<p id="section-7.2.3.2-1">One option is to disable the synchronous flow and use
 asynchronous OAuth. This can be controlled with the syncBlock
 value from the template. However, as will be seen below OAuth has a higher
 implementation burden and requires onboarding between each Service and
-DNS Provider.<a href="#section-4.2.3.1-1" class="pilcrow">¶</a></p>
+DNS Provider.<a href="#section-7.2.3.2-1" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 <div id="_digitally_sign_requests">
-<section id="section-4.2.3.2">
+<section id="section-7.2.3.3">
             <h5 id="name-digitally-sign-requests">
-<a href="#section-4.2.3.2" class="section-number selfRef">4.2.3.2. </a><a href="#name-digitally-sign-requests" class="section-name selfRef">Digitally Sign Requests</a>
+<a href="#section-7.2.3.3" class="section-number selfRef">7.2.3.3. </a><a href="#name-digitally-sign-requests" class="section-name selfRef">Digitally Sign Requests</a>
             </h5>
-<div id="_a92c4f93-f3fa-e9c5-55ca-753a04b27eb9">
-<p id="section-4.2.3.2-1">Another option is to digitally sign the query string. A
+<div id="_2366a7ed-aba9-3738-10e9-61ddd458ad5f">
+<p id="section-7.2.3.3-1">Another option is to digitally sign the query string. A
 signature is appended as an additional query string parameter,
-properly URL encoded and of the form:<a href="#section-4.2.3.2-1" class="pilcrow">¶</a></p>
+properly URL encoded and of the form:<a href="#section-7.2.3.3-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_f887c8d7-f2ac-44fd-21b1-adceabb2d683">
-<div id="section-4.2.3.2-2">
-<pre class="sourcecode">sig=NLOQQm6ikGC2FlFvFZqIFNCZqlaC4B%2FQDwS6iCwIElMWhXMgRnRE17zhLtdLFieWkyqKa4I%2FOoFaAgd%2FAl%2ByzDd3sM2X1JVF5ELjTlj84jZ4KOEIdnbgkEeO%2FTkYRrPkwcmcHMwc4RuX%2Fqio8vKYxJaKLKeVGpUNSKo7zkq3XIRgyxoLSRKxmlSTHFAz4LvYXPWo6SHDoVcRvElWj18Um13sSXuX4KhtOLym2yImHpboEi4m2Ziigc%2BNHZE0VvHUR7wZgDaB01z8hFm5ATF%2B8swjandMRf2Lr4Syv4qTxMNT61r62EWFkt5t9nhxMgss6z4pfDVFZ3vYwSJDGuRpEQ%3D%3D</pre><a href="#section-4.2.3.2-2" class="pilcrow">¶</a>
+<div id="_457ddb8a-86a1-7101-d88a-4824ab5f1cbf">
+<div class="sourcecode" id="section-7.2.3.3-2">
+<pre>sig=V2te9zWMU7G3plxBTsmYSJTvn2vzMvNwAjWQ%2BwTe91DxuJhdVf4cVc4vZBYfEYV
+7u5d7PzTO7se7OrkhyiB7TpoJJW1yB5qHR7HKM5SZldUsdtg5%2B1SzEtIX0Uq8b2mCmQ
+F%2FuJGXpqCyFrEajvpTM7fFKPk1kuctmtkjV7%2BATcvNPLWY7KyE4%2Bqc8jpfN61cP
+5l8iA4krAa3%2BfTro5cmWR8YUJ5yrnRs6KT4b5D71HFvOUk0sGEUddUUlsyRQKRHUFN6
+HjEya50YDHfZJlYHkHlK0xX6Yqeii9QZ2I35U9eJbSvZGQko5beqviWFXdsVDbvd3DYcb
+SHgJq9%2FXoMTTw%3D%3D</pre><a href="#section-7.2.3.3-2" class="pilcrow">¶</a>
 </div>
 </div>
-<div id="_545edd0c-c448-f701-9788-801899a5c474">
-<p id="section-4.2.3.2-3">The Service Provider generates this signature using a private key. As indicated,
-this signature is generated from the query string properly URL encoded.<a href="#section-4.2.3.2-3" class="pilcrow">¶</a></p>
+<div id="_716cee1a-b67a-07e9-d177-03bde6fd98fb">
+<p id="section-7.2.3.3-3">The Service Provider generates this signature using a private key. As indicated,
+this signature is generated from the query string properly URL encoded.<a href="#section-7.2.3.3-3" class="pilcrow">¶</a></p>
 </div>
-<div id="_6cd4a20d-4e15-52c0-5d1e-eebfbe8a9169">
-<p id="section-4.2.3.2-4">The Service provider must publish their public key and place it in a DNS TXT
+<div id="_6d795ab7-5080-ef10-ea26-354a06e33dca">
+<p id="section-7.2.3.3-4">The Service provider must publish their public key and place it in a DNS TXT
 record in a domain specified in the template in <strong>syncPubKeyDomain</strong>. To allow for key
-rotation, the host name of the TXT record must be appended as another variable on the query string of the form:<a href="#section-4.2.3.2-4" class="pilcrow">¶</a></p>
+rotation, the host name of the TXT record must be appended as another variable on the query string of the form:<a href="#section-7.2.3.3-4" class="pilcrow">¶</a></p>
 </div>
-<div id="_7ff69049-7127-69df-276c-06b17523db68">
-<div id="section-4.2.3.2-5">
-<pre class="sourcecode">key=_dcpubkeyv1</pre><a href="#section-4.2.3.2-5" class="pilcrow">¶</a>
+<div id="_e19ff2e7-90c7-9c23-24f1-463f55b38642">
+<div class="sourcecode" id="section-7.2.3.3-5">
+<pre>key=_dcpubkeyv1</pre><a href="#section-7.2.3.3-5" class="pilcrow">¶</a>
 </div>
 </div>
-<div id="_c59a62a1-272b-acfc-3c7b-1ebec395de1d">
-<p id="section-4.2.3.2-6">This example indicates that the public key can be found by doing a DNS
+<div id="_83268fc4-9c1f-0ed8-7e7a-4f54becc23c0">
+<p id="section-7.2.3.3-6">This example indicates that the public key can be found by doing a DNS
 query for a TXT record called _dcpubkeyv1 in the domain specified in the
-syncPubKeyDomain from the template.<a href="#section-4.2.3.2-6" class="pilcrow">¶</a></p>
-</div>
-<div id="_0be3055f-642d-ae71-9c05-8405289ca882">
-<p id="section-4.2.3.2-7">To account for DNS Servers with limits to the size of a TXT record, multiple
-records may exist for the DNS TXT query. For example, a public key of:<a href="#section-4.2.3.2-7" class="pilcrow">¶</a></p>
-</div>
-<div id="_ad5585bd-7343-e6ec-5125-08b1e27ad878">
-<div id="section-4.2.3.2-8">
-<pre class="sourcecode">MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1dCqv7JEzUOfbhWKB9mTRsv3O9Vzy1Tz3UQlIDGpnVrTPBJDQTXUhxUMREEOBKo+rOjHZqfYnSmlkgu1dnBEO8bsELQL8GjS4zsjdA53gRk2SDxuzcB4fK+NCDfnRHut5nG0S3U4cq4DuGrMDFVBwxH1duTsqDNgIOOfNTsFcWSVXoSSTqCCMGbj8Vt51umDhWQAj06lf50qP2/jMNs2G+KTlk3dBHx3wtqYLvdcop1Tk5xBD64BPJ9uwm8KlDNHe+8O+cC9j04Ji8B2K0/PzAj90xnb8XJy/EM124hpT9lMgpHKBUvdeurJYweC6oP41gsTf5LrpjnyIy9j5FHPCQIDAQAB</pre><a href="#section-4.2.3.2-8" class="pilcrow">¶</a>
-</div>
-</div>
-<div id="_0e78abc8-5993-3e36-0279-054f726332af">
-<p id="section-4.2.3.2-9">may contain several TXT records. The records would be of the form:<a href="#section-4.2.3.2-9" class="pilcrow">¶</a></p>
-</div>
-<div id="_d9ae684a-3a96-832e-abfc-3e893cf50c3a">
-<div id="section-4.2.3.2-10">
-<pre class="sourcecode">p=1,a=RS256,t=x509,d=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1dCqv7JEzUOfbhWKB9mTRsv3O9Vzy1Tz3UQlIDGpnVrTPBJDQTXUhxUMREEOBKo+rOjHZqfYnSmlkgu1dn
-
-p=2,a=RS256,t=x509,d=BEO8bsELQL8GjS4zsjdA53gRk2SDxuzcB4fK+NCDfnRHut5nG0S3U4cq4DuGrMDFVBwxH1duTsqDNgIOOfNTsFcWSVXoSSTqCCMGbj8Vt51umDhWQAj06lf5
+syncPubKeyDomain from the template.<a href="#section-7.2.3.3-6" class="pilcrow">¶</a></p>
+</div>
+<div id="_cb9b7041-0411-9365-c8d7-df446ee7ba2f">
+<p id="section-7.2.3.3-7">To account for DNS Servers with limits to the size of a TXT record, multiple
+records may exist for the DNS TXT query. For example, a public key of:<a href="#section-7.2.3.3-7" class="pilcrow">¶</a></p>
+</div>
+<div id="_c803e2da-9ac1-d2ab-3f3b-f62e7a307931">
+<div class="sourcecode" id="section-7.2.3.3-8">
+<pre>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA18SgvpmeasN4BHkkv0SBjAzIc
+4grYLjiAXRtNiBUiGUDMeTzQrKTsWvy9NuxU1dIHCZy9o1CrKNg5EzLIZLNyMfI6qiXnM
++HMd4byp97zs/3D39Q8iR5poubQcRaGozWx8yQpG0OcVdmEVcTfyR/XSEWC5u16EBNvRn
+NAOAvZYUdWqVyQvXsjnxQot8KcK0QP8iHpoL/1dbdRy2opRPQ2FdZpovUgknybq/6FkeD
+tW7uCQ6Mvu4QxcUa3+WP9nYHKtgWip/eFxpeb+qLvcLHf1h0JXtxLVdyy6OLk3f2JRYUX
+2ZZVDvG3biTpeJz6iRzjGg6MfGxXZHjI8weDjXrJwIDAQAB</pre><a href="#section-7.2.3.3-8" class="pilcrow">¶</a>
+</div>
+</div>
+<div id="_d03a8b6b-6454-b06e-3655-c870933faf8d">
+<p id="section-7.2.3.3-9">may contain several TXT records. The records would be of the form:<a href="#section-7.2.3.3-9" class="pilcrow">¶</a></p>
+</div>
+<div id="_ea01e5de-7d2e-8f73-bd2e-0eb71daece52">
+<div class="sourcecode" id="section-7.2.3.3-10">
+<pre>p=1,a=RS256,d=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA18SgvpmeasN
+4BHkkv0SBjAzIc4grYLjiAXRtNiBUiGUDMeTzQrKTsWvy9NuxU1dIHCZy9o1CrKNg5EzL
+IZLNyMfI6qiXnM+HMd4byp97zs/3D39Q8iR5poubQcRaGozWx8yQpG0OcVdmEVcTfy
 
-p=3,a=RS256,t=x509,d=NCDfnRHut5nG0S3U4cq4DuGrMDFVBwxH1duTsqDNgIOOfNTsFcWSVXoSSTqCCMGbj8Vt51umDhWQAj06lf50qP2/jMNs2G+KTlk3dBHx3wtqYLvdcop1Tk5xBD64BPJ9
+p=2,a=RS256,d=R/XSEWC5u16EBNvRnNAOAvZYUdWqVyQvXsjnxQot8KcK0QP8iHpoL/1
+dbdRy2opRPQ2FdZpovUgknybq/6FkeDtW7uCQ6Mvu4QxcUa3+WP9nYHKtgWip/eFxpeb+
+qLvcLHf1h0JXtxLVdyy6OLk3f2JRYUX2ZZVDvG3biTpeJz6iRzjGg6MfGxXZHjI8
 
-p=4,a=RS256,t=x509,d=uwm8KlDNHe+8O+cC9j04Ji8B2K0/PzAj90xnb8XJy/EM124hpT9lMgpHKBUvdeurJYweC6oP41gsTf5LrpjnyIy9j5FHPCQIDAQAB</pre><a href="#section-4.2.3.2-10" class="pilcrow">¶</a>
+p=3,a=RS256,d=weDjXrJwIDAQAB</pre><a href="#section-7.2.3.3-10" class="pilcrow">¶</a>
 </div>
 </div>
-<div id="_9d048e03-20f6-043b-625a-e8ba10f80f24">
-<p id="section-4.2.3.2-11">Here the public key is broken into four records in DNS, and the data
+<div id="_b1c19488-868a-82c8-f640-7a947dc0bda9">
+<p id="section-7.2.3.3-11">Here the public key is broken into four records in DNS, and the data
 also indicates that the signing algorithm is an RSA Signature with
 SHA-256 using an x509 certificate. The value for "a" if omitted will be
-assumed to be RS256, and for "t" will be assumed to be x509.<a href="#section-4.2.3.2-11" class="pilcrow">¶</a></p>
+assumed to be RS256, and for "t" will be assumed to be x509.<a href="#section-7.2.3.3-11" class="pilcrow">¶</a></p>
 </div>
-<div id="_52e1936f-b94b-8843-e61a-c7b156547370">
-<p id="section-4.2.3.2-12">Note: The only algorithm currently supported is SHA-256 with x509 certificates. The values
-are placed here for future compatibility.<a href="#section-4.2.3.2-12" class="pilcrow">¶</a></p>
+<div id="_6e8212d0-9b0c-4f20-5f83-fcd8737853d9">
+<p id="section-7.2.3.3-12">Note: The only algorithm currently supported is SHA-256 with x509 certificates. The values
+are placed here for future compatibility.<a href="#section-7.2.3.3-12" class="pilcrow">¶</a></p>
 </div>
-<div id="_1ba53350-9fd0-9b6c-9fca-ad1215c01c75">
-<p id="section-4.2.3.2-13">The above data was generated for a query string:<a href="#section-4.2.3.2-13" class="pilcrow">¶</a></p>
+<div id="_eeb5e0fa-3eb2-fda0-6db0-4cdb7e48d4e7">
+<p id="section-7.2.3.3-13">The above data was generated for a query string:<a href="#section-7.2.3.3-13" class="pilcrow">¶</a></p>
 </div>
-<div id="_b4a6a834-e480-7ca9-e1a3-5ec9da9cf15b">
-<div id="section-4.2.3.2-14">
-<pre class="sourcecode">a=1&amp;b=2&amp;ip=10.10.10.10&amp;domain=foobar.com</pre><a href="#section-4.2.3.2-14" class="pilcrow">¶</a>
+<div id="_b51f963e-0897-94ef-0d06-4abbdc6732eb">
+<div class="sourcecode" id="section-7.2.3.3-14">
+<pre>a=1&amp;b=2&amp;ip=10.10.10.10&amp;domain=example.net</pre><a href="#section-7.2.3.3-14" class="pilcrow">¶</a>
 </div>
 </div>
-<div id="_64ac005a-94b4-d9ba-818e-0078a5ccec83">
-<p id="section-4.2.3.2-15">Signing the query string by the Service Provider is OPTIONAL. Not
+<div id="_84966b85-11b7-6b0d-2e7c-b195d65ad763">
+<p id="section-7.2.3.3-15">Signing the query string by the Service Provider is OPTIONAL. Not
 all Services Provider templates require or are able to provide this level of security.
 Presence of the <strong>syncPubKeyDomain</strong> in the template indicates that the template requires
-signature verification.<a href="#section-4.2.3.2-15" class="pilcrow">¶</a></p>
+signature verification.<a href="#section-7.2.3.3-15" class="pilcrow">¶</a></p>
 </div>
-<div id="_2e605f22-d4d7-8de9-ffa4-dffc40ab5604">
-<p id="section-4.2.3.2-16">Notes:<a href="#section-4.2.3.2-16" class="pilcrow">¶</a></p>
+<div id="_3c2c9bd0-459c-b1ce-7020-988b21668f5a">
+<p id="section-7.2.3.3-16">Notes:<a href="#section-7.2.3.3-16" class="pilcrow">¶</a></p>
 </div>
-<div id="_9dacabb3-28ea-01c9-2283-f3ec45bb5721">
-<p id="section-4.2.3.2-17">The digital signature will be generated on the full query string only,
-excluding the sig and key parameters. This is everything after the ?, except the sig and key values.<a href="#section-4.2.3.2-17" class="pilcrow">¶</a></p>
+<div id="_1db36654-973b-585a-4779-28d234a099b2">
+<p id="section-7.2.3.3-17">The digital signature will be generated on the full query string only,
+excluding the sig and key parameters. This is everything after the ?, except the sig and key values.<a href="#section-7.2.3.3-17" class="pilcrow">¶</a></p>
 </div>
-<div id="_c2939f47-ed58-dc0e-7ee8-2031a8349ba8">
-<p id="section-4.2.3.2-18">The values of each query string value key/value pair must be properly URL Encoded
-before the signature is generated.<a href="#section-4.2.3.2-18" class="pilcrow">¶</a></p>
+<div id="_8e7da9d3-3019-495b-33d5-cdbbf982f9d5">
+<p id="section-7.2.3.3-18">The values of each query string value key/value pair must be properly URL Encoded
+before the signature is generated.<a href="#section-7.2.3.3-18" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 <div id="_warnings">
-<section id="section-4.2.3.3">
+<section id="section-7.2.3.4">
             <h5 id="name-warnings">
-<a href="#section-4.2.3.3" class="section-number selfRef">4.2.3.3. </a><a href="#name-warnings" class="section-name selfRef">Warnings</a>
+<a href="#section-7.2.3.4" class="section-number selfRef">7.2.3.4. </a><a href="#name-warnings" class="section-name selfRef">Warnings</a>
             </h5>
-<div id="_a6705d26-00a4-0390-2024-8116e88c470a">
-<p id="section-4.2.3.3-1">Some applications aren't able to use OAuth and/or sign requests.<a href="#section-4.2.3.3-1" class="pilcrow">¶</a></p>
+<div id="_4aa33bd0-243e-6ada-ea1f-ef4961c6a5db">
+<p id="section-7.2.3.4-1">Some applications aren't able to use OAuth and/or sign requests.<a href="#section-7.2.3.4-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_f4f2165e-238f-ee3d-cedd-ac2d5612ae3b">
-<p id="section-4.2.3.3-2">If the template require variables, and OAuth and signing isn't available,
-the flag <strong>warnPhishing</strong> must be set to true in the template.<a href="#section-4.2.3.3-2" class="pilcrow">¶</a></p>
+<div id="_52ed745f-4b7c-5a18-384a-d0365d32a87d">
+<p id="section-7.2.3.4-2">If the template require variables, and OAuth and signing isn't available,
+the flag <strong>warnPhishing</strong> must be set to true in the template.<a href="#section-7.2.3.4-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_8107c438-cd7e-00f2-3107-bd738cd024d0">
-<p id="section-4.2.3.3-3">When set this indicates to the DNS Provider that they should display extra warnings to
+<div id="_d95461e9-dee9-e948-11b1-329c08af224e">
+<p id="section-7.2.3.4-3">When set this indicates to the DNS Provider that they should display extra warnings to
 the user to have them verify the link was/is from a reputable source before applying
-the template.<a href="#section-4.2.3.3-3" class="pilcrow">¶</a></p>
+the template.<a href="#section-7.2.3.4-3" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 </section>
 </div>
 <div id="_shared_templates">
-<section id="section-4.2.4">
+<section id="section-7.2.4">
           <h4 id="name-shared-templates">
-<a href="#section-4.2.4" class="section-number selfRef">4.2.4. </a><a href="#name-shared-templates" class="section-name selfRef">Shared Templates</a>
+<a href="#section-7.2.4" class="section-number selfRef">7.2.4. </a><a href="#name-shared-templates" class="section-name selfRef">Shared Templates</a>
           </h4>
-<div id="_30032395-6660-4311-7f72-1993c5966026">
-<p id="section-4.2.4-1">Some templates can be called by multiple companies, or be used for different purposes.<a href="#section-4.2.4-1" class="pilcrow">¶</a></p>
+<div id="_3349bcb1-0391-d73b-5881-133868886849">
+<p id="section-7.2.4-1">Some templates can be called by multiple companies, or be used for different purposes.<a href="#section-7.2.4-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_1c2a7b1f-4838-4c6c-f43b-fc0a20369c81">
-<p id="section-4.2.4-2">For example, most services are sold and provided by the same company. However, some
+<div id="_f32000d6-a5da-43f3-a0bb-47a9a7d079ab">
+<p id="section-7.2.4-2">For example, most services are sold and provided by the same company. However, some
 Service Providers have a reseller channel. This allows the service to be
 provided by the Service Provider, but sold through third parties.
-It is often this third party reseller that configures DNS.<a href="#section-4.2.4-2" class="pilcrow">¶</a></p>
+It is often this third party reseller that configures DNS.<a href="#section-7.2.4-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_4d651966-6d0e-eb44-e2a2-c6babbf08ecd">
-<p id="section-4.2.4-3">While each reseller could enable Domain Connect, this is inefficient for
+<div id="_f82210cc-ddc5-d07c-01d4-be6ecdf61cd4">
+<p id="section-7.2.4-3">While each reseller could enable Domain Connect, this is inefficient for
 the DNS Providers. Enabling a single template that is shared by multiple
-resellers would be more optimal.<a href="#section-4.2.4-3" class="pilcrow">¶</a></p>
+resellers would be more optimal.<a href="#section-7.2.4-3" class="pilcrow">¶</a></p>
 </div>
-<div id="_53187bb1-82b6-be96-05e0-1f674255ff80">
-<p id="section-4.2.4-4">As another example, some templates may be used for different purposes by the same company.<a href="#section-4.2.4-4" class="pilcrow">¶</a></p>
+<div id="_f01822d8-7fee-1764-93c7-3ce3b6743ab0">
+<p id="section-7.2.4-4">As another example, some templates may be used for different purposes by the same company.<a href="#section-7.2.4-4" class="pilcrow">¶</a></p>
 </div>
-<div id="_47baddea-70ea-02c7-544f-5e6ec0f0b3e9">
-<p id="section-4.2.4-5">To facilitate these use cases, the ability to pass in additional context for the display
+<div id="_1924be4e-1558-d5d6-8c9c-751e36570bb3">
+<p id="section-7.2.4-5">To facilitate these use cases, the ability to pass in additional context for the display
 of the providerName and serviceName is enabled. This is only allowed when the template enables the capability
-through the sharedProviderName and/or sharedServiceName flags.<a href="#section-4.2.4-5" class="pilcrow">¶</a></p>
+through the sharedProviderName and/or sharedServiceName flags.<a href="#section-7.2.4-5" class="pilcrow">¶</a></p>
 </div>
-<div id="_94266c2d-0afa-f9e5-e372-15931f9cd7e9">
-<p id="section-4.2.4-6">Note: The shared flag used to be used for this purpose, but has been deprecated.<a href="#section-4.2.4-6" class="pilcrow">¶</a></p>
+<div id="_ff09a0f3-6d9d-7269-30bb-8ba594a6fbaa">
+<p id="section-7.2.4-6">Note: The shared flag used to be used for this purpose, but has been deprecated.<a href="#section-7.2.4-6" class="pilcrow">¶</a></p>
 </div>
-<div id="_498c9e15-a875-240d-6e10-f1ce638c75fb">
-<p id="section-4.2.4-7">The exact message presented to the user is up to the DNS Provider. However it is recommended
+<div id="_a2a7c6aa-11e6-38da-ac13-9f6048c720df">
+<p id="section-7.2.4-7">The exact message presented to the user is up to the DNS Provider. However it is recommended
 that these fields be used to augment the display of the serviceName and providerName from the template,
-not replace it.<a href="#section-4.2.4-7" class="pilcrow">¶</a></p>
+not replace it.<a href="#section-7.2.4-7" class="pilcrow">¶</a></p>
 </div>
-<div id="_11caaf55-8f1a-d0f6-efd2-b1b78ecc1006">
-<p id="section-4.2.4-8">Note: When a Service Provider has a large reseller channel, it is highly
+<div id="_b3b0004d-67dc-774c-0549-60c8c6881cea">
+<p id="section-7.2.4-8">Note: When a Service Provider has a large reseller channel, it is highly
 recommended that the Service Provider creates an API for their resellers
 to ease the implementation of Domain Connect. There are elements of convenience in doing
 this around Domain Discovery and URL Formatting. But this would be required
-if the template required signatures.<a href="#section-4.2.4-8" class="pilcrow">¶</a></p>
+if the template required signatures.<a href="#section-7.2.4-8" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 <div id="_verification_of_changes">
-<section id="section-4.2.5">
+<section id="section-7.2.5">
           <h4 id="name-verification-of-changes">
-<a href="#section-4.2.5" class="section-number selfRef">4.2.5. </a><a href="#name-verification-of-changes" class="section-name selfRef">Verification of Changes</a>
+<a href="#section-7.2.5" class="section-number selfRef">7.2.5. </a><a href="#name-verification-of-changes" class="section-name selfRef">Verification of Changes</a>
           </h4>
-<div id="_4a1585c9-b89c-3e97-123a-7a9b57752176">
-<p id="section-4.2.5-1">There are circumstances where the Service Provider may wish to verify
+<div id="_aa0fd61f-5312-881f-ed33-0e1881963d93">
+<p id="section-7.2.5-1">There are circumstances where the Service Provider may wish to verify
 that the template was successfully applied. Without Domain Donnect, this
 typically involved the Service Provider querying DNS to see if the
-changes to DNS had been made.<a href="#section-4.2.5-1" class="pilcrow">¶</a></p>
+changes to DNS had been made.<a href="#section-7.2.5-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_e72d3679-0c65-85ef-89bc-f2dd753d757b">
-<p id="section-4.2.5-2">This same technique works with Domain Connect, and if necessary can be
+<div id="_0205ee00-4da1-2a9a-1551-27de33371bbc">
+<p id="section-7.2.5-2">This same technique works with Domain Connect, and if necessary can be
 triggered either manually on the Service Provider site or automatically
 upon page/window activation in the browser when the browser window for
-the DNS Provider is closed.<a href="#section-4.2.5-2" class="pilcrow">¶</a></p>
+the DNS Provider is closed.<a href="#section-7.2.5-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_80fddc90-0ffc-3a88-d122-6f33e931cc39">
-<p id="section-4.2.5-3">When the redirect_uri is used and an error is not present in the URI,
+<div id="_98a0a766-1076-c6ef-42d6-b299b36a3c64">
+<p id="section-7.2.5-3">When the redirect_uri is used and an error is not present in the URI,
 the Service Provider can not assume the changes were applied to DNS. While true in most
 circumstances, users can tamper with or alter the return
 url in the browser. As such it is recommend that enablement of a service
-be based on verification of changes to DNS.<a href="#section-4.2.5-3" class="pilcrow">¶</a></p>
+be based on verification of changes to DNS.<a href="#section-7.2.5-3" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 </section>
 </div>
 <div id="_asynchronous_flow_oauth">
-<section id="section-4.3">
+<section id="section-7.3">
         <h3 id="name-asynchronous-flow-oauth">
-<a href="#section-4.3" class="section-number selfRef">4.3. </a><a href="#name-asynchronous-flow-oauth" class="section-name selfRef">Asynchronous Flow: OAuth</a>
+<a href="#section-7.3" class="section-number selfRef">7.3. </a><a href="#name-asynchronous-flow-oauth" class="section-name selfRef">Asynchronous Flow: OAuth</a>
         </h3>
-<div id="_af44f74b-17dc-ee33-7d88-1f7e5d14140c">
-<p id="section-4.3-1">Using the OAuth flow is a more advanced use case needed by Service
+<div id="_general_information_2">
+<section id="section-7.3.1">
+          <h4 id="name-general-information-2">
+<a href="#section-7.3.1" class="section-number selfRef">7.3.1. </a><a href="#name-general-information-2" class="section-name selfRef">General information</a>
+          </h4>
+<div id="_698734b8-f258-3237-1039-046accee78e0">
+<p id="section-7.3.1-1">Using the OAuth flow is a more advanced use case needed by Service
 Providers that have more complex configurations that may require
-multiple steps and/or are asynchronous from the user's interaction.<a href="#section-4.3-1" class="pilcrow">¶</a></p>
+multiple steps and/or are asynchronous from the user's interaction.<a href="#section-7.3.1-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_4a62823f-1d3c-81fd-6252-37152fe7379b">
-<p id="section-4.3-2">Details of an OAuth implementation are beyond the scope of this
+<div id="_23aaec6b-0bbb-0f44-be60-46cd42e6460b">
+<p id="section-7.3.1-2">Details of an OAuth implementation are beyond the scope of this
 specification. Instead, an overview of how OAuth is used by Domain
-Connect is given here.<a href="#section-4.3-2" class="pilcrow">¶</a></p>
+Connect is given here.<a href="#section-7.3.1-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_47106dda-5180-7c6e-b6a1-fe96fcef7cd9">
-<p id="section-4.3-3">Not all DNS Providers will support the asyncronous flow. As such it is
+<div id="_ec3fd116-ed47-2cf0-9e1e-e67daca19115">
+<p id="section-7.3.1-3">Not all DNS Providers will support the asyncronous flow. As such it is
 recommended that Service Providers relying on an OAuth implementation also
-implement a synchronous implementation.<a href="#section-4.3-3" class="pilcrow">¶</a></p>
+implement a synchronous implementation.<a href="#section-7.3.1-3" class="pilcrow">¶</a></p>
+</div>
+</section>
 </div>
 <div id="_oauth_flow_setup">
-<section id="section-4.3.1">
+<section id="section-7.3.2">
           <h4 id="name-oauth-flow-setup">
-<a href="#section-4.3.1" class="section-number selfRef">4.3.1. </a><a href="#name-oauth-flow-setup" class="section-name selfRef">OAuth Flow: Setup</a>
+<a href="#section-7.3.2" class="section-number selfRef">7.3.2. </a><a href="#name-oauth-flow-setup" class="section-name selfRef">OAuth Flow: Setup</a>
           </h4>
-<div id="_3d1f3960-0273-a7f8-c58e-80b8c6e49609">
-<p id="section-4.3.1-1">Service providers wishing to use the OAuth flow must register as an
+<div id="_61f3ea9f-6ee4-725c-b9f9-e797d80b5573">
+<p id="section-7.3.2-1">Service providers wishing to use the OAuth flow must register as an
 OAuth client with each DNS provider. This is a manual
-process.<a href="#section-4.3.1-1" class="pilcrow">¶</a></p>
+process.<a href="#section-7.3.2-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_16a127ad-f4ce-0f16-53fd-6f2d5e0e9447">
-<p id="section-4.3.1-2">To register, the Service Provider would provide (in addition to their
+<div id="_46196909-165c-823b-eb30-c8b6f08d1a8b">
+<p id="section-7.3.2-2">To register, the Service Provider would provide (in addition to their
 template) any configuration necessary for the DNS Providers OAuth
 implementation. This includes valid URLs and Domains for redirects upon
-success or errors.<a href="#section-4.3.1-2" class="pilcrow">¶</a></p>
+success or errors.<a href="#section-7.3.2-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_2a24d778-6e53-4acb-208d-4547c93ace33">
-<p id="section-4.3.1-3">Note: The validity of redirects are very important in any OAuth implementation.
+<div id="_821c13f0-f14c-99b4-830b-a6d0838d2929">
+<p id="section-7.3.2-3">Note: The validity of redirects are very important in any OAuth implementation.
 Most OAuth vulnerabilities are a combination of an open redirect and/or a
-compromised secret.<a href="#section-4.3.1-3" class="pilcrow">¶</a></p>
+compromised secret.<a href="#section-7.3.2-3" class="pilcrow">¶</a></p>
 </div>
-<div id="_d0c45268-d316-c04f-e4f4-5bb5c8a7275e">
-<p id="section-4.3.1-4">In return, the DNS provider will give the Service Provider a client id
+<div id="_1b09f5b2-700a-2a59-dbd9-13029d8ff136">
+<p id="section-7.3.2-4">In return, the DNS provider will give the Service Provider a client id
 and a secret which will be used when requesting tokens. For simplicity the client
-id should be the same as the providerId.<a href="#section-4.3.1-4" class="pilcrow">¶</a></p>
+id should be the same as the providerId.<a href="#section-7.3.2-4" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 <div id="_oauth_flow_getting_an_authorization_code">
-<section id="section-4.3.2">
+<section id="section-7.3.3">
           <h4 id="name-oauth-flow-getting-an-autho">
-<a href="#section-4.3.2" class="section-number selfRef">4.3.2. </a><a href="#name-oauth-flow-getting-an-autho" class="section-name selfRef">OAuth Flow: Getting an Authorization Code</a>
+<a href="#section-7.3.3" class="section-number selfRef">7.3.3. </a><a href="#name-oauth-flow-getting-an-autho" class="section-name selfRef">OAuth Flow: Getting an Authorization Code</a>
           </h4>
-<div id="_c6a52787-32c9-fe2c-d8ee-cc9ebdc9dec4">
-<div id="section-4.3.2-1">
-<pre class="sourcecode">GET
+<div id="_7ca559df-0e7f-1b3c-f123-eb974dd1a8fd">
+<div class="sourcecode" id="section-7.3.3-1">
+<pre>GET
 
-{urlAsyncUX}/v2/domainTemplates/providers/{providerId}</pre><a href="#section-4.3.2-1" class="pilcrow">¶</a>
+{urlAsyncUX}/v2/domainTemplates/providers/{providerId}</pre><a href="#section-7.3.3-1" class="pilcrow">¶</a>
 </div>
 </div>
-<div id="_993ba154-5ab1-7344-6489-151820bdb042">
-<p id="section-4.3.2-2">To initiate the OAuth flow the Service Provider first links to the DNS
-Provider to gain consent.<a href="#section-4.3.2-2" class="pilcrow">¶</a></p>
+<div id="_593b6e18-f111-16e2-e497-b06ca8d4dc61">
+<p id="section-7.3.3-2">To initiate the OAuth flow the Service Provider first links to the DNS
+Provider to gain consent.<a href="#section-7.3.3-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_792e167b-e7f4-21a4-3334-23b8df666796">
-<p id="section-4.3.2-3">This endpoint is similar to the synchronous flow described above. The DNS Provider
+<div id="_11a3a361-3ea7-10d4-a18b-b77110c21ead">
+<p id="section-7.3.3-3">This endpoint is similar to the synchronous flow described above. The DNS Provider
 must authenticate the user, verify the user has control of the DNS Zone for the domain, and ask the user for
 permission. Instead of permission to make a change to DNS, the permission
 is now to allow the Service Provider to
 make the changes on their behalf. Similarly the
 DNS Provider may warn the user that (the eventual)
 application of a template might change existing records and/or disrupt
-existing services attached to the domain.<a href="#section-4.3.2-3" class="pilcrow">¶</a></p>
+existing services attached to the domain.<a href="#section-7.3.3-3" class="pilcrow">¶</a></p>
 </div>
-<div id="_a39a475b-0780-ba7f-5556-f05071923641">
-<p id="section-4.3.2-4">While the variables for the applied template would be provided later,
+<div id="_b690b9d2-f0f0-f98b-b60b-5ef8b659f8ad">
+<p id="section-7.3.3-4">While the variables for the applied template would be provided later,
 the values of some variables may be necessary to determine conflicts. As
 such, any variables impacting conflicting records should be provided
 in the consent flow. Today this includes variables in hosts, and
 variables in the data portion for certain TXT records. As conflict
-resolution evolves, this list may grow.<a href="#section-4.3.2-4" class="pilcrow">¶</a></p>
+resolution evolves, this list may grow.<a href="#section-7.3.3-4" class="pilcrow">¶</a></p>
 </div>
-<div id="_94e2e0da-3b4d-bf9d-3ac1-1a0ac2faf561">
-<p id="section-4.3.2-5">The protocol allows for the Service Provider to gain consent to apply
+<div id="_21daee93-928b-9efa-2dbc-749c9d926ebb">
+<p id="section-7.3.3-5">The protocol allows for the Service Provider to gain consent to apply
 multiple templates. These templates are specified in the <strong>scope</strong> parameter. It
 also allows for the Service Provider to gain consent to apply these templates to the domain
 or to the domain with multiple sub-domains. These are specified in the <strong>domain</strong> and <strong>host</strong>
 parameter. If conflict detection is implemented
-by the DNS Provider, they should account for all permutations.<a href="#section-4.3.2-5" class="pilcrow">¶</a></p>
+by the DNS Provider, they should account for all permutations.<a href="#section-7.3.3-5" class="pilcrow">¶</a></p>
 </div>
-<div id="_b31fedc6-ce2d-56b8-fb13-448b7fc7ec6f">
-<p id="section-4.3.2-6">The scope parameter is a space separated list (as per the OAuth protocol)
+<div id="_abcee595-e582-179c-98da-26e3c52f2ba0">
+<p id="section-7.3.3-6">The scope parameter is a space separated list (as per the OAuth protocol)
 of the template serviceIds. The host parameter is an OPTIONAL comma separated
 list of hosts. A blank entry for the host implies the template can be
-applied to the root domain. For example:<a href="#section-4.3.2-6" class="pilcrow">¶</a></p>
+applied to the root domain. For example:<a href="#section-7.3.3-6" class="pilcrow">¶</a></p>
 </div>
-<span id="name-examples-of-scope-and-host-"></span><div id="_c5f8d62d-0c2a-ebba-1a75-4a736c6a3870">
+<span id="name-examples-of-scope-and-host-"></span><div id="_c95bb66b-5c8b-bf8e-d9bf-313cc91305b7">
 <table class="center" id="table-5">
             <caption>
 <a href="#table-5" class="selfRef">Table 5</a>:
@@ -2839,46 +2940,46 @@ <h4 id="name-oauth-flow-getting-an-autho">
             </thead>
             <tbody>
               <tr>
-                <td class="text-left" rowspan="1" colspan="1">scope=t1+t2&amp;domain=example.com</td>
+                <td class="text-left" rowspan="1" colspan="1">scope=t1+t2=example.com</td>
                 <td class="text-left" rowspan="1" colspan="1">Templates "t1" and "t2" can be applied to example.com</td>
               </tr>
               <tr>
-                <td class="text-left" rowspan="1" colspan="1">scope=t1+t2&amp;domain=example.com&amp;host=sub1,sub2</td>
+                <td class="text-left" rowspan="1" colspan="1">scope=t1+t2=example.com=sub1,sub2</td>
                 <td class="text-left" rowspan="1" colspan="1">Templates "t1" and "t2" can be applied to sub1.example.com or sub2.example.com</td>
               </tr>
               <tr>
-                <td class="text-left" rowspan="1" colspan="1">scope=t1+t2&amp;domain=example.com&amp;host=sub1,</td>
+                <td class="text-left" rowspan="1" colspan="1">scope=t1+t2=example.com=sub1,</td>
                 <td class="text-left" rowspan="1" colspan="1">Templates "t1" and "t2" can be applied to example.com or sub1.example.com</td>
               </tr>
             </tbody>
           </table>
 </div>
-<div id="_757e843d-ef5d-6c5b-107c-cec2c5d4879b">
-<p id="section-4.3.2-8">Upon successful authorization/verification/consent from the user, the
+<div id="_60f7a4db-d6eb-7b77-a6a9-cacf58fd3594">
+<p id="section-7.3.3-8">Upon successful authorization/verification/consent from the user, the
 DNS Provider will direct the end user's browser to the redirect URI. The
 authorization code will be appended to this URI as a query parameter of
-"code=" as per the OAuth specification.<a href="#section-4.3.2-8" class="pilcrow">¶</a></p>
+"code=" as per the OAuth specification.<a href="#section-7.3.3-8" class="pilcrow">¶</a></p>
 </div>
-<div id="_3d9540d5-4a66-b534-1f40-a4e30673b27f">
-<p id="section-4.3.2-9">Similar to the synchronous flow, upon error the DNS provider may append
+<div id="_3bebdefc-15a5-497c-83e0-5063a5898d54">
+<p id="section-7.3.3-9">Similar to the synchronous flow, upon error the DNS provider may append
 an error code as query parameter "error". These errors are also from the
-oAuth 2.0 RFC 6749 (4.1.2.1. Error Response - "error" parameter). Valid
+OAuth 2.0 <span>[<a href="#RFC6749" class="cite xref">RFC6749</a>]</span> (4.1.2.1. Error Response - "error" parameter). Valid
 values include: invalid_request, unauthorized_client, access_denied,
 unsupported_response_type, invalid_scope, server_error, and
 temporarilly_unavailable. An OPTIONAL error_description suitable for
 developers may also be returned at the discretion of the DNS Provider.
-The same considerations as in the synchronous flow apply here.<a href="#section-4.3.2-9" class="pilcrow">¶</a></p>
+The same considerations as in the synchronous flow apply here.<a href="#section-7.3.3-9" class="pilcrow">¶</a></p>
 </div>
-<div id="_5a9a6e1d-9592-79ab-943a-fadbf69ce381">
-<p id="section-4.3.2-10">The state value passed into the call must be passed back on the query
-string as "state=".<a href="#section-4.3.2-10" class="pilcrow">¶</a></p>
+<div id="_fd3a53b5-1703-104b-c1ab-cc0a0adf27b4">
+<p id="section-7.3.3-10">The state value passed into the call must be passed back on the query
+string as "state=".<a href="#section-7.3.3-10" class="pilcrow">¶</a></p>
 </div>
-<div id="_515d5100-345e-e5ba-5241-6b9a8b124f11">
-<p id="section-4.3.2-11">The following table describes the values in the query
+<div id="_ad9c2f8c-ee26-9332-1a14-b1a0800a233b">
+<p id="section-7.3.3-11">The following table describes the values in the query
 string parameters for the request for the OAuth consent flow that must be included unless otherwise
-indicated<a href="#section-4.3.2-11" class="pilcrow">¶</a></p>
+indicated<a href="#section-7.3.3-11" class="pilcrow">¶</a></p>
 </div>
-<span id="name-query-parameters-of-the-aut"></span><div id="_264b6454-0ccb-ce9e-d221-d506e608633f">
+<span id="name-query-parameters-of-the-aut"></span><div id="_ad272029-2ff7-327a-2b5f-f176c7cce85d">
 <table class="center" id="table-6">
             <caption>
 <a href="#table-6" class="selfRef">Table 6</a>:
@@ -2897,7 +2998,7 @@ <h4 id="name-oauth-flow-getting-an-autho">
                   <strong>Domain</strong>
 </td>
                 <td class="text-left" rowspan="1" colspan="1">domain</td>
-                <td class="text-left" rowspan="1" colspan="1">The domain name being configured. This is the root domain (the registered domain or delegated zone).</td>
+                <td class="text-left" rowspan="1" colspan="1">(REQUIRED) The domain name being configured. This is the root domain (the registered domain or delegated zone).</td>
               </tr>
               <tr>
                 <td class="text-left" rowspan="1" colspan="1">
@@ -2911,7 +3012,7 @@ <h4 id="name-oauth-flow-getting-an-autho">
                   <strong>Client Id</strong>
 </td>
                 <td class="text-left" rowspan="1" colspan="1">client_id</td>
-                <td class="text-left" rowspan="1" colspan="1">The client id that was provided by the DNS provider to the service provider
+                <td class="text-left" rowspan="1" colspan="1">(REQUIRED) The client id that was provided by the DNS provider to the service provider
 during registration. It is recommended that this should be the same as the providerId in the template.</td>
               </tr>
               <tr>
@@ -2919,7 +3020,7 @@ <h4 id="name-oauth-flow-getting-an-autho">
                   <strong>Redirect URI</strong>
 </td>
                 <td class="text-left" rowspan="1" colspan="1">redirect_uri</td>
-                <td class="text-left" rowspan="1" colspan="1">The location to direct the client's browser upon successful authorization or upon error.
+                <td class="text-left" rowspan="1" colspan="1">(REQUIRED) The location to direct the client's browser upon successful authorization or upon error.
 Validation of the redirect_uri will be done by the DNS Provider to match the values provided during onboarding.</td>
               </tr>
               <tr>
@@ -2935,7 +3036,7 @@ <h4 id="name-oauth-flow-getting-an-autho">
                   <strong>Scope</strong>
 </td>
                 <td class="text-left" rowspan="1" colspan="1">scope</td>
-                <td class="text-left" rowspan="1" colspan="1">The OAuth scope corresponds to the requested templates. This is list of space separated
+                <td class="text-left" rowspan="1" colspan="1">(REQUIRED) The OAuth scope corresponds to the requested templates. This is list of space separated
 serviceIds.</td>
               </tr>
               <tr>
@@ -2965,64 +3066,73 @@ <h4 id="name-oauth-flow-getting-an-autho">
 to pass state value back to the caller. It will be returned as a parameter appended to
 the redirect_url described above.</td>
               </tr>
+              <tr>
+                <td class="text-left" rowspan="1" colspan="1">
+                  <strong>Name/Value Pairs</strong>
+</td>
+                <td class="text-left" rowspan="1" colspan="1">*</td>
+                <td class="text-left" rowspan="1" colspan="1">(OPTIONAL) Any key that will be used as a replacement for the "% surrounded" value(s) in a
+template required for conflict detection. This includes variables used in hosts and
+data in certain TXT records.</td>
+              </tr>
             </tbody>
           </table>
 </div>
 </section>
 </div>
 <div id="_oauth_flow_requesting_an_access_token">
-<section id="section-4.3.3">
+<section id="section-7.3.4">
           <h4 id="name-oauth-flow-requesting-an-ac">
-<a href="#section-4.3.3" class="section-number selfRef">4.3.3. </a><a href="#name-oauth-flow-requesting-an-ac" class="section-name selfRef">oAuth Flow: Requesting an Access Token</a>
+<a href="#section-7.3.4" class="section-number selfRef">7.3.4. </a><a href="#name-oauth-flow-requesting-an-ac" class="section-name selfRef">OAuth Flow: Requesting an Access Token</a>
           </h4>
-<div id="_51452a19-fdfa-54ad-4ea7-0f1cf51bcf73">
-<div id="section-4.3.3-1">
-<pre class="sourcecode">POST
+<div id="_c6909441-f465-228f-5e15-f4d39efd673e">
+<div class="sourcecode" id="section-7.3.4-1">
+<pre>POST
 
-{urlAPI}/v2/oauth/access_token</pre><a href="#section-4.3.3-1" class="pilcrow">¶</a>
+{urlAPI}/v2/oauth/access_token</pre><a href="#section-7.3.4-1" class="pilcrow">¶</a>
 </div>
 </div>
-<div id="_b65aaea8-2741-c151-3c5b-eba959e6ee8a">
-<p id="section-4.3.3-2">Once authorization has been granted, the Service Provider must use the
-Authorization Code provided to request an Access Token. The oAuth
+<div id="_584613a1-8c4e-3d84-f073-0c2166e6c400">
+<p id="section-7.3.4-2">Once authorization has been granted, the Service Provider must use the
+Authorization Code provided to request an Access Token. The OAuth
 specification recommends that the Authorization Code be a short lived
 token, and a reasonable recommended setting is ten minutes. As such this
 exchange needs to be completed before that time has expired or the
-process will need to be repeated.<a href="#section-4.3.3-2" class="pilcrow">¶</a></p>
+process will need to be repeated.<a href="#section-7.3.4-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_e0afecd1-697b-382c-200a-823ea0573b26">
-<p id="section-4.3.3-3">This token exchange is typically done via a server to server API call from the
+<div id="_c2426a1b-f6ab-bd8c-5ca6-de4a6fde5afe">
+<p id="section-7.3.4-3">This token exchange is typically done via a server to server API call from the
 Service Provider to the DNS Provider using a POST. When called in this manner a
 secret is provided
-along with the Authorization Code.<a href="#section-4.3.3-3" class="pilcrow">¶</a></p>
+along with the Authorization Code.<a href="#section-7.3.4-3" class="pilcrow">¶</a></p>
 </div>
-<div id="_f754114d-cabf-a39b-14aa-66d696034e13">
-<p id="section-4.3.3-4">OAuth does allow for retrieving the access token without a secret. This is typically
+<div id="_e1561674-fd29-d6e1-ffaa-50eec639abeb">
+<p id="section-7.3.4-4">OAuth does allow for retrieving the access token without a secret. This is typically
 done when the OAuth client is a client application.
-When onboarding with the DNS Provider this would need to be enabled.<a href="#section-4.3.3-4" class="pilcrow">¶</a></p>
+When onboarding with the DNS Provider this would need to be enabled.<a href="#section-7.3.4-4" class="pilcrow">¶</a></p>
 </div>
-<div id="_15e37249-6284-c424-0542-874f49650836">
-<p id="section-4.3.3-5">When the secret is provided (which is the normal case), care must be taken. A malicious
+<div id="_8beeb69f-8a02-7077-9089-22d56fe987a5">
+<p id="section-7.3.4-5">When the secret is provided (which is the normal case), care must be taken. A malicious
 user could create a domain that returns a false <em>_domainconnect</em> TXT record, and
 subsequently a JSON call to their own server for the API end point. By doing so, they
-could then run Domain Connect on their domain and retrieve the secret.<a href="#section-4.3.3-5" class="pilcrow">¶</a></p>
+could then run Domain Connect on their domain and retrieve the secret.<a href="#section-7.3.4-5" class="pilcrow">¶</a></p>
 </div>
-<div id="_b8c08dbf-6ba9-ca98-4ed5-5b3953eb18b9">
-<p id="section-4.3.3-6">As such the urlAPI used for oAuth by the Service Provider should be maintained per DNS
-Provider and not the value retrieved during discovery.<a href="#section-4.3.3-6" class="pilcrow">¶</a></p>
+<div id="_e10321c9-af14-1e4a-d195-fd4696b82083">
+<p id="section-7.3.4-6">As such the urlAPI used for OAuth by the Service Provider should be maintained per DNS
+Provider and not the value retrieved during discovery.<a href="#section-7.3.4-6" class="pilcrow">¶</a></p>
 </div>
-<div id="_9c2b8c51-1af6-9f7d-9a44-54d8b62fab12">
-<p id="section-4.3.3-7">The following table describes the POST parameters that must be included in the
+<div id="_c0cb3e98-44fe-12d6-8096-f7ef76ca5841">
+<p id="section-7.3.4-7">The following table describes the POST parameters that must be included in the
 request for the access token unless otherwise indicated.
 The parameters should be accepted via the
 query string or the body of the post. This is again particularly
 important for the client_secret, as passing secrets via a query string
-is generally frowned upon given that various systems often log URLs.<a href="#section-4.3.3-7" class="pilcrow">¶</a></p>
+is generally frowned upon given that various systems often log URLs.<a href="#section-7.3.4-7" class="pilcrow">¶</a></p>
 </div>
-<div id="_5638f6fb-7abe-9716-dd3a-60ac5cff9987">
-<p id="section-4.3.3-8">The body of the post is application/json encoded.<a href="#section-4.3.3-8" class="pilcrow">¶</a></p>
+<div id="_65214185-731a-daa6-0b74-80b403426d3a">
+<p id="section-7.3.4-8">The body of the post is application/json encoded.<a href="#section-7.3.4-8" class="pilcrow">¶</a></p>
 </div>
-<span id="name-parameters-of-the-token-end"></span><div id="_5692610c-891e-d6d4-d2b5-37bf56a26ee5">
+<span id="name-parameters-of-the-token-end"></span><div id="_76b39d85-7434-ae59-71e0-0bd0660baa33">
 <table class="center" id="table-7">
             <caption>
 <a href="#table-7" class="selfRef">Table 7</a>:
@@ -3041,7 +3151,7 @@ <h4 id="name-oauth-flow-requesting-an-ac">
                   <strong>Authorization Code/Refresh Code</strong>
 </td>
                 <td class="text-left" rowspan="1" colspan="1">code/refresh_token</td>
-                <td class="text-left" rowspan="1" colspan="1">The authorization code that was
+                <td class="text-left" rowspan="1" colspan="1">(REQUIRED) The authorization code that was
 provided in the previous step when the customer accepted the
 authorization request, or the refresh_token for a subsequent access
 token.</td>
@@ -3051,7 +3161,7 @@ <h4 id="name-oauth-flow-requesting-an-ac">
                   <strong>Redirect URI</strong>
 </td>
                 <td class="text-left" rowspan="1" colspan="1">redirect_uri</td>
-                <td class="text-left" rowspan="1" colspan="1">(OPTIONAL) This is required if a redirect_uri was
+                <td class="text-left" rowspan="1" colspan="1">(OPTIONAL) This is REQUIRED if a redirect_uri was
 passed to request the authorization code. When included, it needs to be
 the same redirect_uri provided in this step.</td>
               </tr>
@@ -3060,14 +3170,14 @@ <h4 id="name-oauth-flow-requesting-an-ac">
                   <strong>Grant type</strong>
 </td>
                 <td class="text-left" rowspan="1" colspan="1">grant_type</td>
-                <td class="text-left" rowspan="1" colspan="1">The type of code in the request. Usually the string 'authorization_code' or 'refresh_token'</td>
+                <td class="text-left" rowspan="1" colspan="1">(REQUIRED) The type of code in the request. Usually the string 'authorization_code' or 'refresh_token'</td>
               </tr>
               <tr>
                 <td class="text-left" rowspan="1" colspan="1">
                   <strong>Client ID</strong>
 </td>
                 <td class="text-left" rowspan="1" colspan="1">client_id</td>
-                <td class="text-left" rowspan="1" colspan="1">This is the client id that was provided by the DNS provider to the Service Provider during
+                <td class="text-left" rowspan="1" colspan="1">(REQUIRED) This is the client id that was provided by the DNS provider to the Service Provider during
 registration</td>
               </tr>
               <tr>
@@ -3075,17 +3185,17 @@ <h4 id="name-oauth-flow-requesting-an-ac">
                   <strong>Client Secret</strong>
 </td>
                 <td class="text-left" rowspan="1" colspan="1">client_secret</td>
-                <td class="text-left" rowspan="1" colspan="1">The secret provided to the Service Provider during registration. Typically required
-unless the rare circumstance with secret-less oAuth.</td>
+                <td class="text-left" rowspan="1" colspan="1">(REQUIRED) The secret provided to the Service Provider during registration. Typically required
+unless the rare circumstance with secret-less OAuth.</td>
               </tr>
             </tbody>
           </table>
 </div>
-<div id="_18ad4e93-5c80-a27e-2f1d-2c4b4a322297">
-<p id="section-4.3.3-10">Upon successful token exchange, the DNS Provider will return a response
-with 4 properties in the body of the response.<a href="#section-4.3.3-10" class="pilcrow">¶</a></p>
+<div id="_19d7f405-5593-e03b-1831-8bd1b148c82d">
+<p id="section-7.3.4-10">Upon successful token exchange, the DNS Provider will return a response
+with 4 properties in the body of the response.<a href="#section-7.3.4-10" class="pilcrow">¶</a></p>
 </div>
-<span id="name-properties-of-the-token-end"></span><div id="_b1b8cb07-3963-8a6f-7c29-a9385da88f80">
+<span id="name-properties-of-the-token-end"></span><div id="_62fa1efb-531b-f226-d8a7-d1c82804e1e3">
 <table class="center" id="table-8">
             <caption>
 <a href="#table-8" class="selfRef">Table 8</a>:
@@ -3125,7 +3235,7 @@ <h4 id="name-oauth-flow-requesting-an-ac">
             </tbody>
           </table>
 </div>
-<span id="name-http-status-codes-of-the-to"></span><div id="_5fdbb0ce-ebf6-e835-c437-11359a6e77bd">
+<span id="name-http-status-codes-of-the-to"></span><div id="_8b000128-6216-8afb-18fb-69fa96ccab39">
 <table class="center" id="table-9">
             <caption>
 <a href="#table-9" class="selfRef">Table 9</a>:
@@ -3160,88 +3270,89 @@ <h4 id="name-oauth-flow-requesting-an-ac">
 </section>
 </div>
 <div id="_oauth_flow_making_requests_with_access_tokens">
-<section id="section-4.3.4">
+<section id="section-7.3.5">
           <h4 id="name-oauth-flow-making-requests-">
-<a href="#section-4.3.4" class="section-number selfRef">4.3.4. </a><a href="#name-oauth-flow-making-requests-" class="section-name selfRef">OAuth Flow: Making Requests with Access Tokens</a>
+<a href="#section-7.3.5" class="section-number selfRef">7.3.5. </a><a href="#name-oauth-flow-making-requests-" class="section-name selfRef">OAuth Flow: Making Requests with Access Tokens</a>
           </h4>
-<div id="_69ae5d9b-fb07-7c2f-91d2-a2261ecf9826">
-<p id="section-4.3.4-1">Once the Service Provider has the access token, they can call the DNS
+<div id="_c5c93815-4045-214b-6663-ec8ac17aa414">
+<p id="section-7.3.5-1">Once the Service Provider has the access token, they can call the DNS
 Provider's API to make changes to DNS on the domain by applying and (OPTIONALLY)
 removing authorized templates. These templates can be applied to the
-root domain or to any sub-domain of the root domain that has been authorized.<a href="#section-4.3.4-1" class="pilcrow">¶</a></p>
+root domain or to any sub-domain of the root domain that has been authorized.<a href="#section-7.3.5-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_60b4eb5a-0e9b-daca-b44e-501ec8d8cff0">
-<p id="section-4.3.4-2">All calls to this API pass the access token in the Authorization Header
+<div id="_273197e2-705d-d434-640e-5971085a4a3b">
+<p id="section-7.3.5-2">All calls to this API pass the access token in the Authorization Header
 of the request to the call to the API. More details can be found in the
-OAuth specifications, but as an example:<a href="#section-4.3.4-2" class="pilcrow">¶</a></p>
+OAuth specifications, but as an example:<a href="#section-7.3.5-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_9418851b-7e97-52b8-2814-3cebe5cbafa0">
-<div id="section-4.3.4-3">
-<pre class="sourcecode">GET /resource/1 HTTP/1.1
+<div id="_6caaba40-82c0-6260-3791-7993a2d7a30c">
+<div class="sourcecode" id="section-7.3.5-3">
+<pre>GET /resource/1 HTTP/1.1
 
 Host: example.com
 
-Authorization: Bearer mF_9.B5f-4.1JqM</pre><a href="#section-4.3.4-3" class="pilcrow">¶</a>
+Authorization: Bearer mF_9.B5f-4.1JqM</pre><a href="#section-7.3.5-3" class="pilcrow">¶</a>
 </div>
 </div>
-<div id="_689068ce-3911-1f8c-0c72-ea8c6d7bc0b7">
-<p id="section-4.3.4-4">While the calls below do not have the same security consideration of
+<div id="_84f91c55-9ffd-00a5-85b4-86e302e6c9af">
+<p id="section-7.3.5-4">While the calls below do not have the same security consideration of
 passing the secret, it is recommend that the urlAPI be from a stored
-value vs. the value returned during discovery here as well.<a href="#section-4.3.4-4" class="pilcrow">¶</a></p>
+value vs. the value returned during discovery here as well.<a href="#section-7.3.5-4" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 <div id="_oauth_flow_apply_template_to_domain">
-<section id="section-4.3.5">
+<section id="section-7.3.6">
           <h4 id="name-oauth-flow-apply-template-t">
-<a href="#section-4.3.5" class="section-number selfRef">4.3.5. </a><a href="#name-oauth-flow-apply-template-t" class="section-name selfRef">OAuth Flow: Apply Template to Domain.</a>
+<a href="#section-7.3.6" class="section-number selfRef">7.3.6. </a><a href="#name-oauth-flow-apply-template-t" class="section-name selfRef">OAuth Flow: Apply Template to Domain.</a>
           </h4>
-<div id="_9e901c1e-9c91-41f9-b664-fdb3a9ce78ea">
-<div id="section-4.3.5-1">
-<pre class="sourcecode">POST
+<div id="_44b6da15-0b75-6d05-0724-3307d7ae7a08">
+<div class="sourcecode" id="section-7.3.6-1">
+<pre>POST
 
-{urlAPI}/v2/domainTemplates/providers/{providerId}/services/{serviceId}/apply?[properties]</pre><a href="#section-4.3.5-1" class="pilcrow">¶</a>
+{urlAPI}/v2/domainTemplates/providers/{providerId}/services
+/{serviceId}/apply?[properties]</pre><a href="#section-7.3.6-1" class="pilcrow">¶</a>
 </div>
 </div>
-<div id="_e5cfcd34-a98e-06ac-5d6f-98f2d6945ccb">
-<p id="section-4.3.5-2">The primary function of the API is to apply a template to a customer
-domain.<a href="#section-4.3.5-2" class="pilcrow">¶</a></p>
+<div id="_8ae8141d-b166-2a71-1a2e-5bfcab2c9c4c">
+<p id="section-7.3.6-2">The primary function of the API is to apply a template to a customer
+domain.<a href="#section-7.3.6-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_dc986a2b-915d-69b2-eb56-68a9923f1597">
-<p id="section-4.3.5-3">While the providerId is implied in the authorization, this is on the
+<div id="_2579abcf-72dd-816a-1bc6-431027d2e4db">
+<p id="section-7.3.6-3">While the providerId is implied in the authorization, this is on the
 path for consistency with the synchronous flows and other APIs. If not
-matching what was authorized, an error must be returned.<a href="#section-4.3.5-3" class="pilcrow">¶</a></p>
+matching what was authorized, an error must be returned.<a href="#section-7.3.6-3" class="pilcrow">¶</a></p>
 </div>
-<div id="_dce4cc11-084c-41ca-e69d-a49596f64f0d">
-<p id="section-4.3.5-4">When applying a template to a domain, it is possible that a conflict may
+<div id="_80f22a24-6b97-8096-46fb-c3f191540f69">
+<p id="section-7.3.6-4">When applying a template to a domain, it is possible that a conflict may
 exist with previous settings. While it is recommended that conflicts be
 detected when the user grants consent, because OAuth is asynchronous it
-is possible that a new conflict was introduced by the user.<a href="#section-4.3.5-4" class="pilcrow">¶</a></p>
+is possible that a new conflict was introduced by the user.<a href="#section-7.3.6-4" class="pilcrow">¶</a></p>
 </div>
-<div id="_8148ce14-9a62-9d40-1ba8-c542c167be2e">
-<p id="section-4.3.5-5">While it is up to the DNS Provider to determine what constitutes a
+<div id="_b6ec7dc5-071a-9261-3d73-4f0d6c462c6c">
+<p id="section-7.3.6-5">While it is up to the DNS Provider to determine what constitutes a
 conflict (see section on Conflicts below), when one is detected calling
 this API must return an error. This error should enumerate the
-conflicting records in a format described below.<a href="#section-4.3.5-5" class="pilcrow">¶</a></p>
+conflicting records in a format described below.<a href="#section-7.3.6-5" class="pilcrow">¶</a></p>
 </div>
-<div id="_458b045c-695d-accf-1e89-9a10912e92cd">
-<p id="section-4.3.5-6">Because the user often isn't present at the time of this error, it is up the
+<div id="_e02c3feb-d4c3-8142-1e0e-20e2bf1c497c">
+<p id="section-7.3.6-6">Because the user often isn't present at the time of this error, it is up the
 Service Provider to determine how to handle this condition. Some providers
 may decide to notify the user. Others may decide to apply their template
 anyway using the "force" parameter. This parameter will bypass error
 checks for conflicts, and after the call the service will be in its
-desired state.<a href="#section-4.3.5-6" class="pilcrow">¶</a></p>
+desired state.<a href="#section-7.3.6-6" class="pilcrow">¶</a></p>
 </div>
-<div id="_c568cdfd-b6db-42b6-c11e-4f06ee6c6ad5">
-<p id="section-4.3.5-7">Calls to apply a template via OAuth require the following parameters
+<div id="_a977a5d9-a657-c06d-5435-36efe19b297e">
+<p id="section-7.3.6-7">Calls to apply a template via OAuth require the following parameters
 posted to the above URL unless otherwise indicated.
 The DNS Provider must accept parameters in query string or body of this
-post.<a href="#section-4.3.5-7" class="pilcrow">¶</a></p>
+post.<a href="#section-7.3.6-7" class="pilcrow">¶</a></p>
 </div>
-<div id="_38d7f344-d70c-f89f-43e2-bc3c1a6644e9">
-<p id="section-4.3.5-8">The body is application/json encoded.<a href="#section-4.3.5-8" class="pilcrow">¶</a></p>
+<div id="_200f5ca9-7f34-6189-9291-7ecd758f56ea">
+<p id="section-7.3.6-8">The body is application/json encoded.<a href="#section-7.3.6-8" class="pilcrow">¶</a></p>
 </div>
-<span id="name-query-parameters-of-the-appl"></span><div id="_babbbfe9-092e-6c92-f606-83e570546817">
+<span id="name-query-parameters-of-the-appl"></span><div id="_538dd35c-0971-5ecd-eea7-29a6021a819e">
 <table class="center" id="table-10">
             <caption>
 <a href="#table-10" class="selfRef">Table 10</a>:
@@ -3260,7 +3371,7 @@ <h4 id="name-oauth-flow-apply-template-t">
                   <strong>Domain</strong>
 </td>
                 <td class="text-left" rowspan="1" colspan="1">domain</td>
-                <td class="text-left" rowspan="1" colspan="1">The root domain name being configured. It must match the domain that was authorized
+                <td class="text-left" rowspan="1" colspan="1">(REQUIRED) The root domain name being configured. It must match the domain that was authorized
 in the token.</td>
               </tr>
               <tr>
@@ -3277,7 +3388,7 @@ <h4 id="name-oauth-flow-apply-template-t">
                   <strong>Name/Value Pairs</strong>
 </td>
                 <td class="text-left" rowspan="1" colspan="1">*</td>
-                <td class="text-left" rowspan="1" colspan="1">Any variable fields consumed by
+                <td class="text-left" rowspan="1" colspan="1">(REQUIRED) Any variable fields consumed by
 this template. The name portion of this API call corresponds to the
 variable(s) specified in the record and the value corresponds to the
 value that must be used when applying the template as per the
@@ -3327,37 +3438,39 @@ <h4 id="name-oauth-flow-apply-template-t">
 </td>
                 <td class="text-left" rowspan="1" colspan="1">instanceId</td>
                 <td class="text-left" rowspan="1" colspan="1">(OPTIONAL) Only applicable to templates supporting multiple instances
-(see <span><a href="#template-definition" class="xref">multiInstance</a> (<a href="#template-definition" class="xref">Section 5.2</a>)</span> template property). Allows for later
+(see <span><a href="#template-definition" class="internal xref">multiInstance</a> (<a href="#template-definition" class="auto internal xref">Section 8.2</a>)</span> template property). Allows for later
 removal of one template instance by DNS Providers storing this information.</td>
               </tr>
             </tbody>
           </table>
 </div>
-<div id="_a8de3da1-a6fe-edb0-be45-a8a0ff1429f8">
-<p id="section-4.3.5-10">An example call is below. In this example, it is contemplated that there
+<div id="_42dbd489-a5a7-db1a-e83e-e9e40f849a3f">
+<p id="section-7.3.6-10">An example call is below. In this example, it is contemplated that there
 are two variables in this template, "IP" and "RANDOMTEXT" which both require
 values. These variables are
-passed as name/value pairs.<a href="#section-4.3.5-10" class="pilcrow">¶</a></p>
+passed as name/value pairs.<a href="#section-7.3.6-10" class="pilcrow">¶</a></p>
 </div>
-<div id="_d66ad56e-23fc-eef2-4523-9f2c57f29eb8">
-<div id="section-4.3.5-11">
-<pre class="sourcecode">POST
+<div id="_03a66551-df62-5041-f977-c31924686596">
+<div class="sourcecode" id="section-7.3.6-11">
+<pre>POST
 
-https://connect.dnsprovider.com/v2/domainTemplates/providers/exampleservice.domainconnect.org/services/template1/apply?IP=192.168.42.42&amp;RANDOMTEXT=shm%3A1542108821%3AHello&amp;force=1</pre><a href="#section-4.3.5-11" class="pilcrow">¶</a>
+https://connect.dnsprovider.example/v2/domainTemplates/providers/
+exampleservice.example/services/template1/apply?IP=192.0.2.42
+&amp;#x26;RANDOMTEXT=shm%3A1542108821%3AHello&amp;#x26;force=1</pre><a href="#section-7.3.6-11" class="pilcrow">¶</a>
 </div>
 </div>
-<div id="_9678e1c0-5df4-6a26-3f0d-3bfc358cdcf7">
-<p id="section-4.3.5-12">The API must validate the access token, and that the domain belongs to
+<div id="_a1b0c7f6-306d-b165-a2ff-8a679ca1aae7">
+<p id="section-7.3.6-12">The API must validate the access token, and that the domain belongs to
 the customer and is represented by the token being presented. Any errors
 with variables, conflicting templates, or problems with the state of the
-domain are returned; otherwise the template is applied.<a href="#section-4.3.5-12" class="pilcrow">¶</a></p>
+domain are returned; otherwise the template is applied.<a href="#section-7.3.6-12" class="pilcrow">¶</a></p>
 </div>
-<div id="_677ce658-e301-d5b0-dcef-db9255b4beea">
-<p id="section-4.3.5-13">Results of this call can include information indicating success or an
+<div id="_bf1bf9dc-f597-d3a6-726e-d897eab0e13a">
+<p id="section-7.3.6-13">Results of this call can include information indicating success or an
 error. Errors will be 400 status codes, with the following codes
-defined.<a href="#section-4.3.5-13" class="pilcrow">¶</a></p>
+defined.<a href="#section-7.3.6-13" class="pilcrow">¶</a></p>
 </div>
-<span id="name-http-status-codes-of-the-ap"></span><div id="_820b85c4-3f4c-a626-4843-6b3ef4cc69d1">
+<span id="name-http-status-codes-of-the-ap"></span><div id="_0ffab5e3-cc09-2aa1-7883-d6ae21cfa403">
 <table class="center" id="table-11">
             <caption>
 <a href="#table-11" class="selfRef">Table 11</a>:
@@ -3419,18 +3532,18 @@ <h4 id="name-oauth-flow-apply-template-t">
             </tbody>
           </table>
 </div>
-<div id="_1225671e-0a7e-f20f-4930-6c9207da874d">
-<p id="section-4.3.5-15">When a 409 is returned, the body of the response should contain details of
+<div id="_3720da50-401f-682d-c252-683625be85ac">
+<p id="section-7.3.6-15">When a 409 is returned, the body of the response should contain details of
 the conflicting records. This should be JSON containing the error code, a message
 suitable for developers, and an array of tuples containing the
-conflicting records type, host, and data element.<a href="#section-4.3.5-15" class="pilcrow">¶</a></p>
+conflicting records type, host, and data element.<a href="#section-7.3.6-15" class="pilcrow">¶</a></p>
 </div>
-<div id="_1e14ebc8-f70a-385f-2a36-78edc0c9dc48">
-<p id="section-4.3.5-16">As an example:<a href="#section-4.3.5-16" class="pilcrow">¶</a></p>
+<div id="_19d2c60d-0baf-40ba-717c-2f9896175a60">
+<p id="section-7.3.6-16">As an example:<a href="#section-7.3.6-16" class="pilcrow">¶</a></p>
 </div>
-<div id="_1caee516-e51f-700f-d303-f16d2f9ee8d5">
-<div id="section-4.3.5-17">
-<pre class="lang-json sourcecode">{
+<div id="_91c313ce-a803-e36c-e03c-ddac8cfa9191">
+<div class="lang-json sourcecode" id="section-7.3.6-17">
+<pre>{
     "code": "409",
     "message": "Conflicting records",
     "records": [
@@ -3445,59 +3558,61 @@ <h4 id="name-oauth-flow-apply-template-t">
             "data": "random ip"
         }
     ]
-}</pre><a href="#section-4.3.5-17" class="pilcrow">¶</a>
+}</pre><a href="#section-7.3.6-17" class="pilcrow">¶</a>
 </div>
 </div>
-<div id="_0117a093-e852-7de7-5b7f-dae45e27ea66">
-<p id="section-4.3.5-18">In this example, the Service Provider tried to apply a new hosting
-template. The domain had an existing service applied for hosting.<a href="#section-4.3.5-18" class="pilcrow">¶</a></p>
+<div id="_11fa147a-3ed3-5643-2cbf-3eecb4fda671">
+<p id="section-7.3.6-18">In this example, the Service Provider tried to apply a new hosting
+template. The domain had an existing service applied for hosting.<a href="#section-7.3.6-18" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 <div id="_oauth_flow_revert_template">
-<section id="section-4.3.6">
+<section id="section-7.3.7">
           <h4 id="name-oauth-flow-revert-template">
-<a href="#section-4.3.6" class="section-number selfRef">4.3.6. </a><a href="#name-oauth-flow-revert-template" class="section-name selfRef">OAuth Flow: Revert Template</a>
+<a href="#section-7.3.7" class="section-number selfRef">7.3.7. </a><a href="#name-oauth-flow-revert-template" class="section-name selfRef">OAuth Flow: Revert Template</a>
           </h4>
-<div id="_43ae96a1-0907-1c17-cdfb-15ea03527a0c">
-<p id="section-4.3.6-1">This call reverts the application of a specific template from a domain.<a href="#section-4.3.6-1" class="pilcrow">¶</a></p>
+<div id="_46bdf902-f34d-29a0-f354-f92def61e1b6">
+<p id="section-7.3.7-1">This call reverts the application of a specific template from a domain.<a href="#section-7.3.7-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_8b4ee1b2-bfe5-6daf-8d08-6a070069e7a4">
-<p id="section-4.3.6-2">Implementation of this call is OPTIONAL. If not supported a 501 MUST be returned.<a href="#section-4.3.6-2" class="pilcrow">¶</a></p>
+<div id="_f6b895bc-090e-4153-7330-38669c40d319">
+<p id="section-7.3.7-2">Implementation of this call is OPTIONAL. If not supported a 501 MUST be returned.<a href="#section-7.3.7-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_935f5c37-977c-0434-19c3-e3e85e487b60">
-<div id="section-4.3.6-3">
-<pre class="sourcecode">POST
+<div id="_cbd636e1-ffdc-c1ef-2eb7-047d939b87ea">
+<div class="sourcecode" id="section-7.3.7-3">
+<pre>POST
 
-{urlAPI}/v2/domainTemplates/providers/{providerId}/services/{serviceId}/revert?domain={domain}&amp;host={host}</pre><a href="#section-4.3.6-3" class="pilcrow">¶</a>
+{urlAPI}/v2/domainTemplates/providers/{providerId}/services
+/{serviceId}/revert?domain={domain}&amp;host={host}</pre><a href="#section-7.3.7-3" class="pilcrow">¶</a>
 </div>
 </div>
-<div id="_5aba34b2-9e23-931c-1d18-64aa2516b6ae">
-<p id="section-4.3.6-4">This API allows the removal of a template from a customer domain/host
-using an OAuth request.<a href="#section-4.3.6-4" class="pilcrow">¶</a></p>
+<div id="_36273a0d-f6b8-5c9e-30d2-d4f7a097cd22">
+<p id="section-7.3.7-4">This API allows the removal of a template from a customer domain/host
+using an OAuth request.<a href="#section-7.3.7-4" class="pilcrow">¶</a></p>
 </div>
-<div id="_2b81ca93-e6b8-5ca9-af64-fd130b75138b">
-<p id="section-4.3.6-5">The provider and service name in the URL must match the values provided during authorization.<a href="#section-4.3.6-5" class="pilcrow">¶</a></p>
+<div id="_fb6e9ba3-ead5-69d4-17b9-747d66fe0c58">
+<p id="section-7.3.7-5">The provider and service name in the URL must match the values provided during authorization.<a href="#section-7.3.7-5" class="pilcrow">¶</a></p>
 </div>
-<div id="_05528a7f-0830-c7fe-f59f-61d2fef1d8d3">
-<p id="section-4.3.6-6">This call must validate that the template exists and has been
+<div id="_278e209f-dd7a-cd58-a1b5-15a5f3800df9">
+<p id="section-7.3.7-6">This call must validate that the template exists and has been
 applied to the domain by the Service Provider, or a warning must be
-returned that the call would have no effect.<a href="#section-4.3.6-6" class="pilcrow">¶</a></p>
+returned that the call would have no effect.<a href="#section-7.3.7-6" class="pilcrow">¶</a></p>
 </div>
-<div id="_a561fa35-19e7-9730-9ed6-992db5c04ca0">
-<p id="section-4.3.6-7">An example query string might look like:<a href="#section-4.3.6-7" class="pilcrow">¶</a></p>
+<div id="_79dc2b07-cb4d-557a-24c9-fe49e3473f0e">
+<p id="section-7.3.7-7">An example query string might look like:<a href="#section-7.3.7-7" class="pilcrow">¶</a></p>
 </div>
-<div id="_c09b981e-8cb1-6ed3-c2f9-273da7ecff2a">
-<div id="section-4.3.6-8">
-<pre class="sourcecode">POST
+<div id="_6c21fc60-4382-b2dd-6f95-f038e325acfe">
+<div class="sourcecode" id="section-7.3.7-8">
+<pre>POST
 
-https://connect.dnsprovider.com/v2/domainTemplates/providers/exampleservice.domainconnect.org/services/template1/revert?domain=example.com</pre><a href="#section-4.3.6-8" class="pilcrow">¶</a>
+https://connect.dnsprovider.example/v2/domainTemplates/providers
+/exampleservice.example/services/template1/revert?domain=example.com</pre><a href="#section-7.3.7-8" class="pilcrow">¶</a>
 </div>
 </div>
-<div id="_4d16fabe-8f07-9607-e29f-c54c79483178">
-<p id="section-4.3.6-9">Allowed parameters:<a href="#section-4.3.6-9" class="pilcrow">¶</a></p>
+<div id="_56cfdf56-d98b-8438-0646-5bac0a67b6fe">
+<p id="section-7.3.7-9">Allowed parameters:<a href="#section-7.3.7-9" class="pilcrow">¶</a></p>
 </div>
-<span id="name-query-parameters-of-the-rev"></span><div id="_7152cdea-d3b3-62c1-3ff4-c78d7d0c2ddc">
+<span id="name-query-parameters-of-the-rev"></span><div id="_4b2d0705-539a-bdb5-341c-39aca795ef38">
 <table class="center" id="table-12">
             <caption>
 <a href="#table-12" class="selfRef">Table 12</a>:
@@ -3516,7 +3631,7 @@ <h4 id="name-oauth-flow-revert-template">
                   <strong>Domain</strong>
 </td>
                 <td class="text-left" rowspan="1" colspan="1">domain</td>
-                <td class="text-left" rowspan="1" colspan="1">The root domain name being configured. It
+                <td class="text-left" rowspan="1" colspan="1">(REQUIRED) The root domain name being configured. It
 must match the domain that was authorized in the token.</td>
               </tr>
               <tr>
@@ -3524,7 +3639,7 @@ <h4 id="name-oauth-flow-revert-template">
                   <strong>Host</strong>
 </td>
                 <td class="text-left" rowspan="1" colspan="1">host</td>
-                <td class="text-left" rowspan="1" colspan="1">The host name of the sub domain of the root domain that was authorized in the token.
+                <td class="text-left" rowspan="1" colspan="1">(OPTIONAL) The host name of the sub domain of the root domain that was authorized in the token.
 If omitted or left blank, the template is being applied to the root
 domain.</td>
               </tr>
@@ -3534,31 +3649,31 @@ <h4 id="name-oauth-flow-revert-template">
 </td>
                 <td class="text-left" rowspan="1" colspan="1">instanceId</td>
                 <td class="text-left" rowspan="1" colspan="1">(OPTIONAL) Only applicable to templates supporting multiple instances
-(see <span><a href="#template-definition" class="xref">multiInstance</a> (<a href="#template-definition" class="xref">Section 5.2</a>)</span> template property). For DNS Provider
+(see <span><a href="#template-definition" class="internal xref">multiInstance</a> (<a href="#template-definition" class="auto internal xref">Section 8.2</a>)</span> template property). For DNS Provider
 storing information about applied templates allows removal of single instance
 of template. If missing all instances of template should be removed.</td>
               </tr>
             </tbody>
           </table>
 </div>
-<div id="_1ef131f0-a47c-e84c-112a-e447f7f12bdf">
-<p id="section-4.3.6-11">The DNS Provider should be able to accept these on the query string or in the body of the POST with <code>application/json</code> encoding.<a href="#section-4.3.6-11" class="pilcrow">¶</a></p>
+<div id="_19cb2091-9fea-5737-1a7c-faede947d375">
+<p id="section-7.3.7-11">The DNS Provider should be able to accept these on the query string or in the body of the POST with <code>application/json</code> encoding.<a href="#section-7.3.7-11" class="pilcrow">¶</a></p>
 </div>
-<div id="_97fe1c40-b5a8-f8eb-f8e1-8974e2c06398">
-<p id="section-4.3.6-12">Response codes Success, Authorization, and Errors are identical to
-above with the addition of the 501 code.<a href="#section-4.3.6-12" class="pilcrow">¶</a></p>
+<div id="_90bfa03e-6323-dce8-7fe4-e3a30f815b3a">
+<p id="section-7.3.7-12">Response codes Success, Authorization, and Errors are identical to
+above with the addition of the 501 code.<a href="#section-7.3.7-12" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 <div id="_oauth_flow_revoking_access">
-<section id="section-4.3.7">
+<section id="section-7.3.8">
           <h4 id="name-oauth-flow-revoking-access">
-<a href="#section-4.3.7" class="section-number selfRef">4.3.7. </a><a href="#name-oauth-flow-revoking-access" class="section-name selfRef">OAuth Flow: Revoking access</a>
+<a href="#section-7.3.8" class="section-number selfRef">7.3.8. </a><a href="#name-oauth-flow-revoking-access" class="section-name selfRef">OAuth Flow: Revoking access</a>
           </h4>
-<div id="_825cf0f5-c6a5-1c83-89a7-35fa99bdc602">
-<p id="section-4.3.7-1">Like all oAuth flows, the user may revoke the access at any time using
+<div id="_c9e4ba28-7f97-deaf-33d5-d429840e87b0">
+<p id="section-7.3.8-1">Like all OAuth flows, the user may revoke the access at any time using
 UX at the DNS Provider site. As such the Service Provider needs to be
-aware that their access to the API may be denied.<a href="#section-4.3.7-1" class="pilcrow">¶</a></p>
+aware that their access to the API may be denied.<a href="#section-7.3.8-1" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
@@ -3567,38 +3682,38 @@ <h4 id="name-oauth-flow-revoking-access">
 </section>
 </div>
 <div id="_domain_connect_objects_and_templates">
-<section id="section-5">
+<section id="section-8">
       <h2 id="name-domain-connect-objects-and-">
-<a href="#section-5" class="section-number selfRef">5. </a><a href="#name-domain-connect-objects-and-" class="section-name selfRef">Domain Connect Objects and Templates</a>
+<a href="#section-8" class="section-number selfRef">8. </a><a href="#name-domain-connect-objects-and-" class="section-name selfRef">Domain Connect Objects and Templates</a>
       </h2>
 <div id="_template_versioning">
-<section id="section-5.1">
+<section id="section-8.1">
         <h3 id="name-template-versioning">
-<a href="#section-5.1" class="section-number selfRef">5.1. </a><a href="#name-template-versioning" class="section-name selfRef">Template Versioning</a>
+<a href="#section-8.1" class="section-number selfRef">8.1. </a><a href="#name-template-versioning" class="section-name selfRef">Template Versioning</a>
         </h3>
-<div id="_9d9e2c11-e7b8-f84a-9534-4c770c5babfd">
-<p id="section-5.1-1">If a breaking change is made to a template it is recommended that a new template be created. While on the surface versioning looks appealing, in reality this is rarely needed.<a href="#section-5.1-1" class="pilcrow">¶</a></p>
+<div id="_e9fffcaf-adc4-6a65-3c34-91a9540a1610">
+<p id="section-8.1-1">If a breaking change is made to a template it is recommended that a new template be created. While on the surface versioning looks appealing, in reality this is rarely needed.<a href="#section-8.1-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_39331568-f4fe-f9fd-a11f-50e4ff28bb79">
-<p id="section-5.1-2">Any changes to the template need to account for existing customers with settings in DNS, some applied through Domain Connect and some manual. So when changes are made, they are often backward compatible.<a href="#section-5.1-2" class="pilcrow">¶</a></p>
+<div id="_e25810e2-ea69-54ef-fc06-063ed3aed474">
+<p id="section-8.1-2">Any changes to the template need to account for existing customers with settings in DNS, some applied through Domain Connect and some manual. So when changes are made, they are often backward compatible.<a href="#section-8.1-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_78b7d1c2-7605-1075-169b-f3bc5796e27e">
-<p id="section-5.1-3">Note that when a template changes, it does need to be on-boarded with the DNS Providers.<a href="#section-5.1-3" class="pilcrow">¶</a></p>
+<div id="_e4a2af8e-258a-2af0-da2b-ea6e29816c1b">
+<p id="section-8.1-3">Note that when a template changes, it does need to be on-boarded with the DNS Providers.<a href="#section-8.1-3" class="pilcrow">¶</a></p>
 </div>
-<div id="_8363e49c-a0b3-2aed-c4ef-89bc885dd566">
-<p id="section-5.1-4">The <span><a href="#template-definition" class="xref">version field</a> (<a href="#template-definition" class="xref">Section 5.2</a>)</span> of the template definition serves the purpose of transparency between the DNS Provider and the Service Provider in case of such changes.<a href="#section-5.1-4" class="pilcrow">¶</a></p>
+<div id="_930fc0ea-590e-390b-61dc-d72db7d60cf8">
+<p id="section-8.1-4">The <span><a href="#template-definition" class="internal xref">version field</a> (<a href="#template-definition" class="auto internal xref">Section 8.2</a>)</span> of the template definition serves the purpose of transparency between the DNS Provider and the Service Provider in case of such changes.<a href="#section-8.1-4" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 <div id="template-definition">
-<section id="section-5.2">
+<section id="section-8.2">
         <h3 id="name-template-definition">
-<a href="#section-5.2" class="section-number selfRef">5.2. </a><a href="#name-template-definition" class="section-name selfRef">Template Definition</a>
+<a href="#section-8.2" class="section-number selfRef">8.2. </a><a href="#name-template-definition" class="section-name selfRef">Template Definition</a>
         </h3>
-<div id="_a1396700-f639-f74b-575b-c32ea6a407c7">
-<p id="section-5.2-1">A template is defined as a standard JSON data structure containing the following data. Fields are required unless otherwise indicated.<a href="#section-5.2-1" class="pilcrow">¶</a></p>
+<div id="_24a86343-5f6c-9d9c-1d2e-6a4cd7ad5f68">
+<p id="section-8.2-1">A template is defined as a standard JSON data structure containing the following data. Fields are required unless otherwise indicated.<a href="#section-8.2-1" class="pilcrow">¶</a></p>
 </div>
-<span id="name-properties-of-the-template-"></span><div id="_6d32540c-dbab-f149-65b4-9244b75ec5ee">
+<span id="name-properties-of-the-template-"></span><div id="_bb193fc9-46d2-9e7e-4c1e-f1e70224f978">
 <table class="center" id="table-13">
           <caption>
 <a href="#table-13" class="selfRef">Table 13</a>:
@@ -3619,7 +3734,7 @@ <h3 id="name-template-definition">
 </td>
               <td class="text-left" rowspan="1" colspan="1">String</td>
               <td class="text-left" rowspan="1" colspan="1">providerId</td>
-              <td class="text-left" rowspan="1" colspan="1">The unique identifier of the Service Provider that created this template. This is used in the URLs to identify the Service Provider. To ensure non-coordinated uniqueness, this should be the domain name of the Service Provider (e.g. exampleservice.domainconnect.org).</td>
+              <td class="text-left" rowspan="1" colspan="1">(REQUIRED) The unique identifier of the Service Provider that created this template. This is used in the URLs to identify the Service Provider. To ensure non-coordinated uniqueness, this should be the domain name of the Service Provider (e.g. exampleservice.example).</td>
             </tr>
             <tr>
               <td class="text-left" rowspan="1" colspan="1">
@@ -3627,7 +3742,7 @@ <h3 id="name-template-definition">
 </td>
               <td class="text-left" rowspan="1" colspan="1">String</td>
               <td class="text-left" rowspan="1" colspan="1">providerName</td>
-              <td class="text-left" rowspan="1" colspan="1">The name of the Service Provider suitable for display. This may be displayed to the user on the DNS Provider consent UX.</td>
+              <td class="text-left" rowspan="1" colspan="1">(REQUIRED) The name of the Service Provider suitable for display. This may be displayed to the user on the DNS Provider consent UX.</td>
             </tr>
             <tr>
               <td class="text-left" rowspan="1" colspan="1">
@@ -3635,8 +3750,8 @@ <h3 id="name-template-definition">
 </td>
               <td class="text-left" rowspan="1" colspan="1">String</td>
               <td class="text-left" rowspan="1" colspan="1">serviceId</td>
-              <td class="text-left" rowspan="1" colspan="1">The name or identifier of the template.
-This is used in URLs to identify the template. It is also used in the scope parameter for oAuth. It must not contain space characters, and must be URL friendly.</td>
+              <td class="text-left" rowspan="1" colspan="1">(REQUIRED) The name or identifier of the template.
+This is used in URLs to identify the template. It is also used in the scope parameter for OAuth. It must not contain space characters, and must be URL friendly.</td>
             </tr>
             <tr>
               <td class="text-left" rowspan="1" colspan="1">
@@ -3644,7 +3759,7 @@ <h3 id="name-template-definition">
 </td>
               <td class="text-left" rowspan="1" colspan="1">String</td>
               <td class="text-left" rowspan="1" colspan="1">serviceName</td>
-              <td class="text-left" rowspan="1" colspan="1">The name of the service suitable for display to the user. This may be displayed to the user on the DNS Provider consent UX.</td>
+              <td class="text-left" rowspan="1" colspan="1">(REQUIRED) The name of the service suitable for display to the user. This may be displayed to the user on the DNS Provider consent UX.</td>
             </tr>
             <tr>
               <td class="text-left" rowspan="1" colspan="1">
@@ -3769,7 +3884,7 @@ <h3 id="name-template-definition">
 </td>
               <td class="text-left" rowspan="1" colspan="1">Array of Template Records</td>
               <td class="text-left" rowspan="1" colspan="1">records</td>
-              <td class="text-left" rowspan="1" colspan="1">A list of records for the template.</td>
+              <td class="text-left" rowspan="1" colspan="1">(REQUIRED) A list of records for the template.</td>
             </tr>
           </tbody>
         </table>
@@ -3777,66 +3892,66 @@ <h3 id="name-template-definition">
 </section>
 </div>
 <div id="template-record">
-<section id="section-5.3">
+<section id="section-8.3">
         <h3 id="name-template-record">
-<a href="#section-5.3" class="section-number selfRef">5.3. </a><a href="#name-template-record" class="section-name selfRef">Template Record</a>
+<a href="#section-8.3" class="section-number selfRef">8.3. </a><a href="#name-template-record" class="section-name selfRef">Template Record</a>
         </h3>
-<div id="_525c48a7-743b-fd11-63b4-e79e9e2770db">
-<p id="section-5.3-1">Each template record is an entry that contains a type and several
-other values depending on the type.<a href="#section-5.3-1" class="pilcrow">¶</a></p>
+<div id="_a042d8bf-9c7f-0787-a102-3ba7c2b0c3e5">
+<p id="section-8.3-1">Each template record is an entry that contains a type and several
+other values depending on the type.<a href="#section-8.3-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_89cff121-c267-1b9e-1931-835ecd4409ed">
-<p id="section-5.3-2">Many of these values can contain variables. There are three built in variables.<a href="#section-5.3-2" class="pilcrow">¶</a></p>
+<div id="_cc24645b-bdea-48de-3432-dc726a04ec71">
+<p id="section-8.3-2">Many of these values can contain variables. There are three built in variables.<a href="#section-8.3-2" class="pilcrow">¶</a></p>
 </div>
 <ul class="normal">
-<li class="normal" id="section-5.3-3.1">%host%: This is the host passed from the query string<a href="#section-5.3-3.1" class="pilcrow">¶</a>
+<li class="normal" id="section-8.3-3.1">%host%: This is the host passed from the query string<a href="#section-8.3-3.1" class="pilcrow">¶</a>
 </li>
-          <li class="normal" id="section-5.3-3.2">%domain%: This is the domain passed from the query string<a href="#section-5.3-3.2" class="pilcrow">¶</a>
+          <li class="normal" id="section-8.3-3.2">%domain%: This is the domain passed from the query string<a href="#section-8.3-3.2" class="pilcrow">¶</a>
 </li>
-          <li class="normal" id="section-5.3-3.3">%fqdn%: This is the fully qualified domain name e.g. [host.]domain<a href="#section-5.3-3.3" class="pilcrow">¶</a>
+          <li class="normal" id="section-8.3-3.3">%fqdn%: This is the fully qualified domain name e.g. [host.]domain<a href="#section-8.3-3.3" class="pilcrow">¶</a>
 </li>
         </ul>
-<div id="_6002a529-8e38-6d1d-5df0-d9a26bb6cdc2">
-<p id="section-5.3-4">The @ symbol has special meaning, and can be used in the host/name field or in
-the pointsTo/data field in isolation.<a href="#section-5.3-4" class="pilcrow">¶</a></p>
+<div id="_8ea1d6b4-2fe4-55e7-ab1b-9bb8a1f026af">
+<p id="section-8.3-4">The @ symbol has special meaning, and can be used in the host/name field or in
+the pointsTo/data field in isolation.<a href="#section-8.3-4" class="pilcrow">¶</a></p>
 </div>
-<div id="_afa1045c-62b9-1b7c-e352-e2162bf99ab4">
-<p id="section-5.3-5">For the host/name field it is a shortcut for the value "%fqdn%.". When applying the
+<div id="_9e825a73-4c48-7069-68ab-d6960b0a5385">
+<p id="section-8.3-5">For the host/name field it is a shortcut for the value "%fqdn%.". When applying the
 template to a domain only, it represents "example.com.". When applying with a sub-domain
-(host) it represents "subdomain.example.com.".<a href="#section-5.3-5" class="pilcrow">¶</a></p>
+(host) it represents "subdomain.example.com.".<a href="#section-8.3-5" class="pilcrow">¶</a></p>
 </div>
-<div id="_d447cf2e-b595-bf3f-79fc-1a5e2c802dae">
-<p id="section-5.3-6">Note: The trailing dot here is similar to the bind protocol, which indicates the value
-is absolute. Without the trailing ".", the value in this field is relative to the [host.]domain.com
-value.<a href="#section-5.3-6" class="pilcrow">¶</a></p>
+<div id="_681394e1-84ec-aa31-aa33-cd2698b5b75d">
+<p id="section-8.3-6">Note: The trailing dot here is similar to the bind notation, which indicates the value
+is absolute. Without the trailing ".", the value in this field is relative to the [host.]example.com
+value.<a href="#section-8.3-6" class="pilcrow">¶</a></p>
 </div>
-<div id="_98119cae-2fbc-bb2f-227f-5d199e4209a9">
-<p id="section-5.3-7">For the pointsTo/data field it is a shortcut for for the "%fqdn%". When appling
+<div id="_d193214c-546f-0df7-fe84-8d7a8096d05a">
+<p id="section-8.3-7">For the pointsTo/data field it is a shortcut for for the "%fqdn%". When appling
 the template to a domain only, it represents "example.com". When applying with a sub-
-domain (host) it represents "subdomain.example.com".<a href="#section-5.3-7" class="pilcrow">¶</a></p>
+domain (host) it represents "subdomain.example.com".<a href="#section-8.3-7" class="pilcrow">¶</a></p>
 </div>
-<div id="_a7e8296d-faaf-df7a-ad97-c0acc5e2cfaf">
-<p id="section-5.3-8">Note: The pointsTo and data files are always absolute for these fields.<a href="#section-5.3-8" class="pilcrow">¶</a></p>
+<div id="_e0932740-0d3b-299c-d686-c233cbbf1e83">
+<p id="section-8.3-8">Note: The pointsTo and data files are always absolute for these fields.<a href="#section-8.3-8" class="pilcrow">¶</a></p>
 </div>
-<div id="_b4dc646e-77cf-7668-5847-73ea9955f0e8">
-<p id="section-5.3-9">It is noted that as a best practice the variable portions should be constrained
-to as small as possible a portion of the resulting DNS record.<a href="#section-5.3-9" class="pilcrow">¶</a></p>
+<div id="_9ff687a1-cbf3-f046-12ca-5a141836d193">
+<p id="section-8.3-9">It is noted that as a best practice the variable portions should be constrained
+to as small as possible a portion of the resulting DNS record.<a href="#section-8.3-9" class="pilcrow">¶</a></p>
 </div>
-<div id="_099a46c1-fbd9-7c7d-5ec4-c4c7c0f86a88">
-<p id="section-5.3-10">For example, say a Service Provider requires a CNAME of one of three
+<div id="_fa4e0f8e-3e55-6c71-dcae-890f1498a210">
+<p id="section-8.3-10">For example, say a Service Provider requires a CNAME of one of three
 values for their users: s01.example.com, s02.example.com, and
-s03.example.com.<a href="#section-5.3-10" class="pilcrow">¶</a></p>
+s03.example.com.<a href="#section-8.3-10" class="pilcrow">¶</a></p>
 </div>
-<div id="_15c1ac41-1dce-ba3e-0e79-28e7fefb5d30">
-<p id="section-5.3-11">The value in the template could simply contain %servercluster%, and the
+<div id="_b0aff594-e277-bd78-211b-d396c35e4901">
+<p id="section-8.3-11">The value in the template could simply contain %servercluster%, and the
 fully qualified string passed in. Alternatively, the value in the
 template could contain %var%.example.com and a value of 01, 02, or 03 passed in.
-By placing more fixed data into the template, the template is more secure.<a href="#section-5.3-11" class="pilcrow">¶</a></p>
+By placing more fixed data into the template, the template is more secure.<a href="#section-8.3-11" class="pilcrow">¶</a></p>
 </div>
-<div id="_ff29cd53-3690-507d-792e-68d29c09f000">
-<p id="section-5.3-12">Each record will contain the following elements.<a href="#section-5.3-12" class="pilcrow">¶</a></p>
+<div id="_aca6c47f-0156-8370-111b-4a8b78205726">
+<p id="section-8.3-12">Each record will contain the following elements.<a href="#section-8.3-12" class="pilcrow">¶</a></p>
 </div>
-<span id="name-properties-of-the-template-r"></span><div id="_ad09fab9-9924-1980-9142-7851c075705a">
+<span id="name-properties-of-the-template-r"></span><div id="_88cf7168-1e3b-7b96-8a3e-a12d62475b12">
 <table class="center" id="table-14">
           <caption>
 <a href="#table-14" class="selfRef">Table 14</a>:
@@ -3857,27 +3972,20 @@ <h3 id="name-template-record">
 </td>
               <td class="text-left" rowspan="1" colspan="1">enum</td>
               <td class="text-left" rowspan="1" colspan="1">type</td>
-              <td class="text-left" rowspan="1" colspan="1">Describes the type of record in DNS, or the operation impacting DNS.
-
-Valid values include: A, AAAA, CNAME, MX, TXT, SRV, or SPFM
-
-For each type, additional fields would be required.
-
-A: host, pointsTo, TTL
-
-AAAA: host, pointsTo, TTL
-
-CNAME: host, pointsTo, TTL (host must not be null or @)
-
-NS: host, pointsTo, TTL (host must not be null or @)
+              <td class="text-left" rowspan="1" colspan="1">(REQUIRED) Describes the type of record in DNS, or the operation impacting DNS.<br>
 
-TXT: host, data, TTL, txtConflictMatchingMode, txtConflictMatchingPrefix
+Valid values include: A, AAAA, CNAME, MX, TXT, SRV, or SPFM<br>
 
-MX: host, pointsTo, TTL, priority
-
-SRV: name, target, TTL, priority, protocol, service, weight, port
-
-SPFM: host, spfRules</td>
+For each type, additional fields would be REQUIRED.<br>
+* A: host, pointsTo, TTL<br>
+* AAAA: host, pointsTo, TTL<br>
+* CNAME: host, pointsTo, TTL (host must not be null or @ unless <code>hostRequired</code> is defined <code>true</code> for the template)<br>
+* NS: host, pointsTo, TTL (host must not be null or @ unless <code>hostRequired</code> is defined <code>true</code> for the template)<br>
+* TXT: host, data, TTL, txtConflict-MatchingMode, txtConflict-MatchingPrefix<br>
+* MX: host, pointsTo, TTL, priority<br>
+* SRV: name, target, TTL, priority, protocol, service, weight, port<br>
+* SPFM: host, spfRules<br>
+</td>
             </tr>
             <tr>
               <td class="text-left" rowspan="1" colspan="1">
@@ -3897,14 +4005,15 @@ <h3 id="name-template-record">
               <td class="text-left" rowspan="1" colspan="1">essential</td>
               <td class="text-left" rowspan="1" colspan="1">(OPTIONAL)
 This parameter indicates how the record is treated during conflict detection with
-existing templates.
+existing templates.<br>
 
-If the DNS Provider is not implementing applied template state in DNS this is ignored.
+If the DNS Provider is not implementing applied template state in DNS this is ignored.<br>
 
-Always (default) - record MUST be applied and kept with the template
+Always (default) - record MUST be applied and kept with the template<br>
 
 OnApply - record MUST be applied but can be later removed without dropping the whole
-template</td>
+template<br>
+</td>
             </tr>
             <tr>
               <td class="text-left" rowspan="1" colspan="1">
@@ -3912,15 +4021,16 @@ <h3 id="name-template-record">
 </td>
               <td class="text-left" rowspan="1" colspan="1">String</td>
               <td class="text-left" rowspan="1" colspan="1">host</td>
-              <td class="text-left" rowspan="1" colspan="1">The host for A, AAAA, CNAME, NS, TXT, and MX values.
+              <td class="text-left" rowspan="1" colspan="1">(REQUIRED) The host for A, AAAA, CNAME, NS, TXT, and MX values.<br>
 
-This value is relative to the applied host and domain, unless trailed by a ".".
+This value is relative to the applied host and domain, unless trailed by a ".".<br>
 
 A value of empty or @ indicates the root of the applied host and domain. In other words
-"[host.]domain.com.".
+"[host.]example.com.".<br>
 
 This value should not contain variables unless absolutely necessary. This is discussed
-below.</td>
+below.<br>
+</td>
             </tr>
             <tr>
               <td class="text-left" rowspan="1" colspan="1">
@@ -3928,13 +4038,14 @@ <h3 id="name-template-record">
 </td>
               <td class="text-left" rowspan="1" colspan="1">String</td>
               <td class="text-left" rowspan="1" colspan="1">name</td>
-              <td class="text-left" rowspan="1" colspan="1">The name for the SRV record.
+              <td class="text-left" rowspan="1" colspan="1">The name for the SRV record.<br>
 
 This value is relative to the applied host and domain. A value of empty or @ indicates
-the root of the applied host and domain.
+the root of the applied host and domain.<br>
 
 This value should not contain variables unless absolutely necessary. This is discussed
-below.</td>
+below.<br>
+</td>
             </tr>
             <tr>
               <td class="text-left" rowspan="1" colspan="1">
@@ -3942,9 +4053,10 @@ <h3 id="name-template-record">
 </td>
               <td class="text-left" rowspan="1" colspan="1">String</td>
               <td class="text-left" rowspan="1" colspan="1">pointsTo</td>
-              <td class="text-left" rowspan="1" colspan="1">The pointsTo location for A, AAAA, CNAME, NS and MX records.
+              <td class="text-left" rowspan="1" colspan="1">The pointsTo location for A, AAAA, CNAME, NS and MX records.<br>
 
-A value of empty or @ indicates the host and domain name being applied or [host.]domain.com</td>
+A value of empty or @ indicates the host and domain name being applied or [host.]example.com<br>
+</td>
             </tr>
             <tr>
               <td class="text-left" rowspan="1" colspan="1">
@@ -3963,7 +4075,7 @@ <h3 id="name-template-record">
               <td class="text-left" rowspan="1" colspan="1">data</td>
               <td class="text-left" rowspan="1" colspan="1">The data for a TXT record in DNS.
 
-A value of empty or @ indicates the host and domain name being applied or [host.]domain.com</td>
+A value of empty or @ indicates the host and domain name being applied or [host.]example.com</td>
             </tr>
             <tr>
               <td class="text-left" rowspan="1" colspan="1">
@@ -3972,7 +4084,7 @@ <h3 id="name-template-record">
               <td class="text-left" rowspan="1" colspan="1">String</td>
               <td class="text-left" rowspan="1" colspan="1">txtConflictMatchingMode</td>
               <td class="text-left" rowspan="1" colspan="1">Describes how conflicts on the TXT record are detected. Possible values are
-None, All, or Prefix. The default value is None. <span><a href="#record-types-conflicts" class="xref">See below</a> (<a href="#record-types-conflicts" class="xref">Section 6.3</a>)</span>.</td>
+None, All, or Prefix. The default value is None. <span><a href="#record-types-conflicts" class="internal xref">See below</a> (<a href="#record-types-conflicts" class="auto internal xref">Section 9.3</a>)</span>.</td>
             </tr>
             <tr>
               <td class="text-left" rowspan="1" colspan="1">
@@ -3980,8 +4092,8 @@ <h3 id="name-template-record">
 </td>
               <td class="text-left" rowspan="1" colspan="1">String</td>
               <td class="text-left" rowspan="1" colspan="1">txtConflictMatchingPrefix</td>
-              <td class="text-left" rowspan="1" colspan="1">The prefix to detect conflicts when txtConflictMatchingMode is "Prefix". This
-must not contain variables. <span><a href="#record-types-conflicts" class="xref">See below</a> (<a href="#record-types-conflicts" class="xref">Section 6.3</a>)</span>.</td>
+              <td class="text-left" rowspan="1" colspan="1">The prefix to detect conflicts when txtConflict-MatchingMode is "Prefix". This
+must not contain variables. <span><a href="#record-types-conflicts" class="internal xref">See below</a> (<a href="#record-types-conflicts" class="auto internal xref">Section 9.3</a>)</span>.</td>
             </tr>
             <tr>
               <td class="text-left" rowspan="1" colspan="1">
@@ -4038,7 +4150,7 @@ <h3 id="name-template-record">
               <td class="text-left" rowspan="1" colspan="1">String</td>
               <td class="text-left" rowspan="1" colspan="1">spfRules</td>
               <td class="text-left" rowspan="1" colspan="1">These are desired rules for the SPF TXT record. These rules will be merged with other
-SPFM records into final SPF TXT record. See <a href="#spf-record-merging" class="xref">Section 6.10</a>.</td>
+SPFM records into final SPF TXT record. See <a href="#spf-record-merging" class="auto internal xref">Section 9.10</a>.</td>
             </tr>
           </tbody>
         </table>
@@ -4048,133 +4160,133 @@ <h3 id="name-template-record">
 </section>
 </div>
 <div id="_template_considerations">
-<section id="section-6">
+<section id="section-9">
       <h2 id="name-template-considerations">
-<a href="#section-6" class="section-number selfRef">6. </a><a href="#name-template-considerations" class="section-name selfRef">Template Considerations</a>
+<a href="#section-9" class="section-number selfRef">9. </a><a href="#name-template-considerations" class="section-name selfRef">Template Considerations</a>
       </h2>
 <div id="_template_state_in_dns">
-<section id="section-6.1">
+<section id="section-9.1">
         <h3 id="name-template-state-in-dns">
-<a href="#section-6.1" class="section-number selfRef">6.1. </a><a href="#name-template-state-in-dns" class="section-name selfRef">Template State in DNS</a>
+<a href="#section-9.1" class="section-number selfRef">9.1. </a><a href="#name-template-state-in-dns" class="section-name selfRef">Template State in DNS</a>
         </h3>
-<div id="_002c13e3-2daa-c7c1-cb09-c06559ce89de">
-<p id="section-6.1-1">DNS Providers may chose to maintain state inside records in DNS indicating the templates
-writing the records. Other providers may chose to not maintain this state.<a href="#section-6.1-1" class="pilcrow">¶</a></p>
+<div id="_6329133f-85fb-14f3-4ed3-cab4d1f62162">
+<p id="section-9.1-1">DNS Providers may chose to maintain state inside records in DNS indicating the templates
+writing the records. Other providers may chose to not maintain this state.<a href="#section-9.1-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_7e59711f-67ab-4edd-057d-10208d4f704e">
-<p id="section-6.1-2">A DNS Provider that maintains this state may be able to provide an improved experience for
+<div id="_7dd29f75-68ee-5ad2-18af-0518dac41ac4">
+<p id="section-9.1-2">A DNS Provider that maintains this state may be able to provide an improved experience for
 customers, telling them the services enabled. They also may be able to have more
-advanced handling of conflicts.<a href="#section-6.1-2" class="pilcrow">¶</a></p>
+advanced handling of conflicts.<a href="#section-9.1-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_d25d0d61-0812-5995-804f-fdc435432af7">
-<p id="section-6.1-3">To make the implementation burden reasonable for DNS Providers, Domain Connect does not dictate the approach.<a href="#section-6.1-3" class="pilcrow">¶</a></p>
+<div id="_8714ec3c-bebd-e951-cc4d-a8d7d6384f25">
+<p id="section-9.1-3">To make the implementation burden reasonable for DNS Providers, Domain Connect does not dictate the approach.<a href="#section-9.1-3" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 <div id="_disclosure_of_changes_and_conflicts">
-<section id="section-6.2">
+<section id="section-9.2">
         <h3 id="name-disclosure-of-changes-and-c">
-<a href="#section-6.2" class="section-number selfRef">6.2. </a><a href="#name-disclosure-of-changes-and-c" class="section-name selfRef">Disclosure of Changes and Conflicts</a>
+<a href="#section-9.2" class="section-number selfRef">9.2. </a><a href="#name-disclosure-of-changes-and-c" class="section-name selfRef">Disclosure of Changes and Conflicts</a>
         </h3>
-<div id="_5bdb648e-d64d-49af-d39b-f8525620e4ea">
-<p id="section-6.2-1">It is left to the discretion of the DNS Provider to determine what is disclosed to the user
+<div id="_8db9b227-7f3f-bb75-61fe-dc094f305cc8">
+<p id="section-9.2-1">It is left to the discretion of the DNS Provider to determine what is disclosed to the user
 when granting permission and/or applying changes to DNS.
 This includes disclosing the records being applied and the records
-that may be overwritten.<a href="#section-6.2-1" class="pilcrow">¶</a></p>
+that may be overwritten.<a href="#section-9.2-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_f57a68c5-1d11-7342-4cc5-fdd9e530e3a3">
-<p id="section-6.2-2">For changes being made, one DNS Provider
+<div id="_85c5501f-a4b1-d16f-7574-9caab1336b08">
+<p id="section-9.2-2">For changes being made, one DNS Provider
 may decide to simply tell the user the name of the service being enabled. Another
 may decide to display the records being set. And another
-may progressively display both.<a href="#section-6.2-2" class="pilcrow">¶</a></p>
+may progressively display both.<a href="#section-9.2-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_b8da646e-a7c3-2377-01b9-d974b5762a30">
-<p id="section-6.2-3">For conflict detection, one DNS Provider may simply overwrite
+<div id="_b2f552e0-a9e6-43c4-81b5-8278dd26df17">
+<p id="section-9.2-3">For conflict detection, one DNS Provider may simply overwrite
 changed records without warning. Another may detect conflicts and warn the user of the
 records that will change. And another may implement logic to further detect, warn, and
 remove any of the existing templates that overlap with the new template once applied
-(this assumes they are a DNS Provider that maintains template state in DNS).<a href="#section-6.2-3" class="pilcrow">¶</a></p>
+(this assumes they are a DNS Provider that maintains template state in DNS).<a href="#section-9.2-3" class="pilcrow">¶</a></p>
 </div>
-<div id="_60af842a-1e94-5a0b-4a0b-9c1f58e207c0">
-<p id="section-6.2-4">As an example, consider applying a template that sets two records
+<div id="_e043ef22-d59d-c759-2196-e4ba5f94f9f2">
+<p id="section-9.2-4">As an example, consider applying a template that sets two records
 (recordA and recordB) into a zone. Next consider applying a second template that
 overlaps with the first template (recordB and recordC). If the DNS maintains template state
 and removes conflicting templates, applying the second template would remove the first
 template. Application of the second template would conflict with recordB and the entire
-first template would be removed.<a href="#section-6.2-4" class="pilcrow">¶</a></p>
+first template would be removed.<a href="#section-9.2-4" class="pilcrow">¶</a></p>
 </div>
-<div id="_f6b5bd81-9781-ca95-3e5f-86810a670d87">
-<p id="section-6.2-5">Manual changes made by the user at the DNS Provider may also have
+<div id="_7948e0bf-6950-064d-69f0-46435eaed072">
+<p id="section-9.2-5">Manual changes made by the user at the DNS Provider may also have
 appropriate warnings in place to prevent unwanted changes; with
-overrides being possible and removal of conflicting templates.<a href="#section-6.2-5" class="pilcrow">¶</a></p>
+overrides being possible and removal of conflicting templates.<a href="#section-9.2-5" class="pilcrow">¶</a></p>
 </div>
-<div id="_3cb272fb-4911-8446-eb16-95335fe285a3">
-<p id="section-6.2-6">For the synchronous flow, this happens while the user is present.<a href="#section-6.2-6" class="pilcrow">¶</a></p>
+<div id="_ed681040-c672-5c36-d83e-d2c2adb8fbba">
+<p id="section-9.2-6">For the synchronous flow, this happens while the user is present.<a href="#section-9.2-6" class="pilcrow">¶</a></p>
 </div>
-<div id="_5af65ef0-9ee2-0102-c9bd-a9cd066029a6">
-<p id="section-6.2-7">For the asynchronous flow, the consent UX is similar. However, the changes are made later
+<div id="_f08fd71c-d8a8-2fa6-cd05-fa106e452a7c">
+<p id="section-9.2-7">For the asynchronous flow, the consent UX is similar. However, the changes are made later
 using the API and OAuth. The DNS Provider may decide to detect conflicts and
 return these from the API without applying the change using the proper response code.
-If the force parameter is set, the changes must be applied regardless of conflicts.<a href="#section-6.2-7" class="pilcrow">¶</a></p>
+If the force parameter is set, the changes must be applied regardless of conflicts.<a href="#section-9.2-7" class="pilcrow">¶</a></p>
 </div>
-<div id="_671e16fd-d6f3-4b2c-4f9d-9ab262e20cf5">
-<p id="section-6.2-8">It is ultimately left to the DNS Provider to determine the amount of
+<div id="_177e91df-034e-eaa2-4a13-a862c1996c11">
+<p id="section-9.2-8">It is ultimately left to the DNS Provider to determine the amount of
 disclosure and/or conflict detection. The only requirement is that after
-a template is applied the new records must be applied in totality.<a href="#section-6.2-8" class="pilcrow">¶</a></p>
+a template is applied the new records must be applied in totality.<a href="#section-9.2-8" class="pilcrow">¶</a></p>
 </div>
-<div id="_7f3fe682-e9ca-6c67-b3c3-d3878ffe0f4f">
-<p id="section-6.2-9">A reasonable set of recommendations for the UX might consist of:<a href="#section-6.2-9" class="pilcrow">¶</a></p>
+<div id="_b9237900-55e8-c463-ebe3-375681847c5e">
+<p id="section-9.2-9">A reasonable set of recommendations for the UX might consist of:<a href="#section-9.2-9" class="pilcrow">¶</a></p>
 </div>
 <ul class="normal">
-<li class="normal" id="section-6.2-10.1">The consent UX should inform the customer of the service that will be
+<li class="normal" id="section-9.2-10.1">The consent UX should inform the customer of the service that will be
 enabled. If the customer want to know the specifics, the DNS
 Provider could provide a "show details" link to the user. This could
-display to them the specific records that are being set in DNS.<a href="#section-6.2-10.1" class="pilcrow">¶</a>
+display to them the specific records that are being set in DNS.<a href="#section-9.2-10.1" class="pilcrow">¶</a>
 </li>
-          <li class="normal" id="section-6.2-10.2">If there are conflicts, either at the template or record level, the
+          <li class="normal" id="section-9.2-10.2">If there are conflicts, either at the template or record level, the
 consent UX should warn the user about these conflicts. For templates,
 this would be services that would be disabled. For records, this would be
-records that would be deleted or overwritten. This could be progressively disclosed.<a href="#section-6.2-10.2" class="pilcrow">¶</a>
+records that would be deleted or overwritten. This could be progressively disclosed.<a href="#section-9.2-10.2" class="pilcrow">¶</a>
 </li>
         </ul>
 </section>
 </div>
 <div id="record-types-conflicts">
-<section id="section-6.3">
+<section id="section-9.3">
         <h3 id="name-record-types-and-conflicts">
-<a href="#section-6.3" class="section-number selfRef">6.3. </a><a href="#name-record-types-and-conflicts" class="section-name selfRef">Record Types and Conflicts</a>
+<a href="#section-9.3" class="section-number selfRef">9.3. </a><a href="#name-record-types-and-conflicts" class="section-name selfRef">Record Types and Conflicts</a>
         </h3>
-<div id="_bca32f71-55d2-a526-ed16-1776dd262353">
-<p id="section-6.3-1">Conflict detection done by the DNS provider prior to template application has to take
+<div id="_3f7f6296-a175-58d7-1dca-e16c06a038cc">
+<p id="section-9.3-1">Conflict detection done by the DNS provider prior to template application has to take
 into consideration specifics of each DNS record type. The rules outlined below
 ensure predictable conflict resolution between DNS providers. Each rule applies to
-the records on the very same host, unless specifed otherwise.<a href="#section-6.3-1" class="pilcrow">¶</a></p>
+the records on the very same host, unless specifed otherwise.<a href="#section-9.3-1" class="pilcrow">¶</a></p>
 </div>
 <ul class="normal">
-<li class="normal" id="section-6.3-2.1">CNAME record conflicts with TXT, MX, AAAA, A and existing CNAME records, and any other records of these
-types conflict with an existing CNAME record. Note: CNAME records cannot be at the root of the zone.<a href="#section-6.3-2.1" class="pilcrow">¶</a>
+<li class="normal" id="section-9.3-2.1">CNAME record conflicts with TXT, MX, AAAA, A and existing CNAME records, and any other records of these
+types conflict with an existing CNAME record. Note: CNAME records cannot be at the root of the zone.<a href="#section-9.3-2.1" class="pilcrow">¶</a>
 </li>
-          <li class="normal" id="section-6.3-2.2">NS records conflict with all other records. This includes of the same host, and for any record ending with the NS host. For example, an NS record of foo will conflict with any foo, www.foo, bar.foo, etc. Similarly all
-other record type conflict with NS records in the same manner.<a href="#section-6.3-2.2" class="pilcrow">¶</a>
+          <li class="normal" id="section-9.3-2.2">NS records conflict with all other records. This includes of the same host, and for any record ending with the NS host. For example, an NS record of foo will conflict with any foo, www.foo, bar.foo, etc. Similarly all
+other record type conflict with NS records in the same manner.<a href="#section-9.3-2.2" class="pilcrow">¶</a>
 </li>
-          <li class="normal" id="section-6.3-2.3">MX, SRV records always conflict with records of the same type<a href="#section-6.3-2.3" class="pilcrow">¶</a>
+          <li class="normal" id="section-9.3-2.3">MX, SRV records always conflict with records of the same type<a href="#section-9.3-2.3" class="pilcrow">¶</a>
 </li>
-          <li class="normal" id="section-6.3-2.4">A and AAAA records conflict with any other A and/or AAAA record, to avoid IPv4
-and IPv6 pointing to different services.<a href="#section-6.3-2.4" class="pilcrow">¶</a>
+          <li class="normal" id="section-9.3-2.4">A and AAAA records conflict with any other A and/or AAAA record, to avoid IPv4
+and IPv6 pointing to different services.<a href="#section-9.3-2.4" class="pilcrow">¶</a>
 </li>
-          <li class="normal" id="section-6.3-2.5">
-            <div id="_bf45ba57-3b43-e3ba-3d79-1e7fcd9e4b54">
-<p id="section-6.3-2.5.1">TXT records conflict detection is handled looking at txtConflictMatchingMode
-parameter<a href="#section-6.3-2.5.1" class="pilcrow">¶</a></p>
+          <li class="normal" id="section-9.3-2.5">
+            <div id="_6702f1bf-e3be-680f-ea2a-362367b16e41">
+<p id="section-9.3-2.5.1">TXT records conflict detection is handled looking at txtConflictMatchingMode
+parameter<a href="#section-9.3-2.5.1" class="pilcrow">¶</a></p>
 </div>
 <ul class="normal">
-<li class="normal" id="section-6.3-2.5.2.1">None: This indicates that the TXT records do not conflict with any other TXT
-record. This is the default setting, if not specified.<a href="#section-6.3-2.5.2.1" class="pilcrow">¶</a>
+<li class="normal" id="section-9.3-2.5.2.1">None: This indicates that the TXT records do not conflict with any other TXT
+record. This is the default setting, if not specified.<a href="#section-9.3-2.5.2.1" class="pilcrow">¶</a>
 </li>
-              <li class="normal" id="section-6.3-2.5.2.2">All: This indicates that the TXT records conflict with any other TXT record<a href="#section-6.3-2.5.2.2" class="pilcrow">¶</a>
+              <li class="normal" id="section-9.3-2.5.2.2">All: This indicates that the TXT records conflict with any other TXT record<a href="#section-9.3-2.5.2.2" class="pilcrow">¶</a>
 </li>
-              <li class="normal" id="section-6.3-2.5.2.3">Prefix: This indicates that TXT record conflict with any other TXT containing value starting with
-txtConfictMatchingPrefix<a href="#section-6.3-2.5.2.3" class="pilcrow">¶</a>
+              <li class="normal" id="section-9.3-2.5.2.3">Prefix: This indicates that TXT record conflict with any other TXT containing value starting with
+txtConflictMatchingPrefix<a href="#section-9.3-2.5.2.3" class="pilcrow">¶</a>
 </li>
             </ul>
 </li>
@@ -4182,237 +4294,237 @@ <h3 id="name-record-types-and-conflicts">
 </section>
 </div>
 <div id="_apply_re_apply_and_multi_instance">
-<section id="section-6.4">
+<section id="section-9.4">
         <h3 id="name-apply-re-apply-and-multi-in">
-<a href="#section-6.4" class="section-number selfRef">6.4. </a><a href="#name-apply-re-apply-and-multi-in" class="section-name selfRef">Apply, Re-apply, and Multi-Instance</a>
+<a href="#section-9.4" class="section-number selfRef">9.4. </a><a href="#name-apply-re-apply-and-multi-in" class="section-name selfRef">Apply, Re-apply, and Multi-Instance</a>
         </h3>
-<div id="_dd5e4071-8003-8b37-047c-0a7268f6b070">
-<p id="section-6.4-1">There is an additional consideration for DNS Providers that maintain the state of an applied
-template when re-applying a template.<a href="#section-6.4-1" class="pilcrow">¶</a></p>
+<div id="_c37c42e0-9a4f-1bf4-bb9f-e32e4dd7cce8">
+<p id="section-9.4-1">There is an additional consideration for DNS Providers that maintain the state of an applied
+template when re-applying a template.<a href="#section-9.4-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_93cc49ef-96f7-ec41-9520-606e476e45c5">
-<p id="section-6.4-2">To avoid unnecessary conflict warnings to the user, under normal use when re-applying a
-template such a DNS Provider should remove the previously applied template on the same host.<a href="#section-6.4-2" class="pilcrow">¶</a></p>
+<div id="_008301a0-6e10-877e-7501-8604ddc95077">
+<p id="section-9.4-2">To avoid unnecessary conflict warnings to the user, under normal use when re-applying a
+template such a DNS Provider should remove the previously applied template on the same host.<a href="#section-9.4-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_1fb3484e-9f63-ae52-f181-6b444fc7ef8f">
-<p id="section-6.4-3">This may not be desireable for all templates, as a limited set of templates are designed to
-be applied multiple times. To faciliate this the template can have the flag <span><a href="#template-definition" class="xref">multiInstance</a> (<a href="#template-definition" class="xref">Section 5.2</a>)</span>
+<div id="_3bcbb7b8-e234-dba4-0e32-14b21545710e">
+<p id="section-9.4-3">This may not be desireable for all templates, as a limited set of templates are designed to
+be applied multiple times. To faciliate this the template can have the flag <span><a href="#template-definition" class="internal xref">multiInstance</a> (<a href="#template-definition" class="auto internal xref">Section 8.2</a>)</span>
 set. This tells the DNS Provider that the template is expected to be written multiple times
-and that a re-apply must not remove previous instances.<a href="#section-6.4-3" class="pilcrow">¶</a></p>
+and that a re-apply must not remove previous instances.<a href="#section-9.4-3" class="pilcrow">¶</a></p>
 </div>
-<div id="_96f0245d-53c3-804a-a821-464a7229c2d7">
-<p id="section-6.4-4">This setting only impacts DNS Providers that maintain applied template state. DNS Providers
+<div id="_375af312-d39f-8319-ce04-84ae0ad3025f">
+<p id="section-9.4-4">This setting only impacts DNS Providers that maintain applied template state. DNS Providers
 that do not maintain applied template state must rely on the normal conflict
-resolution rules, and this flag has no impact.<a href="#section-6.4-4" class="pilcrow">¶</a></p>
+resolution rules, and this flag has no impact.<a href="#section-9.4-4" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 <div id="non-essential-record">
-<section id="section-6.5">
+<section id="section-9.5">
         <h3 id="name-non-essential-records">
-<a href="#section-6.5" class="section-number selfRef">6.5. </a><a href="#name-non-essential-records" class="section-name selfRef">Non-essential records</a>
+<a href="#section-9.5" class="section-number selfRef">9.5. </a><a href="#name-non-essential-records" class="section-name selfRef">Non-essential records</a>
         </h3>
-<div id="_e602047f-a14a-2607-7f11-7ce95793cc9b">
-<p id="section-6.5-1">Typically a template specifies a list of DNS records which are required for the service.
+<div id="_0ed0f19a-39ec-4cae-176a-6e020a04c695">
+<p id="section-9.5-1">Typically a template specifies a list of DNS records which are required for the service.
 There may be cases where some records are only required for a very short period of time,
 and removing or altering the record later (either by the end user or through application
-of another template) should not trigger conflict detection.<a href="#section-6.5-1" class="pilcrow">¶</a></p>
+of another template) should not trigger conflict detection.<a href="#section-9.5-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_551b84fe-b78c-6b3c-778a-0549d95fb9cd">
-<p id="section-6.5-2">This can be controlled by the <span><a href="#template-record" class="xref">essential</a> (<a href="#template-record" class="xref">Section 5.3</a>)</span> property of a record in
-the template.<a href="#section-6.5-2" class="pilcrow">¶</a></p>
+<div id="_b0476117-3750-dc42-ea63-8b03a3074157">
+<p id="section-9.5-2">This can be controlled by the <span><a href="#template-record" class="internal xref">essential</a> (<a href="#template-record" class="auto internal xref">Section 8.3</a>)</span> property of a record in
+the template.<a href="#section-9.5-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_2493c3c8-7ea5-772e-8107-b60a3edbcc15">
-<p id="section-6.5-3">Again, this setting only impacts DNS Providers that maintain applied template state.<a href="#section-6.5-3" class="pilcrow">¶</a></p>
+<div id="_8c266452-7dcb-6390-233f-88f173c8cb9a">
+<p id="section-9.5-3">Again, this setting only impacts DNS Providers that maintain applied template state.<a href="#section-9.5-3" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 <div id="_template_scope">
-<section id="section-6.6">
+<section id="section-9.6">
         <h3 id="name-template-scope">
-<a href="#section-6.6" class="section-number selfRef">6.6. </a><a href="#name-template-scope" class="section-name selfRef">Template Scope</a>
+<a href="#section-9.6" class="section-number selfRef">9.6. </a><a href="#name-template-scope" class="section-name selfRef">Template Scope</a>
         </h3>
-<div id="_95a8e342-ce02-7227-d5ee-fd7e3f8f2586">
-<p id="section-6.6-1">For DNS Providers that maintain template state, an individual template is scoped to the set of records applied to a
+<div id="_9f965488-e131-9f1d-ecc9-4df31e0a6eb2">
+<p id="section-9.6-1">For DNS Providers that maintain template state, an individual template is scoped to the set of records applied to a
 fully qualified domain. This includes the root domain and the host (aka
-sub-domain) at apply time.<a href="#section-6.6-1" class="pilcrow">¶</a></p>
+sub-domain) at apply time.<a href="#section-9.6-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_70fd40f0-8553-2375-e346-3964a710d8e2">
-<p id="section-6.6-2">As an example, if a template is applied on domain=example.com&amp;host=sub1
-a later application of the template on domain=example.com&amp;host=sub2 must be
+<div id="_3f7cda2f-008d-6137-6085-b8e1f35d0904">
+<p id="section-9.6-2">As an example, if a template is applied on domain=example.com=sub1
+a later application of the template on domain=example.com=sub2 must be
 treated as a distinct template. If a conflict is detected later
 with the records set into "sub2.example.com",
-only the records set with this template would be removed.<a href="#section-6.6-2" class="pilcrow">¶</a></p>
+only the records set with this template would be removed.<a href="#section-9.6-2" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 <div id="_hostname_in_template">
-<section id="section-6.7">
+<section id="section-9.7">
         <h3 id="name-host-name-in-template">
-<a href="#section-6.7" class="section-number selfRef">6.7. </a><a href="#name-host-name-in-template" class="section-name selfRef">Host/Name in Template</a>
+<a href="#section-9.7" class="section-number selfRef">9.7. </a><a href="#name-host-name-in-template" class="section-name selfRef">Host/Name in Template</a>
         </h3>
-<div id="_a171cc6a-da8d-4eb5-a406-5c1a68292a8b">
-<p id="section-6.7-1">Template records contain the host name of the record to set into the zone (called name
+<div id="_088f1ac6-6f83-47cd-309e-daa1e3c47148">
+<p id="section-9.7-1">Template records contain the host name of the record to set into the zone (called name
 for SRV records). This value must be considered relative to the domain/host when
-the template is applied, unless followed by a trailing ".".<a href="#section-6.7-1" class="pilcrow">¶</a></p>
+the template is applied, unless followed by a trailing ".".<a href="#section-9.7-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_fc3069ad-c804-c218-ac4e-672b7d4f019c">
-<p id="section-6.7-2">Consider a template record of type A with a host value of "xyz". When the template is
-applied to a domain=foo.com and an empty host value, the resulting zone after the template
-is applied will contain an A record of "xyz" (or "xyz.foo.com." in bind format).<a href="#section-6.7-2" class="pilcrow">¶</a></p>
+<div id="_8875afdd-b485-841a-18db-783a2406e938">
+<p id="section-9.7-2">Consider a template record of type A with a host value of "xyz". When the template is
+applied to a domain=example.com and an empty host value, the resulting zone after the template
+is applied will contain an A record of "xyz" (or "xyz.example.com." in bind format).<a href="#section-9.7-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_c827df29-12c2-bc79-e6a0-aa92ab61e7ff">
-<p id="section-6.7-3">If the same template is applied to a domain=foo.com and host=bar, the zone will contain an A
-record of "xyz.bar" (or "xyz.bar.foo.com." in bind format).<a href="#section-6.7-3" class="pilcrow">¶</a></p>
+<div id="_559c5575-e328-ae62-fe97-66089afaf692">
+<p id="section-9.7-3">If the same template is applied to a domain=example.com and host=bar, the zone will contain an A
+record of "xyz.bar" (or "xyz.bar.example.com." in bind format).<a href="#section-9.7-3" class="pilcrow">¶</a></p>
 </div>
-<div id="_b079b09f-7357-d202-ff99-b58e08857133">
-<p id="section-6.7-4">A value of @ for host in the template is a placeholder for an empty value. In other words @
-would point to "bar.foo.com." when the same template is applied to domain=foo.com and host=bar.<a href="#section-6.7-4" class="pilcrow">¶</a></p>
+<div id="_a7f7d19a-d78a-44a3-2054-922558de8f7f">
+<p id="section-9.7-4">A value of @ for host in the template is a placeholder for an empty value. In other words @
+would point to "bar.example.com." when the same template is applied to domain=example.com and host=bar.<a href="#section-9.7-4" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 <div id="_pointsto_in_template">
-<section id="section-6.8">
+<section id="section-9.8">
         <h3 id="name-pointsto-in-template">
-<a href="#section-6.8" class="section-number selfRef">6.8. </a><a href="#name-pointsto-in-template" class="section-name selfRef">PointsTo in Template</a>
+<a href="#section-9.8" class="section-number selfRef">9.8. </a><a href="#name-pointsto-in-template" class="section-name selfRef">PointsTo in Template</a>
         </h3>
-<div id="_051fd3ac-a5b2-d03c-7e9b-043a53ec55dc">
-<p id="section-6.8-1">Template records of certain types contain the pointsTo value to set in the zone. For
-record types such as CNAME where this can be a fully qualified domain name.<a href="#section-6.8-1" class="pilcrow">¶</a></p>
+<div id="_8e103659-b5e7-758e-44c4-2d984b582c0e">
+<p id="section-9.8-1">Template records of certain types contain the pointsTo value to set in the zone. For
+record types such as CNAME where this can be a fully qualified domain name.<a href="#section-9.8-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_b7a6116e-166d-61cb-0902-9fbe38b546ca">
-<p id="section-6.8-2">A value of @ in pointsTo field in the template is a shortcut for the fully qualified domain
-name of the domain/host being applied.<a href="#section-6.8-2" class="pilcrow">¶</a></p>
+<div id="_a2ff4ac8-7a6b-e031-c6b0-48449d528e77">
+<p id="section-9.8-2">A value of @ in pointsTo field in the template is a shortcut for the fully qualified domain
+name of the domain/host being applied.<a href="#section-9.8-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_2d31e165-de0a-8974-2db0-6b6a5148e8a4">
-<p id="section-6.8-3">Consider a template record of type CNAME with a pointsTo value of "@". After a template of
-domain=foo.com and an empty host is applied, the pointsTo value (or corresponding field) in
-the resulting zone would be "foo.com". After a template of domain=foo.com
-with host=bar is applied, the points to value would be "bar.foo.com".<a href="#section-6.8-3" class="pilcrow">¶</a></p>
+<div id="_92b4ad6c-c826-d09c-4398-0bd140dc3c4f">
+<p id="section-9.8-3">Consider a template record of type CNAME with a pointsTo value of "@". After a template of
+domain=example.com and an empty host is applied, the pointsTo value (or corresponding field) in
+the resulting zone would be "example.com". After a template of domain=example.com
+with host=bar is applied, the points to value would be "bar.example.com".<a href="#section-9.8-3" class="pilcrow">¶</a></p>
 </div>
-<div id="_6b39da4b-396a-4913-1e74-1410a088e92b">
-<p id="section-6.8-4">Any domain in a pointsTo field in a template must be considered fully qualified and not
-relative.<a href="#section-6.8-4" class="pilcrow">¶</a></p>
+<div id="_2d8b5c25-fd3a-581b-8f43-a611f9e5131a">
+<p id="section-9.8-4">Any domain in a pointsTo field in a template must be considered fully qualified and not
+relative.<a href="#section-9.8-4" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 <div id="_variables">
-<section id="section-6.9">
+<section id="section-9.9">
         <h3 id="name-variables">
-<a href="#section-6.9" class="section-number selfRef">6.9. </a><a href="#name-variables" class="section-name selfRef">Variables</a>
+<a href="#section-9.9" class="section-number selfRef">9.9. </a><a href="#name-variables" class="section-name selfRef">Variables</a>
         </h3>
 <div id="variables-and-hosts">
-<section id="section-6.9.1">
+<section id="section-9.9.1">
           <h4 id="name-variables-and-host-name-in-">
-<a href="#section-6.9.1" class="section-number selfRef">6.9.1. </a><a href="#name-variables-and-host-name-in-" class="section-name selfRef">Variables and Host/Name in Template</a>
+<a href="#section-9.9.1" class="section-number selfRef">9.9.1. </a><a href="#name-variables-and-host-name-in-" class="section-name selfRef">Variables and Host/Name in Template</a>
           </h4>
-<div id="_db949e3a-bbbf-9bc4-e718-035f00a986cf">
-<p id="section-6.9.1-1">While templates do allow for variables in a host or name field values, these should be used
-very sparingly.<a href="#section-6.9.1-1" class="pilcrow">¶</a></p>
+<div id="_3aeb38f0-ed2c-099d-a77b-b657ef8becf9">
+<p id="section-9.9.1-1">While templates do allow for variables in a host or name field values, these should be used
+very sparingly.<a href="#section-9.9.1-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_168cb20d-e7ac-3b28-2719-6c0e7cd75267">
-<p id="section-6.9.1-2">As an example, consider setting up hosting for a site. But instead of
+<div id="_1fb477c6-cced-4161-7f65-730ee61b4e46">
+<p id="section-9.9.1-2">As an example, consider setting up hosting for a site. But instead of
 applying the template to a domain/host, the name of the host is
-placed as a variable in the template.<a href="#section-6.9.1-2" class="pilcrow">¶</a></p>
+placed as a variable in the template.<a href="#section-9.9.1-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_ae1c87b9-dbfe-33dd-b092-b0d3b3a91f6d">
-<p id="section-6.9.1-3">Such a template might contain an A record of the form:<a href="#section-6.9.1-3" class="pilcrow">¶</a></p>
+<div id="_a4123deb-cc6f-cb72-1da7-f5696cc758e2">
+<p id="section-9.9.1-3">Such a template might contain an A record of the form:<a href="#section-9.9.1-3" class="pilcrow">¶</a></p>
 </div>
-<div id="_d6fb715c-ea0d-c288-ceac-17278510d41b">
-<div id="section-6.9.1-4">
-<pre class="lang-json sourcecode">{
+<div id="_f3594c8f-e7d0-580c-efa0-7cd39199e118">
+<div class="lang-json sourcecode" id="section-9.9.1-4">
+<pre>{
     "type": "A",
     "host": "%var%",
-    "pointsTo": "2.2.2.2",
+    "pointsTo": "192.0.2.2",
     "ttl": 1800
-}</pre><a href="#section-6.9.1-4" class="pilcrow">¶</a>
+}</pre><a href="#section-9.9.1-4" class="pilcrow">¶</a>
 </div>
 </div>
-<div id="_a3449c63-645e-505b-c2b7-b4ba44d90b21">
-<p id="section-6.9.1-5">This template could be applied on a domain like example.com with the var set
-to "sub", "sub1", "sub2", etc.<a href="#section-6.9.1-5" class="pilcrow">¶</a></p>
+<div id="_0cf33909-75f2-0311-285c-6c1626b0c2bf">
+<p id="section-9.9.1-5">This template could be applied on a domain like example.com with the var set
+to "sub", "sub1", "sub2", etc.<a href="#section-9.9.1-5" class="pilcrow">¶</a></p>
 </div>
-<div id="_f43d2eba-708a-ff79-bdf5-2b80eb3a1e47">
-<p id="section-6.9.1-6">Application of this template would be at the domain level for
+<div id="_c28a2685-b694-e21e-f476-ea7fb20d1475">
+<p id="section-9.9.1-6">Application of this template would be at the domain level for
 "example.com". This causes problems for application/re-application
-of the template, conflict detection, and template removal.<a href="#section-6.9.1-6" class="pilcrow">¶</a></p>
+of the template, conflict detection, and template removal.<a href="#section-9.9.1-6" class="pilcrow">¶</a></p>
 </div>
-<div id="_67c5dd9e-d9e6-f09e-5ee6-80f1ad2f8ace">
-<p id="section-6.9.1-7">Since this template would be applied to the domain only, DNS providers that maintain
+<div id="_a894eb51-846b-0f72-f8b3-8ecaadb5fb2b">
+<p id="section-9.9.1-7">Since this template would be applied to the domain only, DNS providers that maintain
 template state would remove previous instances of the template before re-application.
 This means applying this template with var=sub
 would result in the A record for sub.example.com to be set to
-the value 2.2.2.2. Later, applying the template on "example.com" with the
+the value 192.0.2.2. Later, applying the template on "example.com" with the
 var=sub2 should remove the old template before setting the new one. sub.example.com
 would be removed, and sub2.example.com would be set to the value
-2.2.2.2.<a href="#section-6.9.1-7" class="pilcrow">¶</a></p>
+192.0.2.2.<a href="#section-9.9.1-7" class="pilcrow">¶</a></p>
 </div>
-<div id="_88996bb6-1b6d-9874-2e2b-a59612ec5fb9">
-<p id="section-6.9.1-8">Furthermore, determining conflicts would be impossible when the user is granting consent
-for asynchronous operations (OAuth). This is because the host would be indeterminate.<a href="#section-6.9.1-8" class="pilcrow">¶</a></p>
+<div id="_7af0364a-28d5-649e-df78-6c560176d325">
+<p id="section-9.9.1-8">Furthermore, determining conflicts would be impossible when the user is granting consent
+for asynchronous operations (OAuth). This is because the host would be indeterminate.<a href="#section-9.9.1-8" class="pilcrow">¶</a></p>
 </div>
-<div id="_9955503b-8cd7-ff41-6bf2-93d1b111a3e0">
-<p id="section-6.9.1-9">To solve this problem, templates are scoped to a domain and a host
+<div id="_39bceb50-bf01-08f5-d188-6c7dedbb65b4">
+<p id="section-9.9.1-9">To solve this problem, templates are scoped to a domain and a host
 value. For synchronous operations, the host value is specified in the url.
 For asynchronous operations, permissions are granted for specific host values, whose value
-is later specified when applying the template.<a href="#section-6.9.1-9" class="pilcrow">¶</a></p>
+is later specified when applying the template.<a href="#section-9.9.1-9" class="pilcrow">¶</a></p>
 </div>
-<div id="_d680622b-4d63-ed0f-e279-3aa9aff59977">
-<p id="section-6.9.1-10">Note: There are some templates that utilize CNAME or TXT records with host values containing
+<div id="_34216470-292f-1777-cdf2-4c6002c713b6">
+<p id="section-9.9.1-10">Note: There are some templates that utilize CNAME or TXT records with host values containing
 some form of user identification for validation of domain ownership, and these are often
-passed in variables.<a href="#section-6.9.1-10" class="pilcrow">¶</a></p>
+passed in variables.<a href="#section-9.9.1-10" class="pilcrow">¶</a></p>
 </div>
-<div id="_5fd94fd0-bcdc-0712-5e79-44a1b79f6e1a">
-<p id="section-6.9.1-11">To support this use case, variables are allowed for the host name. But only in this
-limited circumstance.<a href="#section-6.9.1-11" class="pilcrow">¶</a></p>
+<div id="_08d32464-6e68-01b8-6451-c00d9dd2cdc5">
+<p id="section-9.9.1-11">To support this use case, variables are allowed for the host name. But only in this
+limited circumstance.<a href="#section-9.9.1-11" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 <div id="_variable_values">
-<section id="section-6.9.2">
+<section id="section-9.9.2">
           <h4 id="name-variable-values">
-<a href="#section-6.9.2" class="section-number selfRef">6.9.2. </a><a href="#name-variable-values" class="section-name selfRef">Variable Values</a>
+<a href="#section-9.9.2" class="section-number selfRef">9.9.2. </a><a href="#name-variable-values" class="section-name selfRef">Variable Values</a>
           </h4>
-<div id="_86d6bdf3-a0c2-06dc-b9ce-cd3318207d42">
-<p id="section-6.9.2-1">To allow for the use of the host name or domain name in templates, the
+<div id="_b1c4e9da-c92f-1538-20d2-65975d62de79">
+<p id="section-9.9.2-1">To allow for the use of the host name or domain name in templates, the
 values of %host% and %domain% are available. A third value of %fqdn% is also available. This
-value is the result of combining the host and domain name with the necessary ".".<a href="#section-6.9.2-1" class="pilcrow">¶</a></p>
+value is the result of combining the host and domain name with the necessary ".".<a href="#section-9.9.2-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_fd3aa143-f943-ec57-6cc7-331ca27cd85c">
-<p id="section-6.9.2-2">For example, with the query string "domain=example.com&amp;host=", %fqdn% in a template would be
+<div id="_0fa21af1-6b86-b9f9-30fb-d2ec7970d246">
+<p id="section-9.9.2-2">For example, with the query string "domain=example.com=", %fqdn% in a template would be
 "example.com", and with
-"domain=example.com&amp;host=sub1", %fqdn% in a template would be "sub1.example.com".<a href="#section-6.9.2-2" class="pilcrow">¶</a></p>
+"domain=example.com=sub1", %fqdn% in a template would be "sub1.example.com".<a href="#section-9.9.2-2" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 <div id="_variables_and_security">
-<section id="section-6.9.3">
+<section id="section-9.9.3">
           <h4 id="name-variables-and-security">
-<a href="#section-6.9.3" class="section-number selfRef">6.9.3. </a><a href="#name-variables-and-security" class="section-name selfRef">Variables and Security</a>
+<a href="#section-9.9.3" class="section-number selfRef">9.9.3. </a><a href="#name-variables-and-security" class="section-name selfRef">Variables and Security</a>
           </h4>
-<div id="_479bdbe2-2d3e-b697-b622-4d9ff6cd6772">
-<p id="section-6.9.3-1">As discussed, with variables consideration is necessary to prevent certain styles of
-phishing attacks.<a href="#section-6.9.3-1" class="pilcrow">¶</a></p>
+<div id="_addd6e14-2da3-9dcd-8665-52775e374167">
+<p id="section-9.9.3-1">As discussed, with variables consideration is necessary to prevent certain styles of
+phishing attacks.<a href="#section-9.9.3-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_74708e5e-59d7-3814-d96e-bfcf847f91e3">
-<p id="section-6.9.3-2">The more static the value in the template record, the more secure the template. When static values are not possible, a carefully crafted link could hijack DNS settings.<a href="#section-6.9.3-2" class="pilcrow">¶</a></p>
+<div id="_2bd2cdf3-5f65-3506-af5a-b2fb89afc9d3">
+<p id="section-9.9.3-2">The more static the value in the template record, the more secure the template. When static values are not possible, a carefully crafted link could hijack DNS settings.<a href="#section-9.9.3-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_298ba756-dbae-cc6f-570d-2d36d2165ac6">
-<p id="section-6.9.3-3">Mitigations to this are discussed above.<a href="#section-6.9.3-3" class="pilcrow">¶</a></p>
+<div id="_5931cb0a-577c-189d-19eb-8ca9e1c7133a">
+<p id="section-9.9.3-3">Mitigations to this are discussed above.<a href="#section-9.9.3-3" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 <div id="_variable_examples">
-<section id="section-6.9.4">
+<section id="section-9.9.4">
           <h4 id="name-variable-examples">
-<a href="#section-6.9.4" class="section-number selfRef">6.9.4. </a><a href="#name-variable-examples" class="section-name selfRef">Variable Examples</a>
+<a href="#section-9.9.4" class="section-number selfRef">9.9.4. </a><a href="#name-variable-examples" class="section-name selfRef">Variable Examples</a>
           </h4>
-<div id="_546e3848-f3da-7c2b-0345-28a85e44b41c">
-<p id="section-6.9.4-1">Example template:<a href="#section-6.9.4-1" class="pilcrow">¶</a></p>
+<div id="_3efb322d-a59e-e81c-c64e-a0a2412631f5">
+<p id="section-9.9.4-1">Example template:<a href="#section-9.9.4-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_f7ac8ab9-8f6f-bdc7-db3e-8e8c86e38abe">
-<div id="section-6.9.4-2">
-<pre class="lang-json sourcecode">[{
+<div id="_438e2ddc-4bd6-8133-396c-12e7247d1d33">
+<div class="lang-json sourcecode" id="section-9.9.4-2">
+<pre>[{
     "type": "CNAME",
     "host": "www",
     "pointsTo": "@",
@@ -4421,45 +4533,45 @@ <h4 id="name-variable-examples">
 {
     "type": "A",
     "host": "@",
-    "pointsTo": "1.1.1.1",
+    "pointsTo": "192.0.2.1",
     "ttl": 1800
-}]</pre><a href="#section-6.9.4-2" class="pilcrow">¶</a>
+}]</pre><a href="#section-9.9.4-2" class="pilcrow">¶</a>
 </div>
 </div>
-<div id="_a3f59c73-a763-5fb6-290b-c9a9693f35d3">
-<p id="section-6.9.4-3">Template applied with <em>domain</em>=foo.com and <em>host</em> parameter missing or empty:<a href="#section-6.9.4-3" class="pilcrow">¶</a></p>
+<div id="_d774d258-9bff-6614-2291-0a092400acb2">
+<p id="section-9.9.4-3">Template applied with <em>domain</em>=example.com and <em>host</em> parameter missing or empty:<a href="#section-9.9.4-3" class="pilcrow">¶</a></p>
 </div>
-<div id="_a0b2a7f7-2054-7f07-194a-c2623a41d0d9">
-<div id="section-6.9.4-4">
-<pre class="sourcecode">www 1800 IN CNAME foo.com.
-@   1800 IN A 1.1.1.1</pre><a href="#section-6.9.4-4" class="pilcrow">¶</a>
+<div id="_87c1acc2-0e27-3275-c139-f41d403dc1c8">
+<div class="sourcecode" id="section-9.9.4-4">
+<pre>www 1800 IN CNAME example.com.
+@   1800 IN A 192.0.2.1</pre><a href="#section-9.9.4-4" class="pilcrow">¶</a>
 </div>
 </div>
-<div id="_1fd9a2a7-41c1-d462-091e-f0979bc6e4ec">
-<p id="section-6.9.4-5"><em>alternatively</em><a href="#section-6.9.4-5" class="pilcrow">¶</a></p>
+<div id="_873cdfee-fa3e-16fe-10ae-57ede10f829e">
+<p id="section-9.9.4-5"><em>alternatively</em><a href="#section-9.9.4-5" class="pilcrow">¶</a></p>
 </div>
-<div id="_40a9508e-5d08-01e6-d67e-834a36675241">
-<div id="section-6.9.4-6">
-<pre class="sourcecode">www.foo.com.    1800 IN CNAME foo.com.
-foo.com.        1800 IN A 1.1.1.1</pre><a href="#section-6.9.4-6" class="pilcrow">¶</a>
+<div id="_6e9177ce-e1b3-3fc1-5e27-bb546dcebf79">
+<div class="sourcecode" id="section-9.9.4-6">
+<pre>www.example.com.    1800 IN CNAME example.com.
+example.com.        1800 IN A 192.0.2.1</pre><a href="#section-9.9.4-6" class="pilcrow">¶</a>
 </div>
 </div>
-<div id="_8eed682a-b967-5f9a-756d-80e152b79981">
-<p id="section-6.9.4-7">Template applied with <em>domain</em>=foo.com and <em>host</em>=bar:<a href="#section-6.9.4-7" class="pilcrow">¶</a></p>
+<div id="_43543793-3ff0-2f4c-d669-99f25a11a374">
+<p id="section-9.9.4-7">Template applied with <em>domain</em>=example.com and <em>host</em>=bar:<a href="#section-9.9.4-7" class="pilcrow">¶</a></p>
 </div>
-<div id="_e444aab2-15d1-b1f1-6281-9a34866c7ef5">
-<div id="section-6.9.4-8">
-<pre class="sourcecode">www.bar 1800 IN CNAME bar.foo.com.
-bar     1800 IN A 1.1.1.1</pre><a href="#section-6.9.4-8" class="pilcrow">¶</a>
+<div id="_4e7b9493-2573-fefd-eca2-5285f5b1bae4">
+<div class="sourcecode" id="section-9.9.4-8">
+<pre>www.bar 1800 IN CNAME bar.example.com.
+bar     1800 IN A 192.0.2.1</pre><a href="#section-9.9.4-8" class="pilcrow">¶</a>
 </div>
 </div>
-<div id="_cca2a93d-67bf-9061-e51d-823e2af2e98c">
-<p id="section-6.9.4-9"><em>alternatively</em><a href="#section-6.9.4-9" class="pilcrow">¶</a></p>
+<div id="_7ac4ef0f-ea45-2d4e-f86c-f82ae0b74f18">
+<p id="section-9.9.4-9"><em>alternatively</em><a href="#section-9.9.4-9" class="pilcrow">¶</a></p>
 </div>
-<div id="_b55be2ed-c707-5b19-725f-4da8f8bcb438">
-<div id="section-6.9.4-10">
-<pre class="sourcecode">www.bar.foo.com.    1800 IN CNAME bar.foo.com.
-bar.foo.com.        1800 IN A 1.1.1.1</pre><a href="#section-6.9.4-10" class="pilcrow">¶</a>
+<div id="_bce3efc3-9982-d82d-4991-5bab53b1a736">
+<div class="sourcecode" id="section-9.9.4-10">
+<pre>www.bar.example.com.    1800 IN CNAME bar.example.com.
+bar.example.com.        1800 IN A 192.0.2.1</pre><a href="#section-9.9.4-10" class="pilcrow">¶</a>
 </div>
 </div>
 </section>
@@ -4467,227 +4579,236 @@ <h4 id="name-variable-examples">
 </section>
 </div>
 <div id="spf-record-merging">
-<section id="section-6.10">
+<section id="section-9.10">
         <h3 id="name-spf-txt-record">
-<a href="#section-6.10" class="section-number selfRef">6.10. </a><a href="#name-spf-txt-record" class="section-name selfRef">SPF TXT Record</a>
+<a href="#section-9.10" class="section-number selfRef">9.10. </a><a href="#name-spf-txt-record" class="section-name selfRef">SPF TXT Record</a>
         </h3>
 <div id="_what_is_spf">
-<section id="section-6.10.1">
+<section id="section-9.10.1">
           <h4 id="name-what-is-spf">
-<a href="#section-6.10.1" class="section-number selfRef">6.10.1. </a><a href="#name-what-is-spf" class="section-name selfRef">What is SPF?</a>
+<a href="#section-9.10.1" class="section-number selfRef">9.10.1. </a><a href="#name-what-is-spf" class="section-name selfRef">What is SPF?</a>
           </h4>
-<div id="_0f6e82c2-01a3-bc77-c3c7-e5d6ec83e78b">
-<p id="section-6.10.1-1">SPF stands for Sender Policy Framework specified in
-<span>[<a href="#RFC7208" class="xref">RFC7208</a>]</span>. It is a
+<div id="_1cacd893-f110-363a-0f85-ce105178e048">
+<p id="section-9.10.1-1">SPF stands for Sender Policy Framework specified in
+<span>[<a href="#RFC7208" class="cite xref">RFC7208</a>]</span>. It is a
 record that specifies a list of authorized host names and/or IP addresses from which mail
-can originate from for a given domain name.<a href="#section-6.10.1-1" class="pilcrow">¶</a></p>
+can originate from for a given domain name.<a href="#section-9.10.1-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_6a5c87db-cf9d-1ff8-f017-2d3b594339de">
-<p id="section-6.10.1-2">It manifests itself as a TXT record.  The format of which starts with v=spf1 followed by a list of "rules" of
+<div id="_7a24992f-ef53-cc61-9bb8-abeb8e1af5f3">
+<p id="section-9.10.1-2">It manifests itself as a TXT record.  The format of which starts with v=spf1 followed by a list of "rules" of
 what to include/exclude.  If a rule passes, the mail is allowed. If it fails, it moves to the next rule.
-Typical record might appear as:<a href="#section-6.10.1-2" class="pilcrow">¶</a></p>
+Typical record might appear as:<a href="#section-9.10.1-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_0e0d6542-df9a-2160-4e4c-0691846afd29">
-<div id="section-6.10.1-3">
-<pre class="sourcecode">v=spf1 include:policy.exampleprovider.com -all</pre><a href="#section-6.10.1-3" class="pilcrow">¶</a>
+<div id="_5f39bbe8-2204-9f33-cc64-58dc1b089ecb">
+<div class="sourcecode" id="section-9.10.1-3">
+<pre>v=spf1 include:policy.exampleprovider.example -all</pre><a href="#section-9.10.1-3" class="pilcrow">¶</a>
 </div>
 </div>
-<div id="_57afd789-24ae-b415-b7e0-7e778ddee7f2">
-<p id="section-6.10.1-4">This is an SPF record with two rules.  The first rule indicates that the rules for SPF record
-<em>policy.exampleprovider.com be included in this record. The second rule is a catch all (_all</em>). The default modifier for a rule is <em>pass</em> (+). Other modifiers are <em>hard failure</em>(-), <em>soft failure</em> (~) and <em>neutral</em> (?).<a href="#section-6.10.1-4" class="pilcrow">¶</a></p>
+<div id="_1ef0da64-71ce-e9c5-1031-b87b87b3807a">
+<p id="section-9.10.1-4">This is an SPF record with two rules.  The first rule indicates that the rules for SPF record
+<em>policy.exampleprovider.example be included in this record. The second rule is a catch all (_all</em>). The default modifier for a rule is <em>pass</em> (+). Other modifiers are <em>hard failure</em>(-), <em>soft failure</em> (~) and <em>neutral</em> (?).<a href="#section-9.10.1-4" class="pilcrow">¶</a></p>
 </div>
-<div id="_6dd42890-4857-50ea-56d8-136d64ca0e5b">
-<p id="section-6.10.1-5">Note: A failure in SPF doesn't mean delivery won't happen, however depending on the policies of the receiving
-system, messages classified with <em>hard failure</em> or <em>soft failure</em> may not be delivered or marked as spam.<a href="#section-6.10.1-5" class="pilcrow">¶</a></p>
+<div id="_4eb75087-44d1-11a4-fd0b-c67320df5260">
+<p id="section-9.10.1-5">Note: A failure in SPF doesn't mean delivery won't happen, however depending on the policies of the receiving
+system, messages classified with <em>hard failure</em> or <em>soft failure</em> may not be delivered or marked as spam.<a href="#section-9.10.1-5" class="pilcrow">¶</a></p>
 </div>
-<div id="_d95529a0-286f-c0fb-a078-2a833cc9c002">
-<p id="section-6.10.1-6">The use of "all" at the end  is pretty common, although some providers mark it as ~ (soft fail) or ? (neutral).
+<div id="_6b834557-b42f-ba6d-c68a-a2892ef2dcae">
+<p id="section-9.10.1-6">The use of "all" at the end  is pretty common, although some providers mark it as ~ (soft fail) or ? (neutral).
 The reality is that a good SPF record is tuned based on what services are attached to a domain. Not just one
-individual service.<a href="#section-6.10.1-6" class="pilcrow">¶</a></p>
+individual service.<a href="#section-9.10.1-6" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 <div id="multiple-services">
-<section id="section-6.10.2">
+<section id="section-9.10.2">
           <h4 id="name-multiple-services">
-<a href="#section-6.10.2" class="section-number selfRef">6.10.2. </a><a href="#name-multiple-services" class="section-name selfRef">Multiple Services</a>
+<a href="#section-9.10.2" class="section-number selfRef">9.10.2. </a><a href="#name-multiple-services" class="section-name selfRef">Multiple Services</a>
           </h4>
-<div id="_7e928e4c-ed90-b858-530f-071f31c3f1a9">
-<p id="section-6.10.2-1">If only one email sending service were active, the SPF record recommended by the provider is sufficient. But
-mail from a domain can often come from several different services.<a href="#section-6.10.2-1" class="pilcrow">¶</a></p>
+<div id="_0a0e9221-4692-74ee-3252-e8b7512c480d">
+<p id="section-9.10.2-1">If only one email sending service were active, the SPF record recommended by the provider is sufficient. But
+mail from a domain can often come from several different services.<a href="#section-9.10.2-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_a07eaa0e-bb3a-de87-d105-3f9ae65378d7">
-<p id="section-6.10.2-2">A very typical use case might be end user mail and an email newsletter service.
-Let's look at the SPF records recommended for individual services.<a href="#section-6.10.2-2" class="pilcrow">¶</a></p>
+<div id="_87fbf50f-e588-d3a0-a9f2-e2ed095b62c5">
+<p id="section-9.10.2-2">A very typical use case might be end user mail and an email newsletter service.
+Let's look at the SPF records recommended for individual services.<a href="#section-9.10.2-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_f740e942-8096-677f-1ecd-5b9225cda4c8">
-<p id="section-6.10.2-3">Mailer1: v=spf1 include:spf.mailer1.com -all
-Newsletter1: v=spf1 include:_spf.newsletter.net ~all<a href="#section-6.10.2-3" class="pilcrow">¶</a></p>
+<div id="_b86ef6be-e92a-8637-3204-ae7ae79ea4f8">
+<p id="section-9.10.2-3">Mailer1: v=spf1 include:spf.mailer1.example -all
+Newsletter1: v=spf1 include:_spf.newsletter.example ~all<a href="#section-9.10.2-3" class="pilcrow">¶</a></p>
 </div>
-<div id="_9f6a0e08-5d7e-8a22-ef25-7baf68ea0df2">
-<p id="section-6.10.2-4">All of these examples use the include syntax. This is fairly common. The use of all at the end is common,
-although is often inconsistent with the modifier.<a href="#section-6.10.2-4" class="pilcrow">¶</a></p>
+<div id="_97a1a3f3-5a70-a30d-06b2-b7df7f0e75fd">
+<p id="section-9.10.2-4">All of these examples use the include syntax. This is fairly common. The use of all at the end is common,
+although is often inconsistent with the modifier.<a href="#section-9.10.2-4" class="pilcrow">¶</a></p>
 </div>
-<div id="_e1155def-aa33-0ab3-589a-c9e47e1e48fa">
-<p id="section-6.10.2-5">If a customer installed Mailer1 and Newsletter1, their combined SPF record ought to be something like:<a href="#section-6.10.2-5" class="pilcrow">¶</a></p>
+<div id="_a27d1a7b-1b46-677a-3a4c-3ce481479408">
+<p id="section-9.10.2-5">If a customer installed Mailer1 and Newsletter1, their combined SPF record ought to be something like:<a href="#section-9.10.2-5" class="pilcrow">¶</a></p>
 </div>
-<div id="_876d2f0e-81de-b493-b556-223094d95c72">
-<div id="section-6.10.2-6">
-<pre class="sourcecode">v=spf1 include:spf.mailer1.com include:_spf.newsletter.net ~all</pre><a href="#section-6.10.2-6" class="pilcrow">¶</a>
+<div id="_d85934fa-4a6d-ee35-4227-e6e48188be04">
+<div class="sourcecode" id="section-9.10.2-6">
+<pre>v=spf1 include:spf.mailer1.example include:_spf.newsletter.example
+ ~all</pre><a href="#section-9.10.2-6" class="pilcrow">¶</a>
 </div>
 </div>
-<div id="_93814591-3a07-1525-5f2b-da7ed81c37ab">
-<p id="section-6.10.2-7">We combined the two rules, and in this case picked the least restrictive all modifier.<a href="#section-6.10.2-7" class="pilcrow">¶</a></p>
+<div id="_5dff0a3d-cf4d-595f-89c3-6a38025d94b6">
+<p id="section-9.10.2-7">We combined the two rules, and in this case picked the least restrictive all modifier.<a href="#section-9.10.2-7" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 <div id="_spf_record_merging">
-<section id="section-6.10.3">
+<section id="section-9.10.3">
           <h4 id="name-spf-record-merging">
-<a href="#section-6.10.3" class="section-number selfRef">6.10.3. </a><a href="#name-spf-record-merging" class="section-name selfRef">SPF Record Merging</a>
+<a href="#section-9.10.3" class="section-number selfRef">9.10.3. </a><a href="#name-spf-record-merging" class="section-name selfRef">SPF Record Merging</a>
           </h4>
-<div id="_3a1f06ca-9238-26f6-0a31-370d8d35e38a">
-<p id="section-6.10.3-1">The challenge with SPF records and Domain Connect is that an individual service might recommend an SPF record. If only one service were active, this would be accurate. But with several services together only the DNS Provider is able to determine the valid shape of a SPF TXT record.<a href="#section-6.10.3-1" class="pilcrow">¶</a></p>
+<div id="_e5a00c59-fdfd-9adb-fa4e-e8b535e148e0">
+<p id="section-9.10.3-1">The challenge with SPF records and Domain Connect is that an individual service might recommend an SPF record. If only one service were active, this would be accurate. But with several services together only the DNS Provider is able to determine the valid shape of a SPF TXT record.<a href="#section-9.10.3-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_fa2de62a-4063-8d4b-5aab-d566d5ee1092">
-<p id="section-6.10.3-2">One solution to this problem is to merge all related records. At the highest level, this means taking everything between the "v=spf1" and the "all" from each of the records and merging them together, terminating with hard-coded modifier on <em>all</em> at the end.  For an SPF record to fulfill it's purpose of protection against malicious email delivery, Domain Connect advises a fixed modifier <em>"~"</em> advising lower rating of the messages from other sources not specified in SPF. This setup offers a reasonable level of protection of mail delivery, on the other side does not reject the message in case forwarding facility is in place.<a href="#section-6.10.3-2" class="pilcrow">¶</a></p>
+<div id="_6549db41-1747-2db1-a7cd-9a34ecba2c07">
+<p id="section-9.10.3-2">One solution to this problem is to merge all related records. At the highest level, this means taking everything between the "v=spf1" and the "all" from each of the records and merging them together, terminating with hard-coded modifier on <em>all</em> at the end.  For an SPF record to fulfill it's purpose of protection against malicious email delivery, Domain Connect advises a fixed modifier <em>"~"</em> advising lower rating of the messages from other sources not specified in SPF. This setup offers a reasonable level of protection of mail delivery, on the other side does not reject the message in case forwarding facility is in place.<a href="#section-9.10.3-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_55c810d2-22c4-2727-4563-63fd05ea83ae">
-<div id="section-6.10.3-3">
-<pre class="sourcecode">@ TXT v=spf1 include:spf.mailer1.com include:_spf.newsletter.net ~all</pre><a href="#section-6.10.3-3" class="pilcrow">¶</a>
+<div id="_f05e4bef-5968-bfc3-758c-a6fe985d859f">
+<div class="sourcecode" id="section-9.10.3-3">
+<pre>@ TXT v=spf1 include:spf.mailer1.example include:_spf.newsletter.exam
+ple ~all</pre><a href="#section-9.10.3-3" class="pilcrow">¶</a>
 </div>
 </div>
-<div id="_5b6b7d8a-431e-a714-86e7-a13e92877f01">
-<p id="section-6.10.3-4">The other would be to write intermediate records, and reference these locally.<a href="#section-6.10.3-4" class="pilcrow">¶</a></p>
+<div id="_e1a05ef9-cb9e-2634-8fba-87e4ef3b8af1">
+<p id="section-9.10.3-4">The other would be to write intermediate records, and reference these locally.<a href="#section-9.10.3-4" class="pilcrow">¶</a></p>
 </div>
-<div id="_45b2ebf8-78f1-e8a8-8f75-8762b818da45">
-<div id="section-6.10.3-5">
-<pre class="sourcecode">r1.example.com. TXT v=spf1 include:spf.mailer1.com ~all
-r2.example.com. TXT v=spf1 include:_spf.newsletter.net ~all
-@ TXT v=spf1 include:r1.example.com include:r2.example.com ~all</pre><a href="#section-6.10.3-5" class="pilcrow">¶</a>
+<div id="_ba8c0d20-f366-c81e-8613-fce5005bd8ac">
+<div class="sourcecode" id="section-9.10.3-5">
+<pre>r1.example.com. TXT v=spf1 include:spf.mailer1.example ~all
+r2.example.com. TXT v=spf1 include:_spf.newsletter.example ~all
+@ TXT v=spf1 include:r1.example.com include:r2.example.com ~all</pre><a href="#section-9.10.3-5" class="pilcrow">¶</a>
 </div>
 </div>
-<div id="_72cd531e-848b-94e0-d7c0-606317cc3f24">
-<p id="section-6.10.3-6">There are advantages and disadvantages to both approaches.  SPF records have a limit of 10 DNS lookups and record length is limited to 255 characters.  So depending on the embedded records both approaches might have advantages.<a href="#section-6.10.3-6" class="pilcrow">¶</a></p>
+<div id="_9960ba23-b1d3-f5a5-021b-136f2fdca440">
+<p id="section-9.10.3-6">There are advantages and disadvantages to both approaches.  SPF records have a limit of 10 DNS lookups and record length is limited to 255 characters.  So depending on the embedded records both approaches might have advantages.<a href="#section-9.10.3-6" class="pilcrow">¶</a></p>
 </div>
-<div id="_e7db4302-8b46-9d58-d9cb-4f913c150a5f">
-<p id="section-6.10.3-7">The implementation would be left to the DNS Provider, but to facilitate this SPF records must NOT be included in templates.  Instead, we introduce a new pseudo-record type in the template called <em>SPFM</em>. This has the following attribute:<a href="#section-6.10.3-7" class="pilcrow">¶</a></p>
+<div id="_3506ab8e-a076-95b6-da7b-ea266e82990d">
+<p id="section-9.10.3-7">The implementation would be left to the DNS Provider, but to facilitate this SPF records must NOT be included in templates.  Instead, we introduce a new pseudo-record type in the template called <em>SPFM</em>. This has the following attribute:<a href="#section-9.10.3-7" class="pilcrow">¶</a></p>
 </div>
-<span class="break"></span><div id="_4a9c21dd-3aa9-1c1a-3608-4de7a88d2513">
-<dl class="dlParallel" id="section-6.10.3-8">
-            <dt id="section-6.10.3-8.1">spfRules</dt>
-            <dd style="margin-left: 1.5em" id="section-6.10.3-8.2">
-              <div id="_38cbb2fe-a211-bbf3-dd1b-b54846b363ad">
-<p id="section-6.10.3-8.2.1">Determines the desired rules, basically everything but leading "v=spf1" and trailing <em>all</em> rule -  see: <span><a href="#template-record" class="xref">SPF Rules</a> (<a href="#template-record" class="xref">Section 5.3</a>)</span><a href="#section-6.10.3-8.2.1" class="pilcrow">¶</a></p>
+<span class="break"></span><div id="_661f62fd-6ae2-ae70-43ed-64bd5b7bc023">
+<dl class="dlParallel" id="section-9.10.3-8">
+            <dt id="section-9.10.3-8.1">spfRules</dt>
+            <dd style="margin-left: 1.5em" id="section-9.10.3-8.2">
+              <div id="_5e12d990-5875-45f0-866e-083e9a0c32e9">
+<p id="section-9.10.3-8.2.1">Determines the desired rules, basically everything but leading "v=spf1" and trailing <em>all</em> rule -  see: <span><a href="#template-record" class="internal xref">SPF Rules</a> (<a href="#template-record" class="auto internal xref">Section 8.3</a>)</span><a href="#section-9.10.3-8.2.1" class="pilcrow">¶</a></p>
 </div>
 </dd>
           <dd class="break"></dd>
 </dl>
 </div>
-<div id="_c6e58c39-c56a-b964-cdc0-aa29f4fa9cb3">
-<p id="section-6.10.3-9">When a template is added or removed with an <em>SPFM</em> record in the template, some code would need to take the aggregate value of all <em>SPFM</em> records in all templates applied as well as existing SPF TXT record on the host and recalculate the resulting SPF TXT record. In case several sources specify the same rule with a different policy DNS Provider SHOULD apply the least restrictive one as a result. <em>soft failure</em> SHOULD be preferred over <em>hard failure</em>, <em>neutral</em> SHOULD be preferred over <em>soft failure</em>.<a href="#section-6.10.3-9" class="pilcrow">¶</a></p>
+<div id="_33d099eb-5bed-c885-fdf0-5e28b14645e7">
+<p id="section-9.10.3-9">When a template is added or removed with an <em>SPFM</em> record in the template, some code would need to take the aggregate value of all <em>SPFM</em> records in all templates applied as well as existing SPF TXT record on the host and recalculate the resulting SPF TXT record. In case several sources specify the same rule with a different policy DNS Provider SHOULD apply the least restrictive one as a result. <em>soft failure</em> SHOULD be preferred over <em>hard failure</em>, <em>neutral</em> SHOULD be preferred over <em>soft failure</em>.<a href="#section-9.10.3-9" class="pilcrow">¶</a></p>
 </div>
-<div id="_a310f8f2-bfb7-592b-19fd-7e45190294b4">
-<p id="section-6.10.3-10">DNS Provider SHOULD also allow the end user to modify the SPF record after merging.<a href="#section-6.10.3-10" class="pilcrow">¶</a></p>
+<div id="_c55eb9cc-49c6-9a24-96df-4dc16f892a00">
+<p id="section-9.10.3-10">DNS Provider SHOULD also allow the end user to modify the SPF record after merging.<a href="#section-9.10.3-10" class="pilcrow">¶</a></p>
 </div>
-<div id="_b59cd3fb-c5c9-697c-b993-dcf57f956677">
-<p id="section-6.10.3-11">Due to merging step in between, the resulting SPF TXT records are considered non-essential (see: <a href="#non-essential-record" class="xref">Section 6.5</a>). That means the user may decide to override the final calculated value or remove the whole SPF record. This action must not lead to removal of any related templates in conflict detection and template integrity routines if implemented by the DNS provider.<a href="#section-6.10.3-11" class="pilcrow">¶</a></p>
+<div id="_cbc1c114-a3e3-b337-c17f-b2ea3e6656a1">
+<p id="section-9.10.3-11">Due to merging step in between, the resulting SPF TXT records are considered non-essential (see: <a href="#non-essential-record" class="auto internal xref">Section 9.5</a>). That means the user may decide to override the final calculated value or remove the whole SPF record. This action must not lead to removal of any related templates in conflict detection and template integrity routines if implemented by the DNS provider.<a href="#section-9.10.3-11" class="pilcrow">¶</a></p>
 </div>
-<div id="_fb881bbf-ca0f-fe76-ac9a-4fa272714744">
-<p id="section-6.10.3-12">If the existing TXT record makes the merging operation not possible, the DNS provider must handle this situation the same way as a conflict and either let the end-user resolve it in the UX (both in Synchronous and Asynchronous flow) or return the conflict as an error in the Asynchronous flow unless the <em>force=true</em> parameter is used, effectively removing the existing record.<a href="#section-6.10.3-12" class="pilcrow">¶</a></p>
+<div id="_ba6a0236-cbe9-04ee-def2-dc36b223aacd">
+<p id="section-9.10.3-12">If the existing TXT record makes the merging operation not possible, the DNS provider must handle this situation the same way as a conflict and either let the end-user resolve it in the UX (both in Synchronous and Asynchronous flow) or return the conflict as an error in the Asynchronous flow unless the <em>force=true</em> parameter is used, effectively removing the existing record.<a href="#section-9.10.3-12" class="pilcrow">¶</a></p>
 </div>
-<div id="_671e2760-75f2-3ded-8707-7e2596eb59ac">
-<p id="section-6.10.3-13">Service providers should avoid exact match checking content of TXT SPF record, as it might be strongly influenced by the DNS Provider merging strategy and user actions.<a href="#section-6.10.3-13" class="pilcrow">¶</a></p>
+<div id="_5eab9d17-d380-2a94-e7c9-bc82693d4b0f">
+<p id="section-9.10.3-13">Service providers should avoid exact match checking content of TXT SPF record, as it might be strongly influenced by the DNS Provider merging strategy and user actions.<a href="#section-9.10.3-13" class="pilcrow">¶</a></p>
 </div>
-<div id="_c6c8205c-16f5-4e1f-b597-6a12fff5d3c2">
-<p id="section-6.10.3-14">See <a href="#example-spf-merge" class="xref">Appendix A.5</a>.<a href="#section-6.10.3-14" class="pilcrow">¶</a></p>
+<div id="_2cc60a00-c540-ed0e-d527-519b2877bfe2">
+<p id="section-9.10.3-14">See <a href="#example-spf-merge" class="auto internal xref">Appendix A.5</a>.<a href="#section-9.10.3-14" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 <div id="_alternatives">
-<section id="section-6.10.4">
+<section id="section-9.10.4">
           <h4 id="name-alternatives">
-<a href="#section-6.10.4" class="section-number selfRef">6.10.4. </a><a href="#name-alternatives" class="section-name selfRef">Alternatives</a>
+<a href="#section-9.10.4" class="section-number selfRef">9.10.4. </a><a href="#name-alternatives" class="section-name selfRef">Alternatives</a>
           </h4>
-<div id="_14f87d3c-7ec3-4f58-3ac9-50f99614495f">
-<p id="section-6.10.4-1">Some DNS Providers may decide not to support the SPFM record. The following alternative solution should allow general interoperability of the templates for those providers: onboard the templates with SPFM record in variable-compatible form using a regular TXT record with content <em>"v=spf1 %spfRules% ~all"</em>, using property <em>essential=OnApply</em> set to avoid removal of the whole template by a conflict.<a href="#section-6.10.4-1" class="pilcrow">¶</a></p>
+<div id="_bebbf8a3-4438-266b-e2af-7b22fcffd35d">
+<p id="section-9.10.4-1">Some DNS Providers may decide not to support the SPFM record. The following alternative solution should allow general interoperability of the templates for those providers: onboard the templates with SPFM record in variable-compatible form using a regular TXT record with content <em>"v=spf1 %spfRules% ~all"</em>, using property <em>essential=OnApply</em> set to avoid removal of the whole template by a conflict.<a href="#section-9.10.4-1" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 </section>
 </div>
 <div id="repository-and-integrity">
-<section id="section-6.11">
+<section id="section-9.11">
         <h3 id="name-public-template-repository">
-<a href="#section-6.11" class="section-number selfRef">6.11. </a><a href="#name-public-template-repository" class="section-name selfRef">Public Template Repository</a>
+<a href="#section-9.11" class="section-number selfRef">9.11. </a><a href="#name-public-template-repository" class="section-name selfRef">Public Template Repository</a>
         </h3>
-<div id="_6ce5fa14-3b48-e1dc-0054-300f416f2ffe">
-<p id="section-6.11-1">The Public Template Repository is an open accessible location where Service Providers
+<div id="_general_information_3">
+<section id="section-9.11.1">
+          <h4 id="name-general-information-3">
+<a href="#section-9.11.1" class="section-number selfRef">9.11.1. </a><a href="#name-general-information-3" class="section-name selfRef">General information</a>
+          </h4>
+<div id="_3471d989-85c1-532a-e088-4d513f6ea7d9">
+<p id="section-9.11.1-1">The Public Template Repository is an open accessible location where Service Providers
 MAY publish their Service Templates in the format specified in this specification.
 DNS Providers MAY support all of the published templates, just a subset or none of them according
-to own onboarding policies (see also: <a href="#onboarding-considerations" class="xref">Section 7.1</a>).<a href="#section-6.11-1" class="pilcrow">¶</a></p>
+to own onboarding policies (see also: <a href="#onboarding-considerations" class="auto internal xref">Section 10.1</a>).<a href="#section-9.11.1-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_63b38b06-90ea-e51a-3de6-76f7ff89ea4d">
-<p id="section-6.11-2">The template format is intended largely for documentation and communication between the DNS Providers and
+<div id="_3a16b2cd-3976-fdd5-454b-1f4d7eafd030">
+<p id="section-9.11.1-2">The template format is intended largely for documentation and communication between the DNS Providers and
 Service Providers, and there are no codified endpoints for creation or modification of these objects.
-Instead, Domain Connect references a template by ID.<a href="#section-6.11-2" class="pilcrow">¶</a></p>
+Instead, Domain Connect references a template by ID.<a href="#section-9.11.1-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_1c834208-2330-6f5a-0b60-50e22488d4ca">
-<p id="section-6.11-3">As such, DNS Providers may or may not use templates in this format in
+<div id="_8e3fd5cc-bd8c-2326-98ed-93437ea49424">
+<p id="section-9.11.1-3">As such, DNS Providers may or may not use templates in this format in
 their internal implementations. By defining a standard template format,
 it is believed it will make it easier for Service Providers to share
-their configuration across DNS Providers.<a href="#section-6.11-3" class="pilcrow">¶</a></p>
+their configuration across DNS Providers.<a href="#section-9.11.1-3" class="pilcrow">¶</a></p>
+</div>
+</section>
 </div>
 <div id="_repository_location">
-<section id="section-6.11.1">
+<section id="section-9.11.2">
           <h4 id="name-repository-location">
-<a href="#section-6.11.1" class="section-number selfRef">6.11.1. </a><a href="#name-repository-location" class="section-name selfRef">Repository Location</a>
+<a href="#section-9.11.2" class="section-number selfRef">9.11.2. </a><a href="#name-repository-location" class="section-name selfRef">Repository Location</a>
           </h4>
-<div id="_2002eea5-c71f-f4bc-24ee-ba4d360ab812">
-<p id="section-6.11.1-1">The  repository of the templates is maintained under
-<span><a href="/Domain-Connect/templates">https://github.com/Domain-Connect/templates</a></span>.<a href="#section-6.11.1-1" class="pilcrow">¶</a></p>
+<div id="_797a15a8-7d51-5da3-b160-15aab9b9470b">
+<p id="section-9.11.2-1">The  repository of the templates is maintained under
+<span><a href="/Domain-Connect/templates">https://github.com/Domain-Connect/templates</a></span>.<a href="#section-9.11.2-1" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 <div id="repository-file-names-requirements">
-<section id="section-6.11.2">
+<section id="section-9.11.3">
           <h4 id="name-file-naming-requirements">
-<a href="#section-6.11.2" class="section-number selfRef">6.11.2. </a><a href="#name-file-naming-requirements" class="section-name selfRef">File naming requirements</a>
+<a href="#section-9.11.3" class="section-number selfRef">9.11.3. </a><a href="#name-file-naming-requirements" class="section-name selfRef">File naming requirements</a>
           </h4>
-<div id="_c1f9d2b8-2a2d-4c5b-3667-54dbf8a64f3e">
-<p id="section-6.11.2-1">The file names in this repository MUST be all lower case, including the providerId
+<div id="_58130f40-0629-27db-a498-ae73b35a4755">
+<p id="section-9.11.3-1">The file names in this repository MUST be all lower case, including the providerId
 and serviceId. As a result, while the providerId and serviceId can be mixed case,
-all providerIds and serviceIds in this repository must be unique when lower case.<a href="#section-6.11.2-1" class="pilcrow">¶</a></p>
+all providerIds and serviceIds in this repository must be unique when lower case.<a href="#section-9.11.3-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_aaa6d745-ee89-5a5a-ac8f-9fbc56370ecc">
-<p id="section-6.11.2-2">Templates MUST be named according the following pattern: <code>providerId.serviceId.json</code><a href="#section-6.11.2-2" class="pilcrow">¶</a></p>
+<div id="_5a2244cb-22f0-cdc0-9254-2d3958b912e9">
+<p id="section-9.11.3-2">Templates MUST be named according the following pattern: <code>providerId.serviceId.json</code><a href="#section-9.11.3-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_38a2e2f6-66a4-94d8-0f03-1ad3d034b802">
-<div id="section-6.11.2-3">
-<pre class="sourcecode">providerId: Acme.com
+<div id="_e83edb14-183a-5754-8be5-bb034f1d588a">
+<div class="sourcecode" id="section-9.11.3-3">
+<pre>providerId: example.com
 serviceId: WebsiteBuilder
 
-Template file name: acme.com.websitebuilder.json</pre><a href="#section-6.11.2-3" class="pilcrow">¶</a>
+Template file name: example.com.websitebuilder.json</pre><a href="#section-9.11.3-3" class="pilcrow">¶</a>
 </div>
 </div>
 </section>
 </div>
 <div id="_template_integrity">
-<section id="section-6.11.3">
+<section id="section-9.11.4">
           <h4 id="name-template-integrity">
-<a href="#section-6.11.3" class="section-number selfRef">6.11.3. </a><a href="#name-template-integrity" class="section-name selfRef">Template Integrity</a>
+<a href="#section-9.11.4" class="section-number selfRef">9.11.4. </a><a href="#name-template-integrity" class="section-name selfRef">Template Integrity</a>
           </h4>
-<div id="_d9ea6b4c-bb83-9075-4720-4b3756dd60d8">
-<p id="section-6.11.3-1">Implementers are responsible for data integrity and should use the
+<div id="_2782bad4-6d89-c628-3e53-303f2b8054d8">
+<p id="section-9.11.4-1">Implementers are responsible for data integrity and should use the
 record type field to validate that variable input meets the criteria for
-each different data type.<a href="#section-6.11.3-1" class="pilcrow">¶</a></p>
+each different data type.<a href="#section-9.11.4-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_027765e8-997c-a96f-b65d-470fb3590847">
-<p id="section-6.11.3-2">Hard-coded host names are the responsibility of the DNS Provider to
+<div id="_a6bc278f-eb31-0c2e-3f2b-5fd4ce274b7a">
+<p id="section-9.11.4-2">Hard-coded host names are the responsibility of the DNS Provider to
 protect. That is, DNS Providers are responsible for ensuring that host
 names do not interfere with known values (such as m. or www. or mail.)
 or internal names that provide critical functionality that is outside
-the scope of this specification.<a href="#section-6.11.3-2" class="pilcrow">¶</a></p>
+the scope of this specification.<a href="#section-9.11.4-2" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
@@ -4696,217 +4817,215 @@ <h4 id="name-template-integrity">
 </section>
 </div>
 <div id="_general_considerations">
-<section id="section-7">
+<section id="section-10">
       <h2 id="name-general-considerations">
-<a href="#section-7" class="section-number selfRef">7. </a><a href="#name-general-considerations" class="section-name selfRef">General considerations</a>
+<a href="#section-10" class="section-number selfRef">10. </a><a href="#name-general-considerations" class="section-name selfRef">General considerations</a>
       </h2>
 <div id="onboarding-considerations">
-<section id="section-7.1">
+<section id="section-10.1">
         <h3 id="name-onboarding">
-<a href="#section-7.1" class="section-number selfRef">7.1. </a><a href="#name-onboarding" class="section-name selfRef">Onboarding</a>
+<a href="#section-10.1" class="section-number selfRef">10.1. </a><a href="#name-onboarding" class="section-name selfRef">Onboarding</a>
         </h3>
-<div id="_033bc590-3f14-e734-8a76-876eaf3e0311">
-<p id="section-7.1-1">This specification is an open standard that describes the protocol, messages and formats
+<div id="_f2e756f0-e3dc-cf99-03f6-a6314222714a">
+<p id="section-10.1-1">This specification is an open standard that describes the protocol, messages and formats
 used to enable Domain Connect between a Service Provider and a DNS
-Provider.<a href="#section-7.1-1" class="pilcrow">¶</a></p>
+Provider.<a href="#section-10.1-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_7c90ef0a-6b41-a019-8ef2-177d60771421">
-<p id="section-7.1-2">Any Service Provider is free to define and publish a template. However, the terms
+<div id="_431409f9-4ca7-98e1-35e8-2a18be6a21b7">
+<p id="section-10.1-2">Any Service Provider is free to define and publish a template. However, the terms
 and conditions for a DNS Provider onboarding a Service Provider
 template is beyond the scope of this document. A DNS Provider can
 be selective in what templates they support, can require a contractual
-relationship, or even charge a fee for onboarding.<a href="#section-7.1-2" class="pilcrow">¶</a></p>
+relationship, or even charge a fee for onboarding.<a href="#section-10.1-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_dfc831ab-edc4-2a26-5293-085b026edf7f">
-<p id="section-7.1-3">One way a Service Provider can be selective in which DNS Providers they accept is to
+<div id="_93aad956-9406-3e07-1540-77bc3963e6ca">
+<p id="section-10.1-3">One way a Service Provider can be selective in which DNS Providers they accept is to
 implement a whitelist of providerIds. A Service Provider who chooses to whitelist must
 use providerId to distinguish between unique DNS Providers. The DNS providerId is typically
-a domain name.<a href="#section-7.1-3" class="pilcrow">¶</a></p>
+a domain name.<a href="#section-10.1-3" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 <div id="_case_sensitivity">
-<section id="section-7.2">
+<section id="section-10.2">
         <h3 id="name-case-sensitivity">
-<a href="#section-7.2" class="section-number selfRef">7.2. </a><a href="#name-case-sensitivity" class="section-name selfRef">Case Sensitivity</a>
+<a href="#section-10.2" class="section-number selfRef">10.2. </a><a href="#name-case-sensitivity" class="section-name selfRef">Case Sensitivity</a>
         </h3>
-<div id="_fab18d86-1620-8b1b-370f-2405a269ae73">
-<p id="section-7.2-1">All values are case sensitive. This includes variable names, values, parameters and objects
-returned.<a href="#section-7.2-1" class="pilcrow">¶</a></p>
+<div id="_16d68f80-3222-9ea9-491c-44413d9b937c">
+<p id="section-10.2-1">All values are case sensitive. This includes variable names, values, parameters and objects
+returned.<a href="#section-10.2-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_93d8ef3e-f653-dcd4-a3a8-788f60848003">
-<p id="section-7.2-2">One exception is the domain/host name. This is because a fully qualified domain name is case insensitive.<a href="#section-7.2-2" class="pilcrow">¶</a></p>
+<div id="_a7162a2d-7a88-28f7-2073-f0ef9413f057">
+<p id="section-10.2-2">One exception is the domain/host name. This is because a fully qualified domain name is case insensitive.<a href="#section-10.2-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_630129fe-8f27-360a-370f-f87ac2b1f8ca">
-<p id="section-7.2-3">The values for providerId/serviceId in the template and passed through URIs in the path or query string are case sensitive. Different rules apply to the file naming in the <span><a href="#repository-file-names-requirements" class="xref">Public Template Repository</a> (<a href="#repository-file-names-requirements" class="xref">Section 6.11.2</a>)</span>.<a href="#section-7.2-3" class="pilcrow">¶</a></p>
+<div id="_b7bcecd8-aa27-9530-b8d2-e0f39174c626">
+<p id="section-10.2-3">The values for providerId/serviceId in the template and passed through URIs in the path or query string are case sensitive. Different rules apply to the file naming in the <span><a href="#repository-file-names-requirements" class="internal xref">Public Template Repository</a> (<a href="#repository-file-names-requirements" class="auto internal xref">Section 9.11.3</a>)</span>.<a href="#section-10.2-3" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 </section>
 </div>
 <div id="_extensionsexclusions">
-<section id="section-8">
+<section id="section-11">
       <h2 id="name-extensions-exclusions">
-<a href="#section-8" class="section-number selfRef">8. </a><a href="#name-extensions-exclusions" class="section-name selfRef">Extensions/Exclusions</a>
+<a href="#section-11" class="section-number selfRef">11. </a><a href="#name-extensions-exclusions" class="section-name selfRef">Extensions/Exclusions</a>
       </h2>
-<div id="_7a50fcde-2627-a832-5ffb-292fdc5bdd94">
-<p id="section-8-1">Additional record types and/or extensions to records in the template can
-be implemented on a per DNS Provider basis. However, care should be
-taken when defining extensions so as to not conflict with other
+<div id="_general_information_4">
+<section id="section-11.1">
+        <h3 id="name-general-information-4">
+<a href="#section-11.1" class="section-number selfRef">11.1. </a><a href="#name-general-information-4" class="section-name selfRef">General information</a>
+        </h3>
+<div id="_aa3a4891-ca58-cdef-8b54-dbcf7af255f7">
+<p id="section-11.1-1">Additional record types and/or extensions to records in the template can be implemented on a per DNS Provider basis. However, care should be taken when defining extensions so as to not conflict with other
 protocols and standards. Certain record names are reserved for use in
-DNS for protocols like DNSSEC (DNSKEY, RRSIG) at the registry level.<a href="#section-8-1" class="pilcrow">¶</a></p>
+DNS for protocols like DNSSEC (DNSKEY, RRSIG) <span>[<a href="#RFC9364" class="cite xref">RFC9364</a>]</span> at the registry level.<a href="#section-11.1-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_0f6fb4cc-43e4-c92c-aae4-65a0d35fb73a">
-<p id="section-8-2">Defining these OPTIONAL extensions in an open manner as part of this
-specification is done to provide consistency. The following are the initial
-OPTIONAL extensions a DNS Provider/Service Provider may support.<a href="#section-8-2" class="pilcrow">¶</a></p>
+<div id="_3e0a08b0-017d-051a-874d-cb2a499aaa8c">
+<p id="section-11.1-2">Defining these OPTIONAL extensions in an open manner as part of this
+specification is done to provide consistency. The following are the initial OPTIONAL extensions a DNS Provider/Service Provider may support.<a href="#section-11.1-2" class="pilcrow">¶</a></p>
+</div>
+</section>
 </div>
 <div id="_apexcname">
-<section id="section-8.1">
+<section id="section-11.2">
         <h3 id="name-apexcname">
-<a href="#section-8.1" class="section-number selfRef">8.1. </a><a href="#name-apexcname" class="section-name selfRef">APEXCNAME</a>
+<a href="#section-11.2" class="section-number selfRef">11.2. </a><a href="#name-apexcname" class="section-name selfRef">APEXCNAME</a>
         </h3>
-<div id="_cb2750f6-8644-262c-3954-f418cc6505f3">
-<p id="section-8.1-1">Some Service Providers desire the behavior of a CNAME record, but in the
+<div id="_4f2fadcf-ff82-4301-405a-fe4df20bace6">
+<p id="section-11.2-1">Some Service Providers desire the behavior of a CNAME record, but in the
 apex record. This would allow for an A Record at the root of the domain
-but dynamically determined at runtime.<a href="#section-8.1-1" class="pilcrow">¶</a></p>
+but dynamically determined at runtime.<a href="#section-11.2-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_9f89592f-d955-0bda-79e5-762c5d30092e">
-<p id="section-8.1-2">The recommended record type for DNS Providers that wish to support this
+<div id="_2fd75b30-482d-be4f-6374-d5657836de0c">
+<p id="section-11.2-2">The recommended record type for DNS Providers that wish to support this
 is an APEXCNAME record. Additional fields included with this record
-would include pointsTo and TTL.<a href="#section-8.1-2" class="pilcrow">¶</a></p>
+would include pointsTo and TTL.<a href="#section-11.2-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_28ce068b-207b-b255-1ba9-ebe0ebe1b20e">
-<p id="section-8.1-3">Defining a standard for such functionality in DNS is beyond the scope of
+<div id="_838f6cf3-301d-8532-840b-79cc6cf4bc11">
+<p id="section-11.2-3">Defining a standard for such functionality in DNS is beyond the scope of
 this specification. But for DNS Providers that support this
 functionality, using the same record type name across DNS Providers
-allows template reuse.<a href="#section-8.1-3" class="pilcrow">¶</a></p>
+allows template reuse.<a href="#section-11.2-3" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 <div id="_redirection">
-<section id="section-8.2">
+<section id="section-11.3">
         <h3 id="name-redirection">
-<a href="#section-8.2" class="section-number selfRef">8.2. </a><a href="#name-redirection" class="section-name selfRef">Redirection</a>
+<a href="#section-11.3" class="section-number selfRef">11.3. </a><a href="#name-redirection" class="section-name selfRef">Redirection</a>
         </h3>
-<div id="_d3903607-20a9-750c-a0ac-ff2c1bfd85f5">
-<p id="section-8.2-1">Some Service Providers desire a redirection service associated with the
+<div id="_ec1d85bd-5681-186b-ee3a-aef524763b95">
+<p id="section-11.3-1">Some Service Providers desire a redirection service associated with the
 A Record. A typical example is a service that requires a redirect of the
 domain (e.g. example.com) to the www variant (www.example.com). The www
-would often contain a CNAME.<a href="#section-8.2-1" class="pilcrow">¶</a></p>
+would often contain a CNAME.<a href="#section-11.3-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_06327d73-4470-9493-a2ea-16ef1f7ff20e">
-<p id="section-8.2-2">Since implementation of a redirection service is typically simple, it is
+<div id="_2633c35b-10d6-1752-abbd-68b9741858ed">
+<p id="section-11.3-2">Since implementation of a redirection service is typically simple, it is
 recommended that service providers implement redirection on their own.
 But for DNS Providers that have a redirection service, supporting simple
-templates with this functionality may be desired.<a href="#section-8.2-2" class="pilcrow">¶</a></p>
+templates with this functionality may be desired.<a href="#section-11.3-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_391fbb99-aba0-4ac7-87fd-c22a69076351">
-<p id="section-8.2-3">While technically not a "record" in DNS, when supporting this OPTIONAL
+<div id="_1c6be30c-9482-8d3d-0852-71099c006810">
+<p id="section-11.3-3">While technically not a "record" in DNS, when supporting this OPTIONAL
 functionality it is recommended that this should be implemented using two new
-record types.<a href="#section-8.2-3" class="pilcrow">¶</a></p>
+record types.<a href="#section-11.3-3" class="pilcrow">¶</a></p>
 </div>
-<div id="_c1be827b-c606-cb56-e631-7f98f114a7c5">
-<p id="section-8.2-4">REDIR301 and REDIR302 would implement 301 and 302 redirects
+<div id="_4a246beb-f57e-9f42-cad9-b6e14529db07">
+<p id="section-11.3-4">REDIR301 and REDIR302 would implement 301 and 302 redirects
 respectively. Associated with this record would be a single field called
-the "target", containing the target url of the redirect.<a href="#section-8.2-4" class="pilcrow">¶</a></p>
+the "target", containing the target url of the redirect.<a href="#section-11.3-4" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 <div id="_nameservers">
-<section id="section-8.3">
+<section id="section-11.4">
         <h3 id="name-nameservers">
-<a href="#section-8.3" class="section-number selfRef">8.3. </a><a href="#name-nameservers" class="section-name selfRef">Nameservers</a>
+<a href="#section-11.4" class="section-number selfRef">11.4. </a><a href="#name-nameservers" class="section-name selfRef">Nameservers</a>
         </h3>
-<div id="_caa32ae7-81ff-f8ce-4d8e-0a5a0d0ccc22">
-<p id="section-8.3-1">Several service providers have asked for functionality supporting an
+<div id="_6d2409e8-02a1-4b0c-2b37-ebfc4f5b5987">
+<p id="section-11.4-1">Several service providers have asked for functionality supporting an
 update to the nameserver records at the registry associated with the
-domain.<a href="#section-8.3-1" class="pilcrow">¶</a></p>
+domain.<a href="#section-11.4-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_3cf9af77-a952-0c79-9c31-5f20d4e698c1">
-<p id="section-8.3-2">When implementing this, two records should be provided. NS1 and NS2,
-each containing a pointsTo argument.<a href="#section-8.3-2" class="pilcrow">¶</a></p>
+<div id="_712820e4-573d-9670-d99b-8b20fec154c5">
+<p id="section-11.4-2">When implementing this, two records should be provided. NS1 and NS2,
+each containing a pointsTo argument.<a href="#section-11.4-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_272f1e5a-ee68-b133-a881-f1c6af8c136d">
-<p id="section-8.3-3">It will be noted that a nameserver update would require that the DNS
-Provider is the registrar. This is not always the case.<a href="#section-8.3-3" class="pilcrow">¶</a></p>
+<div id="_ddbe7577-ee13-fc54-38c1-9703c1e4a8bb">
+<p id="section-11.4-3">It will be noted that a nameserver update would require that the DNS
+Provider is the registrar. This is not always the case.<a href="#section-11.4-3" class="pilcrow">¶</a></p>
 </div>
-<div id="_f7fcd661-f704-557e-e0f7-81c9d8d2072b">
-<p id="section-8.3-4">This functionality is again deemed as OPTIONAL and up to the DNS
-Provider to determine if they will support this.<a href="#section-8.3-4" class="pilcrow">¶</a></p>
+<div id="_ad7f8896-6c66-8364-08be-d75a3616e3f9">
+<p id="section-11.4-4">This functionality is again deemed as OPTIONAL and up to the DNS
+Provider to determine if they will support this.<a href="#section-11.4-4" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 <div id="_ds_dnssec">
-<section id="section-8.4">
+<section id="section-11.5">
         <h3 id="name-ds-dnssec">
-<a href="#section-8.4" class="section-number selfRef">8.4. </a><a href="#name-ds-dnssec" class="section-name selfRef">DS (DNSSEC)</a>
+<a href="#section-11.5" class="section-number selfRef">11.5. </a><a href="#name-ds-dnssec" class="section-name selfRef">DS (DNSSEC)</a>
         </h3>
-<div id="_145af9a4-0b20-13c7-67e8-638d81ec8218">
-<p id="section-8.4-1">Requests have been made to allow for updates to the DS record for
+<div id="_fdcb8dfa-0af7-4564-edac-0e4b2d909666">
+<p id="section-11.5-1">Requests have been made to allow for updates to the DS record for
 DNSSEC. This record is required at the registry to enable DNSSEC, but
-can only be written by the registrar.<a href="#section-8.4-1" class="pilcrow">¶</a></p>
+can only be written by the registrar.<a href="#section-11.5-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_49923603-0d7b-a084-3591-1b3130039a9e">
-<p id="section-8.4-2">For DNS Providers that support this record, the record type should be
-DS. Values will be keyTag, algorithm, digestType, and digest.<a href="#section-8.4-2" class="pilcrow">¶</a></p>
+<div id="_2a9651dd-cbaf-be10-23af-dfc7472c925e">
+<p id="section-11.5-2">For DNS Providers that support this record, the record type should be
+DS. Values will be keyTag, algorithm, digestType, and digest.<a href="#section-11.5-2" class="pilcrow">¶</a></p>
 </div>
-<div id="_edb4f780-3819-38cf-d254-4e1209a015ea">
-<p id="section-8.4-3">Again it should be noted that a DS update would require that the DNS
-Provider is the registrar, and is again deemed as OPTIONAL and up to the
-DNS Provider to determine if they will support.<a href="#section-8.4-3" class="pilcrow">¶</a></p>
+<div id="_c95d6fda-1679-e9ed-57f9-cd8cce4820f9">
+<p id="section-11.5-3">Again it should be noted that a DS update would require that the DNS
+Provider is the registrar, and is again deemed as optional and up to the
+DNS Provider to determine if they will support.<a href="#section-11.5-3" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
 </section>
 </div>
 <div id="_iana_considerations">
-<section id="section-9">
+<section id="section-12">
       <h2 id="name-iana-considerations">
-<a href="#section-9" class="section-number selfRef">9. </a><a href="#name-iana-considerations" class="section-name selfRef">IANA Considerations</a>
-      </h2>
-<div id="_660f7c55-9221-6c5a-2266-f3f904c5d72b">
-<p id="section-9-1">TODO<a href="#section-9-1" class="pilcrow">¶</a></p>
-</div>
-</section>
-</div>
-<div id="_acknowledgments">
-<section id="section-10">
-      <h2 id="name-acknowledgments">
-<a href="#section-10" class="section-number selfRef">10. </a><a href="#name-acknowledgments" class="section-name selfRef">Acknowledgments</a>
+<a href="#section-12" class="section-number selfRef">12. </a><a href="#name-iana-considerations" class="section-name selfRef">IANA Considerations</a>
       </h2>
-<div id="_dea18904-bacd-a59b-e1d8-b75866da34a5">
-<p id="section-10-1">The authors wish to thank the following persons for their feedback and suggestions:<a href="#section-10-1" class="pilcrow">¶</a></p>
+<div id="_2b651246-3b49-7205-7321-79ac38b8f44b">
+<p id="section-12-1">None.<a href="#section-12-1" class="pilcrow">¶</a></p>
 </div>
-<ul class="normal">
-<li class="normal" id="section-10-2.1">Chris Ambler of GoDaddy Inc.<a href="#section-10-2.1" class="pilcrow">¶</a>
-</li>
-        <li class="normal" id="section-10-2.2">Jody Kolker of GoDaddy Inc.<a href="#section-10-2.2" class="pilcrow">¶</a>
-</li>
-      </ul>
 </section>
 </div>
 <div id="_change_history">
-<section id="section-11">
+<section id="section-13">
       <h2 id="name-change-history">
-<a href="#section-11" class="section-number selfRef">11. </a><a href="#name-change-history" class="section-name selfRef">Change History</a>
+<a href="#section-13" class="section-number selfRef">13. </a><a href="#name-change-history" class="section-name selfRef">Change History</a>
       </h2>
 <div id="_change_from_03_to_04">
-<section id="section-11.1">
+<section id="section-13.1">
         <h3 id="name-change-from-03-to-04">
-<a href="#section-11.1" class="section-number selfRef">11.1. </a><a href="#name-change-from-03-to-04" class="section-name selfRef">Change from 03 to 04</a>
-      </h3>
+<a href="#section-13.1" class="section-number selfRef">13.1. </a><a href="#name-change-from-03-to-04" class="section-name selfRef">Change from 03 to 04</a>
+        </h3>
+<div id="_80162c4f-c5a6-1f90-c821-1ffbe0c39554">
+<figure id="figure-5">
+          <div id="_c9c2a2ce-fe49-d844-abd9-fdf4de82b3bf">
+<div class="alignLeft art-ascii-art art-text artwork" id="section-13.1-1.1">
+<pre>Version synchronized with 2.2 version rev. 66 of the public Domain
+Connect specification.</pre>
+</div>
+</div>
+<figcaption><a href="#figure-5" class="selfRef">Figure 5</a></figcaption></figure>
+</div>
 </section>
 </div>
 <div id="_change_from_02_to_03">
-<section id="section-11.2">
+<section id="section-13.2">
         <h3 id="name-change-from-02-to-03">
-<a href="#section-11.2" class="section-number selfRef">11.2. </a><a href="#name-change-from-02-to-03" class="section-name selfRef">Change from 02 to 03</a>
+<a href="#section-13.2" class="section-number selfRef">13.2. </a><a href="#name-change-from-02-to-03" class="section-name selfRef">Change from 02 to 03</a>
         </h3>
-<div id="_299c560a-8aaa-365f-8d10-7d67615fcbf9">
-<figure id="figure-5">
-          <div id="_839b923b-fdc4-08f9-021b-d54291e836b0">
-<div class="alignLeft art-ascii-art art-text artwork" id="section-11.2-1.1">
+<div id="_b69ca960-3da1-c0a3-5b65-fc0842c44e16">
+<figure id="figure-6">
+          <div id="_54614d31-9ff3-6209-be9e-b068baefad03">
+<div class="alignLeft art-ascii-art art-text artwork" id="section-13.2-1.1">
 <pre>Added width/height JSON values returned by DNS Provider Discovery.
 Corrected text of GET method for getting the authorization token.
 Added clarifying text to Group ID description parameter of the apply
@@ -4915,72 +5034,80 @@ <h3 id="name-change-from-02-to-03">
 Implementation Considerations section.</pre>
 </div>
 </div>
-<figcaption><a href="#figure-5" class="selfRef">Figure 5</a></figcaption></figure>
+<figcaption><a href="#figure-6" class="selfRef">Figure 6</a></figcaption></figure>
 </div>
 </section>
 </div>
 <div id="_change_from_01_to_02">
-<section id="section-11.3">
+<section id="section-13.3">
         <h3 id="name-change-from-01-to-02">
-<a href="#section-11.3" class="section-number selfRef">11.3. </a><a href="#name-change-from-01-to-02" class="section-name selfRef">Change from 01 to 02</a>
+<a href="#section-13.3" class="section-number selfRef">13.3. </a><a href="#name-change-from-01-to-02" class="section-name selfRef">Change from 01 to 02</a>
         </h3>
-<div id="_74d5e38c-c4c7-2b78-fa10-165d0a27c75a">
-<figure id="figure-6">
-          <div id="_a205e4e0-54bc-a86b-c0bc-76ba0dc3b2d8">
-<div class="alignLeft art-ascii-art art-text artwork" id="section-11.3-1.1">
+<div id="_7f8bb4ba-7dfa-eb93-e2ba-7516f1da196d">
+<figure id="figure-7">
+          <div id="_822d98a3-8a70-5fe5-891b-92de04cb6732">
+<div class="alignLeft art-ascii-art art-text artwork" id="section-13.3-1.1">
 <pre>Added new GET method for Service Providers to determine if the DNS
 Provider supports a specific template.  Some other minor edits for
 clarification.</pre>
 </div>
 </div>
-<figcaption><a href="#figure-6" class="selfRef">Figure 6</a></figcaption></figure>
+<figcaption><a href="#figure-7" class="selfRef">Figure 7</a></figcaption></figure>
 </div>
 </section>
 </div>
 <div id="_change_from_00_to_01">
-<section id="section-11.4">
+<section id="section-13.4">
         <h3 id="name-change-from-00-to-01">
-<a href="#section-11.4" class="section-number selfRef">11.4. </a><a href="#name-change-from-00-to-01" class="section-name selfRef">Change from 00 to 01</a>
+<a href="#section-13.4" class="section-number selfRef">13.4. </a><a href="#name-change-from-00-to-01" class="section-name selfRef">Change from 00 to 01</a>
         </h3>
-<div id="_1009fb31-e8b4-e430-118a-6c27636e2b4e">
-<figure id="figure-7">
-          <div id="_f5f9efe5-2fbd-861d-0952-8dff24cbc48f">
-<div class="alignLeft art-ascii-art art-text artwork" id="section-11.4-1.1">
+<div id="_ff421bda-a429-301a-e0d2-b86ccb210565">
+<figure id="figure-8">
+          <div id="_569c2bee-c9fb-707e-7ef7-ca8ffbe144ec">
+<div class="alignLeft art-ascii-art art-text artwork" id="section-13.4-1.1">
 <pre>Minor edits and clarifications found during implementation.</pre>
 </div>
 </div>
-<figcaption><a href="#figure-7" class="selfRef">Figure 7</a></figcaption></figure>
+<figcaption><a href="#figure-8" class="selfRef">Figure 8</a></figcaption></figure>
 </div>
 </section>
 </div>
 </section>
 </div>
 <div id="_normative_references">
-<section id="section-12">
+<section id="section-14">
       <h2 id="name-normative-references">
-<a href="#section-12" class="section-number selfRef">12. </a><a href="#name-normative-references" class="section-name selfRef">Normative References</a>
+<a href="#section-14" class="section-number selfRef">14. </a><a href="#name-normative-references" class="section-name selfRef">Normative References</a>
       </h2>
 <dl class="references">
 <dt id="RFC2119">[RFC2119]</dt>
+      <dd>
+<span class="refAuthor">Bradner, S.</span>, <span class="refTitle">"Key words for use in RFCs to Indicate Requirement Levels"</span>, <span class="stream">IETF</span>, <span class="seriesInfo">DOI 10.17487/RFC2119</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 2119</span>, <time datetime="1997-03" class="refDate">March 1997</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc2119">https://www.rfc-editor.org/info/rfc2119</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+<dt id="RFC7208">[RFC7208]</dt>
+      <dd>
+<span class="refAuthor">Kitterman, S.</span>, <span class="refTitle">"Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1"</span>, <span class="stream">IETF</span>, <span class="seriesInfo">DOI 10.17487/RFC7208</span>, <span class="seriesInfo">RFC 7208</span>, <time datetime="2014-04" class="refDate">April 2014</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc7208">https://www.rfc-editor.org/info/rfc7208</a>&gt;</span>. </dd>
+<dd class="break"></dd>
+<dt id="RFC6749">[RFC6749]</dt>
     <dd>
-<span class="refAuthor">Bradner, S.</span>, <span class="refTitle">"Key words for use in RFCs to Indicate Requirement Levels"</span>, <span class="refContent">RFC 2119</span>, <span class="seriesInfo">RFC 2119</span>, <span class="seriesInfo">DOI 10.17487/RFC2119</span>, <time datetime="1997-03" class="refDate">March 1997</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc2119">https://www.rfc-editor.org/info/rfc2119</a>&gt;</span>. </dd>
+<span class="refAuthor">Hardt, D.</span>, <span class="refTitle">"The OAuth 2.0 Authorization Framework"</span>, <span class="stream">IETF</span>, <span class="seriesInfo">DOI 10.17487/RFC6749</span>, <span class="seriesInfo">RFC 6749</span>, <time datetime="2012-10" class="refDate">October 2012</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc6749">https://www.rfc-editor.org/info/rfc6749</a>&gt;</span>. </dd>
 <dd class="break"></dd>
 </dl>
 </section>
 </div>
 <div id="_informative_references">
-<section id="section-13">
+<section id="section-15">
       <h2 id="name-informative-references">
-<a href="#section-13" class="section-number selfRef">13. </a><a href="#name-informative-references" class="section-name selfRef">Informative References</a>
+<a href="#section-15" class="section-number selfRef">15. </a><a href="#name-informative-references" class="section-name selfRef">Informative References</a>
       </h2>
 <dl class="references">
 <dt id="RFC8174">[RFC8174]</dt>
       <dd>
-<span class="refAuthor">Leiba, B.</span>, <span class="refTitle">"Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words"</span>, <span class="refContent">RFC 8174</span>, <span class="seriesInfo">RFC 8174</span>, <span class="seriesInfo">DOI 10.17487/RFC8174</span>, <time datetime="2017-05" class="refDate">May 2017</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8174">https://www.rfc-editor.org/info/rfc8174</a>&gt;</span>. </dd>
+<span class="refAuthor">Leiba, B.</span>, <span class="refTitle">"Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words"</span>, <span class="stream">IETF</span>, <span class="seriesInfo">DOI 10.17487/RFC8174</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 8174</span>, <time datetime="2017-05" class="refDate">May 2017</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8174">https://www.rfc-editor.org/info/rfc8174</a>&gt;</span>. </dd>
 <dd class="break"></dd>
-<dt id="RFC7208">[RFC7208]</dt>
+<dt id="RFC9364">[RFC9364]</dt>
     <dd>
-<span class="refAuthor">Kitterman, S.</span>, <span class="refTitle">"Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1"</span>, <span class="refContent">RFC 7208</span>, <span class="seriesInfo">RFC 7208</span>, <span class="seriesInfo">DOI 10.17487/RFC7208</span>, <time datetime="2014-04" class="refDate">April 2014</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc7208">https://www.rfc-editor.org/info/rfc7208</a>&gt;</span>. </dd>
+<span class="refAuthor">Hoffman, P.</span>, <span class="refTitle">"DNS Security Extensions (DNSSEC)"</span>, <span class="stream">IETF</span>, <span class="seriesInfo">DOI 10.17487/RFC9364</span>, <span class="seriesInfo">BCP 237</span>, <span class="seriesInfo">RFC 9364</span>, <time datetime="2023-02" class="refDate">February 2023</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc9364">https://www.rfc-editor.org/info/rfc9364</a>&gt;</span>. </dd>
 <dd class="break"></dd>
 </dl>
 </section>
@@ -4995,45 +5122,44 @@ <h2 id="name-examples">
         <h3 id="name-example-template">
 <a href="#appendix-A.1" class="section-number selfRef">A.1. </a><a href="#name-example-template" class="section-name selfRef">Example Template</a>
         </h3>
-<div id="_e47f0d5f-e73b-95f3-d429-823df81ed444">
-<div id="appendix-A.1-1">
-<pre class="lang-json sourcecode">{
+<div id="_191efd0a-04f8-5a98-70dc-445d2282408d">
+<div class="lang-json sourcecode" id="appendix-A.1-1">
+<pre>{
     "providerId": "example.com",
     "providerName": "Example Web Hosting",
     "serviceId": "hosting",
     "serviceName": "Wordpress by example.com",
     "version": 1,
     "logoUrl": "https://www.example.com/images/billthecat.jpg",
-    "description": "This connects your domain to our super cool web hosting",
-    "launchURL" : "https://www.example.com/connectlaunch",
+    "description": "This connects your domain to our web hosting",
     "records": [
         {
-            "groupId" : "service",
             "type": "A",
+            "groupId": "service",
             "host": "www",
             "pointsTo": "%var1%",
-            "ttl": "%var2%"
+            "ttl": 600
         },
         {
-            "groupId" : "service",
             "type": "A",
+            "groupId": "service",
             "host": "m",
-            "pointsTo": "%var3%",
-            "ttl": "%var2%"
+            "pointsTo": "%var2%",
+            "ttl": 600
         },
         {
-            "groupId" : "service",
             "type": "CNAME",
+            "groupId": "service",
             "host": "webmail",
-            "pointsTo": "%var4%",
-            "ttl": "%var2%"
+            "pointsTo": "%var3%",
+            "ttl": 600
         },
         {
-            "groupId" : "verification",
             "type": "TXT",
+            "groupId": "verification",
             "host": "example",
-            "data": "%var5%",
-            "ttl": "%var2%"
+            "ttl": 600,
+            "data": "%var4%"
         }
     ]
 }</pre><a href="#appendix-A.1-1" class="pilcrow">¶</a>
@@ -5051,20 +5177,20 @@ <h3 id="name-example-records-single-stat">
 section of the template would have a single record of type "A" and could
 have a value of:<a href="#appendix-A.2-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_a6fe5e30-e8b9-065d-7a9e-f747a1410339">
-<div id="appendix-A.2-2">
-<pre class="lang-json sourcecode">[{
+<div id="_6fa9ba4b-1c57-ff27-0412-876c38b9cffd">
+<div class="lang-json sourcecode" id="appendix-A.2-2">
+<pre>[{
     "type": "A",
     "host": "www",
-    "pointsTo": "192.168.1.1",
+    "pointsTo": "192.0.2.1",
     "ttl": 600
 }]</pre><a href="#appendix-A.2-2" class="pilcrow">¶</a>
 </div>
 </div>
-<div id="_f0f0d155-5957-5fd4-6563-b3dc2c6e5e52">
+<div id="_5f2c547d-f995-20aa-907d-34869d1e0a28">
 <p id="appendix-A.2-3">This would have no variable substitution and the application of this
 template to a domain would simply set the host name "www" to the IP
-address "192.168.1.1"<a href="#appendix-A.2-3" class="pilcrow">¶</a></p>
+address "192.0.2.1"<a href="#appendix-A.2-3" class="pilcrow">¶</a></p>
 </div>
 </section>
 </div>
@@ -5078,12 +5204,12 @@ <h3 id="name-example-records-single-vari">
 variable, the template would have a single record of type "A" and could
 have a value of:<a href="#appendix-A.3-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_6901e1bc-764d-3645-407c-8f70276131a2">
-<div id="appendix-A.3-2">
-<pre class="lang-json sourcecode">[{
+<div id="_0eea237d-9d4f-1046-5fe9-7261f1eecde3">
+<div class="lang-json sourcecode" id="appendix-A.3-2">
+<pre>[{
     "type": "A",
     "host": "@",
-    "pointsTo": "192.168.1.%srv%",
+    "pointsTo": "198.51.100.%srv%",
     "ttl": 600
 }]</pre><a href="#appendix-A.3-2" class="pilcrow">¶</a>
 </div>
@@ -5092,13 +5218,13 @@ <h3 id="name-example-records-single-vari">
 <p id="appendix-A.3-3">A query string with a key/value pair of<a href="#appendix-A.3-3" class="pilcrow">¶</a></p>
 </div>
 <div id="_5c9436cf-d5bc-cc04-cef6-0eb9a852c3bd">
-<div id="appendix-A.3-4">
-<pre class="sourcecode">srv=2</pre><a href="#appendix-A.3-4" class="pilcrow">¶</a>
+<div class="sourcecode" id="appendix-A.3-4">
+<pre>srv=2</pre><a href="#appendix-A.3-4" class="pilcrow">¶</a>
 </div>
 </div>
-<div id="_90ccea0d-8bf8-ed04-acc6-2735aac1c0ee">
+<div id="_29e1c9b0-f7be-4e51-9cf0-afd8cee7b848">
 <p id="appendix-A.3-5">would cause the application of this template to a domain to set the host
-name for the apex A record to the IP address "192.168.1.2" with a TTL of
+name for the apex A record to the IP address "198.51.100.2" with a TTL of
 600<a href="#appendix-A.3-5" class="pilcrow">¶</a></p>
 </div>
 </section>
@@ -5111,46 +5237,46 @@ <h3 id="name-example-dns-zone-merging">
 <div id="_16909f0e-07c0-0093-5e8f-2ecf3ef3ce98">
 <p id="appendix-A.4-1">Consider a DNS Zone before a template application:<a href="#appendix-A.4-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_beb25201-df1e-4e41-7caf-68a46027b0e5">
-<div id="appendix-A.4-2">
-<pre class="sourcecode">$ORIGIN test-domain.com.
+<div id="_02b83fbe-ae18-edde-a30e-ea851ea9e03d">
+<div class="sourcecode" id="appendix-A.4-2">
+<pre>$ORIGIN example.com.
 
-@ 3600 IN SOA ns11.acme.net. support.acme.net. 2017050817 7200 1800
-1209600 3600
-@ 3600 IN NS ns11.acme.net.
-@ 3600 IN NS ns12.acme.net.
-@ 3600 IN A 1.1.1.1
-@ 3600 IN A 1.1.1.2
+@ 3600 IN SOA ns11.example.net. support.example.net. 2017050817 7200
+1800 1209600 3600
+@ 3600 IN NS ns11.example.net.
+@ 3600 IN NS ns12.example.net.
+@ 3600 IN A 192.0.2.1
+@ 3600 IN A 192.0.2.2
 @ 3600 IN AAAA 2001:db8:1234:0000:0000:0000:0000:0000
 @ 3600 IN AAAA 2001:db8:1234:0000:0000:0000:0000:0001
-@ 3600 IN MX 10 mx1.acme.net.
-@ 3600 IN MX 10 mx2.acme.net.
-@ 3600 IN TXT "v=spf1 a include:spf.acme.com ~all"
-www 3600 IN CNAME other.host.com.</pre><a href="#appendix-A.4-2" class="pilcrow">¶</a>
+@ 3600 IN MX 10 mx1.example.net.
+@ 3600 IN MX 10 mx2.example.net.
+@ 3600 IN TXT "v=spf1 a include:spf.example.org ~all"
+www 3600 IN CNAME other.host.example.</pre><a href="#appendix-A.4-2" class="pilcrow">¶</a>
 </div>
 </div>
 <div id="_cad92c59-6d08-4dfa-6fa7-5a9399613ea0">
 <p id="appendix-A.4-3">Now application of the following template:<a href="#appendix-A.4-3" class="pilcrow">¶</a></p>
 </div>
-<div id="_4c5ef042-58a0-fb37-e81e-faee1ad6c254">
-<div id="appendix-A.4-4">
-<pre class="lang-json sourcecode">[
+<div id="_e7d19a01-5433-6740-c4c3-80723a7278dc">
+<div class="lang-json sourcecode" id="appendix-A.4-4">
+<pre>[
     {
         "type":"A",
         "host":"@",
-        "pointsTo":"2.2.2.2",
+        "pointsTo":"203.0.113.2",
         "ttl":"1800"
     },
     {
         "type":"A",
         "host":"www",
-        "pointsTo":"2.2.2.2",
+        "pointsTo":"203.0.113.2",
         "ttl":"1800"
     },
     {
         "type":"SPFM",
         "host":"@",
-        "spfRules":"a include:spf.hoster.com"
+        "spfRules":"a include:spf.hoster.example"
     }
 ]</pre><a href="#appendix-A.4-4" class="pilcrow">¶</a>
 </div>
@@ -5158,19 +5284,20 @@ <h3 id="name-example-dns-zone-merging">
 <div id="_55c22736-a700-2e20-1595-78d174817ada">
 <p id="appendix-A.4-5">The following DNS Zone should be generated after the template is applied:<a href="#appendix-A.4-5" class="pilcrow">¶</a></p>
 </div>
-<div id="_299e8f02-e9d1-b144-d18a-91556694d7db">
-<div id="appendix-A.4-6">
-<pre class="sourcecode">$ORIGIN test-domain.com.
+<div id="_dc14f371-3b66-6184-7704-7f35483bc1bc">
+<div class="sourcecode" id="appendix-A.4-6">
+<pre>$ORIGIN example.com.
 
-@ 3600 IN SOA ns11.acme.net. support.acme.net. 2017050920 7200 1800
-1209600 3600
-@ 3600 IN NS ns11.acme.net.
-@ 3600 IN NS ns12.acme.net.
-@ 1800 IN A 2.2.2.2
-@ 3600 IN MX 10 mx1.acme.net.
-@ 3600 IN MX 10 mx2.acme.net.
-@ 1800 IN TXT "v=spf1 a include:spf.acme.com include:spf.hoster.com ~all"
-www 1800 IN A 2.2.2.2</pre><a href="#appendix-A.4-6" class="pilcrow">¶</a>
+@ 3600 IN SOA ns11.example.net. support.example.net. 2017050920 7200
+1800 1209600 3600
+@ 3600 IN NS ns11.example.net.
+@ 3600 IN NS ns12.example.net.
+@ 1800 IN A 203.0.113.2
+@ 3600 IN MX 10 mx1.example.net.
+@ 3600 IN MX 10 mx2.example.net.
+@ 1800 IN TXT "v=spf1 a include:spf.example.org include:spf.hoster.ex
+ample ~all"
+www 1800 IN A 203.0.113.2</pre><a href="#appendix-A.4-6" class="pilcrow">¶</a>
 </div>
 </div>
 </section>
@@ -5183,40 +5310,40 @@ <h3 id="name-example-spf-record-merging">
 <div id="_e0f231cb-09e8-836a-a74a-fd4b38ebf842">
 <p id="appendix-A.5-1">Consider a DNS Zone before a template application:<a href="#appendix-A.5-1" class="pilcrow">¶</a></p>
 </div>
-<div id="_37873257-5980-40a1-ee2a-514af103ea59">
-<div id="appendix-A.5-2">
-<pre class="sourcecode">$ORIGIN test-domain.com.
+<div id="_e34097a4-54e6-428a-66f0-9562d8d96aeb">
+<div class="sourcecode" id="appendix-A.5-2">
+<pre>$ORIGIN example.com.
 
-@ 3600 IN SOA ns11.acme.net. support.acme.net. 2017050817 7200 1800
-1209600 3600
-@ 3600 IN NS ns11.acme.net.
-@ 3600 IN NS ns12.acme.net.</pre><a href="#appendix-A.5-2" class="pilcrow">¶</a>
+@ 3600 IN SOA ns11.example.net. support.example.net. 2017050817 7200
+1800 1209600 3600
+@ 3600 IN NS ns11.example.net.
+@ 3600 IN NS ns12.example.net.</pre><a href="#appendix-A.5-2" class="pilcrow">¶</a>
 </div>
 </div>
 <div id="_34470460-8d9d-ddbb-2bfa-e2f2d1b8c1a1">
 <p id="appendix-A.5-3">Now application of the following template of Mail service:<a href="#appendix-A.5-3" class="pilcrow">¶</a></p>
 </div>
-<div id="_37816afc-f2fc-e10a-e3eb-3e4f159417c7">
-<div id="appendix-A.5-4">
-<pre class="lang-json sourcecode">[
+<div id="_28f54cd7-2847-33cf-f9f1-12b3f3b5c074">
+<div class="lang-json sourcecode" id="appendix-A.5-4">
+<pre>[
     {
         "type":"MX",
         "host":"@",
         "priority": "10",
-        "pointsTo":"mx1.acme.net",
+        "pointsTo":"mx1.example.net",
         "ttl":"1800"
     },
     {
         "type":"MX",
         "host":"www",
         "priority": "10",
-        "pointsTo":"mx2.acme.net",
+        "pointsTo":"mx2.example.net",
         "ttl":"1800"
     },
     {
         "type":"SPFM",
         "host":"@",
-        "spfRules":"a include:spf.acme.net"
+        "spfRules":"a include:spf.example.net"
     }
 ]</pre><a href="#appendix-A.5-4" class="pilcrow">¶</a>
 </div>
@@ -5224,30 +5351,30 @@ <h3 id="name-example-spf-record-merging">
 <div id="_3bf72938-d50a-22fb-99db-59ee714bffed">
 <p id="appendix-A.5-5">Expected result in the DNS Zone<a href="#appendix-A.5-5" class="pilcrow">¶</a></p>
 </div>
-<div id="_2a3344fd-1310-db28-3bf6-827b26eda390">
-<div id="appendix-A.5-6">
-<pre class="sourcecode">$ORIGIN test-domain.com.
+<div id="_33be2a21-f419-0c1d-750d-698b0e7376fc">
+<div class="sourcecode" id="appendix-A.5-6">
+<pre>$ORIGIN example.com.
 
-@ 3600 IN SOA ns11.acme.net. support.acme.net. 2017050817 7200 1800
-1209600 3600
-@ 3600 IN NS ns11.acme.net.
-@ 3600 IN NS ns12.acme.net.
-@ 3600 IN MX 10 mx1.acme.net.
-@ 3600 IN MX 10 mx2.acme.net.
-@ 3600 IN TXT "v=spf1 a include:spf.acme.net ~all"</pre><a href="#appendix-A.5-6" class="pilcrow">¶</a>
+@ 3600 IN SOA ns11.example.net. support.example.net. 2017050817 7200
+1800 1209600 3600
+@ 3600 IN NS ns11.example.net.
+@ 3600 IN NS ns12.example.net.
+@ 3600 IN MX 10 mx1.example.net.
+@ 3600 IN MX 10 mx2.example.net.
+@ 3600 IN TXT "v=spf1 a include:spf.example.net ~all"</pre><a href="#appendix-A.5-6" class="pilcrow">¶</a>
 </div>
 </div>
 <div id="_e4ae8869-9344-0bdd-f332-aa0483a5cba6">
 <p id="appendix-A.5-7">In the next step application of the following template of Newsletter
 service:<a href="#appendix-A.5-7" class="pilcrow">¶</a></p>
 </div>
-<div id="_2bec7e7f-c6a8-6625-1ac4-fd6da710cd3d">
-<div id="appendix-A.5-8">
-<pre class="lang-json sourcecode">[
+<div id="_354eee43-7aa7-f570-d41c-1cd1c2262d64">
+<div class="lang-json sourcecode" id="appendix-A.5-8">
+<pre>[
     {
         "type":"SPFM",
         "host":"@",
-        "spfRules":"include:_spf.newsletter.com"
+        "spfRules":"include:_spf.newsletter.example"
     }
 ]</pre><a href="#appendix-A.5-8" class="pilcrow">¶</a>
 </div>
@@ -5255,17 +5382,19 @@ <h3 id="name-example-spf-record-merging">
 <div id="_965ac019-171f-ae69-f909-7b7d62ed8277">
 <p id="appendix-A.5-9">Expected result in the DNS Zone<a href="#appendix-A.5-9" class="pilcrow">¶</a></p>
 </div>
-<div id="_359e1520-3e51-2295-a504-395d3252083d">
-<div id="appendix-A.5-10">
-<pre class="sourcecode">$ORIGIN test-domain.com.
+<div id="_9f87bd04-c14d-69d0-f7a9-93111ef714a1">
+<div class="sourcecode" id="appendix-A.5-10">
+<pre>$ORIGIN example.com.
 
-@ 3600 IN SOA ns11.acme.net. support.acme.net. 2017050817 7200 1800
-1209600 3600
-@ 3600 IN NS ns11.acme.net.
-@ 3600 IN NS ns12.acme.net.
-@ 3600 IN MX 10 mx1.acme.net.
-@ 3600 IN MX 10 mx2.acme.net.
-@ 3600 IN TXT "v=spf1 a include:spf.acme.net include:_spf.newsletter.com ~all"</pre><a href="#appendix-A.5-10" class="pilcrow">¶</a>
+@ 3600 IN SOA ns11.example.net. support.example.net. 2017050817 7200
+1800 1209600 3600
+@ 3600 IN NS ns11.example.net.
+@ 3600 IN NS ns12.example.net.
+@ 3600 IN MX 10 mx1.example.net.
+@ 3600 IN MX 10 mx2.example.net.
+@ 3600 IN TXT "v=spf1 a include:spf.example.net include:_spf.newslett
+er.
+example ~all"</pre><a href="#appendix-A.5-10" class="pilcrow">¶</a>
 </div>
 </div>
 </section>
@@ -5278,19 +5407,18 @@ <h2 id="name-authors-addresses">
 <a href="#name-authors-addresses" class="section-name selfRef">Authors' Addresses</a>
       </h2>
 <address class="vcard">
-        <div dir="auto" class="left"><span class="fn nameRole">R Carney</span></div>
-<div dir="auto" class="left"><span class="org">GoDaddy Inc.</span></div>
-<div dir="auto" class="left"><span class="street-address">14455 N. Hayden Rd. #219</span></div>
-<div dir="auto" class="left">
-<span class="locality">Scottsdale</span>,  </div>
-<div dir="auto" class="left"><span class="country-name">United States of America</span></div>
+        <div dir="auto" class="left"><span class="fn nameRole">P Kowalik</span></div>
+<div dir="auto" class="left"><span class="org">DENIC eG</span></div>
+<div dir="auto" class="left"><span class="street-address">Theodor-Stern-Kai 1</span></div>
+<div dir="auto" class="left"><span class="locality">Frankfurt am Main</span></div>
+<div dir="auto" class="left"><span class="country-name">Germany</span></div>
 <div class="email">
 <span>Email:</span>
-<a href="mailto:rcarney@godaddy.com" class="email">rcarney@godaddy.com</a>
+<a href="mailto:pawel.kowalik@denic.de" class="email">pawel.kowalik@denic.de</a>
 </div>
 <div class="url">
 <span>URI:</span>
-<a href="http://www.godaddy.com" class="url">http://www.godaddy.com</a>
+<a href="https://denic.de" class="url">https://denic.de</a>
 </div>
 </address>
 <address class="vcard">
@@ -5301,18 +5429,35 @@ <h2 id="name-authors-addresses">
 </div>
 </address>
 <address class="vcard">
-        <div dir="auto" class="left"><span class="fn nameRole">P Kowalik</span></div>
-<div dir="auto" class="left"><span class="org">IONOS SE</span></div>
-<div dir="auto" class="left"><span class="street-address">Elgendorfer Str. 57</span></div>
-<div dir="auto" class="left"><span class="locality">Montabaur</span></div>
-<div dir="auto" class="left"><span class="country-name">Germany</span></div>
+        <div dir="auto" class="left"><span class="fn nameRole">J Kolker</span></div>
+<div dir="auto" class="left"><span class="org">GoDaddy Inc.</span></div>
+<div dir="auto" class="left"><span class="street-address">14455 N. Hayden Rd. #219</span></div>
+<div dir="auto" class="left">
+<span class="locality">Scottsdale</span>,  </div>
+<div dir="auto" class="left"><span class="country-name">United States of America</span></div>
+<div class="email">
+<span>Email:</span>
+<a href="mailto:jkolker@godaddy.com" class="email">jkolker@godaddy.com</a>
+</div>
+<div class="url">
+<span>URI:</span>
+<a href="https://www.godaddy.com" class="url">https://www.godaddy.com</a>
+</div>
+</address>
+<address class="vcard">
+        <div dir="auto" class="left"><span class="fn nameRole">S Kerola</span></div>
+<div dir="auto" class="left"><span class="org">Cloudflare, Inc.</span></div>
+<div dir="auto" class="left"><span class="street-address">101 Townsend St</span></div>
+<div dir="auto" class="left">
+<span class="locality">San Francisco</span>,  </div>
+<div dir="auto" class="left"><span class="country-name">United States of America</span></div>
 <div class="email">
 <span>Email:</span>
-<a href="mailto:pawel.kowalik@ionos.com" class="email">pawel.kowalik@ionos.com</a>
+<a href="mailto:kerolasa@cloudflare.com" class="email">kerolasa@cloudflare.com</a>
 </div>
 <div class="url">
 <span>URI:</span>
-<a href="https://ionos.com" class="url">https://ionos.com</a>
+<a href="https://cloudflare.com" class="url">https://cloudflare.com</a>
 </div>
 </address>
 </section>
diff --git a/draft-domain-connect-04.rfc.xml b/draft-kowalik-regext-domainconnect-00.rfc.xml
similarity index 64%
rename from draft-domain-connect-04.rfc.xml
rename to draft-kowalik-regext-domainconnect-00.rfc.xml
index 960fe14..9546b32 100644
--- a/draft-domain-connect-04.rfc.xml
+++ b/draft-kowalik-regext-domainconnect-00.rfc.xml
@@ -1,4 +1,4 @@
-<?xml version="1.0"?>
+<?xml version="1.0" encoding="UTF-8"?>
 <?rfc notedraftinprogress=""?>
 <?rfc rfcedstyle=""?>
 <?rfc strict="yes"?>
@@ -8,50 +8,69 @@
 <?rfc tocdepth="4"?>
 <?rfc symrefs="yes"?>
 <?rfc sortrefs="yes"?>
-<rfc xmlns:xi="http://www.w3.org/2001/XInclude" docName="draft-carney-regext-domainconnect-04" category="info" ipr="trust200902" submissionType="independent" xml:lang="en" version="3" >
+<rfc xmlns:xi="http://www.w3.org/2001/XInclude" docName="draft-kowalik-regext-domainconnect-00" category="std" ipr="trust200902" submissionType="IETF" xml:lang="en" version="3" >
   <front>
-    <title abbrev="Domain Connect">Domain Connect API - Communications between DNS Provider and Services</title>
-    <seriesInfo value="draft-carney-regext-domainconnect-04" status="Informational" stream="independent" name="Internet-Draft" asciiName="Internet-Draft"></seriesInfo>
-    <seriesInfo name="" value="" status="info"></seriesInfo>
-    <author initials="R" surname="Carney">
-      <organization>GoDaddy Inc.</organization>
+    <title abbrev="Domain Connect">Domain Connect Protocol - DNS provisioning between Services and DNS Providers</title>
+    <seriesInfo value="draft-kowalik-regext-domainconnect-00" status="Informational" stream="IETF" name="Internet-Draft" asciiName="Internet-Draft"></seriesInfo>
+    <seriesInfo name="" value="" status="standard"></seriesInfo>
+    <author initials="P" surname="Kowalik">
+      <organization>DENIC eG</organization>
       <address>
         <postal>
-          <street ascii="14455 N. Hayden Rd. #219">14455 N. Hayden Rd. #219</street>
-          <city ascii="Scottsdale">Scottsdale</city>
-          <country ascii="US">US</country>
+          <street ascii="Theodor-Stern-Kai 1">Theodor-Stern-Kai 1</street>
+          <city ascii="Frankfurt am Main">Frankfurt am Main</city>
+          <country ascii="DE">DE</country>
         </postal>
-        <email>rcarney@godaddy.com</email>
-        <uri>http://www.godaddy.com</uri>
+        <email>pawel.kowalik@denic.de</email>
+        <uri>https://denic.de</uri>
       </address>
     </author>
     <author initials="A" surname="Blinn">
       <address>
         <postal></postal>
         <email>arnold@arnoldblinn.com</email>
-        <uri></uri>
       </address>
     </author>
-    <author initials="P" surname="Kowalik">
-      <organization>IONOS SE</organization>
+    <author initials="J" surname="Kolker">
+      <organization>GoDaddy Inc.</organization>
       <address>
         <postal>
-          <street ascii="Elgendorfer Str. 57">Elgendorfer Str. 57</street>
-          <city ascii="Montabaur">Montabaur</city>
-          <country ascii="Germany">Germany</country>
+          <street ascii="14455 N. Hayden Rd. #219">14455 N. Hayden Rd. #219</street>
+          <city ascii="Scottsdale">Scottsdale</city>
+          <country ascii="US">US</country>
         </postal>
-        <email>pawel.kowalik@ionos.com</email>
-        <uri>https://ionos.com</uri>
+        <email>jkolker@godaddy.com</email>
+        <uri>https://www.godaddy.com</uri>
+      </address>
+    </author>
+    <author initials="S" surname="Kerola">
+      <organization>Cloudflare, Inc.</organization>
+      <address>
+        <postal>
+          <street ascii="101 Townsend St">101 Townsend St</street>
+          <city ascii="San Francisco">San Francisco</city>
+          <country ascii="US">US</country>
+        </postal>
+        <email>kerolasa@cloudflare.com</email>
+        <uri>https://cloudflare.com</uri>
       </address>
     </author>
     <area>Applications and Real-Time</area>
     <workgroup>Registration Protocols Extensions</workgroup>
-    <abstract anchor="_9e8f541d-a989-f79b-0a6d-541cd0d1d0fa">
+    <abstract anchor="_bbb6f541-c0a4-2b23-a3c5-544269e5d60c">
 
-<t anchor="_3850d256-350d-bfb1-cb32-0d8dc21c4a5a">This document provides information related to the Domain Connect API that was built to support communications between DNS Providers and Service Providers (hosting, social, email, hardware, etc.).</t>
+<t anchor="_49f78dd5-d0bd-d917-fcec-743e02b7db3b">This document provides specification of the Domain Connect Protocol that was built to support DNS configuration provisioning between Service Providers (hosting, social, email, hardware, etc.) and DNS Providers.</t>
 </abstract>
   </front>
   <middle>
+    <section anchor="_acknowledgments"><name>Acknowledgements</name>
+
+<t anchor="_ce81cefb-fba9-f9e7-bc76-5b5ed343d11b">The authors wish to thank the following persons for their feedback and suggestions as well as for the previous work on the standard:</t>
+
+<ul anchor="_f3073ce6-8d15-3c65-709a-3a55211f8e0f"><li>Roger Carney of GoDaddy Inc.</li>
+<li>Chris Ambler of GoDaddy Inc.</li>
+</ul>
+</section>
     <section anchor="_introduction"><name>Introduction</name>
 
 <t anchor="_fee13f8f-5eac-227c-11a9-e079a6fccf70">Configuring a service at a Service Provider to work with a domain has historically been a complex task that is difficult for users.</t>
@@ -68,103 +87,92 @@
 standard authentication protocols. The creation and modification of DNS
 settings will be done through the application of templates instead of
 direct manipulation of individual DNS records.</t>
+</section>
+    <section anchor="_terminology" toc="exclude"><name>Terminology</name>
 
-<section anchor="_terminology" toc="exclude"><name>Terminology</name>
-
-<t anchor="_582ca32c-029f-c0c9-4ed5-94d8e2bdcae7">The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<strong>NOT RECOMMENDED</strong>", "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described in BCP 14 <relref target="RFC2119" section="" relative=""></relref> <relref target="RFC8174" section="" relative=""></relref> when, and only when, they appear in all capitals, as shown here.</t>
+<t anchor="_a400db07-6001-fa2c-7dfd-b9de825a052d">The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described in BCP 14 <xref target="RFC2119" section="" relative=""></xref> <xref target="RFC8174" section="" relative=""></xref> when, and only when, they appear in all capitals, as shown here.</t>
 
-<dl anchor="_514fcafd-13b5-7ea7-a46a-b0aa358b294a"><dt>Service Providers</dt><dd><t anchor="_68360823-ae9c-1563-2973-ea9b566f22ca">refers to entities that provide products and
+<dl anchor="_a16328ee-e209-9cb0-806f-5a3acf08f689"><dt>Service Providers</dt><dd><t anchor="_6e12534d-8f8c-b1a1-48b0-6ba5ae409f2f">refers to entities that provide products and
 services attached to domain names. Examples include web hosting
 providers (such as Wix or SquareSpace), email Service Providers (such as
 Microsoft or Google) and potentially even hardware manufacturers with
 DNS-enabled devices like home routers or automation controls (such as
 Linksys, Nest, and Philips).</t>
-</dd><dt>DNS Providers</dt><dd><t anchor="_63d2a4ae-b8a4-9504-b7bf-b30023ba42c1">refers to entities that provide DNS services such as
+</dd><dt>DNS Providers</dt><dd><t anchor="_d034bf44-f752-767b-fa1e-89af8d3a30d9">refers to entities that provide DNS services such as
 registrars (such as GoDaddy or 1and1) or standalone DNS services (like
-CloudFlare).</t>
-</dd><dt>Registrar</dt><dd><t anchor="_16f48eeb-e908-666b-0095-f32de235d056">refers to entities that register domain names with registries.
+Cloudflare).</t>
+</dd><dt>Registrar</dt><dd><t anchor="_c49d07ef-1869-cabe-9a51-387e672697f9">refers to entities that register domain names with registries.
 It is noted that the DNS Provider and Registrar can be different entities for a
 given domain name and DNS Zone.</t>
-</dd><dt>Customer/User</dt><dd><t anchor="_f723ba01-964b-fb18-2604-3f02600ab55c">refers to the end-user of these services.</t>
-</dd><dt>Templates/Service Templates</dt><dd><t anchor="_63528c62-e25f-98e6-9f77-ad539bf7113f">refers to a file that describes a set of
+</dd><dt>Customer/User</dt><dd><t anchor="_819355a2-a019-d415-2c5b-290ec34822dd">refers to the end-user of these services.</t>
+</dd><dt>Templates/Service Templates</dt><dd><t anchor="_7b3aef15-117b-1024-6d19-a72f03727ddf">refers to a file that describes a set of
 changes to DNS and domain functionality to enable a specific service.</t>
-</dd><dt>Public Template Repository</dt><dd><t anchor="_9889de01-0ecc-bd22-b20c-55ccfb1004f2">refers to a public repository of Templates
+</dd><dt>Public Template Repository</dt><dd><t anchor="_eab5123d-6af0-edc9-043d-3e7b2f455ed7">refers to a public repository of Templates
 in a standarised format (read more: <xref target="repository-and-integrity"></xref>).</t>
-</dd><dt>Root Domain</dt><dd><t anchor="_5bc1d19a-d421-c968-1c14-047fde0a049d">refers to a registered domain (e.g. example.com or
+</dd><dt>Root Domain</dt><dd><t anchor="_3aef807b-1489-8cbe-011c-46afd589768d">refers to a registered domain (e.g. example.com or
 example.co.uk), or to a delegated zone in DNS.</t>
-</dd><dt>Sub Domain</dt><dd><t anchor="_bd86fbc8-d5db-fe51-5998-c6fd30cc9118">refers to a sub-domain of a root domain (e.g.
+</dd><dt>Sub Domain</dt><dd><t anchor="_68baaa3f-8f82-981b-1b2c-a99a4a4c85fe">refers to a sub-domain of a root domain (e.g.
 sub.example.com or sub.example.co.uk).</t>
 </dd></dl>
-</section>
 </section>
     <section anchor="_protocol_design"><name>Protocol design</name>
 
 <section anchor="_templates"><name>Templates</name>
 
-<t anchor="_e3c8781b-d140-8ebc-e0dd-fed41f68d5f5">Templates are core to Domain Connect, as they fully describe a service owned by
+<t anchor="_24885499-070b-90aa-2a17-edc766c6a584">Templates are core to Domain Connect, as they fully describe a service owned by
 a Service Provider and contain all of the information necessary to
 enable and operate/maintain the service in the form of a set of records.</t>
 
-<t anchor="_db8e025d-df29-b89d-e12c-7f34c557fb38">The individual records in a template may be identified by a groupId. This allows for
+<t anchor="_e0abb55e-75fb-46ea-6036-663ba7cd3959">The individual records in a template may be identified by a groupId. This allows for
 the application of templates in different stages. For example, an email
 provider might first set a TXT record to verify the domain, and later
 set an MX record to configure email delivery. While done separately,
 both changes are fundamentally part of the same service.</t>
 
-<t anchor="_284413d9-6c65-5a46-d9cf-cf2542cace0a">Templates may also contain variable portions, as often values of data in
+<t anchor="_0fdb0d1f-7353-9a55-2fc2-db6c6caf5687">Templates may also contain variable portions, as often values of data in
 DNS change based on the implementation and/or user of the
 service (e.g. the IP address of a service, a customer id,
 etc.).</t>
 
-<t anchor="_4645bb85-a23d-dc9e-10ba-22dbc3896209">The template is defined by the Service Provider and manually onboarded with the DNS
+<t anchor="_1bedbd5c-1c60-c3a4-163c-06dcf08aacc6">The template is defined by the Service Provider and manually onboarded with the DNS
 Provider, according to a template definition published in
 the <xref target="repository-and-integrity">Public Repository</xref> or agreed out-of-band between
 the Service Provider and the DNS Provider.</t>
 
-<t anchor="_7696fe61-b18a-942c-a033-77eb7caf686c">By basing the protocol on templates instead of DNS Records, several
+<t anchor="_963a389e-b996-5db6-699a-601198985abb">By basing the protocol on templates instead of DNS Records, several
 advantages are achieved. The DNS Provider has very explicit knowledge
 and control of the settings being changed to enable a service. And the
 system is more secure as templates are controlled and contained.</t>
 </section>
+</section>
+    <section anchor="_end_user_flows"><name>End User Flows</name>
 
-<section anchor="_end_user_flows"><name>End User Flows</name>
+<section anchor="_general_information"><name>General information</name>
 
-<t anchor="_4f1be81f-fc5d-1b05-2979-4a742aed0729">To attach a domain name to a service provided by a Service Provider, the
-customer would first enter their domain name.</t>
+<t anchor="_aa7d03f5-ab86-8bd2-2154-e27cd7df93d7">To attach a domain name to a service provided by a Service Provider, the customer would first enter their domain name.</t>
 
-<t anchor="_a4a46393-888e-90a4-568f-cefce7393adf">Instead of relying on examination of the nameservers and mapping these
-to DNS Providers, DNS Provider discovery is handled through simple
-records in DNS and an API. The Service Provider queries for a specific
-record in the zone that returns a REST endpoint to initiate the
-protocol. When this endpoint is called, a Domain Connect compliant DNS Provider returns
-information about that domain and how to configure it using Domain
-Connect.</t>
+<t anchor="_67176c5c-038b-ef33-5259-15f9792e8d66">Instead of relying on examination of the nameservers and mapping these to DNS Providers, DNS Provider discovery is handled through simple records in DNS and an API. The Service Provider queries for a specific record in the zone that returns a REST endpoint to initiate the protocol. When this endpoint is called, a Domain Connect compliant DNS Provider returns information about that domain and how to configure it using Domain Connect.</t>
 
-<t anchor="_c8adf833-eef8-9ee8-2f45-cd76a7d8b9a9">To apply the changes to DNS, there are two use cases. The
-first is a synchronous web flow, and the second is an asynchronous flow
-using oAuth and an API.</t>
+<t anchor="_e3063abe-6fe7-d623-7705-8c78640d8469">To apply the changes to DNS, there are two use cases. The
+first is a synchronous web flow, and the second is an asynchronous flow using OAuth and an API.</t>
 
-<t anchor="_a471a25c-0f75-66e3-bd19-0d2559d64fb5">It is noted that a DNS Provider may choose to only implement one
-of the flows. As a matter of practice many Service Providers are based
-on the synchronous flow, with only a handful of them based on the
-asynchronous oAuth flow. So many DNS providers may opt to only implement
-the synchronous flow.</t>
+<t anchor="_cc2d66fa-3544-0fbe-94c2-a8fb2b714ec7">It is noted that a DNS Provider may choose to only implement one of the flows. As a matter of practice many Service Providers are based on the synchronous flow, with only a handful of them based on the asynchronous OAuth flow. So many DNS providers may opt to only implement the synchronous flow.</t>
 
-<t anchor="_a3213d55-d1a4-43ce-c85b-16355a5975e6">It is also be noted that individual services may work with the
-synchronous flow only, the asynchronous flow only, or with both.</t>
+<t anchor="_5e487085-cb4a-7fd3-407f-2df89f82cf20">It is also be noted that individual services may work with the synchronous flow only, the asynchronous flow only, or with both.</t>
+</section>
 
 <section anchor="_the_synchronous_flow"><name>The Synchronous Flow</name>
 
-<t anchor="_3095ae6a-c4c6-3e64-9ec9-ed192488c38b">This flow is tailored for the Service Provider that requires a one time
+<t anchor="_a172a05e-6623-97c8-ca7d-f575a15a7318">This flow is tailored for the Service Provider that requires a one time
 synchronous change to DNS.</t>
 
-<t anchor="_d91b4f1f-90f2-072b-6e89-dfd1c5043ec8">The user first enters their domain name at the Service Provider
+<t anchor="_abddcc09-aa44-baf9-23ae-dfc3dd393853">The user first enters their domain name at the Service Provider
 website.</t>
 
-<figure anchor="_06a1945e-6e48-7fb8-d672-201a7cdc7afa">
+<figure anchor="_df779a35-ba62-d8b5-357b-d8e66166bc9e">
 
-<name>Service Provider domain input</name><artwork anchor="_98750cfe-c1aa-8c32-c82e-91909315b1bd" type="ascii-art"><![CDATA[+-----------------------------------------------+
-| http://acmewebsiteserviceprovider.com         |
+<name>Service Provider domain input</name><artwork anchor="_45a7c018-7e4a-f3c3-a295-c17cb9eaee73" type="ascii-art"><![CDATA[+-----------------------------------------------+
+| https://acmewebsiteserviceprovider.example    |
 +-----------------------------------------------+
 | ACME Web Site Service Provider                |
 |                                               |
@@ -181,14 +189,14 @@ website.</t>
 |                                               |
 +-----------------------------------------------+]]></artwork></figure>
 
-<t anchor="_4d1b0adb-2179-bdd6-7fe2-45de996aefa5">After the Service Provider determines the DNS Provider using discovery,
+<t anchor="_9e4e5eeb-09d5-4365-782f-abc659f440ea">After the Service Provider determines the DNS Provider using discovery,
 the Service Provider should display a link to the user indicating
 that they can "Connect their Domain" to the service.</t>
 
-<figure anchor="_94d405f7-b827-1bf0-af95-e93f69187ede">
+<figure anchor="_b71a2a64-d06e-ae94-520f-a9938f78b978">
 
-<name>Service Provider displays discovery results and offers setup with a DNS provider</name><artwork anchor="_0b818f4f-b25a-e9a0-f06c-a9ed4fcb2162" type="ascii-art"><![CDATA[+-----------------------------------------------+
-| http://acmewebsiteserviceprovider.com         |
+<name>Service Provider displays discovery results and offers setup with a DNS provider</name><artwork anchor="_06ba6d70-1a4d-8889-989f-7abfd1036452" type="ascii-art"><![CDATA[+-----------------------------------------------+
+| https://acmewebsiteserviceprovider.example    |
 +-----------------------------------------------+
 | ACME Web Site Service Provider                |
 |                                               |
@@ -202,27 +210,27 @@ that they can "Connect their Domain" to the service.</t>
 |                                               |
 +-----------------------------------------------+]]></artwork></figure>
 
-<t anchor="_a9a7a194-f8ba-e8dd-85cf-65598cb3c7d0">After clicking the link, the user is directed to a browser window on the
+<t anchor="_2a67c784-dd81-3a0f-0001-554056362380">After clicking the link, the user is directed to a browser window on the
 DNS Provider's site. This may be done in another tab or in a new
 browser window, but may also be an in place navigation with a return
 url. This link passes the domain name being modified, the service
 provider/template being enabled, and any additional parameters (variables)
 needed to apply the template and configure the service.</t>
 
-<t anchor="_3f8e8fac-3afd-fa71-39bf-1148e494d61c">Once at the DNS Provider site, the user is asked to authenticate
+<t anchor="_63d7b724-3c30-9556-60f6-fa435f60fd3a">Once at the DNS Provider site, the user is asked to authenticate
 if necessary.</t>
 
-<figure anchor="_b4dae187-1a4d-1a8a-ae05-82675fe63638">
+<figure anchor="_e035bf49-dd74-cdbf-aed7-2ee75c99478a">
 
-<name>DNS provider user authentication</name><artwork anchor="_908e5e5d-06f6-fde3-68c3-598a9592e2ed" type="ascii-art"><![CDATA[+-----------------------------------------------+
-| http://virtucondomains.com                    |
+<name>DNS provider user authentication</name><artwork anchor="_294f976a-3fc4-fb1b-b597-986ef18a0bf6" type="ascii-art"><![CDATA[+-----------------------------------------------+
+| https://virtucondomains.example               |
 +-----------------------------------------------+
 | Virtucon Domains                              |
 |                                               |
 | Please sign in to Virtucon domains            |
 |                                               |
 |                 +-------------------------+   |
-| Login           |user@xyz.com             |   |
+| Login           |user@xyz.example         |   |
 |                 +-------------------------+   |
 |                                               |
 |                 +-------------------------+   |
@@ -235,17 +243,17 @@ if necessary.</t>
 |                                               |
 +-----------------------------------------------+]]></artwork></figure>
 
-<t anchor="_f9f0779f-74fb-7e15-a32c-8a5e68fcc615">After authenticating at the DNS Provider, the DNS Provider must verify
+<t anchor="_f78d3c7c-1b9c-0cd9-05fa-b2ae59650032">After authenticating at the DNS Provider, the DNS Provider must verify
 the DNS zone of the domain name is controlled by the user. The DNS Provider must verify
 other parameters passed in are valid, and must prompt the user for consent to
 make the changes to DNS. The DNS Provider may also warn
 the user of services that would be disabled by applying this change to
 DNS.</t>
 
-<figure anchor="_55ffbfc5-3e9e-d778-c325-053335be1b58">
+<figure anchor="_9e3cacc5-872b-d059-f188-40bbdee8f8e6">
 
-<name>User authorization at the DNS provider of the DNS setup for ACME</name><artwork anchor="_2fcfccc1-6689-c894-2cad-022a2963d0da" type="ascii-art"><![CDATA[+-----------------------------------------------+
-| http://virtucondomains.com                    |
+<name>User authorization at the DNS provider of the DNS setup for ACME</name><artwork anchor="_dd4b41a7-19aa-de49-6908-31e9bb600ec9" type="ascii-art"><![CDATA[+-----------------------------------------------+
+| https://virtucondomains.example               |
 +-----------------------------------------------+
 | Virtucon Domains                              |
 |                                               |
@@ -260,84 +268,86 @@ DNS.</t>
 |                                               |
 +-----------------------------------------------+]]></artwork></figure>
 
-<t anchor="_743a51c8-dd2a-2bd7-ed27-2d4ab17280ec">Assuming the user grants this consent, the DNS changes are be applied.</t>
+<t anchor="_07ffcc91-0deb-e703-8049-8ff49cbdae73">Assuming the user grants this consent, the DNS changes are be applied.</t>
 
-<t anchor="_cf40275e-7b32-4b74-609a-5f045fc24e8c">If invoked in a pop-up window or tab, the browser window should be closed
+<t anchor="_c171778f-f764-4e02-c6d5-843351386a2f">If invoked in a pop-up window or tab, the browser window should be closed
 after the changes are applied. If invoked in place, the user must be navigated back
 to the Service Provider after the changes are applied.</t>
 </section>
 
 <section anchor="_the_asynchronous_flow"><name>The Asynchronous Flow</name>
 
-<t anchor="_300dd792-f9f7-b8d8-0258-fe3ff4af11a4">The asynchronous oAuth flow is tailored for the Service Provider that
+<t anchor="_1ff3e2e7-40d0-8a6f-debc-e758fca26b32">The asynchronous OAuth flow is tailored for the Service Provider that
 wishes to make changes to DNS asynchronously with respect to the user
 interaction, or wishes to make multiple or additional changes to DNS
 over time.</t>
 
-<t anchor="_3e131d06-2429-8412-aed0-9c76171da454">The asynchronous flow begins similarly
+<t anchor="_5751993e-1492-387e-c711-362ded16227c">The asynchronous flow begins similarly
 to the synchronous flow. The Service Provider determines the
 DNS Provider and links to a consent dialog at the DNS Provider. Once at
 the DNS Provider the user signs in, control of the DNS zone for the domain is
 verified, and consent is granted.</t>
 
-<t anchor="_c046ebc8-41c8-8772-5c7d-502dcfeb7199">Instead of applying the DNS changes on user consent, OAuth access is
+<t anchor="_c5ea83f1-dd1c-9a53-62d6-c81c5a247021">Instead of applying the DNS changes on user consent, OAuth access is
 granted to the Service Provider. An OAuth access code is generated and
 handed back to the Service Provider. The Service Provider then requests
 an access (bearer) token.</t>
 
-<t anchor="_4f8adb7b-9646-97b6-91a7-138694f51a03">The permission granted in the OAuth token is a right for the Service
+<t anchor="_83ea585a-7bec-6d67-c92e-d31ef9a2d97a">The permission granted in the OAuth token is a right for the Service
 Provider to apply a requested template (or templates) to the specific
 domain (and specific subdomains) DNS under control of a specific user at the DNS Provider.</t>
 
-<t anchor="_9ab2008c-6e2f-7878-4e19-5098f5ee20a0">The Service Provider would later call the an API to apply a template
+<t anchor="_517e544a-65db-e9d1-e5e3-0f36eb2d5344">The Service Provider would later call the API of the DNS provider to apply a template
 using the access token.</t>
 
-<t anchor="_840e8196-c359-cc0c-9bba-0495d48827ff">Additional parameters must be passed as name/value pairs when applying
+<t anchor="_24f8c822-b6db-10ea-4393-acdde4a6e385">Additional parameters must be passed as name/value pairs when applying
 the template.</t>
 </section>
-</section>
 </section>
     <section anchor="_dns_provider_discovery"><name>DNS Provider Discovery</name>
 
-<t anchor="_d3c8c9f8-786a-69d2-2435-235a97d8b4c9">To facilitate discovery of the DNS Provider from a domain name DNS is utilized. This is
+<t anchor="_07fc1c2b-330c-f8d3-ba25-75c9267498c8">To facilitate discovery of the DNS Provider from a domain name DNS is utilized. This is
 done by returning a TXT record for <em>_domainconnect</em> in the zone.</t>
 
-<t anchor="_a3fc9969-edac-c883-fda0-28fb0db66ae9">An example of the contents of this record:</t>
+<t anchor="_e4f582c4-e872-2a04-3710-c55a6cb92b48">An example of the contents of this record:</t>
 
-<sourcecode anchor="_3ef5b3e1-f8a1-9bec-cb5f-6f8cf9684fbc"><![CDATA[domainconnect.virtucondomains.com]]></sourcecode>
+<sourcecode anchor="_a75ab39d-e235-4ab6-6f63-cd506e7e9c77"><![CDATA[domainconnect.virtucondomains.example]]></sourcecode>
 
 
-<t anchor="_a46cbb10-3ba4-1248-119a-2aefd63e7c70">As a practical matter of implementation, the DNS Provider may or may not
+<t anchor="_771b709a-abb5-0354-abe1-37ac307fc54a">As a practical matter of implementation, the DNS Provider may or may not
 contain a copy of this data in each and every zone. Instead, the DNS
 Provider must simply respond to the DNS query for the
 <em>_domainconnect</em> TXT record with the appropriate data.</t>
 
-<t anchor="_321d397c-ba7b-2798-7f2a-651b358b65e6">How this is implemented is up to the DNS Provider.</t>
+<t anchor="_568d3c19-ee9e-16e9-ecd4-160ba92b11ba">How this is implemented is up to the DNS Provider.</t>
 
-<t anchor="_0920ea92-32a2-592c-4d66-5ed8f448fa94">For example, the DNS Provider may not store the data inside a TXT record
+<t anchor="_1b07a19a-ac4d-eb4a-63d7-20b8233b5fe3">For example, the DNS Provider may not store the data inside a TXT record
 for the domain, opting instead to put a CNAME in the zone and have the
 TXT record in the target of the CNAME. Another DNS Provider may simply
 respond with the appropriate records at the DNS layer without having the data in each
 zone.</t>
 
-<t anchor="_fefad84a-8d61-244c-2462-af1f322500ed">The URL prefix returned is subsequently used by the Service Provider to
+<t anchor="_e824b454-f6ce-5e68-1701-e4f43c15c59c">The URL prefix returned is subsequently used by the Service Provider to
 determine the additional settings for using Domain Connect on this
 domain at the DNS Provider. This is done by calling a REST API.</t>
 
-<sourcecode anchor="_178b39d1-816c-91ed-fbcf-4f8ede4e99e5"><![CDATA[GET
+<sourcecode anchor="_6ebcca94-e032-7aef-885a-a5da80469f84"><![CDATA[GET
 
 https://{_domainconnect}/v2/{domain}/settings]]></sourcecode>
 
 
-<t anchor="_269edbac-fcc1-e901-492b-621c207c7aa1">This must return a JSON structure containing the settings to use for Domain Connect on the domain name (passed in on the path) at the DNS Provider. This JSON structure must contain the following fields unless otherwise specified.</t>
+<t anchor="_9c072851-4349-4a2b-560e-b656bd0dbcae">This must return a JSON structure containing the settings to use for
+Domain Connect on the domain name (passed in on the path) at the DNS
+Provider. This JSON structure must contain the following fields unless
+otherwise specified.</t>
 
-<table anchor="_b5e0ca4f-3a9c-a28e-2ebd-6cd0b4cdf583"><name>properties of the settings data structure</name><thead><tr><th align="left"><strong>Field</strong></th><th align="left"><strong>Key</strong></th><th align="left"><strong>Type</strong></th><th align="left"><strong>Description</strong></th></tr></thead><tbody><tr><td align="left"><strong>Provider Id</strong></td><td align="left">providerId</td><td align="left">String</td><td align="left">Unique identifier for the DNS Provider. To ensure non-coordinated uniqueness,
-this should be the domain name of the DNS Provider (e.g. virtucom.com).</td></tr><tr><td align="left"><strong>Provider Name</strong></td><td align="left">providerName</td><td align="left">String</td><td align="left">The name of the DNS Provider.</td></tr><tr><td align="left"><strong>Provider Display Name</strong></td><td align="left">providerDisplayName</td><td align="left">String</td><td align="left">(OPTIONAL) The name of the DNS Provider that should be displayed by the Service Provider.
+<table anchor="_99a8adea-5cd2-3c08-b2f9-44d236d1d60d"><name>properties of the settings data structure</name><thead><tr><th align="left"><strong>Field</strong></th><th align="left"><strong>Key</strong></th><th align="left"><strong>Type</strong></th><th align="left"><strong>Description</strong></th></tr></thead><tbody><tr><td align="left"><strong>Provider Id</strong></td><td align="left">providerId</td><td align="left">String</td><td align="left">(REQUIRED) Unique identifier for the DNS Provider. To ensure non-coordinated uniqueness,
+this should be the domain name of the DNS Provider (e.g. virtucom.example).</td></tr><tr><td align="left"><strong>Provider Name</strong></td><td align="left">providerName</td><td align="left">String</td><td align="left">(REQUIRED) The name of the DNS Provider.</td></tr><tr><td align="left"><strong>Provider Display Name</strong></td><td align="left">providerDisplayName</td><td align="left">String</td><td align="left">(OPTIONAL) The name of the DNS Provider that should be displayed by the Service Provider.
 This may change per domain for some DNS Providers that power multiple brands.</td></tr><tr><td align="left"><strong>UX URL Prefix for Synchronous Flows</strong></td><td align="left">urlSyncUX</td><td align="left">String</td><td align="left">(OPTIONAL) The URL Prefix for linking to the UX of Domain Connect for the synchronous flow
 at the DNS Provider. If not returned, the DNS Provider is not supporting the synchronous
 flow on this domain.</td></tr><tr><td align="left"><strong>UX URL Prefix for Asynchronous Flows</strong></td><td align="left">urlAsyncUX</td><td align="left">String</td><td align="left">(OPTIONAL) The URL Prefix for linking to the UX elements of Domain Connect for the
 asynchronous flow at the DNS Provider. If not returned, the DNS Provider is not supporting
-the asynchronous flow on this domain.</td></tr><tr><td align="left"><strong>API URL Prefix</strong></td><td align="left">urlAPI</td><td align="left">String</td><td align="left">The URL Prefix for the REST API</td></tr><tr><td align="left"><strong>Width of Window</strong></td><td align="left">width</td><td align="left">Number</td><td align="left">(OPTIONAL) This is the desired width of the window for granting consent when navigated in a
+the asynchronous flow on this domain.</td></tr><tr><td align="left"><strong>API URL Prefix</strong></td><td align="left">urlAPI</td><td align="left">String</td><td align="left">(REQUIRED) The URL Prefix for the REST API</td></tr><tr><td align="left"><strong>Width of Window</strong></td><td align="left">width</td><td align="left">Number</td><td align="left">(OPTIONAL) This is the desired width of the window for granting consent when navigated in a
 popup. Default value if not returned should be 750px.</td></tr><tr><td align="left"><strong>Height of Window</strong></td><td align="left">height</td><td align="left">Number</td><td align="left">(OPTIONAL) This is the desired height of the window for granting consent when navigated in
 a popup. Default value if not returned should be 750px.</td></tr><tr><td align="left"><strong>UX URL Control Panel</strong></td><td align="left">urlControlPanel</td><td align="left">String</td><td align="left">(OPTIONAL) This is a URL to the control panel for editing DNS at the DNS Provider.
 This field allows a Service Provider whose template isn't supported at the DNS Provider
@@ -348,64 +358,64 @@ replaced with the domain name.</td></tr><tr><td align="left"><strong>Name Server
 authoritative. This does not indicate the authoritative nameservers; for this the registry
 would be queried.</td></tr></tbody></table>
 
-<t anchor="_f36d4693-4fdf-cca9-9b3c-9d4f70016b34">As an example, the JSON returned by this call might contain.</t>
-
-<sourcecode anchor="_f1f69f26-9b32-945c-37ac-6d44554a9f9d" type="json"><![CDATA[{
-    "providerId": "virtucondomains.com",
+<sourcecode anchor="_ceb0bed3-9db8-341c-f625-654eae01baec" type="json"><![CDATA[{
+    "providerId": "virtucondomains.example",
     "providerName": "Virtucon Domains",
     "providerDisplayName": "Virtucon Domains",
-    "urlSyncUX": "https://domainconnect.virtucondomains.com",
-    "urlAsyncUX": "https://domainconnect.virtucondomains.com",
-    "urlAPI": "https://api.domainconnect.virtucondomains.com",
+    "urlSyncUX": "https://domainconnect.virtucondomains.example",
+    "urlAsyncUX": "https://domainconnect.virtucondomains.example",
+    "urlAPI": "https://api.domainconnect.virtucondomains.example",
     "width": 750,
     "height": 750,
-    "urlControlPanel": "https://domaincontrolpanel.virtucondomains.com/?domain=%domain%",
-    "nameServers": ["ns01.virtucondomainsdns.com", "ns02.virtucondomainsdns.com"]
+    "urlControlPanel": "https://domaincontrolpanel.virtucondomains.ex
+    ample/?domain=%domain%",
+    "nameServers": ["ns01.virtucondomainsdns.example", "ns02.virtucon
+    domainsdns.example"]
 }]]></sourcecode>
 
 
-<t anchor="_0b822df8-0d4c-3b68-1394-d282c14a2ebf">Discovery must work on the root domain (zone) only. Bear in mind that
+<t anchor="_3f879246-e363-928b-60a5-31ec36882e03">Discovery must work on the root domain (zone) only. Bear in mind that
 zones can be delegated to other users, making this information valuable to
 Service Providers since DNS changes may be different for an apex zone vs.
 a sub-domain for an individual service.</t>
 
-<t anchor="_a9e1b6f6-d835-6340-2c6e-33b2e84dfe7c">The Service Provider must handle the condition when a query for the
+<t anchor="_ad145b7c-d3b0-3ded-8ea0-347ef87eec1d">The Service Provider must handle the condition when a query for the
 _domainconnect TXT record suceeds, but a call to query for the JSON fails.
 This can happen if the zone is hosted with another DNS Provider, but contains an
 incorrect _domainconnect TXT record.</t>
 
-<t anchor="_d2f43cf8-d7be-e39b-ec43-073b0920de09">The DNS Provider must return a 404 if they do not contain the zone.</t>
+<t anchor="_428f7bc7-d78b-fb0c-5ebe-cbc74d9af444">The DNS Provider must return a 404 if they do not contain the zone.</t>
 
-<table anchor="_fc416094-c7e7-5e38-c65a-f4e39474c4c1"><name>HTTP status codes for the settings end-point</name><thead><tr><th align="left">Status</th><th align="left">Response</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><strong>Success</strong></td><td align="left">2xx</td><td align="left">A response of an http status code of 2xx indicates that the
+<table anchor="_5051b19b-be1e-3ff6-5297-24459f8e6098"><name>HTTP status codes for the settings end-point</name><thead><tr><th align="left">Status</th><th align="left">Response</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><strong>Success</strong></td><td align="left">2xx</td><td align="left">A response of an http status code of 2xx indicates that the
 call was successful. The response is the JSON described above.</td></tr><tr><td align="left"><strong>Not Found</strong></td><td align="left">404</td><td align="left">A response of a 404 indicates that the DNS Provider does not have the zone.</td></tr></tbody></table>
 </section>
     <section anchor="_applying_domain_connect"><name>Applying Domain Connect</name>
 
 <section anchor="_endpoints"><name>Endpoints</name>
 
-<t anchor="_c4c654f9-5c03-cfb2-a4c2-b05a1c3ee45f">The Domain Connect endpoints returned in the JSON during
+<t anchor="_0a2fc914-ef53-a0ec-221f-73c1194594fb">The Domain Connect endpoints returned in the JSON during
 discovery are in the form of URLs.</t>
 
-<t anchor="_3bef9b95-9179-35a4-54f8-4c90ed94c063">The first set of endpoints are for the UX that the Service Provider
+<t anchor="_19eef5e5-15c3-9345-74ab-e5de8ab057c8">The first set of endpoints are for the UX that the Service Provider
 links to. These are for the synchronous flow where the user can click
 to grant consent and have changes applied, and for the
-asynchronous oAuth flow where the user can grant consent for
+asynchronous OAuth flow where the user can grant consent for
 OAuth access.</t>
 
-<t anchor="_998221ff-403e-e8c0-6abc-aed82c203fad">The second set of endpoints are for the REST API.</t>
+<t anchor="_92ab93ea-5ec6-2421-ac33-b0e15797f047">The second set of endpoints are for the REST API.</t>
 
-<t anchor="_50fa891a-a680-951b-6d83-652305c88480">All endpoints begin with a root URL for the DNS Provider such as:</t>
+<t anchor="_5969f1c6-a8ab-f4b6-2c0a-13eed456a299">All endpoints begin with a root URL for the DNS Provider such as:</t>
 
-<sourcecode anchor="_37130745-ce61-853a-b736-20468327eaa9"><![CDATA[https://connect.dnsprovider.com]]></sourcecode>
+<sourcecode anchor="_de0e3eee-c108-5d4a-e3f3-58153752d5d6"><![CDATA[https://connect.dnsprovider.example]]></sourcecode>
 
 
-<t anchor="_5951c182-9094-2f47-312a-8b27438219c2">They may also include any prefix at the discretion of the DNS Provider.
+<t anchor="_f0758586-474e-e0d6-d2c8-e43294bfaf92">They may also include any prefix at the discretion of the DNS Provider.
 For example:</t>
 
-<sourcecode anchor="_b40057ec-3e57-1190-ee5a-ce3ce8ddf281"><![CDATA[https://connect.dnsprovider.com/api]]></sourcecode>
+<sourcecode anchor="_aeaad295-d840-db70-2285-97bc4eabc4c2"><![CDATA[https://connect.dnsprovider.example/api]]></sourcecode>
 
 
-<t anchor="_efb806d8-c05e-3439-c70f-1c0c342dafa3">The root URLs for the UX endpoints and the API endpoints are returned in
+<t anchor="_fd665040-07a1-8d0b-cf2f-b92a0cb17b9e">The root URLs for the UX endpoints and the API endpoints are returned in
 the JSON payload during DNS Provider discovery.</t>
 </section>
 
@@ -413,40 +423,45 @@ the JSON payload during DNS Provider discovery.</t>
 
 <section anchor="_query_supported_template"><name>Query Supported Template</name>
 
-<sourcecode anchor="_0a28c215-08c3-e81b-6bde-fca0bf73f281"><![CDATA[GET
+<sourcecode anchor="_34ffffe5-ae2c-cb51-60cd-9149540f4f6d"><![CDATA[GET
 
-{urlAPI}/v2/domainTemplates/providers/{providerId}/services/{serviceId}]]></sourcecode>
+{urlAPI}/v2/domainTemplates/providers/{providerId}/services
+/{serviceId}]]></sourcecode>
 
 
-<t anchor="_fe310027-ae4e-a9df-eacb-c4632e88e04a">This URL is be used by the Service Provider to determine if the DNS
+<t anchor="_b0379ff3-f614-5033-2b46-5242803c7e36">This URL is be used by the Service Provider to determine if the DNS
 Provider supports a specific template through the synchronous flow.</t>
 
-<t anchor="_dfc25f46-6bf7-f219-de9f-1ba00088b4d2">Returning a status of 200 without a body indicates the template is supported.
+<t anchor="_70cce8e4-a0fd-6331-eae0-1bd35c521864">Returning a status of 200 without a body indicates the template is supported.
 The DNS provider may decide to disclose the version of the template
-in a JSON object with field <em>version</em> (see: <xref target="template-definition">version field</xref>)
+in a JSON object with field <em>version</em> (see: <xref target="template-definition">version field</xref>
 or the full JSON object of deployed template.</t>
 
-<t anchor="_a6de1417-edf2-4302-cacb-eb35cfbe6dcd">Returning a status of 404 indicates the template is not supported.</t>
+<t anchor="_cf699c5b-61ba-bfd6-7b63-0bafcb377b06">Returning a status of 404 indicates the template is not supported.</t>
 
-<table anchor="_1c4f995c-3fed-5c2e-04a2-12483d0ae502"><name>https status codes for the Query Supported Template end-point</name><thead><tr><th align="left">Status</th><th align="left">Response</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><strong>Success</strong></td><td align="left">2xx</td><td align="left">A response of an http status code of 2xx indicates that the
+<table anchor="_a90da9e7-6d0a-ac81-cec9-ec8526f16ed7"><name>https status codes for the Query Supported Template end-point</name><thead><tr><th align="left">Status</th><th align="left">Response</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><strong>Success</strong></td><td align="left">2xx</td><td align="left">A response of an http status code of 2xx indicates that the
 call was successful. The response OPTIONALLY contains the version or template.</td></tr><tr><td align="left"><strong>Not Found</strong></td><td align="left">404</td><td align="left">A response of a 404 indicates that the template is not supported</td></tr></tbody></table>
 </section>
 
 <section anchor="_apply_template"><name>Apply Template</name>
 
-<sourcecode anchor="_33770b22-4c9a-6645-81fd-460f996d7abc"><![CDATA[GET
+<section anchor="_apply_template_url"><name>Apply Template URL</name>
 
-{urlSyncUX}/v2/domainTemplates/providers/{providerId}/services/{serviceId}/apply?[properties]]]></sourcecode>
+<sourcecode anchor="_331c6b57-86ee-9804-338b-7efcb53f88b2"><![CDATA[GET
 
+{urlSyncUX}/v2/domainTemplates/providers/{providerId}/services
+/{serviceId}/apply?[properties]]]></sourcecode>
 
-<t anchor="_bbcf394f-2d66-eceb-d5f4-62f9259e7655">This is the URL where the user is sent to apply a template to a domain they own.
+
+<t anchor="_3cabe7eb-a279-0cbe-eb45-6a02fb456019">This is the URL where the user is sent to apply a template to a domain they own.
 It is called from the Service Provider to start the synchronous Domain Connect Protocol.</t>
 
-<t anchor="_c55582cd-427f-80bd-9474-937a40bf255e">This URL can be called in one of two ways.</t>
+<t anchor="_8cc52f60-74ce-218c-b8fb-a9a2bee52b46">This URL can be called in one of two ways.</t>
+</section>
 
 <section anchor="_new_browser_window"><name>New Browser Window</name>
 
-<t anchor="_cd43ed2c-a022-81fa-f49f-c2096b0a8cda">The first is through a new browser tab or in a popup browser window.
+<t anchor="_03d065a5-898f-3194-d4f1-e4a44c49e713">The first is through a new browser tab or in a popup browser window.
 The DNS Provider signs the user
 in if necessary, verifies domain ownership, and asks for confirmation
 before application of the template. After application of the template,
@@ -455,41 +470,41 @@ the DNS Provider should automatically close the browser tab or window.</t>
 
 <section anchor="_same_browser_window"><name>Same Browser Window</name>
 
-<t anchor="_2a6a1486-4358-cb8d-201d-66febc7fa644">The second is in the current browser tab/window. As above the DNS
+<t anchor="_947c872d-cf7b-ecae-bd27-bcf1acd33c13">The second is in the current browser tab/window. As above the DNS
 Provider signs the user in if necessary, verifies the user control of the DNS Zone for the domain,
 and asks for confirmation before application of the template. After
 application of the template (or cancellation by the user), the DNS
 Provider must redirect the browser to a return URL (redirect_uri).</t>
 
-<t anchor="_6581e4e0-658a-55ea-cbf9-eb125eadad7b">Several parameters must be appended to the end of this redirect_uri.</t>
+<t anchor="_037589fd-ba4d-1fea-a97a-b1555f674d86">Several parameters must be appended to the end of this redirect_uri.</t>
 
-<ul anchor="_de514174-9000-6571-5455-970c2bc2c8c0"><li><t anchor="_3905efcd-87e9-0d9e-f248-95c1565a1d19">State</t>
-<t anchor="_afd12b53-5a9d-44fe-3249-eee7fa4992d5">If a state parameter is passed in on the query string, this must be
+<ul anchor="_99dff3ee-5fbf-061b-96fb-86e149a90939"><li><t anchor="_e95247db-0366-5999-b72d-e84e2aca6d61">State</t>
+<t anchor="_d24c7c09-e7d1-0c22-220e-219c2bdd82a9">If a state parameter is passed in on the query string, this must be
 passed back as state= on the redirect_uri.</t>
 </li>
-<li><t anchor="_5b473933-d678-1e25-e03f-63bf68cd66c5">Error</t>
-<t anchor="_1d1dbd70-4cac-555c-30f9-4577a65723c1">If authorization could not be obtained or an error has occurred, the
+<li><t anchor="_a9e208bb-9566-f29d-3fcc-6370a85121db">Error</t>
+<t anchor="_63dfdd18-66fa-3e5e-1cb4-605d18d8615d">If authorization could not be obtained or an error has occurred, the
 parameter error= must be appended. For consistency with the asynchronous
 OAuth flows the valid values for the error parameter will be as
-specified in OAuth 2.0 RFC 6749 (4.1.2.1. Error Response - "error"
+specified in OAuth 2.0 <xref target="RFC6749" section="" relative=""></xref> (4.1.2.1. Error Response - "error"
 parameter). Valid values are: invalid_request, unauthorized_client,
 access_denied, unsupported_response_type, invalid_scope, server_error,
 and temporarily_unavailable.</t>
 </li>
-<li><t anchor="_19b94c38-370f-2226-6d45-1e5027266a93">Error Description</t>
-<t anchor="_7705a0cb-ae65-c1be-0757-95dbda8e7bbd">When an error occurs, an OPTIONAL error description containing a
+<li><t anchor="_8cc5a43a-de5b-2d75-20e3-6bbbf9539ec9">Error Description</t>
+<t anchor="_3ba52e13-f11f-4c9a-0743-3d9fefe0ee66">When an error occurs, an OPTIONAL error description containing a
 developer focused error description may be returned.</t>
 
-<t anchor="_dd177438-7d3e-18ad-14cb-415aaa8dd361">Under normal
+<t anchor="_b4df9a29-5da4-28e5-4c63-b622cc45051c">Under normal
 operation the access_denied error can be returned for a number of
 reasons. For example, the user may not have access to the account that
 owns the domain. Even if they do and successfully sign-in, the account
 or the domain may be suspended.</t>
 
-<t anchor="_2e45f601-46b7-2c63-6243-4dbb32c24d6f">It is unlikely that the DNS Provider would want to leak this information
+<t anchor="_95894261-85ea-ff33-75ae-76a9008fbbd6">It is unlikely that the DNS Provider would want to leak this information
 to the Service Provider, and as such the description may be vague.</t>
 
-<t anchor="_58943aee-5e5c-6f41-b250-1093d54bb110">There is one piece of information that may be interesting to communicate
+<t anchor="_4c272b28-07c4-0598-5cd1-a8dacd7d5dcd">There is one piece of information that may be interesting to communicate
 to the Service Provider. This is when the end user decided to cancel the
 operation. If the DNS Provider wishes to communicate this to the
 Service Provider, when the error=access_denied the error_description may
@@ -498,20 +513,20 @@ of the DNS Provider.</t>
 </li>
 </ul>
 
-<t anchor="_eb3bf813-9537-ea84-e3ab-a9abdbf01255">To prevent an open redirect, unless the request is digitally signed the redirect_uri
+<t anchor="_5cf8b909-795a-297c-43f1-88c73d866bc5">To prevent an open redirect, unless the request is digitally signed the redirect_uri
 must be within the domains specified in the template in syncRedirectDomain.</t>
 </section>
 
 <section anchor="_parametersproperties"><name>Parameters/properties</name>
 
-<table anchor="_5d7e1c9f-ba2b-4601-0613-b58dff2f1244"><name>query parameters of the apply call in the sync flow</name><thead><tr><th align="left">Property</th><th align="left">Request Parameter</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><strong>Domain</strong></td><td align="left">domain</td><td align="left">The domain name being configured. This is the root domain (the
+<table anchor="_e01f1eae-2447-cf75-a97d-5a4af3a0deba"><name>query parameters of the apply call in the sync flow</name><thead><tr><th align="left">Property</th><th align="left">Request Parameter</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><strong>Domain</strong></td><td align="left">domain</td><td align="left">(REQUIRED) The domain name being configured. This is the root domain (the
 registered domain or delegated zone).</td></tr><tr><td align="left"><strong>Host</strong></td><td align="left">host</td><td align="left">(OPTIONAL) This is the host name of the sub domain. If left blank, the template is being
 applied to the root domain. Otherwise the template is applied to the sub domain of the
 domain.</td></tr><tr><td align="left"><strong>Redirect URI</strong></td><td align="left">redirect_uri</td><td align="left">(OPTIONAL) The location to direct the client browser to upon successful authorization, or
 upon error. If omitted the DNS Provider will close the browser window upon
 completion. It must be scoped to the syncRedirectDomain from the template, or the request
 must be signed.</td></tr><tr><td align="left"><strong>State</strong></td><td align="left">state</td><td align="left">(OPTIONAL) A random and unique string passed along to prevent CSRF, or to pass back state.
-It must be returned as a parameter when redirecting to the redirect_uri described above.</td></tr><tr><td align="left"><strong>Name/Value Pairs</strong></td><td align="left">*</td><td align="left">Any key that will be used as a replacement for the "% surrounded" variables in the
+It must be returned as a parameter when redirecting to the redirect_uri described above.</td></tr><tr><td align="left"><strong>Name/Value Pairs</strong></td><td align="left">*</td><td align="left">(REQUIRED) Any key that will be used as a replacement for the "% surrounded" variables in the
 template. The name portion of this API call corresponds to
 the variable(s) specified in the template and the value corresponds to the value that will
 be used when applying the template.</td></tr><tr><td align="left"><strong>Provider Name</strong></td><td align="left">providerName</td><td align="left">(OPTIONAL) This parameter allows for the caller to provide additional text for display
@@ -523,18 +538,22 @@ with the template serviceName. It should be used to augment the serviceName valu
 from the template, not replace it. This parameter is only allowed when the
 "sharedServiceName" attribute is set in the template.</td></tr><tr><td align="left"><strong>Group Id</strong></td><td align="left">groupId</td><td align="left">(OPTIONAL) This parameter specifies the groups from the template to apply.
 If no group is specified, all groups are applied. Multiple groups may be specified in a
-comma delimited format.</td></tr><tr><td align="left"><strong>Signature</strong></td><td align="left">sig</td><td align="left">(OPTIONAL) A signature of the query string. See Security Considerations section below.</td></tr></tbody></table>
+comma delimited format.</td></tr><tr><td align="left"><strong>Signature</strong></td><td align="left">sig</td><td align="left">(OPTIONAL) A signature of the query string. See Security Considerations section below.</td></tr><tr><td align="left"><strong>Key</strong></td><td align="left">key</td><td align="left">(OPTIONAL) A value containing the host in DNS where the public key for the signature can be
+obtained. The domain for this host is in the template in syncPubKeyDomain. See Security
+Considerations section below.</td></tr></tbody></table>
 
-<t anchor="_d50ed220-6e57-2d16-3bba-db698b1725c9">An example query string:</t>
+<t anchor="_9a806e23-7c47-60f6-6183-3444af8cb8a4">An example query string:</t>
 
-<sourcecode anchor="_53973577-8f69-ae95-f4cc-30bc3008a171"><![CDATA[GET
+<sourcecode anchor="_173f8690-76b7-918e-4d4a-992eecece71e"><![CDATA[GET
 
-https://web-connect.dnsprovider.com/v2/domainTemplates/providers/exampleservice.domainconnect.org/services/template1/apply?domain=example.com&IP=192.168.42.42&RANDOMTEXT=shm%3A1542108821%3AHello]]></sourcecode>
+https://web-connect.dnsprovider.example/v2/domainTemplates/providers/
+exampleservice.example/services/template1/apply?domain=example.com
+&#x26;IP=192.168.42.42&#x26;RANDOMTEXT=shm%3A1542108821%3AHello]]></sourcecode>
 
 
-<t anchor="_5c68532e-7807-6beb-e63e-dc68244159e3">This call indicates that the Service Provider wishes to connect the
+<t anchor="_4744d586-213d-43d5-9e96-bf5cc4772789">This call indicates that the Service Provider wishes to connect the
 domain example.com to the service using the template identified by the
-composite key of the provider (exampleservice.domainconnect.org) and the service template
+composite key of the provider (exampleservice.example) and the service template
 owned by them (template1). In this example, there are two variables in this
 template, "IP" and "RANDOMTEXT". These variables are passed as name/value pairs.</t>
 </section>
@@ -542,10 +561,12 @@ template, "IP" and "RANDOMTEXT". These variables are passed as name/value pairs.
 
 <section anchor="_security_considerations"><name>Security Considerations</name>
 
-<t anchor="_b5ffa64e-2f8e-11c6-60c5-c0e922e832c6">By applying a template with parameters there is a security
+<section anchor="_risk_of_phishing_with_open_template_parameters"><name>Risk of phishing with open template parameters</name>
+
+<t anchor="_e2e83458-bb64-e998-65f8-1ed84d533d59">By applying a template with parameters there is a security
 consideration that must be taken into account.</t>
 
-<t anchor="_64b08d6f-4336-2606-aaac-3faf78d1a63f">Consider the template above where the IP address of the A record is
+<t anchor="_12444988-7410-7be6-6cd0-b9db33efe8f8">Consider the template above where the IP address of the A record is
 passed in through a variable. A bad actor could generate a URL with a
 malicious IP and phish users by sending out emails asking them to "re-configure" their
 service. If an end user is convinced to click on
@@ -553,12 +574,12 @@ this link, they would land on the DNS Provider site to confirm the
 change. To the user, this would appear to be a valid request to
 configure the domain. Yet the IP would be hijacking the service.</t>
 
-<t anchor="_ecf60627-9937-5ea2-d35f-359f22742ffd">Not all templates have this problem. But when they do, there are several
-options.</t>
+<t anchor="_e73be4f8-50c7-b643-fd70-62fd780f073c">Not all templates have this problem. But when they do, there are several options.</t>
+</section>
 
 <section anchor="_disable_synchronous"><name>Disable Synchronous</name>
 
-<t anchor="_6b0da676-d046-d392-a4bf-b4774a6ad817">One option is to disable the synchronous flow and use
+<t anchor="_1ebc34b1-a670-5c77-c89a-b1eb52b25687">One option is to disable the synchronous flow and use
 asynchronous OAuth. This can be controlled with the syncBlock
 value from the template. However, as will be seen below OAuth has a higher
 implementation burden and requires onboarding between each Service and
@@ -567,79 +588,91 @@ DNS Provider.</t>
 
 <section anchor="_digitally_sign_requests"><name>Digitally Sign Requests</name>
 
-<t anchor="_a92c4f93-f3fa-e9c5-55ca-753a04b27eb9">Another option is to digitally sign the query string. A
+<t anchor="_2366a7ed-aba9-3738-10e9-61ddd458ad5f">Another option is to digitally sign the query string. A
 signature is appended as an additional query string parameter,
 properly URL encoded and of the form:</t>
 
-<sourcecode anchor="_f887c8d7-f2ac-44fd-21b1-adceabb2d683"><![CDATA[sig=NLOQQm6ikGC2FlFvFZqIFNCZqlaC4B%2FQDwS6iCwIElMWhXMgRnRE17zhLtdLFieWkyqKa4I%2FOoFaAgd%2FAl%2ByzDd3sM2X1JVF5ELjTlj84jZ4KOEIdnbgkEeO%2FTkYRrPkwcmcHMwc4RuX%2Fqio8vKYxJaKLKeVGpUNSKo7zkq3XIRgyxoLSRKxmlSTHFAz4LvYXPWo6SHDoVcRvElWj18Um13sSXuX4KhtOLym2yImHpboEi4m2Ziigc%2BNHZE0VvHUR7wZgDaB01z8hFm5ATF%2B8swjandMRf2Lr4Syv4qTxMNT61r62EWFkt5t9nhxMgss6z4pfDVFZ3vYwSJDGuRpEQ%3D%3D]]></sourcecode>
+<sourcecode anchor="_457ddb8a-86a1-7101-d88a-4824ab5f1cbf"><![CDATA[sig=V2te9zWMU7G3plxBTsmYSJTvn2vzMvNwAjWQ%2BwTe91DxuJhdVf4cVc4vZBYfEYV
+7u5d7PzTO7se7OrkhyiB7TpoJJW1yB5qHR7HKM5SZldUsdtg5%2B1SzEtIX0Uq8b2mCmQ
+F%2FuJGXpqCyFrEajvpTM7fFKPk1kuctmtkjV7%2BATcvNPLWY7KyE4%2Bqc8jpfN61cP
+5l8iA4krAa3%2BfTro5cmWR8YUJ5yrnRs6KT4b5D71HFvOUk0sGEUddUUlsyRQKRHUFN6
+HjEya50YDHfZJlYHkHlK0xX6Yqeii9QZ2I35U9eJbSvZGQko5beqviWFXdsVDbvd3DYcb
+SHgJq9%2FXoMTTw%3D%3D]]></sourcecode>
 
 
-<t anchor="_545edd0c-c448-f701-9788-801899a5c474">The Service Provider generates this signature using a private key. As indicated,
+<t anchor="_716cee1a-b67a-07e9-d177-03bde6fd98fb">The Service Provider generates this signature using a private key. As indicated,
 this signature is generated from the query string properly URL encoded.</t>
 
-<t anchor="_6cd4a20d-4e15-52c0-5d1e-eebfbe8a9169">The Service provider must publish their public key and place it in a DNS TXT
+<t anchor="_6d795ab7-5080-ef10-ea26-354a06e33dca">The Service provider must publish their public key and place it in a DNS TXT
 record in a domain specified in the template in <strong>syncPubKeyDomain</strong>. To allow for key
 rotation, the host name of the TXT record must be appended as another variable on the query string of the form:</t>
 
-<sourcecode anchor="_7ff69049-7127-69df-276c-06b17523db68"><![CDATA[key=_dcpubkeyv1]]></sourcecode>
+<sourcecode anchor="_e19ff2e7-90c7-9c23-24f1-463f55b38642"><![CDATA[key=_dcpubkeyv1]]></sourcecode>
 
 
-<t anchor="_c59a62a1-272b-acfc-3c7b-1ebec395de1d">This example indicates that the public key can be found by doing a DNS
+<t anchor="_83268fc4-9c1f-0ed8-7e7a-4f54becc23c0">This example indicates that the public key can be found by doing a DNS
 query for a TXT record called _dcpubkeyv1 in the domain specified in the
 syncPubKeyDomain from the template.</t>
 
-<t anchor="_0be3055f-642d-ae71-9c05-8405289ca882">To account for DNS Servers with limits to the size of a TXT record, multiple
+<t anchor="_cb9b7041-0411-9365-c8d7-df446ee7ba2f">To account for DNS Servers with limits to the size of a TXT record, multiple
 records may exist for the DNS TXT query. For example, a public key of:</t>
 
-<sourcecode anchor="_ad5585bd-7343-e6ec-5125-08b1e27ad878"><![CDATA[MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1dCqv7JEzUOfbhWKB9mTRsv3O9Vzy1Tz3UQlIDGpnVrTPBJDQTXUhxUMREEOBKo+rOjHZqfYnSmlkgu1dnBEO8bsELQL8GjS4zsjdA53gRk2SDxuzcB4fK+NCDfnRHut5nG0S3U4cq4DuGrMDFVBwxH1duTsqDNgIOOfNTsFcWSVXoSSTqCCMGbj8Vt51umDhWQAj06lf50qP2/jMNs2G+KTlk3dBHx3wtqYLvdcop1Tk5xBD64BPJ9uwm8KlDNHe+8O+cC9j04Ji8B2K0/PzAj90xnb8XJy/EM124hpT9lMgpHKBUvdeurJYweC6oP41gsTf5LrpjnyIy9j5FHPCQIDAQAB]]></sourcecode>
+<sourcecode anchor="_c803e2da-9ac1-d2ab-3f3b-f62e7a307931"><![CDATA[MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA18SgvpmeasN4BHkkv0SBjAzIc
+4grYLjiAXRtNiBUiGUDMeTzQrKTsWvy9NuxU1dIHCZy9o1CrKNg5EzLIZLNyMfI6qiXnM
++HMd4byp97zs/3D39Q8iR5poubQcRaGozWx8yQpG0OcVdmEVcTfyR/XSEWC5u16EBNvRn
+NAOAvZYUdWqVyQvXsjnxQot8KcK0QP8iHpoL/1dbdRy2opRPQ2FdZpovUgknybq/6FkeD
+tW7uCQ6Mvu4QxcUa3+WP9nYHKtgWip/eFxpeb+qLvcLHf1h0JXtxLVdyy6OLk3f2JRYUX
+2ZZVDvG3biTpeJz6iRzjGg6MfGxXZHjI8weDjXrJwIDAQAB]]></sourcecode>
 
 
-<t anchor="_0e78abc8-5993-3e36-0279-054f726332af">may contain several TXT records. The records would be of the form:</t>
+<t anchor="_d03a8b6b-6454-b06e-3655-c870933faf8d">may contain several TXT records. The records would be of the form:</t>
 
-<sourcecode anchor="_d9ae684a-3a96-832e-abfc-3e893cf50c3a"><![CDATA[p=1,a=RS256,t=x509,d=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1dCqv7JEzUOfbhWKB9mTRsv3O9Vzy1Tz3UQlIDGpnVrTPBJDQTXUhxUMREEOBKo+rOjHZqfYnSmlkgu1dn
+<sourcecode anchor="_ea01e5de-7d2e-8f73-bd2e-0eb71daece52"><![CDATA[p=1,a=RS256,d=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA18SgvpmeasN
+4BHkkv0SBjAzIc4grYLjiAXRtNiBUiGUDMeTzQrKTsWvy9NuxU1dIHCZy9o1CrKNg5EzL
+IZLNyMfI6qiXnM+HMd4byp97zs/3D39Q8iR5poubQcRaGozWx8yQpG0OcVdmEVcTfy
 
-p=2,a=RS256,t=x509,d=BEO8bsELQL8GjS4zsjdA53gRk2SDxuzcB4fK+NCDfnRHut5nG0S3U4cq4DuGrMDFVBwxH1duTsqDNgIOOfNTsFcWSVXoSSTqCCMGbj8Vt51umDhWQAj06lf5
+p=2,a=RS256,d=R/XSEWC5u16EBNvRnNAOAvZYUdWqVyQvXsjnxQot8KcK0QP8iHpoL/1
+dbdRy2opRPQ2FdZpovUgknybq/6FkeDtW7uCQ6Mvu4QxcUa3+WP9nYHKtgWip/eFxpeb+
+qLvcLHf1h0JXtxLVdyy6OLk3f2JRYUX2ZZVDvG3biTpeJz6iRzjGg6MfGxXZHjI8
 
-p=3,a=RS256,t=x509,d=NCDfnRHut5nG0S3U4cq4DuGrMDFVBwxH1duTsqDNgIOOfNTsFcWSVXoSSTqCCMGbj8Vt51umDhWQAj06lf50qP2/jMNs2G+KTlk3dBHx3wtqYLvdcop1Tk5xBD64BPJ9
+p=3,a=RS256,d=weDjXrJwIDAQAB]]></sourcecode>
 
-p=4,a=RS256,t=x509,d=uwm8KlDNHe+8O+cC9j04Ji8B2K0/PzAj90xnb8XJy/EM124hpT9lMgpHKBUvdeurJYweC6oP41gsTf5LrpjnyIy9j5FHPCQIDAQAB]]></sourcecode>
 
-
-<t anchor="_9d048e03-20f6-043b-625a-e8ba10f80f24">Here the public key is broken into four records in DNS, and the data
+<t anchor="_b1c19488-868a-82c8-f640-7a947dc0bda9">Here the public key is broken into four records in DNS, and the data
 also indicates that the signing algorithm is an RSA Signature with
 SHA-256 using an x509 certificate. The value for "a" if omitted will be
 assumed to be RS256, and for "t" will be assumed to be x509.</t>
 
-<t anchor="_52e1936f-b94b-8843-e61a-c7b156547370">Note: The only algorithm currently supported is SHA-256 with x509 certificates. The values
+<t anchor="_6e8212d0-9b0c-4f20-5f83-fcd8737853d9">Note: The only algorithm currently supported is SHA-256 with x509 certificates. The values
 are placed here for future compatibility.</t>
 
-<t anchor="_1ba53350-9fd0-9b6c-9fca-ad1215c01c75">The above data was generated for a query string:</t>
+<t anchor="_eeb5e0fa-3eb2-fda0-6db0-4cdb7e48d4e7">The above data was generated for a query string:</t>
 
-<sourcecode anchor="_b4a6a834-e480-7ca9-e1a3-5ec9da9cf15b"><![CDATA[a=1&b=2&ip=10.10.10.10&domain=foobar.com]]></sourcecode>
+<sourcecode anchor="_b51f963e-0897-94ef-0d06-4abbdc6732eb"><![CDATA[a=1&b=2&ip=10.10.10.10&domain=example.net]]></sourcecode>
 
 
-<t anchor="_64ac005a-94b4-d9ba-818e-0078a5ccec83">Signing the query string by the Service Provider is OPTIONAL. Not
+<t anchor="_84966b85-11b7-6b0d-2e7c-b195d65ad763">Signing the query string by the Service Provider is OPTIONAL. Not
 all Services Provider templates require or are able to provide this level of security.
 Presence of the <strong>syncPubKeyDomain</strong> in the template indicates that the template requires
 signature verification.</t>
 
-<t anchor="_2e605f22-d4d7-8de9-ffa4-dffc40ab5604">Notes:</t>
+<t anchor="_3c2c9bd0-459c-b1ce-7020-988b21668f5a">Notes:</t>
 
-<t anchor="_9dacabb3-28ea-01c9-2283-f3ec45bb5721">The digital signature will be generated on the full query string only,
+<t anchor="_1db36654-973b-585a-4779-28d234a099b2">The digital signature will be generated on the full query string only,
 excluding the sig and key parameters. This is everything after the ?, except the sig and key values.</t>
 
-<t anchor="_c2939f47-ed58-dc0e-7ee8-2031a8349ba8">The values of each query string value key/value pair must be properly URL Encoded
+<t anchor="_8e7da9d3-3019-495b-33d5-cdbbf982f9d5">The values of each query string value key/value pair must be properly URL Encoded
 before the signature is generated.</t>
 </section>
 
 <section anchor="_warnings"><name>Warnings</name>
 
-<t anchor="_a6705d26-00a4-0390-2024-8116e88c470a">Some applications aren't able to use OAuth and/or sign requests.</t>
+<t anchor="_4aa33bd0-243e-6ada-ea1f-ef4961c6a5db">Some applications aren't able to use OAuth and/or sign requests.</t>
 
-<t anchor="_f4f2165e-238f-ee3d-cedd-ac2d5612ae3b">If the template require variables, and OAuth and signing isn't available,
+<t anchor="_52ed745f-4b7c-5a18-384a-d0365d32a87d">If the template require variables, and OAuth and signing isn't available,
 the flag <strong>warnPhishing</strong> must be set to true in the template.</t>
 
-<t anchor="_8107c438-cd7e-00f2-3107-bd738cd024d0">When set this indicates to the DNS Provider that they should display extra warnings to
+<t anchor="_d95461e9-dee9-e948-11b1-329c08af224e">When set this indicates to the DNS Provider that they should display extra warnings to
 the user to have them verify the link was/is from a reputable source before applying
 the template.</t>
 </section>
@@ -647,30 +680,30 @@ the template.</t>
 
 <section anchor="_shared_templates"><name>Shared Templates</name>
 
-<t anchor="_30032395-6660-4311-7f72-1993c5966026">Some templates can be called by multiple companies, or be used for different purposes.</t>
+<t anchor="_3349bcb1-0391-d73b-5881-133868886849">Some templates can be called by multiple companies, or be used for different purposes.</t>
 
-<t anchor="_1c2a7b1f-4838-4c6c-f43b-fc0a20369c81">For example, most services are sold and provided by the same company. However, some
+<t anchor="_f32000d6-a5da-43f3-a0bb-47a9a7d079ab">For example, most services are sold and provided by the same company. However, some
 Service Providers have a reseller channel. This allows the service to be
 provided by the Service Provider, but sold through third parties.
 It is often this third party reseller that configures DNS.</t>
 
-<t anchor="_4d651966-6d0e-eb44-e2a2-c6babbf08ecd">While each reseller could enable Domain Connect, this is inefficient for
+<t anchor="_f82210cc-ddc5-d07c-01d4-be6ecdf61cd4">While each reseller could enable Domain Connect, this is inefficient for
 the DNS Providers. Enabling a single template that is shared by multiple
 resellers would be more optimal.</t>
 
-<t anchor="_53187bb1-82b6-be96-05e0-1f674255ff80">As another example, some templates may be used for different purposes by the same company.</t>
+<t anchor="_f01822d8-7fee-1764-93c7-3ce3b6743ab0">As another example, some templates may be used for different purposes by the same company.</t>
 
-<t anchor="_47baddea-70ea-02c7-544f-5e6ec0f0b3e9">To facilitate these use cases, the ability to pass in additional context for the display
+<t anchor="_1924be4e-1558-d5d6-8c9c-751e36570bb3">To facilitate these use cases, the ability to pass in additional context for the display
 of the providerName and serviceName is enabled. This is only allowed when the template enables the capability
 through the sharedProviderName and/or sharedServiceName flags.</t>
 
-<t anchor="_94266c2d-0afa-f9e5-e372-15931f9cd7e9">Note: The shared flag used to be used for this purpose, but has been deprecated.</t>
+<t anchor="_ff09a0f3-6d9d-7269-30bb-8ba594a6fbaa">Note: The shared flag used to be used for this purpose, but has been deprecated.</t>
 
-<t anchor="_498c9e15-a875-240d-6e10-f1ce638c75fb">The exact message presented to the user is up to the DNS Provider. However it is recommended
+<t anchor="_a2a7c6aa-11e6-38da-ac13-9f6048c720df">The exact message presented to the user is up to the DNS Provider. However it is recommended
 that these fields be used to augment the display of the serviceName and providerName from the template,
 not replace it.</t>
 
-<t anchor="_11caaf55-8f1a-d0f6-efd2-b1b78ecc1006">Note: When a Service Provider has a large reseller channel, it is highly
+<t anchor="_b3b0004d-67dc-774c-0549-60c8c6881cea">Note: When a Service Provider has a large reseller channel, it is highly
 recommended that the Service Provider creates an API for their resellers
 to ease the implementation of Domain Connect. There are elements of convenience in doing
 this around Domain Discovery and URL Formatting. But this would be required
@@ -679,17 +712,17 @@ if the template required signatures.</t>
 
 <section anchor="_verification_of_changes"><name>Verification of Changes</name>
 
-<t anchor="_4a1585c9-b89c-3e97-123a-7a9b57752176">There are circumstances where the Service Provider may wish to verify
+<t anchor="_aa0fd61f-5312-881f-ed33-0e1881963d93">There are circumstances where the Service Provider may wish to verify
 that the template was successfully applied. Without Domain Donnect, this
 typically involved the Service Provider querying DNS to see if the
 changes to DNS had been made.</t>
 
-<t anchor="_e72d3679-0c65-85ef-89bc-f2dd753d757b">This same technique works with Domain Connect, and if necessary can be
+<t anchor="_0205ee00-4da1-2a9a-1551-27de33371bbc">This same technique works with Domain Connect, and if necessary can be
 triggered either manually on the Service Provider site or automatically
 upon page/window activation in the browser when the browser window for
 the DNS Provider is closed.</t>
 
-<t anchor="_80fddc90-0ffc-3a88-d122-6f33e931cc39">When the redirect_uri is used and an error is not present in the URI,
+<t anchor="_98a0a766-1076-c6ef-42d6-b299b36a3c64">When the redirect_uri is used and an error is not present in the URI,
 the Service Provider can not assume the changes were applied to DNS. While true in most
 circumstances, users can tamper with or alter the return
 url in the browser. As such it is recommend that enablement of a service
@@ -699,49 +732,52 @@ be based on verification of changes to DNS.</t>
 
 <section anchor="_asynchronous_flow_oauth"><name>Asynchronous Flow: OAuth</name>
 
-<t anchor="_af44f74b-17dc-ee33-7d88-1f7e5d14140c">Using the OAuth flow is a more advanced use case needed by Service
+<section anchor="_general_information_2"><name>General information</name>
+
+<t anchor="_698734b8-f258-3237-1039-046accee78e0">Using the OAuth flow is a more advanced use case needed by Service
 Providers that have more complex configurations that may require
 multiple steps and/or are asynchronous from the user's interaction.</t>
 
-<t anchor="_4a62823f-1d3c-81fd-6252-37152fe7379b">Details of an OAuth implementation are beyond the scope of this
+<t anchor="_23aaec6b-0bbb-0f44-be60-46cd42e6460b">Details of an OAuth implementation are beyond the scope of this
 specification. Instead, an overview of how OAuth is used by Domain
 Connect is given here.</t>
 
-<t anchor="_47106dda-5180-7c6e-b6a1-fe96fcef7cd9">Not all DNS Providers will support the asyncronous flow. As such it is
+<t anchor="_ec3fd116-ed47-2cf0-9e1e-e67daca19115">Not all DNS Providers will support the asyncronous flow. As such it is
 recommended that Service Providers relying on an OAuth implementation also
 implement a synchronous implementation.</t>
+</section>
 
 <section anchor="_oauth_flow_setup"><name>OAuth Flow: Setup</name>
 
-<t anchor="_3d1f3960-0273-a7f8-c58e-80b8c6e49609">Service providers wishing to use the OAuth flow must register as an
+<t anchor="_61f3ea9f-6ee4-725c-b9f9-e797d80b5573">Service providers wishing to use the OAuth flow must register as an
 OAuth client with each DNS provider. This is a manual
 process.</t>
 
-<t anchor="_16a127ad-f4ce-0f16-53fd-6f2d5e0e9447">To register, the Service Provider would provide (in addition to their
+<t anchor="_46196909-165c-823b-eb30-c8b6f08d1a8b">To register, the Service Provider would provide (in addition to their
 template) any configuration necessary for the DNS Providers OAuth
 implementation. This includes valid URLs and Domains for redirects upon
 success or errors.</t>
 
-<t anchor="_2a24d778-6e53-4acb-208d-4547c93ace33">Note: The validity of redirects are very important in any OAuth implementation.
+<t anchor="_821c13f0-f14c-99b4-830b-a6d0838d2929">Note: The validity of redirects are very important in any OAuth implementation.
 Most OAuth vulnerabilities are a combination of an open redirect and/or a
 compromised secret.</t>
 
-<t anchor="_d0c45268-d316-c04f-e4f4-5bb5c8a7275e">In return, the DNS provider will give the Service Provider a client id
+<t anchor="_1b09f5b2-700a-2a59-dbd9-13029d8ff136">In return, the DNS provider will give the Service Provider a client id
 and a secret which will be used when requesting tokens. For simplicity the client
 id should be the same as the providerId.</t>
 </section>
 
 <section anchor="_oauth_flow_getting_an_authorization_code"><name>OAuth Flow: Getting an Authorization Code</name>
 
-<sourcecode anchor="_c6a52787-32c9-fe2c-d8ee-cc9ebdc9dec4"><![CDATA[GET
+<sourcecode anchor="_7ca559df-0e7f-1b3c-f123-eb974dd1a8fd"><![CDATA[GET
 
 {urlAsyncUX}/v2/domainTemplates/providers/{providerId}]]></sourcecode>
 
 
-<t anchor="_993ba154-5ab1-7344-6489-151820bdb042">To initiate the OAuth flow the Service Provider first links to the DNS
+<t anchor="_593b6e18-f111-16e2-e497-b06ca8d4dc61">To initiate the OAuth flow the Service Provider first links to the DNS
 Provider to gain consent.</t>
 
-<t anchor="_792e167b-e7f4-21a4-3334-23b8df666796">This endpoint is similar to the synchronous flow described above. The DNS Provider
+<t anchor="_11a3a361-3ea7-10d4-a18b-b77110c21ead">This endpoint is similar to the synchronous flow described above. The DNS Provider
 must authenticate the user, verify the user has control of the DNS Zone for the domain, and ask the user for
 permission. Instead of permission to make a change to DNS, the permission
 is now to allow the Service Provider to
@@ -750,184 +786,187 @@ DNS Provider may warn the user that (the eventual)
 application of a template might change existing records and/or disrupt
 existing services attached to the domain.</t>
 
-<t anchor="_a39a475b-0780-ba7f-5556-f05071923641">While the variables for the applied template would be provided later,
+<t anchor="_b690b9d2-f0f0-f98b-b60b-5ef8b659f8ad">While the variables for the applied template would be provided later,
 the values of some variables may be necessary to determine conflicts. As
 such, any variables impacting conflicting records should be provided
 in the consent flow. Today this includes variables in hosts, and
 variables in the data portion for certain TXT records. As conflict
 resolution evolves, this list may grow.</t>
 
-<t anchor="_94e2e0da-3b4d-bf9d-3ac1-1a0ac2faf561">The protocol allows for the Service Provider to gain consent to apply
+<t anchor="_21daee93-928b-9efa-2dbc-749c9d926ebb">The protocol allows for the Service Provider to gain consent to apply
 multiple templates. These templates are specified in the <strong>scope</strong> parameter. It
 also allows for the Service Provider to gain consent to apply these templates to the domain
 or to the domain with multiple sub-domains. These are specified in the <strong>domain</strong> and <strong>host</strong>
 parameter. If conflict detection is implemented
 by the DNS Provider, they should account for all permutations.</t>
 
-<t anchor="_b31fedc6-ce2d-56b8-fb13-448b7fc7ec6f">The scope parameter is a space separated list (as per the OAuth protocol)
+<t anchor="_abcee595-e582-179c-98da-26e3c52f2ba0">The scope parameter is a space separated list (as per the OAuth protocol)
 of the template serviceIds. The host parameter is an OPTIONAL comma separated
 list of hosts. A blank entry for the host implies the template can be
 applied to the root domain. For example:</t>
 
-<table anchor="_c5f8d62d-0c2a-ebba-1a75-4a736c6a3870"><name>examples of scope and host parameter values in the async flow</name><thead><tr><th align="left"><strong>Query String</strong></th><th align="left"><strong>Description</strong></th></tr></thead><tbody><tr><td align="left">scope=t1+t2&amp;domain=example.com</td><td align="left">Templates "t1" and "t2" can be applied to example.com</td></tr><tr><td align="left">scope=t1+t2&amp;domain=example.com&amp;host=sub1,sub2</td><td align="left">Templates "t1" and "t2" can be applied to sub1.example.com or sub2.example.com</td></tr><tr><td align="left">scope=t1+t2&amp;domain=example.com&amp;host=sub1,</td><td align="left">Templates "t1" and "t2" can be applied to example.com or sub1.example.com</td></tr></tbody></table>
+<table anchor="_c95bb66b-5c8b-bf8e-d9bf-313cc91305b7"><name>examples of scope and host parameter values in the async flow</name><thead><tr><th align="left"><strong>Query String</strong></th><th align="left"><strong>Description</strong></th></tr></thead><tbody><tr><td align="left">scope=t1+t2=example.com</td><td align="left">Templates "t1" and "t2" can be applied to example.com</td></tr><tr><td align="left">scope=t1+t2=example.com=sub1,sub2</td><td align="left">Templates "t1" and "t2" can be applied to sub1.example.com or sub2.example.com</td></tr><tr><td align="left">scope=t1+t2=example.com=sub1,</td><td align="left">Templates "t1" and "t2" can be applied to example.com or sub1.example.com</td></tr></tbody></table>
 
-<t anchor="_757e843d-ef5d-6c5b-107c-cec2c5d4879b">Upon successful authorization/verification/consent from the user, the
+<t anchor="_60f7a4db-d6eb-7b77-a6a9-cacf58fd3594">Upon successful authorization/verification/consent from the user, the
 DNS Provider will direct the end user's browser to the redirect URI. The
 authorization code will be appended to this URI as a query parameter of
 "code=" as per the OAuth specification.</t>
 
-<t anchor="_3d9540d5-4a66-b534-1f40-a4e30673b27f">Similar to the synchronous flow, upon error the DNS provider may append
+<t anchor="_3bebdefc-15a5-497c-83e0-5063a5898d54">Similar to the synchronous flow, upon error the DNS provider may append
 an error code as query parameter "error". These errors are also from the
-oAuth 2.0 RFC 6749 (4.1.2.1. Error Response - "error" parameter). Valid
+OAuth 2.0 <xref target="RFC6749" section="" relative=""></xref> (4.1.2.1. Error Response - "error" parameter). Valid
 values include: invalid_request, unauthorized_client, access_denied,
 unsupported_response_type, invalid_scope, server_error, and
 temporarilly_unavailable. An OPTIONAL error_description suitable for
 developers may also be returned at the discretion of the DNS Provider.
 The same considerations as in the synchronous flow apply here.</t>
 
-<t anchor="_5a9a6e1d-9592-79ab-943a-fadbf69ce381">The state value passed into the call must be passed back on the query
+<t anchor="_fd3a53b5-1703-104b-c1ab-cc0a0adf27b4">The state value passed into the call must be passed back on the query
 string as "state=".</t>
 
-<t anchor="_515d5100-345e-e5ba-5241-6b9a8b124f11">The following table describes the values in the query
+<t anchor="_ad9c2f8c-ee26-9332-1a14-b1a0800a233b">The following table describes the values in the query
 string parameters for the request for the OAuth consent flow that must be included unless otherwise
 indicated</t>
 
-<table anchor="_264b6454-0ccb-ce9e-d221-d506e608633f"><name>query parameters of the authorization end-point in async flow</name><thead><tr><th align="left">Property</th><th align="left">Key</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><strong>Domain</strong></td><td align="left">domain</td><td align="left">The domain name being configured. This is the root domain (the registered domain or delegated zone).</td></tr><tr><td align="left"><strong>Host</strong></td><td align="left">host</td><td align="left">(OPTIONAL) An list of comma separated host names upon which the template may be applied. An empty string implies the root.</td></tr><tr><td align="left"><strong>Client Id</strong></td><td align="left">client_id</td><td align="left">The client id that was provided by the DNS provider to the service provider
-during registration. It is recommended that this should be the same as the providerId in the template.</td></tr><tr><td align="left"><strong>Redirect URI</strong></td><td align="left">redirect_uri</td><td align="left">The location to direct the client's browser upon successful authorization or upon error.
+<table anchor="_ad272029-2ff7-327a-2b5f-f176c7cce85d"><name>query parameters of the authorization end-point in async flow</name><thead><tr><th align="left">Property</th><th align="left">Key</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><strong>Domain</strong></td><td align="left">domain</td><td align="left">(REQUIRED) The domain name being configured. This is the root domain (the registered domain or delegated zone).</td></tr><tr><td align="left"><strong>Host</strong></td><td align="left">host</td><td align="left">(OPTIONAL) An list of comma separated host names upon which the template may be applied. An empty string implies the root.</td></tr><tr><td align="left"><strong>Client Id</strong></td><td align="left">client_id</td><td align="left">(REQUIRED) The client id that was provided by the DNS provider to the service provider
+during registration. It is recommended that this should be the same as the providerId in the template.</td></tr><tr><td align="left"><strong>Redirect URI</strong></td><td align="left">redirect_uri</td><td align="left">(REQUIRED) The location to direct the client's browser upon successful authorization or upon error.
 Validation of the redirect_uri will be done by the DNS Provider to match the values provided during onboarding.</td></tr><tr><td align="left"><strong>Response type</strong></td><td align="left">response_type</td><td align="left">(OPTIONAL) If included it must be the string 'code' to indicate an authorization code
-is being requested.</td></tr><tr><td align="left"><strong>Scope</strong></td><td align="left">scope</td><td align="left">The OAuth scope corresponds to the requested templates. This is list of space separated
+is being requested.</td></tr><tr><td align="left"><strong>Scope</strong></td><td align="left">scope</td><td align="left">(REQUIRED) The OAuth scope corresponds to the requested templates. This is list of space separated
 serviceIds.</td></tr><tr><td align="left"><strong>Provider Name</strong></td><td align="left">providerName</td><td align="left">(OPTIONAL) This parameter allows for the caller to provide additional text for display
 with the template providerName. This text should be used to augment the providerName value
 from the template, not replace it.</td></tr><tr><td align="left"><strong>Service Name</strong></td><td align="left">serviceName</td><td align="left">(OPTIONAL) This parameter allows for the caller to provide additional text for display
 with the template serviceName(s). It should be used to augment the serviceName value(s)
 from the template, not replace.</td></tr><tr><td align="left"><strong>State</strong></td><td align="left">state</td><td align="left">(OPTIONAL) This is a random, unique string passed along to prevent CSRF or
 to pass state value back to the caller. It will be returned as a parameter appended to
-the redirect_url described above.</td></tr></tbody></table>
+the redirect_url described above.</td></tr><tr><td align="left"><strong>Name/Value Pairs</strong></td><td align="left">*</td><td align="left">(OPTIONAL) Any key that will be used as a replacement for the "% surrounded" value(s) in a
+template required for conflict detection. This includes variables used in hosts and
+data in certain TXT records.</td></tr></tbody></table>
 </section>
 
-<section anchor="_oauth_flow_requesting_an_access_token"><name>oAuth Flow: Requesting an Access Token</name>
+<section anchor="_oauth_flow_requesting_an_access_token"><name>OAuth Flow: Requesting an Access Token</name>
 
-<sourcecode anchor="_51452a19-fdfa-54ad-4ea7-0f1cf51bcf73"><![CDATA[POST
+<sourcecode anchor="_c6909441-f465-228f-5e15-f4d39efd673e"><![CDATA[POST
 
 {urlAPI}/v2/oauth/access_token]]></sourcecode>
 
 
-<t anchor="_b65aaea8-2741-c151-3c5b-eba959e6ee8a">Once authorization has been granted, the Service Provider must use the
-Authorization Code provided to request an Access Token. The oAuth
+<t anchor="_584613a1-8c4e-3d84-f073-0c2166e6c400">Once authorization has been granted, the Service Provider must use the
+Authorization Code provided to request an Access Token. The OAuth
 specification recommends that the Authorization Code be a short lived
 token, and a reasonable recommended setting is ten minutes. As such this
 exchange needs to be completed before that time has expired or the
 process will need to be repeated.</t>
 
-<t anchor="_e0afecd1-697b-382c-200a-823ea0573b26">This token exchange is typically done via a server to server API call from the
+<t anchor="_c2426a1b-f6ab-bd8c-5ca6-de4a6fde5afe">This token exchange is typically done via a server to server API call from the
 Service Provider to the DNS Provider using a POST. When called in this manner a
 secret is provided
 along with the Authorization Code.</t>
 
-<t anchor="_f754114d-cabf-a39b-14aa-66d696034e13">OAuth does allow for retrieving the access token without a secret. This is typically
+<t anchor="_e1561674-fd29-d6e1-ffaa-50eec639abeb">OAuth does allow for retrieving the access token without a secret. This is typically
 done when the OAuth client is a client application.
 When onboarding with the DNS Provider this would need to be enabled.</t>
 
-<t anchor="_15e37249-6284-c424-0542-874f49650836">When the secret is provided (which is the normal case), care must be taken. A malicious
+<t anchor="_8beeb69f-8a02-7077-9089-22d56fe987a5">When the secret is provided (which is the normal case), care must be taken. A malicious
 user could create a domain that returns a false <em>_domainconnect</em> TXT record, and
 subsequently a JSON call to their own server for the API end point. By doing so, they
 could then run Domain Connect on their domain and retrieve the secret.</t>
 
-<t anchor="_b8c08dbf-6ba9-ca98-4ed5-5b3953eb18b9">As such the urlAPI used for oAuth by the Service Provider should be maintained per DNS
+<t anchor="_e10321c9-af14-1e4a-d195-fd4696b82083">As such the urlAPI used for OAuth by the Service Provider should be maintained per DNS
 Provider and not the value retrieved during discovery.</t>
 
-<t anchor="_9c2b8c51-1af6-9f7d-9a44-54d8b62fab12">The following table describes the POST parameters that must be included in the
+<t anchor="_c0cb3e98-44fe-12d6-8096-f7ef76ca5841">The following table describes the POST parameters that must be included in the
 request for the access token unless otherwise indicated.
 The parameters should be accepted via the
 query string or the body of the post. This is again particularly
 important for the client_secret, as passing secrets via a query string
 is generally frowned upon given that various systems often log URLs.</t>
 
-<t anchor="_5638f6fb-7abe-9716-dd3a-60ac5cff9987">The body of the post is application/json encoded.</t>
+<t anchor="_65214185-731a-daa6-0b74-80b403426d3a">The body of the post is application/json encoded.</t>
 
-<table anchor="_5692610c-891e-d6d4-d2b5-37bf56a26ee5"><name>parameters of the token end-point</name><thead><tr><th align="left">Property</th><th align="left">Key</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><strong>Authorization Code/Refresh Code</strong></td><td align="left">code/refresh_token</td><td align="left">The authorization code that was
+<table anchor="_76b39d85-7434-ae59-71e0-0bd0660baa33"><name>parameters of the token end-point</name><thead><tr><th align="left">Property</th><th align="left">Key</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><strong>Authorization Code/Refresh Code</strong></td><td align="left">code/refresh_token</td><td align="left">(REQUIRED) The authorization code that was
 provided in the previous step when the customer accepted the
 authorization request, or the refresh_token for a subsequent access
-token.</td></tr><tr><td align="left"><strong>Redirect URI</strong></td><td align="left">redirect_uri</td><td align="left">(OPTIONAL) This is required if a redirect_uri was
+token.</td></tr><tr><td align="left"><strong>Redirect URI</strong></td><td align="left">redirect_uri</td><td align="left">(OPTIONAL) This is REQUIRED if a redirect_uri was
 passed to request the authorization code. When included, it needs to be
-the same redirect_uri provided in this step.</td></tr><tr><td align="left"><strong>Grant type</strong></td><td align="left">grant_type</td><td align="left">The type of code in the request. Usually the string 'authorization_code' or 'refresh_token'</td></tr><tr><td align="left"><strong>Client ID</strong></td><td align="left">client_id</td><td align="left">This is the client id that was provided by the DNS provider to the Service Provider during
-registration</td></tr><tr><td align="left"><strong>Client Secret</strong></td><td align="left">client_secret</td><td align="left">The secret provided to the Service Provider during registration. Typically required
-unless the rare circumstance with secret-less oAuth.</td></tr></tbody></table>
+the same redirect_uri provided in this step.</td></tr><tr><td align="left"><strong>Grant type</strong></td><td align="left">grant_type</td><td align="left">(REQUIRED) The type of code in the request. Usually the string 'authorization_code' or 'refresh_token'</td></tr><tr><td align="left"><strong>Client ID</strong></td><td align="left">client_id</td><td align="left">(REQUIRED) This is the client id that was provided by the DNS provider to the Service Provider during
+registration</td></tr><tr><td align="left"><strong>Client Secret</strong></td><td align="left">client_secret</td><td align="left">(REQUIRED) The secret provided to the Service Provider during registration. Typically required
+unless the rare circumstance with secret-less OAuth.</td></tr></tbody></table>
 
-<t anchor="_18ad4e93-5c80-a27e-2f1d-2c4b4a322297">Upon successful token exchange, the DNS Provider will return a response
+<t anchor="_19d7f405-5593-e03b-1831-8bd1b148c82d">Upon successful token exchange, the DNS Provider will return a response
 with 4 properties in the body of the response.</t>
 
-<table anchor="_b1b8cb07-3963-8a6f-7c29-a9385da88f80"><name>properties of the token end-point response</name><thead><tr><th align="left">Property</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><strong>access_token</strong></td><td align="left">The access token to be used when making API requests</td></tr><tr><td align="left"><strong>token_type</strong></td><td align="left">Always the string "bearer"</td></tr><tr><td align="left"><strong>expires_in</strong></td><td align="left">The number of seconds until the access_token expires</td></tr><tr><td align="left"><strong>refresh_token</strong></td><td align="left">The token that can be used to request new access tokens when this one has expired.</td></tr></tbody></table>
+<table anchor="_62fa1efb-531b-f226-d8a7-d1c82804e1e3"><name>properties of the token end-point response</name><thead><tr><th align="left">Property</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><strong>access_token</strong></td><td align="left">The access token to be used when making API requests</td></tr><tr><td align="left"><strong>token_type</strong></td><td align="left">Always the string "bearer"</td></tr><tr><td align="left"><strong>expires_in</strong></td><td align="left">The number of seconds until the access_token expires</td></tr><tr><td align="left"><strong>refresh_token</strong></td><td align="left">The token that can be used to request new access tokens when this one has expired.</td></tr></tbody></table>
 
-<table anchor="_5fdbb0ce-ebf6-e835-c437-11359a6e77bd"><name>http status codes of the token end-point response</name><thead><tr><th align="left">Status</th><th align="left">Response</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><strong>Success</strong></td><td align="left">2xx</td><td align="left">A response of an http status code of 2xx indicates that the
+<table anchor="_8b000128-6216-8afb-18fb-69fa96ccab39"><name>http status codes of the token end-point response</name><thead><tr><th align="left">Status</th><th align="left">Response</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><strong>Success</strong></td><td align="left">2xx</td><td align="left">A response of an http status code of 2xx indicates that the
 call was successful. The response is the JSON described above.</td></tr><tr><td align="left"><strong>Errors</strong></td><td align="left">4**</td><td align="left">All other responses indicate an error.</td></tr></tbody></table>
 </section>
 
 <section anchor="_oauth_flow_making_requests_with_access_tokens"><name>OAuth Flow: Making Requests with Access Tokens</name>
 
-<t anchor="_69ae5d9b-fb07-7c2f-91d2-a2261ecf9826">Once the Service Provider has the access token, they can call the DNS
+<t anchor="_c5c93815-4045-214b-6663-ec8ac17aa414">Once the Service Provider has the access token, they can call the DNS
 Provider's API to make changes to DNS on the domain by applying and (OPTIONALLY)
 removing authorized templates. These templates can be applied to the
 root domain or to any sub-domain of the root domain that has been authorized.</t>
 
-<t anchor="_60b4eb5a-0e9b-daca-b44e-501ec8d8cff0">All calls to this API pass the access token in the Authorization Header
+<t anchor="_273197e2-705d-d434-640e-5971085a4a3b">All calls to this API pass the access token in the Authorization Header
 of the request to the call to the API. More details can be found in the
 OAuth specifications, but as an example:</t>
 
-<sourcecode anchor="_9418851b-7e97-52b8-2814-3cebe5cbafa0"><![CDATA[GET /resource/1 HTTP/1.1
+<sourcecode anchor="_6caaba40-82c0-6260-3791-7993a2d7a30c"><![CDATA[GET /resource/1 HTTP/1.1
 
 Host: example.com
 
 Authorization: Bearer mF_9.B5f-4.1JqM]]></sourcecode>
 
 
-<t anchor="_689068ce-3911-1f8c-0c72-ea8c6d7bc0b7">While the calls below do not have the same security consideration of
+<t anchor="_84f91c55-9ffd-00a5-85b4-86e302e6c9af">While the calls below do not have the same security consideration of
 passing the secret, it is recommend that the urlAPI be from a stored
 value vs. the value returned during discovery here as well.</t>
 </section>
 
 <section anchor="_oauth_flow_apply_template_to_domain"><name>OAuth Flow: Apply Template to Domain.</name>
 
-<sourcecode anchor="_9e901c1e-9c91-41f9-b664-fdb3a9ce78ea"><![CDATA[POST
+<sourcecode anchor="_44b6da15-0b75-6d05-0724-3307d7ae7a08"><![CDATA[POST
 
-{urlAPI}/v2/domainTemplates/providers/{providerId}/services/{serviceId}/apply?[properties]]]></sourcecode>
+{urlAPI}/v2/domainTemplates/providers/{providerId}/services
+/{serviceId}/apply?[properties]]]></sourcecode>
 
 
-<t anchor="_e5cfcd34-a98e-06ac-5d6f-98f2d6945ccb">The primary function of the API is to apply a template to a customer
+<t anchor="_8ae8141d-b166-2a71-1a2e-5bfcab2c9c4c">The primary function of the API is to apply a template to a customer
 domain.</t>
 
-<t anchor="_dc986a2b-915d-69b2-eb56-68a9923f1597">While the providerId is implied in the authorization, this is on the
+<t anchor="_2579abcf-72dd-816a-1bc6-431027d2e4db">While the providerId is implied in the authorization, this is on the
 path for consistency with the synchronous flows and other APIs. If not
 matching what was authorized, an error must be returned.</t>
 
-<t anchor="_dce4cc11-084c-41ca-e69d-a49596f64f0d">When applying a template to a domain, it is possible that a conflict may
+<t anchor="_80f22a24-6b97-8096-46fb-c3f191540f69">When applying a template to a domain, it is possible that a conflict may
 exist with previous settings. While it is recommended that conflicts be
 detected when the user grants consent, because OAuth is asynchronous it
 is possible that a new conflict was introduced by the user.</t>
 
-<t anchor="_8148ce14-9a62-9d40-1ba8-c542c167be2e">While it is up to the DNS Provider to determine what constitutes a
+<t anchor="_b6ec7dc5-071a-9261-3d73-4f0d6c462c6c">While it is up to the DNS Provider to determine what constitutes a
 conflict (see section on Conflicts below), when one is detected calling
 this API must return an error. This error should enumerate the
 conflicting records in a format described below.</t>
 
-<t anchor="_458b045c-695d-accf-1e89-9a10912e92cd">Because the user often isn't present at the time of this error, it is up the
+<t anchor="_e02c3feb-d4c3-8142-1e0e-20e2bf1c497c">Because the user often isn't present at the time of this error, it is up the
 Service Provider to determine how to handle this condition. Some providers
 may decide to notify the user. Others may decide to apply their template
 anyway using the "force" parameter. This parameter will bypass error
 checks for conflicts, and after the call the service will be in its
 desired state.</t>
 
-<t anchor="_c568cdfd-b6db-42b6-c11e-4f06ee6c6ad5">Calls to apply a template via OAuth require the following parameters
+<t anchor="_a977a5d9-a657-c06d-5435-36efe19b297e">Calls to apply a template via OAuth require the following parameters
 posted to the above URL unless otherwise indicated.
 The DNS Provider must accept parameters in query string or body of this
 post.</t>
 
-<t anchor="_38d7f344-d70c-f89f-43e2-bc3c1a6644e9">The body is application/json encoded.</t>
+<t anchor="_200f5ca9-7f34-6189-9291-7ecd758f56ea">The body is application/json encoded.</t>
 
-<table anchor="_babbbfe9-092e-6c92-f606-83e570546817"><name>query parameters of the apply end-point in the async flow</name><thead><tr><th align="left">Property</th><th align="left">Key</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><strong>Domain</strong></td><td align="left">domain</td><td align="left">The root domain name being configured. It must match the domain that was authorized
+<table anchor="_538dd35c-0971-5ecd-eea7-29a6021a819e"><name>query parameters of the apply end-point in the async flow</name><thead><tr><th align="left">Property</th><th align="left">Key</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><strong>Domain</strong></td><td align="left">domain</td><td align="left">(REQUIRED) The root domain name being configured. It must match the domain that was authorized
 in the token.</td></tr><tr><td align="left"><strong>Host</strong></td><td align="left">host</td><td align="left">(OPTIONAL) The host name of the sub domain of the root domain that was authorized in the
 token. If omitted or left blank, the template is being applied to the root
-domain.</td></tr><tr><td align="left"><strong>Name/Value Pairs</strong></td><td align="left">*</td><td align="left">Any variable fields consumed by
+domain.</td></tr><tr><td align="left"><strong>Name/Value Pairs</strong></td><td align="left">*</td><td align="left">(REQUIRED) Any variable fields consumed by
 this template. The name portion of this API call corresponds to the
 variable(s) specified in the record and the value corresponds to the
 value that must be used when applying the template as per the
@@ -945,26 +984,28 @@ in the template being applied.</td></tr><tr><td align="left"><strong>InstanceId<
 (see <xref target="template-definition">multiInstance</xref> template property). Allows for later
 removal of one template instance by DNS Providers storing this information.</td></tr></tbody></table>
 
-<t anchor="_a8de3da1-a6fe-edb0-be45-a8a0ff1429f8">An example call is below. In this example, it is contemplated that there
+<t anchor="_42dbd489-a5a7-db1a-e83e-e9e40f849a3f">An example call is below. In this example, it is contemplated that there
 are two variables in this template, "IP" and "RANDOMTEXT" which both require
 values. These variables are
 passed as name/value pairs.</t>
 
-<sourcecode anchor="_d66ad56e-23fc-eef2-4523-9f2c57f29eb8"><![CDATA[POST
+<sourcecode anchor="_03a66551-df62-5041-f977-c31924686596"><![CDATA[POST
 
-https://connect.dnsprovider.com/v2/domainTemplates/providers/exampleservice.domainconnect.org/services/template1/apply?IP=192.168.42.42&RANDOMTEXT=shm%3A1542108821%3AHello&force=1]]></sourcecode>
+https://connect.dnsprovider.example/v2/domainTemplates/providers/
+exampleservice.example/services/template1/apply?IP=192.0.2.42
+&#x26;RANDOMTEXT=shm%3A1542108821%3AHello&#x26;force=1]]></sourcecode>
 
 
-<t anchor="_9678e1c0-5df4-6a26-3f0d-3bfc358cdcf7">The API must validate the access token, and that the domain belongs to
+<t anchor="_a1b0c7f6-306d-b165-a2ff-8a679ca1aae7">The API must validate the access token, and that the domain belongs to
 the customer and is represented by the token being presented. Any errors
 with variables, conflicting templates, or problems with the state of the
 domain are returned; otherwise the template is applied.</t>
 
-<t anchor="_677ce658-e301-d5b0-dcef-db9255b4beea">Results of this call can include information indicating success or an
+<t anchor="_bf1bf9dc-f597-d3a6-726e-d897eab0e13a">Results of this call can include information indicating success or an
 error. Errors will be 400 status codes, with the following codes
 defined.</t>
 
-<table anchor="_820b85c4-3f4c-a626-4843-6b3ef4cc69d1"><name>http status codes of the apply end-point in the async flow</name><thead><tr><th align="left">Status</th><th align="left">Response</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><strong>Success</strong></td><td align="left">2xx</td><td align="left">A response of an http status code of 204 indicates that
+<table anchor="_0ffab5e3-cc09-2aa1-7883-d6ae21cfa403"><name>http status codes of the apply end-point in the async flow</name><thead><tr><th align="left">Status</th><th align="left">Response</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><strong>Success</strong></td><td align="left">2xx</td><td align="left">A response of an http status code of 204 indicates that
 call was successful and the template applied. Note that any 200 level
 code must be considered a success.</td></tr><tr><td align="left"><strong>Bad Request</strong></td><td align="left">400</td><td align="left">A response of a 400 indicates that the server cannot process the request because it
 was malformed or had errors. This response code is intended for programming errors.</td></tr><tr><td align="left"><strong>Unauthorized</strong></td><td align="left">401</td><td align="left">A response of a 401 indicates that caller is not
@@ -976,14 +1017,14 @@ not equal to 1.</td></tr><tr><td align="left"><strong>Error</strong></td><td ali
 applying the template problematic; most often something that is wrong with the account and
 requires attention.</td></tr></tbody></table>
 
-<t anchor="_1225671e-0a7e-f20f-4930-6c9207da874d">When a 409 is returned, the body of the response should contain details of
+<t anchor="_3720da50-401f-682d-c252-683625be85ac">When a 409 is returned, the body of the response should contain details of
 the conflicting records. This should be JSON containing the error code, a message
 suitable for developers, and an array of tuples containing the
 conflicting records type, host, and data element.</t>
 
-<t anchor="_1e14ebc8-f70a-385f-2a36-78edc0c9dc48">As an example:</t>
+<t anchor="_19d2c60d-0baf-40ba-717c-2f9896175a60">As an example:</t>
 
-<sourcecode anchor="_1caee516-e51f-700f-d303-f16d2f9ee8d5" type="json"><![CDATA[{
+<sourcecode anchor="_91c313ce-a803-e36c-e03c-ddac8cfa9191" type="json"><![CDATA[{
     "code": "409",
     "message": "Conflicting records",
     "records": [
@@ -1001,56 +1042,58 @@ conflicting records type, host, and data element.</t>
 }]]></sourcecode>
 
 
-<t anchor="_0117a093-e852-7de7-5b7f-dae45e27ea66">In this example, the Service Provider tried to apply a new hosting
+<t anchor="_11fa147a-3ed3-5643-2cbf-3eecb4fda671">In this example, the Service Provider tried to apply a new hosting
 template. The domain had an existing service applied for hosting.</t>
 </section>
 
 <section anchor="_oauth_flow_revert_template"><name>OAuth Flow: Revert Template</name>
 
-<t anchor="_43ae96a1-0907-1c17-cdfb-15ea03527a0c">This call reverts the application of a specific template from a domain.</t>
+<t anchor="_46bdf902-f34d-29a0-f354-f92def61e1b6">This call reverts the application of a specific template from a domain.</t>
 
-<t anchor="_8b4ee1b2-bfe5-6daf-8d08-6a070069e7a4">Implementation of this call is OPTIONAL. If not supported a 501 MUST be returned.</t>
+<t anchor="_f6b895bc-090e-4153-7330-38669c40d319">Implementation of this call is OPTIONAL. If not supported a 501 MUST be returned.</t>
 
-<sourcecode anchor="_935f5c37-977c-0434-19c3-e3e85e487b60"><![CDATA[POST
+<sourcecode anchor="_cbd636e1-ffdc-c1ef-2eb7-047d939b87ea"><![CDATA[POST
 
-{urlAPI}/v2/domainTemplates/providers/{providerId}/services/{serviceId}/revert?domain={domain}&host={host}]]></sourcecode>
+{urlAPI}/v2/domainTemplates/providers/{providerId}/services
+/{serviceId}/revert?domain={domain}&host={host}]]></sourcecode>
 
 
-<t anchor="_5aba34b2-9e23-931c-1d18-64aa2516b6ae">This API allows the removal of a template from a customer domain/host
+<t anchor="_36273a0d-f6b8-5c9e-30d2-d4f7a097cd22">This API allows the removal of a template from a customer domain/host
 using an OAuth request.</t>
 
-<t anchor="_2b81ca93-e6b8-5ca9-af64-fd130b75138b">The provider and service name in the URL must match the values provided during authorization.</t>
+<t anchor="_fb6e9ba3-ead5-69d4-17b9-747d66fe0c58">The provider and service name in the URL must match the values provided during authorization.</t>
 
-<t anchor="_05528a7f-0830-c7fe-f59f-61d2fef1d8d3">This call must validate that the template exists and has been
+<t anchor="_278e209f-dd7a-cd58-a1b5-15a5f3800df9">This call must validate that the template exists and has been
 applied to the domain by the Service Provider, or a warning must be
 returned that the call would have no effect.</t>
 
-<t anchor="_a561fa35-19e7-9730-9ed6-992db5c04ca0">An example query string might look like:</t>
+<t anchor="_79dc2b07-cb4d-557a-24c9-fe49e3473f0e">An example query string might look like:</t>
 
-<sourcecode anchor="_c09b981e-8cb1-6ed3-c2f9-273da7ecff2a"><![CDATA[POST
+<sourcecode anchor="_6c21fc60-4382-b2dd-6f95-f038e325acfe"><![CDATA[POST
 
-https://connect.dnsprovider.com/v2/domainTemplates/providers/exampleservice.domainconnect.org/services/template1/revert?domain=example.com]]></sourcecode>
+https://connect.dnsprovider.example/v2/domainTemplates/providers
+/exampleservice.example/services/template1/revert?domain=example.com]]></sourcecode>
 
 
-<t anchor="_4d16fabe-8f07-9607-e29f-c54c79483178">Allowed parameters:</t>
+<t anchor="_56cfdf56-d98b-8438-0646-5bac0a67b6fe">Allowed parameters:</t>
 
-<table anchor="_7152cdea-d3b3-62c1-3ff4-c78d7d0c2ddc"><name>query parameters of the revert end-point in the async flow</name><thead><tr><th align="left">Property</th><th align="left">Key</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><strong>Domain</strong></td><td align="left">domain</td><td align="left">The root domain name being configured. It
-must match the domain that was authorized in the token.</td></tr><tr><td align="left"><strong>Host</strong></td><td align="left">host</td><td align="left">The host name of the sub domain of the root domain that was authorized in the token.
+<table anchor="_4b2d0705-539a-bdb5-341c-39aca795ef38"><name>query parameters of the revert end-point in the async flow</name><thead><tr><th align="left">Property</th><th align="left">Key</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><strong>Domain</strong></td><td align="left">domain</td><td align="left">(REQUIRED) The root domain name being configured. It
+must match the domain that was authorized in the token.</td></tr><tr><td align="left"><strong>Host</strong></td><td align="left">host</td><td align="left">(OPTIONAL) The host name of the sub domain of the root domain that was authorized in the token.
 If omitted or left blank, the template is being applied to the root
 domain.</td></tr><tr><td align="left"><strong>InstanceId</strong></td><td align="left">instanceId</td><td align="left">(OPTIONAL) Only applicable to templates supporting multiple instances
 (see <xref target="template-definition">multiInstance</xref> template property). For DNS Provider
 storing information about applied templates allows removal of single instance
 of template. If missing all instances of template should be removed.</td></tr></tbody></table>
 
-<t anchor="_1ef131f0-a47c-e84c-112a-e447f7f12bdf">The DNS Provider should be able to accept these on the query string or in the body of the POST with <tt>application/json</tt> encoding.</t>
+<t anchor="_19cb2091-9fea-5737-1a7c-faede947d375">The DNS Provider should be able to accept these on the query string or in the body of the POST with <tt>application/json</tt> encoding.</t>
 
-<t anchor="_97fe1c40-b5a8-f8eb-f8e1-8974e2c06398">Response codes Success, Authorization, and Errors are identical to
+<t anchor="_90bfa03e-6323-dce8-7fe4-e3a30f815b3a">Response codes Success, Authorization, and Errors are identical to
 above with the addition of the 501 code.</t>
 </section>
 
 <section anchor="_oauth_flow_revoking_access"><name>OAuth Flow: Revoking access</name>
 
-<t anchor="_825cf0f5-c6a5-1c83-89a7-35fa99bdc602">Like all oAuth flows, the user may revoke the access at any time using
+<t anchor="_c9e4ba28-7f97-deaf-33d5-d429840e87b0">Like all OAuth flows, the user may revoke the access at any time using
 UX at the DNS Provider site. As such the Service Provider needs to be
 aware that their access to the API may be denied.</t>
 </section>
@@ -1060,21 +1103,21 @@ aware that their access to the API may be denied.</t>
 
 <section anchor="_template_versioning"><name>Template Versioning</name>
 
-<t anchor="_9d9e2c11-e7b8-f84a-9534-4c770c5babfd">If a breaking change is made to a template it is recommended that a new template be created. While on the surface versioning looks appealing, in reality this is rarely needed.</t>
+<t anchor="_e9fffcaf-adc4-6a65-3c34-91a9540a1610">If a breaking change is made to a template it is recommended that a new template be created. While on the surface versioning looks appealing, in reality this is rarely needed.</t>
 
-<t anchor="_39331568-f4fe-f9fd-a11f-50e4ff28bb79">Any changes to the template need to account for existing customers with settings in DNS, some applied through Domain Connect and some manual. So when changes are made, they are often backward compatible.</t>
+<t anchor="_e25810e2-ea69-54ef-fc06-063ed3aed474">Any changes to the template need to account for existing customers with settings in DNS, some applied through Domain Connect and some manual. So when changes are made, they are often backward compatible.</t>
 
-<t anchor="_78b7d1c2-7605-1075-169b-f3bc5796e27e">Note that when a template changes, it does need to be on-boarded with the DNS Providers.</t>
+<t anchor="_e4a2af8e-258a-2af0-da2b-ea6e29816c1b">Note that when a template changes, it does need to be on-boarded with the DNS Providers.</t>
 
-<t anchor="_8363e49c-a0b3-2aed-c4ef-89bc885dd566">The <xref target="template-definition">version field</xref> of the template definition serves the purpose of transparency between the DNS Provider and the Service Provider in case of such changes.</t>
+<t anchor="_930fc0ea-590e-390b-61dc-d72db7d60cf8">The <xref target="template-definition">version field</xref> of the template definition serves the purpose of transparency between the DNS Provider and the Service Provider in case of such changes.</t>
 </section>
 
 <section anchor="template-definition"><name>Template Definition</name>
 
-<t anchor="_a1396700-f639-f74b-575b-c32ea6a407c7">A template is defined as a standard JSON data structure containing the following data. Fields are required unless otherwise indicated.</t>
+<t anchor="_24a86343-5f6c-9d9c-1d2e-6a4cd7ad5f68">A template is defined as a standard JSON data structure containing the following data. Fields are required unless otherwise indicated.</t>
 
-<table anchor="_6d32540c-dbab-f149-65b4-9244b75ec5ee"><name>properties of the template definition</name><thead><tr><th align="left">Data Element</th><th align="left">Type</th><th align="left">Key</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><strong>Service Provider Id</strong></td><td align="left">String</td><td align="left">providerId</td><td align="left">The unique identifier of the Service Provider that created this template. This is used in the URLs to identify the Service Provider. To ensure non-coordinated uniqueness, this should be the domain name of the Service Provider (e.g. exampleservice.domainconnect.org).</td></tr><tr><td align="left"><strong>Service Provider Name</strong></td><td align="left">String</td><td align="left">providerName</td><td align="left">The name of the Service Provider suitable for display. This may be displayed to the user on the DNS Provider consent UX.</td></tr><tr><td align="left"><strong>Service Id</strong></td><td align="left">String</td><td align="left">serviceId</td><td align="left">The name or identifier of the template.
-This is used in URLs to identify the template. It is also used in the scope parameter for oAuth. It must not contain space characters, and must be URL friendly.</td></tr><tr><td align="left"><strong>Service Name</strong></td><td align="left">String</td><td align="left">serviceName</td><td align="left">The name of the service suitable for display to the user. This may be displayed to the user on the DNS Provider consent UX.</td></tr><tr><td align="left"><strong>Version</strong></td><td align="left">Integer</td><td align="left">version</td><td align="left">(OPTIONAL)
+<table anchor="_bb193fc9-46d2-9e7e-4c1e-f1e70224f978"><name>properties of the template definition</name><thead><tr><th align="left">Data Element</th><th align="left">Type</th><th align="left">Key</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><strong>Service Provider Id</strong></td><td align="left">String</td><td align="left">providerId</td><td align="left">(REQUIRED) The unique identifier of the Service Provider that created this template. This is used in the URLs to identify the Service Provider. To ensure non-coordinated uniqueness, this should be the domain name of the Service Provider (e.g. exampleservice.example).</td></tr><tr><td align="left"><strong>Service Provider Name</strong></td><td align="left">String</td><td align="left">providerName</td><td align="left">(REQUIRED) The name of the Service Provider suitable for display. This may be displayed to the user on the DNS Provider consent UX.</td></tr><tr><td align="left"><strong>Service Id</strong></td><td align="left">String</td><td align="left">serviceId</td><td align="left">(REQUIRED) The name or identifier of the template.
+This is used in URLs to identify the template. It is also used in the scope parameter for OAuth. It must not contain space characters, and must be URL friendly.</td></tr><tr><td align="left"><strong>Service Name</strong></td><td align="left">String</td><td align="left">serviceName</td><td align="left">(REQUIRED) The name of the service suitable for display to the user. This may be displayed to the user on the DNS Provider consent UX.</td></tr><tr><td align="left"><strong>Version</strong></td><td align="left">Integer</td><td align="left">version</td><td align="left">(OPTIONAL)
 If present this represents a version of the template and should be increased with each update of the template content. This value is mainly informational to improve communication and transparency between providers.</td></tr><tr><td align="left"><strong>Logo</strong></td><td align="left">String</td><td align="left">logoUrl</td><td align="left">(OPTIONAL) A graphical logo representing the Service Provider and/or Service for use in any web-based flow. If present this may be displayed to the user on the DNS Provider consent UX.</td></tr><tr><td align="left"><strong>Description</strong></td><td align="left">Text</td><td align="left">description</td><td align="left">(OPTIONAL) A textual description of what this template attempts to do. This is meant to assist developers and must not be displayed to the user.</td></tr><tr><td align="left"><strong>Variable Description</strong></td><td align="left">Text</td><td align="left">variableDescription</td><td align="left">(OPTIONAL) A textual description of what the variables are. This is meant to assist developers and must not be displayed to the user.</td></tr><tr><td align="left"><strong>Synchronous Block</strong></td><td align="left">Boolean</td><td align="left">syncBlock</td><td align="left">(OPTIONAL) Indicates that the synchronous protocol must be disabled for this template. The default for this is false.</td></tr><tr><td align="left"><strong>Shared</strong></td><td align="left">Boolean</td><td align="left">shared</td><td align="left">(OPTIONAL)
 This flag has been deprecated. It used to indicate that the template allowed a dynamic providerName on the query string. It is replaced with the sharedProviderName flag in v2.2 of the spec.</td></tr><tr><td align="left"><strong>Shared Provider Name</strong></td><td align="left">Boolean</td><td align="left">sharedProviderName</td><td align="left">(OPTIONAL)
 This flag indicates that the template allows the caller to pass in additional information for the providerName. This information should augment the display of the providerName from the template. The default for this is false. For backward compatability with DNS Providers not at V2.2 of the spec it is recommended that the shared flag also be set.</td></tr><tr><td align="left"><strong>Shared Service Name</strong></td><td align="left">Boolean</td><td align="left">sharedServiceName</td><td align="left">(OPTIONAL)
@@ -1087,104 +1130,96 @@ maintain template state in DNS.</td></tr><tr><td align="left"><strong>Warn Phish
 When present, this tells the DNS Provider that the template may contain
 variables susceptible to phishing attacks and the provider is unable to digitally sign the requests. When set the DNS Provider should display warnings to the user.
 The default value for this is false.</td></tr><tr><td align="left"><strong>Host Required</strong></td><td align="left">Boolean</td><td align="left">hostRequired</td><td align="left">(OPTIONAL)
-Defaults to false. When present this indicates that the template has been authored to work only when both domain and host are provided. An example where this would be true would be a template where CNAME is set on the fully qualified domain name. This is largely informational, as most DNS Providers already enforce such rules.</td></tr><tr><td align="left"><strong>Template Records</strong></td><td align="left">Array of Template Records</td><td align="left">records</td><td align="left">A list of records for the template.</td></tr></tbody></table>
+Defaults to false. When present this indicates that the template has been authored to work only when both domain and host are provided. An example where this would be true would be a template where CNAME is set on the fully qualified domain name. This is largely informational, as most DNS Providers already enforce such rules.</td></tr><tr><td align="left"><strong>Template Records</strong></td><td align="left">Array of Template Records</td><td align="left">records</td><td align="left">(REQUIRED) A list of records for the template.</td></tr></tbody></table>
 </section>
 
 <section anchor="template-record"><name>Template Record</name>
 
-<t anchor="_525c48a7-743b-fd11-63b4-e79e9e2770db">Each template record is an entry that contains a type and several
+<t anchor="_a042d8bf-9c7f-0787-a102-3ba7c2b0c3e5">Each template record is an entry that contains a type and several
 other values depending on the type.</t>
 
-<t anchor="_89cff121-c267-1b9e-1931-835ecd4409ed">Many of these values can contain variables. There are three built in variables.</t>
+<t anchor="_cc24645b-bdea-48de-3432-dc726a04ec71">Many of these values can contain variables. There are three built in variables.</t>
 
-<ul anchor="_df6d04bd-442c-66b8-1c8a-e7c32b949ea0"><li>%host%: This is the host passed from the query string</li>
+<ul anchor="_bd559c3c-9bf8-b0da-eb06-f44a6c88f04e"><li>%host%: This is the host passed from the query string</li>
 <li>%domain%: This is the domain passed from the query string</li>
 <li>%fqdn%: This is the fully qualified domain name e.g. [host.]domain</li>
 </ul>
 
-<t anchor="_6002a529-8e38-6d1d-5df0-d9a26bb6cdc2">The @ symbol has special meaning, and can be used in the host/name field or in
+<t anchor="_8ea1d6b4-2fe4-55e7-ab1b-9bb8a1f026af">The @ symbol has special meaning, and can be used in the host/name field or in
 the pointsTo/data field in isolation.</t>
 
-<t anchor="_afa1045c-62b9-1b7c-e352-e2162bf99ab4">For the host/name field it is a shortcut for the value "%fqdn%.". When applying the
+<t anchor="_9e825a73-4c48-7069-68ab-d6960b0a5385">For the host/name field it is a shortcut for the value "%fqdn%.". When applying the
 template to a domain only, it represents "example.com.". When applying with a sub-domain
 (host) it represents "subdomain.example.com.".</t>
 
-<t anchor="_d447cf2e-b595-bf3f-79fc-1a5e2c802dae">Note: The trailing dot here is similar to the bind protocol, which indicates the value
-is absolute. Without the trailing ".", the value in this field is relative to the [host.]domain.com
+<t anchor="_681394e1-84ec-aa31-aa33-cd2698b5b75d">Note: The trailing dot here is similar to the bind notation, which indicates the value
+is absolute. Without the trailing ".", the value in this field is relative to the [host.]example.com
 value.</t>
 
-<t anchor="_98119cae-2fbc-bb2f-227f-5d199e4209a9">For the pointsTo/data field it is a shortcut for for the "%fqdn%". When appling
+<t anchor="_d193214c-546f-0df7-fe84-8d7a8096d05a">For the pointsTo/data field it is a shortcut for for the "%fqdn%". When appling
 the template to a domain only, it represents "example.com". When applying with a sub-
 domain (host) it represents "subdomain.example.com".</t>
 
-<t anchor="_a7e8296d-faaf-df7a-ad97-c0acc5e2cfaf">Note: The pointsTo and data files are always absolute for these fields.</t>
+<t anchor="_e0932740-0d3b-299c-d686-c233cbbf1e83">Note: The pointsTo and data files are always absolute for these fields.</t>
 
-<t anchor="_b4dc646e-77cf-7668-5847-73ea9955f0e8">It is noted that as a best practice the variable portions should be constrained
+<t anchor="_9ff687a1-cbf3-f046-12ca-5a141836d193">It is noted that as a best practice the variable portions should be constrained
 to as small as possible a portion of the resulting DNS record.</t>
 
-<t anchor="_099a46c1-fbd9-7c7d-5ec4-c4c7c0f86a88">For example, say a Service Provider requires a CNAME of one of three
+<t anchor="_fa4e0f8e-3e55-6c71-dcae-890f1498a210">For example, say a Service Provider requires a CNAME of one of three
 values for their users: s01.example.com, s02.example.com, and
 s03.example.com.</t>
 
-<t anchor="_15c1ac41-1dce-ba3e-0e79-28e7fefb5d30">The value in the template could simply contain %servercluster%, and the
+<t anchor="_b0aff594-e277-bd78-211b-d396c35e4901">The value in the template could simply contain %servercluster%, and the
 fully qualified string passed in. Alternatively, the value in the
 template could contain %var%.example.com and a value of 01, 02, or 03 passed in.
 By placing more fixed data into the template, the template is more secure.</t>
 
-<t anchor="_ff29cd53-3690-507d-792e-68d29c09f000">Each record will contain the following elements.</t>
-
-<table anchor="_ad09fab9-9924-1980-9142-7851c075705a"><name>properties of the template record definition</name><thead><tr><th align="left">Data Element</th><th align="left">Type</th><th align="left">Key</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><strong>Type</strong></td><td align="left">enum</td><td align="left">type</td><td align="left">Describes the type of record in DNS, or the operation impacting DNS.
-
-Valid values include: A, AAAA, CNAME, MX, TXT, SRV, or SPFM
-
-For each type, additional fields would be required.
-
-A: host, pointsTo, TTL
-
-AAAA: host, pointsTo, TTL
-
-CNAME: host, pointsTo, TTL (host must not be null or @)
+<t anchor="_aca6c47f-0156-8370-111b-4a8b78205726">Each record will contain the following elements.</t>
 
-NS: host, pointsTo, TTL (host must not be null or @)
+<table anchor="_88cf7168-1e3b-7b96-8a3e-a12d62475b12"><name>properties of the template record definition</name><thead><tr><th align="left">Data Element</th><th align="left">Type</th><th align="left">Key</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><strong>Type</strong></td><td align="left">enum</td><td align="left">type</td><td align="left">(REQUIRED) Describes the type of record in DNS, or the operation impacting DNS.<br />
 
-TXT: host, data, TTL, txtConflictMatchingMode, txtConflictMatchingPrefix
+Valid values include: A, AAAA, CNAME, MX, TXT, SRV, or SPFM<br />
 
-MX: host, pointsTo, TTL, priority
-
-SRV: name, target, TTL, priority, protocol, service, weight, port
-
-SPFM: host, spfRules</td></tr><tr><td align="left"><strong>Group Id</strong></td><td align="left">String</td><td align="left">groupId</td><td align="left">(OPTIONAL)
+For each type, additional fields would be REQUIRED.<br />
+* A: host, pointsTo, TTL<br />
+* AAAA: host, pointsTo, TTL<br />
+* CNAME: host, pointsTo, TTL (host must not be null or @ unless <tt>hostRequired</tt> is defined <tt>true</tt> for the template)<br />
+* NS: host, pointsTo, TTL (host must not be null or @ unless <tt>hostRequired</tt> is defined <tt>true</tt> for the template)<br />
+* TXT: host, data, TTL, txtConflict-MatchingMode, txtConflict-MatchingPrefix<br />
+* MX: host, pointsTo, TTL, priority<br />
+* SRV: name, target, TTL, priority, protocol, service, weight, port<br />
+* SPFM: host, spfRules<br /></td></tr><tr><td align="left"><strong>Group Id</strong></td><td align="left">String</td><td align="left">groupId</td><td align="left">(OPTIONAL)
 This parameter identifies the group the record belongs to when applying changes. This must
 not contain variables.</td></tr><tr><td align="left"><strong>Essential</strong></td><td align="left">enum</td><td align="left">essential</td><td align="left">(OPTIONAL)
 This parameter indicates how the record is treated during conflict detection with
-existing templates.
+existing templates.<br />
 
-If the DNS Provider is not implementing applied template state in DNS this is ignored.
+If the DNS Provider is not implementing applied template state in DNS this is ignored.<br />
 
-Always (default) - record MUST be applied and kept with the template
+Always (default) - record MUST be applied and kept with the template<br />
 
 OnApply - record MUST be applied but can be later removed without dropping the whole
-template</td></tr><tr><td align="left"><strong>Host</strong></td><td align="left">String</td><td align="left">host</td><td align="left">The host for A, AAAA, CNAME, NS, TXT, and MX values.
+template<br /></td></tr><tr><td align="left"><strong>Host</strong></td><td align="left">String</td><td align="left">host</td><td align="left">(REQUIRED) The host for A, AAAA, CNAME, NS, TXT, and MX values.<br />
 
-This value is relative to the applied host and domain, unless trailed by a ".".
+This value is relative to the applied host and domain, unless trailed by a ".".<br />
 
 A value of empty or @ indicates the root of the applied host and domain. In other words
-"[host.]domain.com.".
+"[host.]example.com.".<br />
 
 This value should not contain variables unless absolutely necessary. This is discussed
-below.</td></tr><tr><td align="left"><strong>Name</strong></td><td align="left">String</td><td align="left">name</td><td align="left">The name for the SRV record.
+below.<br /></td></tr><tr><td align="left"><strong>Name</strong></td><td align="left">String</td><td align="left">name</td><td align="left">The name for the SRV record.<br />
 
 This value is relative to the applied host and domain. A value of empty or @ indicates
-the root of the applied host and domain.
+the root of the applied host and domain.<br />
 
 This value should not contain variables unless absolutely necessary. This is discussed
-below.</td></tr><tr><td align="left"><strong>Points To</strong></td><td align="left">String</td><td align="left">pointsTo</td><td align="left">The pointsTo location for A, AAAA, CNAME, NS and MX records.
+below.<br /></td></tr><tr><td align="left"><strong>Points To</strong></td><td align="left">String</td><td align="left">pointsTo</td><td align="left">The pointsTo location for A, AAAA, CNAME, NS and MX records.<br />
 
-A value of empty or @ indicates the host and domain name being applied or [host.]domain.com</td></tr><tr><td align="left"><strong>TTL</strong></td><td align="left">Int</td><td align="left">ttl</td><td align="left">The time-to-live for the record in DNS. Valid
+A value of empty or @ indicates the host and domain name being applied or [host.]example.com<br /></td></tr><tr><td align="left"><strong>TTL</strong></td><td align="left">Int</td><td align="left">ttl</td><td align="left">The time-to-live for the record in DNS. Valid
 for A, AAAA, CNAME, NS, TXT, MX, and SRV records. This must not contain variables.</td></tr><tr><td align="left"><strong>Data</strong></td><td align="left">String</td><td align="left">data</td><td align="left">The data for a TXT record in DNS.
 
-A value of empty or @ indicates the host and domain name being applied or [host.]domain.com</td></tr><tr><td align="left"><strong>TXT Conflict Matching Mode</strong></td><td align="left">String</td><td align="left">txtConflictMatchingMode</td><td align="left">Describes how conflicts on the TXT record are detected. Possible values are
-None, All, or Prefix. The default value is None. <xref target="record-types-conflicts">See below</xref>.</td></tr><tr><td align="left"><strong>TXT Conflict Matching Prefix</strong></td><td align="left">String</td><td align="left">txtConflictMatchingPrefix</td><td align="left">The prefix to detect conflicts when txtConflictMatchingMode is "Prefix". This
+A value of empty or @ indicates the host and domain name being applied or [host.]example.com</td></tr><tr><td align="left"><strong>TXT Conflict Matching Mode</strong></td><td align="left">String</td><td align="left">txtConflictMatchingMode</td><td align="left">Describes how conflicts on the TXT record are detected. Possible values are
+None, All, or Prefix. The default value is None. <xref target="record-types-conflicts">See below</xref>.</td></tr><tr><td align="left"><strong>TXT Conflict Matching Prefix</strong></td><td align="left">String</td><td align="left">txtConflictMatchingPrefix</td><td align="left">The prefix to detect conflicts when txtConflict-MatchingMode is "Prefix". This
 must not contain variables. <xref target="record-types-conflicts">See below</xref>.</td></tr><tr><td align="left"><strong>Priority</strong></td><td align="left">Int</td><td align="left">priority</td><td align="left">The priority for an MX or SRV record. This must not contain variables.</td></tr><tr><td align="left"><strong>Weight</strong></td><td align="left">Int</td><td align="left">weight</td><td align="left">The weight for the SRV record. This must not contain variables.</td></tr><tr><td align="left"><strong>Port</strong></td><td align="left">Int</td><td align="left">port</td><td align="left">The port for the SRV record. This must not contain variables.</td></tr><tr><td align="left"><strong>Protocol</strong></td><td align="left">String</td><td align="left">protocol</td><td align="left">The protocol for the SRV record.</td></tr><tr><td align="left"><strong>Service</strong></td><td align="left">String</td><td align="left">service</td><td align="left">The symbolic name for the SRV record.</td></tr><tr><td align="left"><strong>Target</strong></td><td align="left">String</td><td align="left">target</td><td align="left">The target for the SRV record.</td></tr><tr><td align="left"><strong>SPF Rules</strong></td><td align="left">String</td><td align="left">spfRules</td><td align="left">These are desired rules for the SPF TXT record. These rules will be merged with other
 SPFM records into final SPF TXT record. See <xref target="spf-record-merging"></xref>.</td></tr></tbody></table>
 </section>
@@ -1193,59 +1228,59 @@ SPFM records into final SPF TXT record. See <xref target="spf-record-merging"></
 
 <section anchor="_template_state_in_dns"><name>Template State in DNS</name>
 
-<t anchor="_002c13e3-2daa-c7c1-cb09-c06559ce89de">DNS Providers may chose to maintain state inside records in DNS indicating the templates
+<t anchor="_6329133f-85fb-14f3-4ed3-cab4d1f62162">DNS Providers may chose to maintain state inside records in DNS indicating the templates
 writing the records. Other providers may chose to not maintain this state.</t>
 
-<t anchor="_7e59711f-67ab-4edd-057d-10208d4f704e">A DNS Provider that maintains this state may be able to provide an improved experience for
+<t anchor="_7dd29f75-68ee-5ad2-18af-0518dac41ac4">A DNS Provider that maintains this state may be able to provide an improved experience for
 customers, telling them the services enabled. They also may be able to have more
 advanced handling of conflicts.</t>
 
-<t anchor="_d25d0d61-0812-5995-804f-fdc435432af7">To make the implementation burden reasonable for DNS Providers, Domain Connect does not dictate the approach.</t>
+<t anchor="_8714ec3c-bebd-e951-cc4d-a8d7d6384f25">To make the implementation burden reasonable for DNS Providers, Domain Connect does not dictate the approach.</t>
 </section>
 
 <section anchor="_disclosure_of_changes_and_conflicts"><name>Disclosure of Changes and Conflicts</name>
 
-<t anchor="_5bdb648e-d64d-49af-d39b-f8525620e4ea">It is left to the discretion of the DNS Provider to determine what is disclosed to the user
+<t anchor="_8db9b227-7f3f-bb75-61fe-dc094f305cc8">It is left to the discretion of the DNS Provider to determine what is disclosed to the user
 when granting permission and/or applying changes to DNS.
 This includes disclosing the records being applied and the records
 that may be overwritten.</t>
 
-<t anchor="_f57a68c5-1d11-7342-4cc5-fdd9e530e3a3">For changes being made, one DNS Provider
+<t anchor="_85c5501f-a4b1-d16f-7574-9caab1336b08">For changes being made, one DNS Provider
 may decide to simply tell the user the name of the service being enabled. Another
 may decide to display the records being set. And another
 may progressively display both.</t>
 
-<t anchor="_b8da646e-a7c3-2377-01b9-d974b5762a30">For conflict detection, one DNS Provider may simply overwrite
+<t anchor="_b2f552e0-a9e6-43c4-81b5-8278dd26df17">For conflict detection, one DNS Provider may simply overwrite
 changed records without warning. Another may detect conflicts and warn the user of the
 records that will change. And another may implement logic to further detect, warn, and
 remove any of the existing templates that overlap with the new template once applied
 (this assumes they are a DNS Provider that maintains template state in DNS).</t>
 
-<t anchor="_60af842a-1e94-5a0b-4a0b-9c1f58e207c0">As an example, consider applying a template that sets two records
+<t anchor="_e043ef22-d59d-c759-2196-e4ba5f94f9f2">As an example, consider applying a template that sets two records
 (recordA and recordB) into a zone. Next consider applying a second template that
 overlaps with the first template (recordB and recordC). If the DNS maintains template state
 and removes conflicting templates, applying the second template would remove the first
 template. Application of the second template would conflict with recordB and the entire
 first template would be removed.</t>
 
-<t anchor="_f6b5bd81-9781-ca95-3e5f-86810a670d87">Manual changes made by the user at the DNS Provider may also have
+<t anchor="_7948e0bf-6950-064d-69f0-46435eaed072">Manual changes made by the user at the DNS Provider may also have
 appropriate warnings in place to prevent unwanted changes; with
 overrides being possible and removal of conflicting templates.</t>
 
-<t anchor="_3cb272fb-4911-8446-eb16-95335fe285a3">For the synchronous flow, this happens while the user is present.</t>
+<t anchor="_ed681040-c672-5c36-d83e-d2c2adb8fbba">For the synchronous flow, this happens while the user is present.</t>
 
-<t anchor="_5af65ef0-9ee2-0102-c9bd-a9cd066029a6">For the asynchronous flow, the consent UX is similar. However, the changes are made later
+<t anchor="_f08fd71c-d8a8-2fa6-cd05-fa106e452a7c">For the asynchronous flow, the consent UX is similar. However, the changes are made later
 using the API and OAuth. The DNS Provider may decide to detect conflicts and
 return these from the API without applying the change using the proper response code.
 If the force parameter is set, the changes must be applied regardless of conflicts.</t>
 
-<t anchor="_671e16fd-d6f3-4b2c-4f9d-9ab262e20cf5">It is ultimately left to the DNS Provider to determine the amount of
+<t anchor="_177e91df-034e-eaa2-4a13-a862c1996c11">It is ultimately left to the DNS Provider to determine the amount of
 disclosure and/or conflict detection. The only requirement is that after
 a template is applied the new records must be applied in totality.</t>
 
-<t anchor="_7f3fe682-e9ca-6c67-b3c3-d3878ffe0f4f">A reasonable set of recommendations for the UX might consist of:</t>
+<t anchor="_b9237900-55e8-c463-ebe3-375681847c5e">A reasonable set of recommendations for the UX might consist of:</t>
 
-<ul anchor="_4986e748-7374-4a51-93ea-9839387d2a2f"><li>The consent UX should inform the customer of the service that will be
+<ul anchor="_56406cad-8098-a5fe-2a94-9e23a19ca024"><li>The consent UX should inform the customer of the service that will be
 enabled. If the customer want to know the specifics, the DNS
 Provider could provide a "show details" link to the user. This could
 display to them the specific records that are being set in DNS.</li>
@@ -1258,25 +1293,25 @@ records that would be deleted or overwritten. This could be progressively disclo
 
 <section anchor="record-types-conflicts"><name>Record Types and Conflicts</name>
 
-<t anchor="_bca32f71-55d2-a526-ed16-1776dd262353">Conflict detection done by the DNS provider prior to template application has to take
+<t anchor="_3f7f6296-a175-58d7-1dca-e16c06a038cc">Conflict detection done by the DNS provider prior to template application has to take
 into consideration specifics of each DNS record type. The rules outlined below
 ensure predictable conflict resolution between DNS providers. Each rule applies to
 the records on the very same host, unless specifed otherwise.</t>
 
-<ul anchor="_49709c94-dbba-8b9a-5083-625d18befcbd"><li>CNAME record conflicts with TXT, MX, AAAA, A and existing CNAME records, and any other records of these
+<ul anchor="_7ac558f8-a72b-10b2-31fb-f26f78ed333e"><li>CNAME record conflicts with TXT, MX, AAAA, A and existing CNAME records, and any other records of these
 types conflict with an existing CNAME record. Note: CNAME records cannot be at the root of the zone.</li>
 <li>NS records conflict with all other records. This includes of the same host, and for any record ending with the NS host. For example, an NS record of foo will conflict with any foo, www.foo, bar.foo, etc. Similarly all
 other record type conflict with NS records in the same manner.</li>
 <li>MX, SRV records always conflict with records of the same type</li>
 <li>A and AAAA records conflict with any other A and/or AAAA record, to avoid IPv4
 and IPv6 pointing to different services.</li>
-<li><t anchor="_bf45ba57-3b43-e3ba-3d79-1e7fcd9e4b54">TXT records conflict detection is handled looking at txtConflictMatchingMode
+<li><t anchor="_6702f1bf-e3be-680f-ea2a-362367b16e41">TXT records conflict detection is handled looking at txtConflictMatchingMode
 parameter</t>
-<ul anchor="_85cf6af1-eb95-638c-8974-843422151938"><li>None: This indicates that the TXT records do not conflict with any other TXT
+<ul anchor="_c629cdf4-a577-c001-f1a9-70c7e5a08c69"><li>None: This indicates that the TXT records do not conflict with any other TXT
 record. This is the default setting, if not specified.</li>
 <li>All: This indicates that the TXT records conflict with any other TXT record</li>
 <li>Prefix: This indicates that TXT record conflict with any other TXT containing value starting with
-txtConfictMatchingPrefix</li>
+txtConflictMatchingPrefix</li>
 </ul>
 </li>
 </ul>
@@ -1284,43 +1319,43 @@ txtConfictMatchingPrefix</li>
 
 <section anchor="_apply_re_apply_and_multi_instance"><name>Apply, Re-apply, and Multi-Instance</name>
 
-<t anchor="_dd5e4071-8003-8b37-047c-0a7268f6b070">There is an additional consideration for DNS Providers that maintain the state of an applied
+<t anchor="_c37c42e0-9a4f-1bf4-bb9f-e32e4dd7cce8">There is an additional consideration for DNS Providers that maintain the state of an applied
 template when re-applying a template.</t>
 
-<t anchor="_93cc49ef-96f7-ec41-9520-606e476e45c5">To avoid unnecessary conflict warnings to the user, under normal use when re-applying a
+<t anchor="_008301a0-6e10-877e-7501-8604ddc95077">To avoid unnecessary conflict warnings to the user, under normal use when re-applying a
 template such a DNS Provider should remove the previously applied template on the same host.</t>
 
-<t anchor="_1fb3484e-9f63-ae52-f181-6b444fc7ef8f">This may not be desireable for all templates, as a limited set of templates are designed to
+<t anchor="_3bcbb7b8-e234-dba4-0e32-14b21545710e">This may not be desireable for all templates, as a limited set of templates are designed to
 be applied multiple times. To faciliate this the template can have the flag <xref target="template-definition">multiInstance</xref>
 set. This tells the DNS Provider that the template is expected to be written multiple times
 and that a re-apply must not remove previous instances.</t>
 
-<t anchor="_96f0245d-53c3-804a-a821-464a7229c2d7">This setting only impacts DNS Providers that maintain applied template state. DNS Providers
+<t anchor="_375af312-d39f-8319-ce04-84ae0ad3025f">This setting only impacts DNS Providers that maintain applied template state. DNS Providers
 that do not maintain applied template state must rely on the normal conflict
 resolution rules, and this flag has no impact.</t>
 </section>
 
 <section anchor="non-essential-record"><name>Non-essential records</name>
 
-<t anchor="_e602047f-a14a-2607-7f11-7ce95793cc9b">Typically a template specifies a list of DNS records which are required for the service.
+<t anchor="_0ed0f19a-39ec-4cae-176a-6e020a04c695">Typically a template specifies a list of DNS records which are required for the service.
 There may be cases where some records are only required for a very short period of time,
 and removing or altering the record later (either by the end user or through application
 of another template) should not trigger conflict detection.</t>
 
-<t anchor="_551b84fe-b78c-6b3c-778a-0549d95fb9cd">This can be controlled by the <xref target="template-record">essential</xref> property of a record in
+<t anchor="_b0476117-3750-dc42-ea63-8b03a3074157">This can be controlled by the <xref target="template-record">essential</xref> property of a record in
 the template.</t>
 
-<t anchor="_2493c3c8-7ea5-772e-8107-b60a3edbcc15">Again, this setting only impacts DNS Providers that maintain applied template state.</t>
+<t anchor="_8c266452-7dcb-6390-233f-88f173c8cb9a">Again, this setting only impacts DNS Providers that maintain applied template state.</t>
 </section>
 
 <section anchor="_template_scope"><name>Template Scope</name>
 
-<t anchor="_95a8e342-ce02-7227-d5ee-fd7e3f8f2586">For DNS Providers that maintain template state, an individual template is scoped to the set of records applied to a
+<t anchor="_9f965488-e131-9f1d-ecc9-4df31e0a6eb2">For DNS Providers that maintain template state, an individual template is scoped to the set of records applied to a
 fully qualified domain. This includes the root domain and the host (aka
 sub-domain) at apply time.</t>
 
-<t anchor="_70fd40f0-8553-2375-e346-3964a710d8e2">As an example, if a template is applied on domain=example.com&amp;host=sub1
-a later application of the template on domain=example.com&amp;host=sub2 must be
+<t anchor="_3f7cda2f-008d-6137-6085-b8e1f35d0904">As an example, if a template is applied on domain=example.com=sub1
+a later application of the template on domain=example.com=sub2 must be
 treated as a distinct template. If a conflict is detected later
 with the records set into "sub2.example.com",
 only the records set with this template would be removed.</t>
@@ -1328,35 +1363,35 @@ only the records set with this template would be removed.</t>
 
 <section anchor="_hostname_in_template"><name>Host/Name in Template</name>
 
-<t anchor="_a171cc6a-da8d-4eb5-a406-5c1a68292a8b">Template records contain the host name of the record to set into the zone (called name
+<t anchor="_088f1ac6-6f83-47cd-309e-daa1e3c47148">Template records contain the host name of the record to set into the zone (called name
 for SRV records). This value must be considered relative to the domain/host when
 the template is applied, unless followed by a trailing ".".</t>
 
-<t anchor="_fc3069ad-c804-c218-ac4e-672b7d4f019c">Consider a template record of type A with a host value of "xyz". When the template is
-applied to a domain=foo.com and an empty host value, the resulting zone after the template
-is applied will contain an A record of "xyz" (or "xyz.foo.com." in bind format).</t>
+<t anchor="_8875afdd-b485-841a-18db-783a2406e938">Consider a template record of type A with a host value of "xyz". When the template is
+applied to a domain=example.com and an empty host value, the resulting zone after the template
+is applied will contain an A record of "xyz" (or "xyz.example.com." in bind format).</t>
 
-<t anchor="_c827df29-12c2-bc79-e6a0-aa92ab61e7ff">If the same template is applied to a domain=foo.com and host=bar, the zone will contain an A
-record of "xyz.bar" (or "xyz.bar.foo.com." in bind format).</t>
+<t anchor="_559c5575-e328-ae62-fe97-66089afaf692">If the same template is applied to a domain=example.com and host=bar, the zone will contain an A
+record of "xyz.bar" (or "xyz.bar.example.com." in bind format).</t>
 
-<t anchor="_b079b09f-7357-d202-ff99-b58e08857133">A value of @ for host in the template is a placeholder for an empty value. In other words @
-would point to "bar.foo.com." when the same template is applied to domain=foo.com and host=bar.</t>
+<t anchor="_a7f7d19a-d78a-44a3-2054-922558de8f7f">A value of @ for host in the template is a placeholder for an empty value. In other words @
+would point to "bar.example.com." when the same template is applied to domain=example.com and host=bar.</t>
 </section>
 
 <section anchor="_pointsto_in_template"><name>PointsTo in Template</name>
 
-<t anchor="_051fd3ac-a5b2-d03c-7e9b-043a53ec55dc">Template records of certain types contain the pointsTo value to set in the zone. For
+<t anchor="_8e103659-b5e7-758e-44c4-2d984b582c0e">Template records of certain types contain the pointsTo value to set in the zone. For
 record types such as CNAME where this can be a fully qualified domain name.</t>
 
-<t anchor="_b7a6116e-166d-61cb-0902-9fbe38b546ca">A value of @ in pointsTo field in the template is a shortcut for the fully qualified domain
+<t anchor="_a2ff4ac8-7a6b-e031-c6b0-48449d528e77">A value of @ in pointsTo field in the template is a shortcut for the fully qualified domain
 name of the domain/host being applied.</t>
 
-<t anchor="_2d31e165-de0a-8974-2db0-6b6a5148e8a4">Consider a template record of type CNAME with a pointsTo value of "@". After a template of
-domain=foo.com and an empty host is applied, the pointsTo value (or corresponding field) in
-the resulting zone would be "foo.com". After a template of domain=foo.com
-with host=bar is applied, the points to value would be "bar.foo.com".</t>
+<t anchor="_92b4ad6c-c826-d09c-4398-0bd140dc3c4f">Consider a template record of type CNAME with a pointsTo value of "@". After a template of
+domain=example.com and an empty host is applied, the pointsTo value (or corresponding field) in
+the resulting zone would be "example.com". After a template of domain=example.com
+with host=bar is applied, the points to value would be "bar.example.com".</t>
 
-<t anchor="_6b39da4b-396a-4913-1e74-1410a088e92b">Any domain in a pointsTo field in a template must be considered fully qualified and not
+<t anchor="_2d8b5c25-fd3a-581b-8f43-a611f9e5131a">Any domain in a pointsTo field in a template must be considered fully qualified and not
 relative.</t>
 </section>
 
@@ -1364,81 +1399,81 @@ relative.</t>
 
 <section anchor="variables-and-hosts"><name>Variables and Host/Name in Template</name>
 
-<t anchor="_db949e3a-bbbf-9bc4-e718-035f00a986cf">While templates do allow for variables in a host or name field values, these should be used
+<t anchor="_3aeb38f0-ed2c-099d-a77b-b657ef8becf9">While templates do allow for variables in a host or name field values, these should be used
 very sparingly.</t>
 
-<t anchor="_168cb20d-e7ac-3b28-2719-6c0e7cd75267">As an example, consider setting up hosting for a site. But instead of
+<t anchor="_1fb477c6-cced-4161-7f65-730ee61b4e46">As an example, consider setting up hosting for a site. But instead of
 applying the template to a domain/host, the name of the host is
 placed as a variable in the template.</t>
 
-<t anchor="_ae1c87b9-dbfe-33dd-b092-b0d3b3a91f6d">Such a template might contain an A record of the form:</t>
+<t anchor="_a4123deb-cc6f-cb72-1da7-f5696cc758e2">Such a template might contain an A record of the form:</t>
 
-<sourcecode anchor="_d6fb715c-ea0d-c288-ceac-17278510d41b" type="json"><![CDATA[{
+<sourcecode anchor="_f3594c8f-e7d0-580c-efa0-7cd39199e118" type="json"><![CDATA[{
     "type": "A",
     "host": "%var%",
-    "pointsTo": "2.2.2.2",
+    "pointsTo": "192.0.2.2",
     "ttl": 1800
 }]]></sourcecode>
 
 
-<t anchor="_a3449c63-645e-505b-c2b7-b4ba44d90b21">This template could be applied on a domain like example.com with the var set
+<t anchor="_0cf33909-75f2-0311-285c-6c1626b0c2bf">This template could be applied on a domain like example.com with the var set
 to "sub", "sub1", "sub2", etc.</t>
 
-<t anchor="_f43d2eba-708a-ff79-bdf5-2b80eb3a1e47">Application of this template would be at the domain level for
+<t anchor="_c28a2685-b694-e21e-f476-ea7fb20d1475">Application of this template would be at the domain level for
 "example.com". This causes problems for application/re-application
 of the template, conflict detection, and template removal.</t>
 
-<t anchor="_67c5dd9e-d9e6-f09e-5ee6-80f1ad2f8ace">Since this template would be applied to the domain only, DNS providers that maintain
+<t anchor="_a894eb51-846b-0f72-f8b3-8ecaadb5fb2b">Since this template would be applied to the domain only, DNS providers that maintain
 template state would remove previous instances of the template before re-application.
 This means applying this template with var=sub
 would result in the A record for sub.example.com to be set to
-the value 2.2.2.2. Later, applying the template on "example.com" with the
+the value 192.0.2.2. Later, applying the template on "example.com" with the
 var=sub2 should remove the old template before setting the new one. sub.example.com
 would be removed, and sub2.example.com would be set to the value
-2.2.2.2.</t>
+192.0.2.2.</t>
 
-<t anchor="_88996bb6-1b6d-9874-2e2b-a59612ec5fb9">Furthermore, determining conflicts would be impossible when the user is granting consent
+<t anchor="_7af0364a-28d5-649e-df78-6c560176d325">Furthermore, determining conflicts would be impossible when the user is granting consent
 for asynchronous operations (OAuth). This is because the host would be indeterminate.</t>
 
-<t anchor="_9955503b-8cd7-ff41-6bf2-93d1b111a3e0">To solve this problem, templates are scoped to a domain and a host
+<t anchor="_39bceb50-bf01-08f5-d188-6c7dedbb65b4">To solve this problem, templates are scoped to a domain and a host
 value. For synchronous operations, the host value is specified in the url.
 For asynchronous operations, permissions are granted for specific host values, whose value
 is later specified when applying the template.</t>
 
-<t anchor="_d680622b-4d63-ed0f-e279-3aa9aff59977">Note: There are some templates that utilize CNAME or TXT records with host values containing
+<t anchor="_34216470-292f-1777-cdf2-4c6002c713b6">Note: There are some templates that utilize CNAME or TXT records with host values containing
 some form of user identification for validation of domain ownership, and these are often
 passed in variables.</t>
 
-<t anchor="_5fd94fd0-bcdc-0712-5e79-44a1b79f6e1a">To support this use case, variables are allowed for the host name. But only in this
+<t anchor="_08d32464-6e68-01b8-6451-c00d9dd2cdc5">To support this use case, variables are allowed for the host name. But only in this
 limited circumstance.</t>
 </section>
 
 <section anchor="_variable_values"><name>Variable Values</name>
 
-<t anchor="_86d6bdf3-a0c2-06dc-b9ce-cd3318207d42">To allow for the use of the host name or domain name in templates, the
+<t anchor="_b1c4e9da-c92f-1538-20d2-65975d62de79">To allow for the use of the host name or domain name in templates, the
 values of %host% and %domain% are available. A third value of %fqdn% is also available. This
 value is the result of combining the host and domain name with the necessary ".".</t>
 
-<t anchor="_fd3aa143-f943-ec57-6cc7-331ca27cd85c">For example, with the query string "domain=example.com&amp;host=", %fqdn% in a template would be
+<t anchor="_0fa21af1-6b86-b9f9-30fb-d2ec7970d246">For example, with the query string "domain=example.com=", %fqdn% in a template would be
 "example.com", and with
-"domain=example.com&amp;host=sub1", %fqdn% in a template would be "sub1.example.com".</t>
+"domain=example.com=sub1", %fqdn% in a template would be "sub1.example.com".</t>
 </section>
 
 <section anchor="_variables_and_security"><name>Variables and Security</name>
 
-<t anchor="_479bdbe2-2d3e-b697-b622-4d9ff6cd6772">As discussed, with variables consideration is necessary to prevent certain styles of
+<t anchor="_addd6e14-2da3-9dcd-8665-52775e374167">As discussed, with variables consideration is necessary to prevent certain styles of
 phishing attacks.</t>
 
-<t anchor="_74708e5e-59d7-3814-d96e-bfcf847f91e3">The more static the value in the template record, the more secure the template. When static values are not possible, a carefully crafted link could hijack DNS settings.</t>
+<t anchor="_2bd2cdf3-5f65-3506-af5a-b2fb89afc9d3">The more static the value in the template record, the more secure the template. When static values are not possible, a carefully crafted link could hijack DNS settings.</t>
 
-<t anchor="_298ba756-dbae-cc6f-570d-2d36d2165ac6">Mitigations to this are discussed above.</t>
+<t anchor="_5931cb0a-577c-189d-19eb-8ca9e1c7133a">Mitigations to this are discussed above.</t>
 </section>
 
 <section anchor="_variable_examples"><name>Variable Examples</name>
 
-<t anchor="_546e3848-f3da-7c2b-0345-28a85e44b41c">Example template:</t>
+<t anchor="_3efb322d-a59e-e81c-c64e-a0a2412631f5">Example template:</t>
 
-<sourcecode anchor="_f7ac8ab9-8f6f-bdc7-db3e-8e8c86e38abe" type="json"><![CDATA[[{
+<sourcecode anchor="_438e2ddc-4bd6-8133-396c-12e7247d1d33" type="json"><![CDATA[[{
     "type": "CNAME",
     "host": "www",
     "pointsTo": "@",
@@ -1447,33 +1482,33 @@ phishing attacks.</t>
 {
     "type": "A",
     "host": "@",
-    "pointsTo": "1.1.1.1",
+    "pointsTo": "192.0.2.1",
     "ttl": 1800
 }]]]></sourcecode>
 
 
-<t anchor="_a3f59c73-a763-5fb6-290b-c9a9693f35d3">Template applied with <em>domain</em>=foo.com and <em>host</em> parameter missing or empty:</t>
+<t anchor="_d774d258-9bff-6614-2291-0a092400acb2">Template applied with <em>domain</em>=example.com and <em>host</em> parameter missing or empty:</t>
 
-<sourcecode anchor="_a0b2a7f7-2054-7f07-194a-c2623a41d0d9"><![CDATA[www 1800 IN CNAME foo.com.
-@   1800 IN A 1.1.1.1]]></sourcecode>
+<sourcecode anchor="_87c1acc2-0e27-3275-c139-f41d403dc1c8"><![CDATA[www 1800 IN CNAME example.com.
+@   1800 IN A 192.0.2.1]]></sourcecode>
 
 
-<t anchor="_1fd9a2a7-41c1-d462-091e-f0979bc6e4ec"><em>alternatively</em></t>
+<t anchor="_873cdfee-fa3e-16fe-10ae-57ede10f829e"><em>alternatively</em></t>
 
-<sourcecode anchor="_40a9508e-5d08-01e6-d67e-834a36675241"><![CDATA[www.foo.com.    1800 IN CNAME foo.com.
-foo.com.        1800 IN A 1.1.1.1]]></sourcecode>
+<sourcecode anchor="_6e9177ce-e1b3-3fc1-5e27-bb546dcebf79"><![CDATA[www.example.com.    1800 IN CNAME example.com.
+example.com.        1800 IN A 192.0.2.1]]></sourcecode>
 
 
-<t anchor="_8eed682a-b967-5f9a-756d-80e152b79981">Template applied with <em>domain</em>=foo.com and <em>host</em>=bar:</t>
+<t anchor="_43543793-3ff0-2f4c-d669-99f25a11a374">Template applied with <em>domain</em>=example.com and <em>host</em>=bar:</t>
 
-<sourcecode anchor="_e444aab2-15d1-b1f1-6281-9a34866c7ef5"><![CDATA[www.bar 1800 IN CNAME bar.foo.com.
-bar     1800 IN A 1.1.1.1]]></sourcecode>
+<sourcecode anchor="_4e7b9493-2573-fefd-eca2-5285f5b1bae4"><![CDATA[www.bar 1800 IN CNAME bar.example.com.
+bar     1800 IN A 192.0.2.1]]></sourcecode>
 
 
-<t anchor="_cca2a93d-67bf-9061-e51d-823e2af2e98c"><em>alternatively</em></t>
+<t anchor="_7ac4ef0f-ea45-2d4e-f86c-f82ae0b74f18"><em>alternatively</em></t>
 
-<sourcecode anchor="_b55be2ed-c707-5b19-725f-4da8f8bcb438"><![CDATA[www.bar.foo.com.    1800 IN CNAME bar.foo.com.
-bar.foo.com.        1800 IN A 1.1.1.1]]></sourcecode>
+<sourcecode anchor="_bce3efc3-9982-d82d-4991-5bab53b1a736"><![CDATA[www.bar.example.com.    1800 IN CNAME bar.example.com.
+bar.example.com.        1800 IN A 192.0.2.1]]></sourcecode>
 
 </section>
 </section>
@@ -1482,137 +1517,142 @@ bar.foo.com.        1800 IN A 1.1.1.1]]></sourcecode>
 
 <section anchor="_what_is_spf"><name>What is SPF?</name>
 
-<t anchor="_0f6e82c2-01a3-bc77-c3c7-e5d6ec83e78b">SPF stands for Sender Policy Framework specified in
-<relref target="RFC7208" section="" relative=""></relref>. It is a
+<t anchor="_1cacd893-f110-363a-0f85-ce105178e048">SPF stands for Sender Policy Framework specified in
+<xref target="RFC7208" section="" relative=""></xref>. It is a
 record that specifies a list of authorized host names and/or IP addresses from which mail
 can originate from for a given domain name.</t>
 
-<t anchor="_6a5c87db-cf9d-1ff8-f017-2d3b594339de">It manifests itself as a TXT record.  The format of which starts with v=spf1 followed by a list of "rules" of
+<t anchor="_7a24992f-ef53-cc61-9bb8-abeb8e1af5f3">It manifests itself as a TXT record.  The format of which starts with v=spf1 followed by a list of "rules" of
 what to include/exclude.  If a rule passes, the mail is allowed. If it fails, it moves to the next rule.
 Typical record might appear as:</t>
 
-<sourcecode anchor="_0e0d6542-df9a-2160-4e4c-0691846afd29"><![CDATA[v=spf1 include:policy.exampleprovider.com -all]]></sourcecode>
+<sourcecode anchor="_5f39bbe8-2204-9f33-cc64-58dc1b089ecb"><![CDATA[v=spf1 include:policy.exampleprovider.example -all]]></sourcecode>
 
 
-<t anchor="_57afd789-24ae-b415-b7e0-7e778ddee7f2">This is an SPF record with two rules.  The first rule indicates that the rules for SPF record
-<em>policy.exampleprovider.com be included in this record. The second rule is a catch all (_all</em>). The default modifier for a rule is <em>pass</em> (+). Other modifiers are <em>hard failure</em>(-), <em>soft failure</em> (~) and <em>neutral</em> (?).</t>
+<t anchor="_1ef0da64-71ce-e9c5-1031-b87b87b3807a">This is an SPF record with two rules.  The first rule indicates that the rules for SPF record
+<em>policy.exampleprovider.example be included in this record. The second rule is a catch all (_all</em>). The default modifier for a rule is <em>pass</em> (+). Other modifiers are <em>hard failure</em>(-), <em>soft failure</em> (~) and <em>neutral</em> (?).</t>
 
-<t anchor="_6dd42890-4857-50ea-56d8-136d64ca0e5b">Note: A failure in SPF doesn't mean delivery won't happen, however depending on the policies of the receiving
+<t anchor="_4eb75087-44d1-11a4-fd0b-c67320df5260">Note: A failure in SPF doesn't mean delivery won't happen, however depending on the policies of the receiving
 system, messages classified with <em>hard failure</em> or <em>soft failure</em> may not be delivered or marked as spam.</t>
 
-<t anchor="_d95529a0-286f-c0fb-a078-2a833cc9c002">The use of "all" at the end  is pretty common, although some providers mark it as ~ (soft fail) or ? (neutral).
+<t anchor="_6b834557-b42f-ba6d-c68a-a2892ef2dcae">The use of "all" at the end  is pretty common, although some providers mark it as ~ (soft fail) or ? (neutral).
 The reality is that a good SPF record is tuned based on what services are attached to a domain. Not just one
 individual service.</t>
 </section>
 
 <section anchor="multiple-services"><name>Multiple Services</name>
 
-<t anchor="_7e928e4c-ed90-b858-530f-071f31c3f1a9">If only one email sending service were active, the SPF record recommended by the provider is sufficient. But
+<t anchor="_0a0e9221-4692-74ee-3252-e8b7512c480d">If only one email sending service were active, the SPF record recommended by the provider is sufficient. But
 mail from a domain can often come from several different services.</t>
 
-<t anchor="_a07eaa0e-bb3a-de87-d105-3f9ae65378d7">A very typical use case might be end user mail and an email newsletter service.
+<t anchor="_87fbf50f-e588-d3a0-a9f2-e2ed095b62c5">A very typical use case might be end user mail and an email newsletter service.
 Let's look at the SPF records recommended for individual services.</t>
 
-<t anchor="_f740e942-8096-677f-1ecd-5b9225cda4c8">Mailer1: v=spf1 include:spf.mailer1.com -all
-Newsletter1: v=spf1 include:_spf.newsletter.net ~all</t>
+<t anchor="_b86ef6be-e92a-8637-3204-ae7ae79ea4f8">Mailer1: v=spf1 include:spf.mailer1.example -all
+Newsletter1: v=spf1 include:_spf.newsletter.example ~all</t>
 
-<t anchor="_9f6a0e08-5d7e-8a22-ef25-7baf68ea0df2">All of these examples use the include syntax. This is fairly common. The use of all at the end is common,
+<t anchor="_97a1a3f3-5a70-a30d-06b2-b7df7f0e75fd">All of these examples use the include syntax. This is fairly common. The use of all at the end is common,
 although is often inconsistent with the modifier.</t>
 
-<t anchor="_e1155def-aa33-0ab3-589a-c9e47e1e48fa">If a customer installed Mailer1 and Newsletter1, their combined SPF record ought to be something like:</t>
+<t anchor="_a27d1a7b-1b46-677a-3a4c-3ce481479408">If a customer installed Mailer1 and Newsletter1, their combined SPF record ought to be something like:</t>
 
-<sourcecode anchor="_876d2f0e-81de-b493-b556-223094d95c72"><![CDATA[v=spf1 include:spf.mailer1.com include:_spf.newsletter.net ~all]]></sourcecode>
+<sourcecode anchor="_d85934fa-4a6d-ee35-4227-e6e48188be04"><![CDATA[v=spf1 include:spf.mailer1.example include:_spf.newsletter.example
+ ~all]]></sourcecode>
 
 
-<t anchor="_93814591-3a07-1525-5f2b-da7ed81c37ab">We combined the two rules, and in this case picked the least restrictive all modifier.</t>
+<t anchor="_5dff0a3d-cf4d-595f-89c3-6a38025d94b6">We combined the two rules, and in this case picked the least restrictive all modifier.</t>
 </section>
 
 <section anchor="_spf_record_merging"><name>SPF Record Merging</name>
 
-<t anchor="_3a1f06ca-9238-26f6-0a31-370d8d35e38a">The challenge with SPF records and Domain Connect is that an individual service might recommend an SPF record. If only one service were active, this would be accurate. But with several services together only the DNS Provider is able to determine the valid shape of a SPF TXT record.</t>
+<t anchor="_e5a00c59-fdfd-9adb-fa4e-e8b535e148e0">The challenge with SPF records and Domain Connect is that an individual service might recommend an SPF record. If only one service were active, this would be accurate. But with several services together only the DNS Provider is able to determine the valid shape of a SPF TXT record.</t>
 
-<t anchor="_fa2de62a-4063-8d4b-5aab-d566d5ee1092">One solution to this problem is to merge all related records. At the highest level, this means taking everything between the "v=spf1" and the "all" from each of the records and merging them together, terminating with hard-coded modifier on <em>all</em> at the end.  For an SPF record to fulfill it's purpose of protection against malicious email delivery, Domain Connect advises a fixed modifier <em>"~"</em> advising lower rating of the messages from other sources not specified in SPF. This setup offers a reasonable level of protection of mail delivery, on the other side does not reject the message in case forwarding facility is in place.</t>
+<t anchor="_6549db41-1747-2db1-a7cd-9a34ecba2c07">One solution to this problem is to merge all related records. At the highest level, this means taking everything between the "v=spf1" and the "all" from each of the records and merging them together, terminating with hard-coded modifier on <em>all</em> at the end.  For an SPF record to fulfill it's purpose of protection against malicious email delivery, Domain Connect advises a fixed modifier <em>"~"</em> advising lower rating of the messages from other sources not specified in SPF. This setup offers a reasonable level of protection of mail delivery, on the other side does not reject the message in case forwarding facility is in place.</t>
 
-<sourcecode anchor="_55c810d2-22c4-2727-4563-63fd05ea83ae"><![CDATA[@ TXT v=spf1 include:spf.mailer1.com include:_spf.newsletter.net ~all]]></sourcecode>
+<sourcecode anchor="_f05e4bef-5968-bfc3-758c-a6fe985d859f"><![CDATA[@ TXT v=spf1 include:spf.mailer1.example include:_spf.newsletter.exam
+ple ~all]]></sourcecode>
 
 
-<t anchor="_5b6b7d8a-431e-a714-86e7-a13e92877f01">The other would be to write intermediate records, and reference these locally.</t>
+<t anchor="_e1a05ef9-cb9e-2634-8fba-87e4ef3b8af1">The other would be to write intermediate records, and reference these locally.</t>
 
-<sourcecode anchor="_45b2ebf8-78f1-e8a8-8f75-8762b818da45"><![CDATA[r1.example.com. TXT v=spf1 include:spf.mailer1.com ~all
-r2.example.com. TXT v=spf1 include:_spf.newsletter.net ~all
+<sourcecode anchor="_ba8c0d20-f366-c81e-8613-fce5005bd8ac"><![CDATA[r1.example.com. TXT v=spf1 include:spf.mailer1.example ~all
+r2.example.com. TXT v=spf1 include:_spf.newsletter.example ~all
 @ TXT v=spf1 include:r1.example.com include:r2.example.com ~all]]></sourcecode>
 
 
-<t anchor="_72cd531e-848b-94e0-d7c0-606317cc3f24">There are advantages and disadvantages to both approaches.  SPF records have a limit of 10 DNS lookups and record length is limited to 255 characters.  So depending on the embedded records both approaches might have advantages.</t>
+<t anchor="_9960ba23-b1d3-f5a5-021b-136f2fdca440">There are advantages and disadvantages to both approaches.  SPF records have a limit of 10 DNS lookups and record length is limited to 255 characters.  So depending on the embedded records both approaches might have advantages.</t>
 
-<t anchor="_e7db4302-8b46-9d58-d9cb-4f913c150a5f">The implementation would be left to the DNS Provider, but to facilitate this SPF records must NOT be included in templates.  Instead, we introduce a new pseudo-record type in the template called <em>SPFM</em>. This has the following attribute:</t>
+<t anchor="_3506ab8e-a076-95b6-da7b-ea266e82990d">The implementation would be left to the DNS Provider, but to facilitate this SPF records must NOT be included in templates.  Instead, we introduce a new pseudo-record type in the template called <em>SPFM</em>. This has the following attribute:</t>
 
-<dl anchor="_4a9c21dd-3aa9-1c1a-3608-4de7a88d2513"><dt>spfRules</dt><dd><t anchor="_38cbb2fe-a211-bbf3-dd1b-b54846b363ad">Determines the desired rules, basically everything but leading "v=spf1" and trailing <em>all</em> rule -  see: <xref target="template-record">SPF Rules</xref></t>
+<dl anchor="_661f62fd-6ae2-ae70-43ed-64bd5b7bc023"><dt>spfRules</dt><dd><t anchor="_5e12d990-5875-45f0-866e-083e9a0c32e9">Determines the desired rules, basically everything but leading "v=spf1" and trailing <em>all</em> rule -  see: <xref target="template-record">SPF Rules</xref></t>
 </dd></dl>
 
-<t anchor="_c6e58c39-c56a-b964-cdc0-aa29f4fa9cb3">When a template is added or removed with an <em>SPFM</em> record in the template, some code would need to take the aggregate value of all <em>SPFM</em> records in all templates applied as well as existing SPF TXT record on the host and recalculate the resulting SPF TXT record. In case several sources specify the same rule with a different policy DNS Provider SHOULD apply the least restrictive one as a result. <em>soft failure</em> SHOULD be preferred over <em>hard failure</em>, <em>neutral</em> SHOULD be preferred over <em>soft failure</em>.</t>
+<t anchor="_33d099eb-5bed-c885-fdf0-5e28b14645e7">When a template is added or removed with an <em>SPFM</em> record in the template, some code would need to take the aggregate value of all <em>SPFM</em> records in all templates applied as well as existing SPF TXT record on the host and recalculate the resulting SPF TXT record. In case several sources specify the same rule with a different policy DNS Provider SHOULD apply the least restrictive one as a result. <em>soft failure</em> SHOULD be preferred over <em>hard failure</em>, <em>neutral</em> SHOULD be preferred over <em>soft failure</em>.</t>
 
-<t anchor="_a310f8f2-bfb7-592b-19fd-7e45190294b4">DNS Provider SHOULD also allow the end user to modify the SPF record after merging.</t>
+<t anchor="_c55eb9cc-49c6-9a24-96df-4dc16f892a00">DNS Provider SHOULD also allow the end user to modify the SPF record after merging.</t>
 
-<t anchor="_b59cd3fb-c5c9-697c-b993-dcf57f956677">Due to merging step in between, the resulting SPF TXT records are considered non-essential (see: <xref target="non-essential-record"></xref>). That means the user may decide to override the final calculated value or remove the whole SPF record. This action must not lead to removal of any related templates in conflict detection and template integrity routines if implemented by the DNS provider.</t>
+<t anchor="_cbc1c114-a3e3-b337-c17f-b2ea3e6656a1">Due to merging step in between, the resulting SPF TXT records are considered non-essential (see: <xref target="non-essential-record"></xref>). That means the user may decide to override the final calculated value or remove the whole SPF record. This action must not lead to removal of any related templates in conflict detection and template integrity routines if implemented by the DNS provider.</t>
 
-<t anchor="_fb881bbf-ca0f-fe76-ac9a-4fa272714744">If the existing TXT record makes the merging operation not possible, the DNS provider must handle this situation the same way as a conflict and either let the end-user resolve it in the UX (both in Synchronous and Asynchronous flow) or return the conflict as an error in the Asynchronous flow unless the <em>force=true</em> parameter is used, effectively removing the existing record.</t>
+<t anchor="_ba6a0236-cbe9-04ee-def2-dc36b223aacd">If the existing TXT record makes the merging operation not possible, the DNS provider must handle this situation the same way as a conflict and either let the end-user resolve it in the UX (both in Synchronous and Asynchronous flow) or return the conflict as an error in the Asynchronous flow unless the <em>force=true</em> parameter is used, effectively removing the existing record.</t>
 
-<t anchor="_671e2760-75f2-3ded-8707-7e2596eb59ac">Service providers should avoid exact match checking content of TXT SPF record, as it might be strongly influenced by the DNS Provider merging strategy and user actions.</t>
+<t anchor="_5eab9d17-d380-2a94-e7c9-bc82693d4b0f">Service providers should avoid exact match checking content of TXT SPF record, as it might be strongly influenced by the DNS Provider merging strategy and user actions.</t>
 
-<t anchor="_c6c8205c-16f5-4e1f-b597-6a12fff5d3c2">See <xref target="example-spf-merge"></xref>.</t>
+<t anchor="_2cc60a00-c540-ed0e-d527-519b2877bfe2">See <xref target="example-spf-merge"></xref>.</t>
 </section>
 
 <section anchor="_alternatives"><name>Alternatives</name>
 
-<t anchor="_14f87d3c-7ec3-4f58-3ac9-50f99614495f">Some DNS Providers may decide not to support the SPFM record. The following alternative solution should allow general interoperability of the templates for those providers: onboard the templates with SPFM record in variable-compatible form using a regular TXT record with content <em>"v=spf1 %spfRules% ~all"</em>, using property <em>essential=OnApply</em> set to avoid removal of the whole template by a conflict.</t>
+<t anchor="_bebbf8a3-4438-266b-e2af-7b22fcffd35d">Some DNS Providers may decide not to support the SPFM record. The following alternative solution should allow general interoperability of the templates for those providers: onboard the templates with SPFM record in variable-compatible form using a regular TXT record with content <em>"v=spf1 %spfRules% ~all"</em>, using property <em>essential=OnApply</em> set to avoid removal of the whole template by a conflict.</t>
 </section>
 </section>
 
 <section anchor="repository-and-integrity"><name>Public Template Repository</name>
 
-<t anchor="_6ce5fa14-3b48-e1dc-0054-300f416f2ffe">The Public Template Repository is an open accessible location where Service Providers
+<section anchor="_general_information_3"><name>General information</name>
+
+<t anchor="_3471d989-85c1-532a-e088-4d513f6ea7d9">The Public Template Repository is an open accessible location where Service Providers
 MAY publish their Service Templates in the format specified in this specification.
 DNS Providers MAY support all of the published templates, just a subset or none of them according
 to own onboarding policies (see also: <xref target="onboarding-considerations"></xref>).</t>
 
-<t anchor="_63b38b06-90ea-e51a-3de6-76f7ff89ea4d">The template format is intended largely for documentation and communication between the DNS Providers and
+<t anchor="_3a16b2cd-3976-fdd5-454b-1f4d7eafd030">The template format is intended largely for documentation and communication between the DNS Providers and
 Service Providers, and there are no codified endpoints for creation or modification of these objects.
 Instead, Domain Connect references a template by ID.</t>
 
-<t anchor="_1c834208-2330-6f5a-0b60-50e22488d4ca">As such, DNS Providers may or may not use templates in this format in
+<t anchor="_8e3fd5cc-bd8c-2326-98ed-93437ea49424">As such, DNS Providers may or may not use templates in this format in
 their internal implementations. By defining a standard template format,
 it is believed it will make it easier for Service Providers to share
 their configuration across DNS Providers.</t>
+</section>
 
 <section anchor="_repository_location"><name>Repository Location</name>
 
-<t anchor="_2002eea5-c71f-f4bc-24ee-ba4d360ab812">The  repository of the templates is maintained under
+<t anchor="_797a15a8-7d51-5da3-b160-15aab9b9470b">The  repository of the templates is maintained under
 <eref target="https://github.com/Domain-Connect/templates"></eref>.</t>
 </section>
 
 <section anchor="repository-file-names-requirements"><name>File naming requirements</name>
 
-<t anchor="_c1f9d2b8-2a2d-4c5b-3667-54dbf8a64f3e">The file names in this repository MUST be all lower case, including the providerId
+<t anchor="_58130f40-0629-27db-a498-ae73b35a4755">The file names in this repository MUST be all lower case, including the providerId
 and serviceId. As a result, while the providerId and serviceId can be mixed case,
 all providerIds and serviceIds in this repository must be unique when lower case.</t>
 
-<t anchor="_aaa6d745-ee89-5a5a-ac8f-9fbc56370ecc">Templates MUST be named according the following pattern: <tt>providerId.serviceId.json</tt></t>
+<t anchor="_5a2244cb-22f0-cdc0-9254-2d3958b912e9">Templates MUST be named according the following pattern: <tt>providerId.serviceId.json</tt></t>
 
-<sourcecode anchor="_38a2e2f6-66a4-94d8-0f03-1ad3d034b802"><![CDATA[providerId: Acme.com
+<sourcecode anchor="_e83edb14-183a-5754-8be5-bb034f1d588a"><![CDATA[providerId: example.com
 serviceId: WebsiteBuilder
 
-Template file name: acme.com.websitebuilder.json]]></sourcecode>
+Template file name: example.com.websitebuilder.json]]></sourcecode>
 
 </section>
 
 <section anchor="_template_integrity"><name>Template Integrity</name>
 
-<t anchor="_d9ea6b4c-bb83-9075-4720-4b3756dd60d8">Implementers are responsible for data integrity and should use the
+<t anchor="_2782bad4-6d89-c628-3e53-303f2b8054d8">Implementers are responsible for data integrity and should use the
 record type field to validate that variable input meets the criteria for
 each different data type.</t>
 
-<t anchor="_027765e8-997c-a96f-b65d-470fb3590847">Hard-coded host names are the responsibility of the DNS Provider to
+<t anchor="_a6bc278f-eb31-0c2e-3f2b-5fd4ce274b7a">Hard-coded host names are the responsibility of the DNS Provider to
 protect. That is, DNS Providers are responsible for ensuring that host
 names do not interfere with known values (such as m. or www. or mail.)
 or internal names that provide critical functionality that is outside
@@ -1624,17 +1664,17 @@ the scope of this specification.</t>
 
 <section anchor="onboarding-considerations"><name>Onboarding</name>
 
-<t anchor="_033bc590-3f14-e734-8a76-876eaf3e0311">This specification is an open standard that describes the protocol, messages and formats
+<t anchor="_f2e756f0-e3dc-cf99-03f6-a6314222714a">This specification is an open standard that describes the protocol, messages and formats
 used to enable Domain Connect between a Service Provider and a DNS
 Provider.</t>
 
-<t anchor="_7c90ef0a-6b41-a019-8ef2-177d60771421">Any Service Provider is free to define and publish a template. However, the terms
+<t anchor="_431409f9-4ca7-98e1-35e8-2a18be6a21b7">Any Service Provider is free to define and publish a template. However, the terms
 and conditions for a DNS Provider onboarding a Service Provider
 template is beyond the scope of this document. A DNS Provider can
 be selective in what templates they support, can require a contractual
 relationship, or even charge a fee for onboarding.</t>
 
-<t anchor="_dfc831ab-edc4-2a26-5293-085b026edf7f">One way a Service Provider can be selective in which DNS Providers they accept is to
+<t anchor="_93aad956-9406-3e07-1540-77bc3963e6ca">One way a Service Provider can be selective in which DNS Providers they accept is to
 implement a whitelist of providerIds. A Service Provider who chooses to whitelist must
 use providerId to distinguish between unique DNS Providers. The DNS providerId is typically
 a domain name.</t>
@@ -1642,37 +1682,37 @@ a domain name.</t>
 
 <section anchor="_case_sensitivity"><name>Case Sensitivity</name>
 
-<t anchor="_fab18d86-1620-8b1b-370f-2405a269ae73">All values are case sensitive. This includes variable names, values, parameters and objects
+<t anchor="_16d68f80-3222-9ea9-491c-44413d9b937c">All values are case sensitive. This includes variable names, values, parameters and objects
 returned.</t>
 
-<t anchor="_93d8ef3e-f653-dcd4-a3a8-788f60848003">One exception is the domain/host name. This is because a fully qualified domain name is case insensitive.</t>
+<t anchor="_a7162a2d-7a88-28f7-2073-f0ef9413f057">One exception is the domain/host name. This is because a fully qualified domain name is case insensitive.</t>
 
-<t anchor="_630129fe-8f27-360a-370f-f87ac2b1f8ca">The values for providerId/serviceId in the template and passed through URIs in the path or query string are case sensitive. Different rules apply to the file naming in the <xref target="repository-file-names-requirements">Public Template Repository</xref>.</t>
+<t anchor="_b7bcecd8-aa27-9530-b8d2-e0f39174c626">The values for providerId/serviceId in the template and passed through URIs in the path or query string are case sensitive. Different rules apply to the file naming in the <xref target="repository-file-names-requirements">Public Template Repository</xref>.</t>
 </section>
 </section>
     <section anchor="_extensionsexclusions"><name>Extensions/Exclusions</name>
 
-<t anchor="_7a50fcde-2627-a832-5ffb-292fdc5bdd94">Additional record types and/or extensions to records in the template can
-be implemented on a per DNS Provider basis. However, care should be
-taken when defining extensions so as to not conflict with other
+<section anchor="_general_information_4"><name>General information</name>
+
+<t anchor="_aa3a4891-ca58-cdef-8b54-dbcf7af255f7">Additional record types and/or extensions to records in the template can be implemented on a per DNS Provider basis. However, care should be taken when defining extensions so as to not conflict with other
 protocols and standards. Certain record names are reserved for use in
-DNS for protocols like DNSSEC (DNSKEY, RRSIG) at the registry level.</t>
+DNS for protocols like DNSSEC (DNSKEY, RRSIG) <xref target="RFC9364" section="" relative=""></xref> at the registry level.</t>
 
-<t anchor="_0f6fb4cc-43e4-c92c-aae4-65a0d35fb73a">Defining these OPTIONAL extensions in an open manner as part of this
-specification is done to provide consistency. The following are the initial
-OPTIONAL extensions a DNS Provider/Service Provider may support.</t>
+<t anchor="_3e0a08b0-017d-051a-874d-cb2a499aaa8c">Defining these OPTIONAL extensions in an open manner as part of this
+specification is done to provide consistency. The following are the initial OPTIONAL extensions a DNS Provider/Service Provider may support.</t>
+</section>
 
 <section anchor="_apexcname"><name>APEXCNAME</name>
 
-<t anchor="_cb2750f6-8644-262c-3954-f418cc6505f3">Some Service Providers desire the behavior of a CNAME record, but in the
+<t anchor="_4f2fadcf-ff82-4301-405a-fe4df20bace6">Some Service Providers desire the behavior of a CNAME record, but in the
 apex record. This would allow for an A Record at the root of the domain
 but dynamically determined at runtime.</t>
 
-<t anchor="_9f89592f-d955-0bda-79e5-762c5d30092e">The recommended record type for DNS Providers that wish to support this
+<t anchor="_2fd75b30-482d-be4f-6374-d5657836de0c">The recommended record type for DNS Providers that wish to support this
 is an APEXCNAME record. Additional fields included with this record
 would include pointsTo and TTL.</t>
 
-<t anchor="_28ce068b-207b-b255-1ba9-ebe0ebe1b20e">Defining a standard for such functionality in DNS is beyond the scope of
+<t anchor="_838f6cf3-301d-8532-840b-79cc6cf4bc11">Defining a standard for such functionality in DNS is beyond the scope of
 this specification. But for DNS Providers that support this
 functionality, using the same record type name across DNS Providers
 allows template reuse.</t>
@@ -1680,76 +1720,70 @@ allows template reuse.</t>
 
 <section anchor="_redirection"><name>Redirection</name>
 
-<t anchor="_d3903607-20a9-750c-a0ac-ff2c1bfd85f5">Some Service Providers desire a redirection service associated with the
+<t anchor="_ec1d85bd-5681-186b-ee3a-aef524763b95">Some Service Providers desire a redirection service associated with the
 A Record. A typical example is a service that requires a redirect of the
 domain (e.g. example.com) to the www variant (www.example.com). The www
 would often contain a CNAME.</t>
 
-<t anchor="_06327d73-4470-9493-a2ea-16ef1f7ff20e">Since implementation of a redirection service is typically simple, it is
+<t anchor="_2633c35b-10d6-1752-abbd-68b9741858ed">Since implementation of a redirection service is typically simple, it is
 recommended that service providers implement redirection on their own.
 But for DNS Providers that have a redirection service, supporting simple
 templates with this functionality may be desired.</t>
 
-<t anchor="_391fbb99-aba0-4ac7-87fd-c22a69076351">While technically not a "record" in DNS, when supporting this OPTIONAL
+<t anchor="_1c6be30c-9482-8d3d-0852-71099c006810">While technically not a "record" in DNS, when supporting this OPTIONAL
 functionality it is recommended that this should be implemented using two new
 record types.</t>
 
-<t anchor="_c1be827b-c606-cb56-e631-7f98f114a7c5">REDIR301 and REDIR302 would implement 301 and 302 redirects
+<t anchor="_4a246beb-f57e-9f42-cad9-b6e14529db07">REDIR301 and REDIR302 would implement 301 and 302 redirects
 respectively. Associated with this record would be a single field called
 the "target", containing the target url of the redirect.</t>
 </section>
 
 <section anchor="_nameservers"><name>Nameservers</name>
 
-<t anchor="_caa32ae7-81ff-f8ce-4d8e-0a5a0d0ccc22">Several service providers have asked for functionality supporting an
+<t anchor="_6d2409e8-02a1-4b0c-2b37-ebfc4f5b5987">Several service providers have asked for functionality supporting an
 update to the nameserver records at the registry associated with the
 domain.</t>
 
-<t anchor="_3cf9af77-a952-0c79-9c31-5f20d4e698c1">When implementing this, two records should be provided. NS1 and NS2,
+<t anchor="_712820e4-573d-9670-d99b-8b20fec154c5">When implementing this, two records should be provided. NS1 and NS2,
 each containing a pointsTo argument.</t>
 
-<t anchor="_272f1e5a-ee68-b133-a881-f1c6af8c136d">It will be noted that a nameserver update would require that the DNS
+<t anchor="_ddbe7577-ee13-fc54-38c1-9703c1e4a8bb">It will be noted that a nameserver update would require that the DNS
 Provider is the registrar. This is not always the case.</t>
 
-<t anchor="_f7fcd661-f704-557e-e0f7-81c9d8d2072b">This functionality is again deemed as OPTIONAL and up to the DNS
+<t anchor="_ad7f8896-6c66-8364-08be-d75a3616e3f9">This functionality is again deemed as OPTIONAL and up to the DNS
 Provider to determine if they will support this.</t>
 </section>
 
 <section anchor="_ds_dnssec"><name>DS (DNSSEC)</name>
 
-<t anchor="_145af9a4-0b20-13c7-67e8-638d81ec8218">Requests have been made to allow for updates to the DS record for
+<t anchor="_fdcb8dfa-0af7-4564-edac-0e4b2d909666">Requests have been made to allow for updates to the DS record for
 DNSSEC. This record is required at the registry to enable DNSSEC, but
 can only be written by the registrar.</t>
 
-<t anchor="_49923603-0d7b-a084-3591-1b3130039a9e">For DNS Providers that support this record, the record type should be
+<t anchor="_2a9651dd-cbaf-be10-23af-dfc7472c925e">For DNS Providers that support this record, the record type should be
 DS. Values will be keyTag, algorithm, digestType, and digest.</t>
 
-<t anchor="_edb4f780-3819-38cf-d254-4e1209a015ea">Again it should be noted that a DS update would require that the DNS
-Provider is the registrar, and is again deemed as OPTIONAL and up to the
+<t anchor="_c95d6fda-1679-e9ed-57f9-cd8cce4820f9">Again it should be noted that a DS update would require that the DNS
+Provider is the registrar, and is again deemed as optional and up to the
 DNS Provider to determine if they will support.</t>
 </section>
 </section>
     <section anchor="_iana_considerations"><name>IANA Considerations</name>
 
-<t anchor="_660f7c55-9221-6c5a-2266-f3f904c5d72b">TODO</t>
-</section>
-    <section anchor="_acknowledgments"><name>Acknowledgments</name>
-
-<t anchor="_dea18904-bacd-a59b-e1d8-b75866da34a5">The authors wish to thank the following persons for their feedback and suggestions:</t>
-
-<ul anchor="_d200485b-3cce-9909-214c-5fc7773a0400"><li>Chris Ambler of GoDaddy Inc.</li>
-<li>Jody Kolker of GoDaddy Inc.</li>
-</ul>
+<t anchor="_2b651246-3b49-7205-7321-79ac38b8f44b">None.</t>
 </section>
     <section anchor="_change_history"><name>Change History</name>
 
 <section anchor="_change_from_03_to_04"><name>Change from 03 to 04</name>
 
+<figure anchor="_80162c4f-c5a6-1f90-c821-1ffbe0c39554"><artwork anchor="_c9c2a2ce-fe49-d844-abd9-fdf4de82b3bf" type="ascii-art"><![CDATA[Version synchronized with 2.2 version rev. 66 of the public Domain
+Connect specification.]]></artwork></figure>
 </section>
 
 <section anchor="_change_from_02_to_03"><name>Change from 02 to 03</name>
 
-<figure anchor="_299c560a-8aaa-365f-8d10-7d67615fcbf9"><artwork anchor="_839b923b-fdc4-08f9-021b-d54291e836b0" type="ascii-art"><![CDATA[Added width/height JSON values returned by DNS Provider Discovery.
+<figure anchor="_b69ca960-3da1-c0a3-5b65-fc0842c44e16"><artwork anchor="_54614d31-9ff3-6209-be9e-b068baefad03" type="ascii-art"><![CDATA[Added width/height JSON values returned by DNS Provider Discovery.
 Corrected text of GET method for getting the authorization token.
 Added clarifying text to Group ID description parameter of the apply
 template POST method.  Quite a few minor edits and clarifications
@@ -1759,108 +1793,69 @@ Implementation Considerations section.]]></artwork></figure>
 
 <section anchor="_change_from_01_to_02"><name>Change from 01 to 02</name>
 
-<figure anchor="_74d5e38c-c4c7-2b78-fa10-165d0a27c75a"><artwork anchor="_a205e4e0-54bc-a86b-c0bc-76ba0dc3b2d8" type="ascii-art"><![CDATA[Added new GET method for Service Providers to determine if the DNS
+<figure anchor="_7f8bb4ba-7dfa-eb93-e2ba-7516f1da196d"><artwork anchor="_822d98a3-8a70-5fe5-891b-92de04cb6732" type="ascii-art"><![CDATA[Added new GET method for Service Providers to determine if the DNS
 Provider supports a specific template.  Some other minor edits for
 clarification.]]></artwork></figure>
 </section>
 
 <section anchor="_change_from_00_to_01"><name>Change from 00 to 01</name>
 
-<figure anchor="_1009fb31-e8b4-e430-118a-6c27636e2b4e"><artwork anchor="_f5f9efe5-2fbd-861d-0952-8dff24cbc48f" type="ascii-art"><![CDATA[Minor edits and clarifications found during implementation.]]></artwork></figure>
+<figure anchor="_ff421bda-a429-301a-e0d2-b86ccb210565"><artwork anchor="_569c2bee-c9fb-707e-7ef7-ca8ffbe144ec" type="ascii-art"><![CDATA[Minor edits and clarifications found during implementation.]]></artwork></figure>
 </section>
 </section>
   </middle>
   <back>
     <references anchor="_normative_references">
       <name>Normative References</name>
-      <reference target="https://www.rfc-editor.org/info/rfc2119" anchor="RFC2119">
-        <front>
-          <title>Key words for use in RFCs to Indicate Requirement Levels</title>
-          <author fullname="S. Bradner" asciiFullname="S. Bradner"></author>
-          <date month="March" year="1997"></date>
-          <abstract>    <t anchor="_f3ce90c0-c4e6-d4b9-1021-7e06bb259c6d">In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
-  </abstract>
-        </front>
-        <format target="https://raw.githubusercontent.com/relaton/relaton-data-ietf/master/data/reference.RFC.2119.xml" type="xml"></format>
-        <format target="https://www.rfc-editor.org/info/rfc2119" type="src"></format>
-        <refcontent>RFC 2119</refcontent>
-        <seriesInfo value="2119" name="RFC"></seriesInfo>
-        <seriesInfo value="10.17487/RFC2119" name="DOI"></seriesInfo>
-      </reference>
+      <reference target="https://www.rfc-editor.org/info/rfc2119" anchor="RFC2119"><stream>IETF</stream> <front> <title>Key words for use in RFCs to Indicate Requirement Levels</title> <author fullname="S. Bradner" asciiFullname="S. Bradner"></author> <date month="March" year="1997"></date> <keyword>Standards</keyword><keyword>Track</keyword><keyword>Documents</keyword> <abstract>  <t anchor="_d880f395-e6d7-8f4a-03cf-d16fe47fb9c2">In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t></abstract> </front> <format target="https://www.rfc-editor.org/info/rfc2119" type="src"></format> <seriesInfo value=" 10.17487/RFC2119" name="DOI"></seriesInfo> <seriesInfo value="14" name="BCP"></seriesInfo> <seriesInfo value="2119" name="RFC"></seriesInfo></reference>
+      <reference target="https://www.rfc-editor.org/info/rfc7208" anchor="RFC7208"><stream>IETF</stream> <front> <title>Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1</title> <author fullname="S. Kitterman" asciiFullname="S. Kitterman"></author> <date month="April" year="2014"></date> <keyword>spoofing</keyword><keyword>spf</keyword><keyword>anti-forgery</keyword><keyword>authentication</keyword> <abstract>  <t anchor="_691735a1-68d4-f69b-2f00-56c5991f4bb4">Email on the Internet can be forged in a number of ways. In particular, existing protocols place no restriction on what a sending host can use as the "MAIL FROM" of a message or the domain given on the SMTP HELO/EHLO commands. This document describes version 1 of the Sender Policy Framework (SPF) protocol, whereby ADministrative Management Domains (ADMDs) can explicitly authorize the hosts that are allowed to use their domain names, and a receiving host can check such authorization.</t>  <t anchor="_b9155502-1b97-d28d-5d19-3860ecd07041">This document obsoletes RFC 4408.</t></abstract> </front> <format target="https://www.rfc-editor.org/info/rfc7208" type="src"></format> <seriesInfo value=" 10.17487/RFC7208" name="DOI"></seriesInfo> <seriesInfo value="7208" name="RFC"></seriesInfo></reference>
+      <reference target="https://www.rfc-editor.org/info/rfc6749" anchor="RFC6749"><stream>IETF</stream> <front> <title>The OAuth 2.0 Authorization Framework</title> <author fullname="D. Hardt" asciiFullname="D. Hardt"></author> <date month="October" year="2012"></date> <keyword>Client</keyword><keyword>Resource Owner</keyword><keyword>Authorization Server</keyword><keyword>Resource Server</keyword><keyword>Token Endpoint</keyword><keyword>Authorization Endpoint</keyword><keyword>Authorization Request</keyword><keyword>Authorization Grant</keyword><keyword>Protected Resource</keyword><keyword>Access Token</keyword><keyword>Refresh Token</keyword><keyword>Authorization Code</keyword><keyword>Implicit Grant</keyword><keyword>Client Identifier</keyword><keyword>Access Token Scope</keyword><keyword>Delegation</keyword> <abstract>  <t anchor="_819b4a34-631b-6988-2251-f26d90dbb21b">The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK]</t></abstract> </front> <format target="https://www.rfc-editor.org/info/rfc6749" type="src"></format> <seriesInfo value=" 10.17487/RFC6749" name="DOI"></seriesInfo> <seriesInfo value="6749" name="RFC"></seriesInfo></reference>
     </references>
     <references anchor="_informative_references">
       <name>Informative References</name>
-      <reference target="https://www.rfc-editor.org/info/rfc8174" anchor="RFC8174">
-        <front>
-          <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
-          <author fullname="B. Leiba" asciiFullname="B. Leiba"></author>
-          <date month="May" year="2017"></date>
-          <abstract>    <t anchor="_43f82580-2aba-a529-46e9-a5903ebe6d91">RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
-  </abstract>
-        </front>
-        <format target="https://raw.githubusercontent.com/relaton/relaton-data-ietf/master/data/reference.RFC.8174.xml" type="xml"></format>
-        <format target="https://www.rfc-editor.org/info/rfc8174" type="src"></format>
-        <refcontent>RFC 8174</refcontent>
-        <seriesInfo value="8174" name="RFC"></seriesInfo>
-        <seriesInfo value="10.17487/RFC8174" name="DOI"></seriesInfo>
-      </reference>
-      <reference target="https://www.rfc-editor.org/info/rfc7208" anchor="RFC7208">
-        <front>
-          <title>Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1</title>
-          <author fullname="S. Kitterman" asciiFullname="S. Kitterman"></author>
-          <date month="April" year="2014"></date>
-          <abstract>    <t anchor="_9ec28042-5296-69cc-821b-0e50cf12f1fa">Email on the Internet can be forged in a number of ways. In particular, existing protocols place no restriction on what a sending host can use as the "MAIL FROM" of a message or the domain given on the SMTP HELO/EHLO commands. This document describes version 1 of the Sender Policy Framework (SPF) protocol, whereby ADministrative Management Domains (ADMDs) can explicitly authorize the hosts that are allowed to use their domain names, and a receiving host can check such authorization.</t>
-    <t anchor="_b150ea01-020c-5a25-aa73-7eec92f0e504">This document obsoletes RFC 4408.</t>
-  </abstract>
-        </front>
-        <format target="https://raw.githubusercontent.com/relaton/relaton-data-ietf/master/data/reference.RFC.7208.xml" type="xml"></format>
-        <format target="https://www.rfc-editor.org/info/rfc7208" type="src"></format>
-        <refcontent>RFC 7208</refcontent>
-        <seriesInfo value="7208" name="RFC"></seriesInfo>
-        <seriesInfo value="10.17487/RFC7208" name="DOI"></seriesInfo>
-      </reference>
+      <reference target="https://www.rfc-editor.org/info/rfc8174" anchor="RFC8174"><stream>IETF</stream> <front> <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title> <author fullname="B. Leiba" asciiFullname="B. Leiba"></author> <date month="May" year="2017"></date> <abstract>  <t anchor="_43f82580-2aba-a529-46e9-a5903ebe6d91">RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t></abstract> </front> <format target="https://www.rfc-editor.org/info/rfc8174" type="src"></format> <seriesInfo value=" 10.17487/RFC8174" name="DOI"></seriesInfo> <seriesInfo value="14" name="BCP"></seriesInfo> <seriesInfo value="8174" name="RFC"></seriesInfo></reference>
+      <reference target="https://www.rfc-editor.org/info/rfc9364" anchor="RFC9364"><stream>IETF</stream> <front> <title>DNS Security Extensions (DNSSEC)</title> <author fullname="P. Hoffman" asciiFullname="P. Hoffman"></author> <date month="February" year="2023"></date> <keyword>DNSSEC</keyword><keyword>DNS Security Extensions</keyword><keyword>DNS</keyword> <abstract>  <t anchor="_a355b985-b893-5fce-97cf-8fe3703eb640">This document describes the DNS Security Extensions (commonly called "DNSSEC") that are specified in RFCs 4033, 4034, and 4035, as well as a handful of others. One purpose is to introduce all of the RFCs in one place so that the reader can understand the many aspects of DNSSEC. This document does not update any of those RFCs. A second purpose is to state that using DNSSEC for origin authentication of DNS data is the best current practice. A third purpose is to provide a single reference for other documents that want to refer to DNSSEC.</t></abstract> </front> <format target="https://www.rfc-editor.org/info/rfc9364" type="src"></format> <seriesInfo value=" 10.17487/RFC9364" name="DOI"></seriesInfo> <seriesInfo value="237" name="BCP"></seriesInfo> <seriesInfo value="9364" name="RFC"></seriesInfo></reference>
     </references>
     <section anchor="_examples"><name>Examples</name>
 
 <section anchor="_example_template"><name>Example Template</name>
 
-<sourcecode anchor="_e47f0d5f-e73b-95f3-d429-823df81ed444" type="json"><![CDATA[{
+<sourcecode anchor="_191efd0a-04f8-5a98-70dc-445d2282408d" type="json"><![CDATA[{
     "providerId": "example.com",
     "providerName": "Example Web Hosting",
     "serviceId": "hosting",
     "serviceName": "Wordpress by example.com",
     "version": 1,
     "logoUrl": "https://www.example.com/images/billthecat.jpg",
-    "description": "This connects your domain to our super cool web hosting",
-    "launchURL" : "https://www.example.com/connectlaunch",
+    "description": "This connects your domain to our web hosting",
     "records": [
         {
-            "groupId" : "service",
             "type": "A",
+            "groupId": "service",
             "host": "www",
             "pointsTo": "%var1%",
-            "ttl": "%var2%"
+            "ttl": 600
         },
         {
-            "groupId" : "service",
             "type": "A",
+            "groupId": "service",
             "host": "m",
-            "pointsTo": "%var3%",
-            "ttl": "%var2%"
+            "pointsTo": "%var2%",
+            "ttl": 600
         },
         {
-            "groupId" : "service",
             "type": "CNAME",
+            "groupId": "service",
             "host": "webmail",
-            "pointsTo": "%var4%",
-            "ttl": "%var2%"
+            "pointsTo": "%var3%",
+            "ttl": 600
         },
         {
-            "groupId" : "verification",
             "type": "TXT",
+            "groupId": "verification",
             "host": "example",
-            "data": "%var5%",
-            "ttl": "%var2%"
+            "ttl": 600,
+            "data": "%var4%"
         }
     ]
 }]]></sourcecode>
@@ -1873,17 +1868,17 @@ clarification.]]></artwork></figure>
 section of the template would have a single record of type "A" and could
 have a value of:</t>
 
-<sourcecode anchor="_a6fe5e30-e8b9-065d-7a9e-f747a1410339" type="json"><![CDATA[[{
+<sourcecode anchor="_6fa9ba4b-1c57-ff27-0412-876c38b9cffd" type="json"><![CDATA[[{
     "type": "A",
     "host": "www",
-    "pointsTo": "192.168.1.1",
+    "pointsTo": "192.0.2.1",
     "ttl": 600
 }]]]></sourcecode>
 
 
-<t anchor="_f0f0d155-5957-5fd4-6563-b3dc2c6e5e52">This would have no variable substitution and the application of this
+<t anchor="_5f2c547d-f995-20aa-907d-34869d1e0a28">This would have no variable substitution and the application of this
 template to a domain would simply set the host name "www" to the IP
-address "192.168.1.1"</t>
+address "192.0.2.1"</t>
 </section>
 
 <section anchor="_example_records_single_variable_host_record_for_a"><name>Example Records: Single variable host record for A</name>
@@ -1892,10 +1887,10 @@ address "192.168.1.1"</t>
 variable, the template would have a single record of type "A" and could
 have a value of:</t>
 
-<sourcecode anchor="_6901e1bc-764d-3645-407c-8f70276131a2" type="json"><![CDATA[[{
+<sourcecode anchor="_0eea237d-9d4f-1046-5fe9-7261f1eecde3" type="json"><![CDATA[[{
     "type": "A",
     "host": "@",
-    "pointsTo": "192.168.1.%srv%",
+    "pointsTo": "198.51.100.%srv%",
     "ttl": 600
 }]]]></sourcecode>
 
@@ -1905,8 +1900,8 @@ have a value of:</t>
 <sourcecode anchor="_5c9436cf-d5bc-cc04-cef6-0eb9a852c3bd"><![CDATA[srv=2]]></sourcecode>
 
 
-<t anchor="_90ccea0d-8bf8-ed04-acc6-2735aac1c0ee">would cause the application of this template to a domain to set the host
-name for the apex A record to the IP address "192.168.1.2" with a TTL of
+<t anchor="_29e1c9b0-f7be-4e51-9cf0-afd8cee7b848">would cause the application of this template to a domain to set the host
+name for the apex A record to the IP address "198.51.100.2" with a TTL of
 600</t>
 </section>
 
@@ -1914,58 +1909,59 @@ name for the apex A record to the IP address "192.168.1.2" with a TTL of
 
 <t anchor="_16909f0e-07c0-0093-5e8f-2ecf3ef3ce98">Consider a DNS Zone before a template application:</t>
 
-<sourcecode anchor="_beb25201-df1e-4e41-7caf-68a46027b0e5"><![CDATA[$ORIGIN test-domain.com.
+<sourcecode anchor="_02b83fbe-ae18-edde-a30e-ea851ea9e03d"><![CDATA[$ORIGIN example.com.
 
-@ 3600 IN SOA ns11.acme.net. support.acme.net. 2017050817 7200 1800
-1209600 3600
-@ 3600 IN NS ns11.acme.net.
-@ 3600 IN NS ns12.acme.net.
-@ 3600 IN A 1.1.1.1
-@ 3600 IN A 1.1.1.2
+@ 3600 IN SOA ns11.example.net. support.example.net. 2017050817 7200
+1800 1209600 3600
+@ 3600 IN NS ns11.example.net.
+@ 3600 IN NS ns12.example.net.
+@ 3600 IN A 192.0.2.1
+@ 3600 IN A 192.0.2.2
 @ 3600 IN AAAA 2001:db8:1234:0000:0000:0000:0000:0000
 @ 3600 IN AAAA 2001:db8:1234:0000:0000:0000:0000:0001
-@ 3600 IN MX 10 mx1.acme.net.
-@ 3600 IN MX 10 mx2.acme.net.
-@ 3600 IN TXT "v=spf1 a include:spf.acme.com ~all"
-www 3600 IN CNAME other.host.com.]]></sourcecode>
+@ 3600 IN MX 10 mx1.example.net.
+@ 3600 IN MX 10 mx2.example.net.
+@ 3600 IN TXT "v=spf1 a include:spf.example.org ~all"
+www 3600 IN CNAME other.host.example.]]></sourcecode>
 
 
 <t anchor="_cad92c59-6d08-4dfa-6fa7-5a9399613ea0">Now application of the following template:</t>
 
-<sourcecode anchor="_4c5ef042-58a0-fb37-e81e-faee1ad6c254" type="json"><![CDATA[[
+<sourcecode anchor="_e7d19a01-5433-6740-c4c3-80723a7278dc" type="json"><![CDATA[[
     {
         "type":"A",
         "host":"@",
-        "pointsTo":"2.2.2.2",
+        "pointsTo":"203.0.113.2",
         "ttl":"1800"
     },
     {
         "type":"A",
         "host":"www",
-        "pointsTo":"2.2.2.2",
+        "pointsTo":"203.0.113.2",
         "ttl":"1800"
     },
     {
         "type":"SPFM",
         "host":"@",
-        "spfRules":"a include:spf.hoster.com"
+        "spfRules":"a include:spf.hoster.example"
     }
 ]]]></sourcecode>
 
 
 <t anchor="_55c22736-a700-2e20-1595-78d174817ada">The following DNS Zone should be generated after the template is applied:</t>
 
-<sourcecode anchor="_299e8f02-e9d1-b144-d18a-91556694d7db"><![CDATA[$ORIGIN test-domain.com.
+<sourcecode anchor="_dc14f371-3b66-6184-7704-7f35483bc1bc"><![CDATA[$ORIGIN example.com.
 
-@ 3600 IN SOA ns11.acme.net. support.acme.net. 2017050920 7200 1800
-1209600 3600
-@ 3600 IN NS ns11.acme.net.
-@ 3600 IN NS ns12.acme.net.
-@ 1800 IN A 2.2.2.2
-@ 3600 IN MX 10 mx1.acme.net.
-@ 3600 IN MX 10 mx2.acme.net.
-@ 1800 IN TXT "v=spf1 a include:spf.acme.com include:spf.hoster.com ~all"
-www 1800 IN A 2.2.2.2]]></sourcecode>
+@ 3600 IN SOA ns11.example.net. support.example.net. 2017050920 7200
+1800 1209600 3600
+@ 3600 IN NS ns11.example.net.
+@ 3600 IN NS ns12.example.net.
+@ 1800 IN A 203.0.113.2
+@ 3600 IN MX 10 mx1.example.net.
+@ 3600 IN MX 10 mx2.example.net.
+@ 1800 IN TXT "v=spf1 a include:spf.example.org include:spf.hoster.ex
+ample ~all"
+www 1800 IN A 203.0.113.2]]></sourcecode>
 
 </section>
 
@@ -1973,75 +1969,77 @@ www 1800 IN A 2.2.2.2]]></sourcecode>
 
 <t anchor="_e0f231cb-09e8-836a-a74a-fd4b38ebf842">Consider a DNS Zone before a template application:</t>
 
-<sourcecode anchor="_37873257-5980-40a1-ee2a-514af103ea59"><![CDATA[$ORIGIN test-domain.com.
+<sourcecode anchor="_e34097a4-54e6-428a-66f0-9562d8d96aeb"><![CDATA[$ORIGIN example.com.
 
-@ 3600 IN SOA ns11.acme.net. support.acme.net. 2017050817 7200 1800
-1209600 3600
-@ 3600 IN NS ns11.acme.net.
-@ 3600 IN NS ns12.acme.net.]]></sourcecode>
+@ 3600 IN SOA ns11.example.net. support.example.net. 2017050817 7200
+1800 1209600 3600
+@ 3600 IN NS ns11.example.net.
+@ 3600 IN NS ns12.example.net.]]></sourcecode>
 
 
 <t anchor="_34470460-8d9d-ddbb-2bfa-e2f2d1b8c1a1">Now application of the following template of Mail service:</t>
 
-<sourcecode anchor="_37816afc-f2fc-e10a-e3eb-3e4f159417c7" type="json"><![CDATA[[
+<sourcecode anchor="_28f54cd7-2847-33cf-f9f1-12b3f3b5c074" type="json"><![CDATA[[
     {
         "type":"MX",
         "host":"@",
         "priority": "10",
-        "pointsTo":"mx1.acme.net",
+        "pointsTo":"mx1.example.net",
         "ttl":"1800"
     },
     {
         "type":"MX",
         "host":"www",
         "priority": "10",
-        "pointsTo":"mx2.acme.net",
+        "pointsTo":"mx2.example.net",
         "ttl":"1800"
     },
     {
         "type":"SPFM",
         "host":"@",
-        "spfRules":"a include:spf.acme.net"
+        "spfRules":"a include:spf.example.net"
     }
 ]]]></sourcecode>
 
 
 <t anchor="_3bf72938-d50a-22fb-99db-59ee714bffed">Expected result in the DNS Zone</t>
 
-<sourcecode anchor="_2a3344fd-1310-db28-3bf6-827b26eda390"><![CDATA[$ORIGIN test-domain.com.
+<sourcecode anchor="_33be2a21-f419-0c1d-750d-698b0e7376fc"><![CDATA[$ORIGIN example.com.
 
-@ 3600 IN SOA ns11.acme.net. support.acme.net. 2017050817 7200 1800
-1209600 3600
-@ 3600 IN NS ns11.acme.net.
-@ 3600 IN NS ns12.acme.net.
-@ 3600 IN MX 10 mx1.acme.net.
-@ 3600 IN MX 10 mx2.acme.net.
-@ 3600 IN TXT "v=spf1 a include:spf.acme.net ~all"]]></sourcecode>
+@ 3600 IN SOA ns11.example.net. support.example.net. 2017050817 7200
+1800 1209600 3600
+@ 3600 IN NS ns11.example.net.
+@ 3600 IN NS ns12.example.net.
+@ 3600 IN MX 10 mx1.example.net.
+@ 3600 IN MX 10 mx2.example.net.
+@ 3600 IN TXT "v=spf1 a include:spf.example.net ~all"]]></sourcecode>
 
 
 <t anchor="_e4ae8869-9344-0bdd-f332-aa0483a5cba6">In the next step application of the following template of Newsletter
 service:</t>
 
-<sourcecode anchor="_2bec7e7f-c6a8-6625-1ac4-fd6da710cd3d" type="json"><![CDATA[[
+<sourcecode anchor="_354eee43-7aa7-f570-d41c-1cd1c2262d64" type="json"><![CDATA[[
     {
         "type":"SPFM",
         "host":"@",
-        "spfRules":"include:_spf.newsletter.com"
+        "spfRules":"include:_spf.newsletter.example"
     }
 ]]]></sourcecode>
 
 
 <t anchor="_965ac019-171f-ae69-f909-7b7d62ed8277">Expected result in the DNS Zone</t>
 
-<sourcecode anchor="_359e1520-3e51-2295-a504-395d3252083d"><![CDATA[$ORIGIN test-domain.com.
-
-@ 3600 IN SOA ns11.acme.net. support.acme.net. 2017050817 7200 1800
-1209600 3600
-@ 3600 IN NS ns11.acme.net.
-@ 3600 IN NS ns12.acme.net.
-@ 3600 IN MX 10 mx1.acme.net.
-@ 3600 IN MX 10 mx2.acme.net.
-@ 3600 IN TXT "v=spf1 a include:spf.acme.net include:_spf.newsletter.com ~all"]]></sourcecode>
+<sourcecode anchor="_9f87bd04-c14d-69d0-f7a9-93111ef714a1"><![CDATA[$ORIGIN example.com.
+
+@ 3600 IN SOA ns11.example.net. support.example.net. 2017050817 7200
+1800 1209600 3600
+@ 3600 IN NS ns11.example.net.
+@ 3600 IN NS ns12.example.net.
+@ 3600 IN MX 10 mx1.example.net.
+@ 3600 IN MX 10 mx2.example.net.
+@ 3600 IN TXT "v=spf1 a include:spf.example.net include:_spf.newslett
+er.
+example ~all"]]></sourcecode>
 
 </section>
 </section>
diff --git a/draft-domain-connect-04.txt b/draft-kowalik-regext-domainconnect-00.txt
similarity index 62%
rename from draft-domain-connect-04.txt
rename to draft-kowalik-regext-domainconnect-00.txt
index 0702676..0c08d75 100644
--- a/draft-domain-connect-04.txt
+++ b/draft-kowalik-regext-domainconnect-00.txt
@@ -2,23 +2,27 @@
 
 
 
-Registration Protocols Extensions                              R. Carney
-Internet-Draft                                              GoDaddy Inc.
-Intended status: Informational                                  A. Blinn
-Expires: 29 October 2022                                                
-                                                              P. Kowalik
-                                                                IONOS SE
-                                                           27 April 2022
+Registration Protocols Extensions                             P. Kowalik
+Internet-Draft                                                  DENIC eG
+Intended status: Standards Track                                A. Blinn
+Expires: 23 January 2025                                                
+                                                               J. Kolker
+                                                            GoDaddy Inc.
+                                                               S. Kerola
+                                                        Cloudflare, Inc.
+                                                            22 July 2024
 
 
- Domain Connect API - Communications between DNS Provider and Services
-                  draft-carney-regext-domainconnect-04
+  Domain Connect Protocol - DNS provisioning between Services and DNS
+                               Providers
+                 draft-kowalik-regext-domainconnect-00
 
 Abstract
 
-   This document provides information related to the Domain Connect API
-   that was built to support communications between DNS Providers and
-   Service Providers (hosting, social, email, hardware, etc.).
+   This document provides specification of the Domain Connect Protocol
+   that was built to support DNS configuration provisioning between
+   Service Providers (hosting, social, email, hardware, etc.) and DNS
+   Providers.
 
 Status of This Memo
 
@@ -35,115 +39,138 @@ Status of This Memo
    time.  It is inappropriate to use Internet-Drafts as reference
    material or to cite them other than as "work in progress."
 
-   This Internet-Draft will expire on 29 October 2022.
+   This Internet-Draft will expire on 23 January 2025.
 
 Copyright Notice
 
-   Copyright (c) 2022 IETF Trust and the persons identified as the
+   Copyright (c) 2024 IETF Trust and the persons identified as the
    document authors.  All rights reserved.
 
    This document is subject to BCP 78 and the IETF Trust's Legal
    Provisions Relating to IETF Documents (https://trustee.ietf.org/
    license-info) in effect on the date of publication of this document.
    Please review these documents carefully, as they describe your rights
-   and restrictions with respect to this document.
 
 
 
+Kowalik, et al.          Expires 23 January 2025                [Page 1]
+
+Internet-Draft               Domain Connect                    July 2024
+
 
+   and restrictions with respect to this document.  Code Components
+   extracted from this document must include Revised BSD License text as
+   described in Section 4.e of the Trust Legal Provisions and are
+   provided without warranty as described in the Revised BSD License.
 
+Table of Contents
 
-Carney, et al.           Expires 29 October 2022                [Page 1]
+   1.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   3
+   2.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   4
+   4.  Protocol design . . . . . . . . . . . . . . . . . . . . . . .   5
+     4.1.  Templates . . . . . . . . . . . . . . . . . . . . . . . .   5
+   5.  End User Flows  . . . . . . . . . . . . . . . . . . . . . . .   6
+     5.1.  General information . . . . . . . . . . . . . . . . . . .   6
+     5.2.  The Synchronous Flow  . . . . . . . . . . . . . . . . . .   6
+     5.3.  The Asynchronous Flow . . . . . . . . . . . . . . . . . .   9
+   6.  DNS Provider Discovery  . . . . . . . . . . . . . . . . . . .   9
+   7.  Applying Domain Connect . . . . . . . . . . . . . . . . . . .  13
+     7.1.  Endpoints . . . . . . . . . . . . . . . . . . . . . . . .  14
+     7.2.  Synchronous Flow  . . . . . . . . . . . . . . . . . . . .  14
+       7.2.1.  Query Supported Template  . . . . . . . . . . . . . .  14
+       7.2.2.  Apply Template  . . . . . . . . . . . . . . . . . . .  15
+       7.2.3.  Security Considerations . . . . . . . . . . . . . . .  19
+       7.2.4.  Shared Templates  . . . . . . . . . . . . . . . . . .  21
+       7.2.5.  Verification of Changes . . . . . . . . . . . . . . .  22
+     7.3.  Asynchronous Flow: OAuth  . . . . . . . . . . . . . . . .  22
+       7.3.1.  General information . . . . . . . . . . . . . . . . .  23
+       7.3.2.  OAuth Flow: Setup . . . . . . . . . . . . . . . . . .  23
+       7.3.3.  OAuth Flow: Getting an Authorization Code . . . . . .  23
+       7.3.4.  OAuth Flow: Requesting an Access Token  . . . . . . .  27
+       7.3.5.  OAuth Flow: Making Requests with Access Tokens  . . .  30
+       7.3.6.  OAuth Flow: Apply Template to Domain. . . . . . . . .  31
+       7.3.7.  OAuth Flow: Revert Template . . . . . . . . . . . . .  35
+       7.3.8.  OAuth Flow: Revoking access . . . . . . . . . . . . .  36
+   8.  Domain Connect Objects and Templates  . . . . . . . . . . . .  36
+     8.1.  Template Versioning . . . . . . . . . . . . . . . . . . .  37
+     8.2.  Template Definition . . . . . . . . . . . . . . . . . . .  37
+     8.3.  Template Record . . . . . . . . . . . . . . . . . . . . .  41
+   9.  Template Considerations . . . . . . . . . . . . . . . . . . .  46
+     9.1.  Template State in DNS . . . . . . . . . . . . . . . . . .  46
+     9.2.  Disclosure of Changes and Conflicts . . . . . . . . . . .  46
+     9.3.  Record Types and Conflicts  . . . . . . . . . . . . . . .  48
+     9.4.  Apply, Re-apply, and Multi-Instance . . . . . . . . . . .  48
+     9.5.  Non-essential records . . . . . . . . . . . . . . . . . .  49
+     9.6.  Template Scope  . . . . . . . . . . . . . . . . . . . . .  49
+     9.7.  Host/Name in Template . . . . . . . . . . . . . . . . . .  49
+     9.8.  PointsTo in Template  . . . . . . . . . . . . . . . . . .  50
+     9.9.  Variables . . . . . . . . . . . . . . . . . . . . . . . .  50
+       9.9.1.  Variables and Host/Name in Template . . . . . . . . .  50
+
+
+
+Kowalik, et al.          Expires 23 January 2025                [Page 2]
 
-Internet-Draft               Domain Connect                   April 2022
+Internet-Draft               Domain Connect                    July 2024
+
+
+       9.9.2.  Variable Values . . . . . . . . . . . . . . . . . . .  51
+       9.9.3.  Variables and Security  . . . . . . . . . . . . . . .  52
+       9.9.4.  Variable Examples . . . . . . . . . . . . . . . . . .  52
+     9.10. SPF TXT Record  . . . . . . . . . . . . . . . . . . . . .  53
+       9.10.1.  What is SPF? . . . . . . . . . . . . . . . . . . . .  53
+       9.10.2.  Multiple Services  . . . . . . . . . . . . . . . . .  53
+       9.10.3.  SPF Record Merging . . . . . . . . . . . . . . . . .  54
+       9.10.4.  Alternatives . . . . . . . . . . . . . . . . . . . .  56
+     9.11. Public Template Repository  . . . . . . . . . . . . . . .  56
+       9.11.1.  General information  . . . . . . . . . . . . . . . .  56
+       9.11.2.  Repository Location  . . . . . . . . . . . . . . . .  56
+       9.11.3.  File naming requirements . . . . . . . . . . . . . .  56
+       9.11.4.  Template Integrity . . . . . . . . . . . . . . . . .  57
+   10. General considerations  . . . . . . . . . . . . . . . . . . .  57
+     10.1.  Onboarding . . . . . . . . . . . . . . . . . . . . . . .  57
+     10.2.  Case Sensitivity . . . . . . . . . . . . . . . . . . . .  57
+   11. Extensions/Exclusions . . . . . . . . . . . . . . . . . . . .  58
+     11.1.  General information  . . . . . . . . . . . . . . . . . .  58
+     11.2.  APEXCNAME  . . . . . . . . . . . . . . . . . . . . . . .  58
+     11.3.  Redirection  . . . . . . . . . . . . . . . . . . . . . .  58
+     11.4.  Nameservers  . . . . . . . . . . . . . . . . . . . . . .  59
+     11.5.  DS (DNSSEC)  . . . . . . . . . . . . . . . . . . . . . .  59
+   12. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  59
+   13. Change History  . . . . . . . . . . . . . . . . . . . . . . .  59
+     13.1.  Change from 03 to 04 . . . . . . . . . . . . . . . . . .  59
+     13.2.  Change from 02 to 03 . . . . . . . . . . . . . . . . . .  60
+     13.3.  Change from 01 to 02 . . . . . . . . . . . . . . . . . .  60
+     13.4.  Change from 00 to 01 . . . . . . . . . . . . . . . . . .  60
+   14. Normative References  . . . . . . . . . . . . . . . . . . . .  60
+   15. Informative References  . . . . . . . . . . . . . . . . . . .  60
+   Appendix A.  Examples . . . . . . . . . . . . . . . . . . . . . .  61
+     A.1.  Example Template  . . . . . . . . . . . . . . . . . . . .  61
+     A.2.  Example Records: Single static host record  . . . . . . .  62
+     A.3.  Example Records: Single variable host record for A  . . .  62
+     A.4.  Example: DNS Zone merging . . . . . . . . . . . . . . . .  62
+     A.5.  Example: SPF Record Merging . . . . . . . . . . . . . . .  64
+   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  65
+
+1.  Acknowledgements
+
+   The authors wish to thank the following persons for their feedback
+   and suggestions as well as for the previous work on the standard:
 
+   *  Roger Carney of GoDaddy Inc.
+
+   *  Chris Ambler of GoDaddy Inc.
 
-Table of Contents
 
-   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
-   2.  Protocol design . . . . . . . . . . . . . . . . . . . . . . .   5
-     2.1.  Templates . . . . . . . . . . . . . . . . . . . . . . . .   5
-     2.2.  End User Flows  . . . . . . . . . . . . . . . . . . . . .   5
-       2.2.1.  The Synchronous Flow  . . . . . . . . . . . . . . . .   6
-       2.2.2.  The Asynchronous Flow . . . . . . . . . . . . . . . .   9
-   3.  DNS Provider Discovery  . . . . . . . . . . . . . . . . . . .   9
-   4.  Applying Domain Connect . . . . . . . . . . . . . . . . . . .  13
-     4.1.  Endpoints . . . . . . . . . . . . . . . . . . . . . . . .  13
-     4.2.  Synchronous Flow  . . . . . . . . . . . . . . . . . . . .  14
-       4.2.1.  Query Supported Template  . . . . . . . . . . . . . .  14
-       4.2.2.  Apply Template  . . . . . . . . . . . . . . . . . . .  15
-       4.2.3.  Security Considerations . . . . . . . . . . . . . . .  18
-       4.2.4.  Shared Templates  . . . . . . . . . . . . . . . . . .  21
-       4.2.5.  Verification of Changes . . . . . . . . . . . . . . .  21
-     4.3.  Asynchronous Flow: OAuth  . . . . . . . . . . . . . . . .  22
-       4.3.1.  OAuth Flow: Setup . . . . . . . . . . . . . . . . . .  22
-       4.3.2.  OAuth Flow: Getting an Authorization Code . . . . . .  22
-       4.3.3.  oAuth Flow: Requesting an Access Token  . . . . . . .  26
-       4.3.4.  OAuth Flow: Making Requests with Access Tokens  . . .  29
-       4.3.5.  OAuth Flow: Apply Template to Domain. . . . . . . . .  30
-       4.3.6.  OAuth Flow: Revert Template . . . . . . . . . . . . .  34
-       4.3.7.  OAuth Flow: Revoking access . . . . . . . . . . . . .  35
-   5.  Domain Connect Objects and Templates  . . . . . . . . . . . .  36
-     5.1.  Template Versioning . . . . . . . . . . . . . . . . . . .  36
-     5.2.  Template Definition . . . . . . . . . . . . . . . . . . .  36
-     5.3.  Template Record . . . . . . . . . . . . . . . . . . . . .  39
-   6.  Template Considerations . . . . . . . . . . . . . . . . . . .  43
-     6.1.  Template State in DNS . . . . . . . . . . . . . . . . . .  43
-     6.2.  Disclosure of Changes and Conflicts . . . . . . . . . . .  44
-     6.3.  Record Types and Conflicts  . . . . . . . . . . . . . . .  45
-     6.4.  Apply, Re-apply, and Multi-Instance . . . . . . . . . . .  46
-     6.5.  Non-essential records . . . . . . . . . . . . . . . . . .  46
-     6.6.  Template Scope  . . . . . . . . . . . . . . . . . . . . .  46
-     6.7.  Host/Name in Template . . . . . . . . . . . . . . . . . .  47
-     6.8.  PointsTo in Template  . . . . . . . . . . . . . . . . . .  47
-     6.9.  Variables . . . . . . . . . . . . . . . . . . . . . . . .  48
-       6.9.1.  Variables and Host/Name in Template . . . . . . . . .  48
-       6.9.2.  Variable Values . . . . . . . . . . . . . . . . . . .  49
-       6.9.3.  Variables and Security  . . . . . . . . . . . . . . .  49
-       6.9.4.  Variable Examples . . . . . . . . . . . . . . . . . .  49
-     6.10. SPF TXT Record  . . . . . . . . . . . . . . . . . . . . .  50
-       6.10.1.  What is SPF? . . . . . . . . . . . . . . . . . . . .  50
-       6.10.2.  Multiple Services  . . . . . . . . . . . . . . . . .  51
-       6.10.3.  SPF Record Merging . . . . . . . . . . . . . . . . .  51
-       6.10.4.  Alternatives . . . . . . . . . . . . . . . . . . . .  53
-
-
-
-Carney, et al.           Expires 29 October 2022                [Page 2]
-
-Internet-Draft               Domain Connect                   April 2022
-
-
-     6.11. Public Template Repository  . . . . . . . . . . . . . . .  53
-       6.11.1.  Repository Location  . . . . . . . . . . . . . . . .  53
-       6.11.2.  File naming requirements . . . . . . . . . . . . . .  53
-       6.11.3.  Template Integrity . . . . . . . . . . . . . . . . .  54
-   7.  General considerations  . . . . . . . . . . . . . . . . . . .  54
-     7.1.  Onboarding  . . . . . . . . . . . . . . . . . . . . . . .  54
-     7.2.  Case Sensitivity  . . . . . . . . . . . . . . . . . . . .  54
-   8.  Extensions/Exclusions . . . . . . . . . . . . . . . . . . . .  55
-     8.1.  APEXCNAME . . . . . . . . . . . . . . . . . . . . . . . .  55
-     8.2.  Redirection . . . . . . . . . . . . . . . . . . . . . . .  55
-     8.3.  Nameservers . . . . . . . . . . . . . . . . . . . . . . .  56
-     8.4.  DS (DNSSEC) . . . . . . . . . . . . . . . . . . . . . . .  56
-   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  56
-   10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .  56
-   11. Change History  . . . . . . . . . . . . . . . . . . . . . . .  57
-     11.1.  Change from 03 to 04 . . . . . . . . . . . . . . . . . .  57
-     11.2.  Change from 02 to 03 . . . . . . . . . . . . . . . . . .  57
-     11.3.  Change from 01 to 02 . . . . . . . . . . . . . . . . . .  57
-     11.4.  Change from 00 to 01 . . . . . . . . . . . . . . . . . .  57
-   12. Normative References  . . . . . . . . . . . . . . . . . . . .  57
-   13. Informative References  . . . . . . . . . . . . . . . . . . .  57
-   Appendix A.  Examples . . . . . . . . . . . . . . . . . . . . . .  58
-     A.1.  Example Template  . . . . . . . . . . . . . . . . . . . .  58
-     A.2.  Example Records: Single static host record  . . . . . . .  59
-     A.3.  Example Records: Single variable host record for A  . . .  59
-     A.4.  Example: DNS Zone merging . . . . . . . . . . . . . . . .  59
-     A.5.  Example: SPF Record Merging . . . . . . . . . . . . . . .  61
-   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  62
-
-1.  Introduction
+
+
+
+Kowalik, et al.          Expires 23 January 2025                [Page 3]
+
+Internet-Draft               Domain Connect                    July 2024
+
+
+2.  Introduction
 
    Configuring a service at a Service Provider to work with a domain has
    historically been a complex task that is difficult for users.
@@ -160,16 +187,6 @@ Internet-Draft               Domain Connect                   April 2022
    might include help text, screen shots, or even links to the
    appropriate tools.
 
-
-
-
-
-
-Carney, et al.           Expires 29 October 2022                [Page 3]
-
-Internet-Draft               Domain Connect                   April 2022
-
-
    Discovery of the DNS Provider in this manner is unreliable, and
    providing instructions to users would present a number of
    technologies (DNS record types, TTLs, Hostnames, etc.) and processes
@@ -187,12 +204,12 @@ Internet-Draft               Domain Connect                   April 2022
    of DNS settings will be done through the application of templates
    instead of direct manipulation of individual DNS records.
 
-1.1.  Terminology
+3.  Terminology
 
    The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "*NOT RECOMMENDED*", "MAY",
-   and "OPTIONAL" in this document are to be interpreted as described in
-   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
+   "OPTIONAL" in this document are to be interpreted as described in BCP
+   14 [RFC2119] [RFC8174] when, and only when, they appear in all
    capitals, as shown here.
 
    Service Providers  refers to entities that provide products and
@@ -202,9 +219,16 @@ Internet-Draft               Domain Connect                   April 2022
       manufacturers with DNS-enabled devices like home routers or
       automation controls (such as Linksys, Nest, and Philips).
 
+
+
+Kowalik, et al.          Expires 23 January 2025                [Page 4]
+
+Internet-Draft               Domain Connect                    July 2024
+
+
    DNS Providers  refers to entities that provide DNS services such as
       registrars (such as GoDaddy or 1and1) or standalone DNS services
-      (like CloudFlare).
+      (like Cloudflare).
 
    Registrar  refers to entities that register domain names with
       registries.  It is noted that the DNS Provider and Registrar can
@@ -217,14 +241,7 @@ Internet-Draft               Domain Connect                   April 2022
       service.
 
    Public Template Repository  refers to a public repository of
-      Templates in a standarised format (read more: Section 6.11).
-
-
-
-Carney, et al.           Expires 29 October 2022                [Page 4]
-
-Internet-Draft               Domain Connect                   April 2022
-
+      Templates in a standarised format (read more: Section 9.11).
 
    Root Domain  refers to a registered domain (e.g. example.com or
       example.co.uk), or to a delegated zone in DNS.
@@ -232,9 +249,9 @@ Internet-Draft               Domain Connect                   April 2022
    Sub Domain  refers to a sub-domain of a root domain (e.g.
       sub.example.com or sub.example.co.uk).
 
-2.  Protocol design
+4.  Protocol design
 
-2.1.  Templates
+4.1.  Templates
 
    Templates are core to Domain Connect, as they fully describe a
    service owned by a Service Provider and contain all of the
@@ -254,34 +271,30 @@ Internet-Draft               Domain Connect                   April 2022
 
    The template is defined by the Service Provider and manually
    onboarded with the DNS Provider, according to a template definition
-   published in the Public Repository (Section 6.11) or agreed out-of-
+   published in the Public Repository (Section 9.11) or agreed out-of-
    band between the Service Provider and the DNS Provider.
 
+
+
+
+Kowalik, et al.          Expires 23 January 2025                [Page 5]
+
+Internet-Draft               Domain Connect                    July 2024
+
+
    By basing the protocol on templates instead of DNS Records, several
    advantages are achieved.  The DNS Provider has very explicit
    knowledge and control of the settings being changed to enable a
    service.  And the system is more secure as templates are controlled
    and contained.
 
-2.2.  End User Flows
+5.  End User Flows
+
+5.1.  General information
 
    To attach a domain name to a service provided by a Service Provider,
    the customer would first enter their domain name.
 
-
-
-
-
-
-
-
-
-
-Carney, et al.           Expires 29 October 2022                [Page 5]
-
-Internet-Draft               Domain Connect                   April 2022
-
-
    Instead of relying on examination of the nameservers and mapping
    these to DNS Providers, DNS Provider discovery is handled through
    simple records in DNS and an API.  The Service Provider queries for a
@@ -292,18 +305,18 @@ Internet-Draft               Domain Connect                   April 2022
 
    To apply the changes to DNS, there are two use cases.  The first is a
    synchronous web flow, and the second is an asynchronous flow using
-   oAuth and an API.
+   OAuth and an API.
 
    It is noted that a DNS Provider may choose to only implement one of
    the flows.  As a matter of practice many Service Providers are based
    on the synchronous flow, with only a handful of them based on the
-   asynchronous oAuth flow.  So many DNS providers may opt to only
+   asynchronous OAuth flow.  So many DNS providers may opt to only
    implement the synchronous flow.
 
    It is also be noted that individual services may work with the
    synchronous flow only, the asynchronous flow only, or with both.
 
-2.2.1.  The Synchronous Flow
+5.2.  The Synchronous Flow
 
    This flow is tailored for the Service Provider that requires a one
    time synchronous change to DNS.
@@ -311,8 +324,22 @@ Internet-Draft               Domain Connect                   April 2022
    The user first enters their domain name at the Service Provider
    website.
 
+
+
+
+
+
+
+
+
+
+Kowalik, et al.          Expires 23 January 2025                [Page 6]
+
+Internet-Draft               Domain Connect                    July 2024
+
+
    +-----------------------------------------------+
-   | http://acmewebsiteserviceprovider.com         |
+   | https://acmewebsiteserviceprovider.example    |
    +-----------------------------------------------+
    | ACME Web Site Service Provider                |
    |                                               |
@@ -331,19 +358,12 @@ Internet-Draft               Domain Connect                   April 2022
 
                   Figure 1: Service Provider domain input
 
-
-
-Carney, et al.           Expires 29 October 2022                [Page 6]
-
-Internet-Draft               Domain Connect                   April 2022
-
-
    After the Service Provider determines the DNS Provider using
    discovery, the Service Provider should display a link to the user
    indicating that they can "Connect their Domain" to the service.
 
    +-----------------------------------------------+
-   | http://acmewebsiteserviceprovider.com         |
+   | https://acmewebsiteserviceprovider.example    |
    +-----------------------------------------------+
    | ACME Web Site Service Provider                |
    |                                               |
@@ -367,42 +387,25 @@ Internet-Draft               Domain Connect                   April 2022
    provider/template being enabled, and any additional parameters
    (variables) needed to apply the template and configure the service.
 
-   Once at the DNS Provider site, the user is asked to authenticate if
-   necessary.
-
-
-
-
-
 
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-Carney, et al.           Expires 29 October 2022                [Page 7]
+Kowalik, et al.          Expires 23 January 2025                [Page 7]
 
-Internet-Draft               Domain Connect                   April 2022
+Internet-Draft               Domain Connect                    July 2024
 
 
+   Once at the DNS Provider site, the user is asked to authenticate if
+   necessary.
+
    +-----------------------------------------------+
-   | http://virtucondomains.com                    |
+   | https://virtucondomains.example               |
    +-----------------------------------------------+
    | Virtucon Domains                              |
    |                                               |
    | Please sign in to Virtucon domains            |
    |                                               |
    |                 +-------------------------+   |
-   | Login           |user@xyz.com             |   |
+   | Login           |user@xyz.example         |   |
    |                 +-------------------------+   |
    |                                               |
    |                 +-------------------------+   |
@@ -425,7 +428,7 @@ Internet-Draft               Domain Connect                   April 2022
    disabled by applying this change to DNS.
 
    +-----------------------------------------------+
-   | http://virtucondomains.com                    |
+   | https://virtucondomains.example               |
    +-----------------------------------------------+
    | Virtucon Domains                              |
    |                                               |
@@ -440,16 +443,16 @@ Internet-Draft               Domain Connect                   April 2022
    |                                               |
    +-----------------------------------------------+
 
-     Figure 4: User authorization at the DNS provider of the DNS setup
-                                  for ACME
-
 
 
-Carney, et al.           Expires 29 October 2022                [Page 8]
+Kowalik, et al.          Expires 23 January 2025                [Page 8]
 
-Internet-Draft               Domain Connect                   April 2022
+Internet-Draft               Domain Connect                    July 2024
 
 
+     Figure 4: User authorization at the DNS provider of the DNS setup
+                                  for ACME
+
    Assuming the user grants this consent, the DNS changes are be
    applied.
 
@@ -458,9 +461,9 @@ Internet-Draft               Domain Connect                   April 2022
    must be navigated back to the Service Provider after the changes are
    applied.
 
-2.2.2.  The Asynchronous Flow
+5.3.  The Asynchronous Flow
 
-   The asynchronous oAuth flow is tailored for the Service Provider that
+   The asynchronous OAuth flow is tailored for the Service Provider that
    wishes to make changes to DNS asynchronously with respect to the user
    interaction, or wishes to make multiple or additional changes to DNS
    over time.
@@ -481,13 +484,13 @@ Internet-Draft               Domain Connect                   April 2022
    domain (and specific subdomains) DNS under control of a specific user
    at the DNS Provider.
 
-   The Service Provider would later call the an API to apply a template
-   using the access token.
+   The Service Provider would later call the API of the DNS provider to
+   apply a template using the access token.
 
    Additional parameters must be passed as name/value pairs when
    applying the template.
 
-3.  DNS Provider Discovery
+6.  DNS Provider Discovery
 
    To facilitate discovery of the DNS Provider from a domain name DNS is
    utilized.  This is done by returning a TXT record for
@@ -495,16 +498,15 @@ Internet-Draft               Domain Connect                   April 2022
 
    An example of the contents of this record:
 
-   domainconnect.virtucondomains.com
-
 
 
 
-
-Carney, et al.           Expires 29 October 2022                [Page 9]
+Kowalik, et al.          Expires 23 January 2025                [Page 9]
 
-Internet-Draft               Domain Connect                   April 2022
+Internet-Draft               Domain Connect                    July 2024
+
 
+   domainconnect.virtucondomains.example
 
    As a practical matter of implementation, the DNS Provider may or may
    not contain a copy of this data in each and every zone.  Instead, the
@@ -535,33 +537,34 @@ Internet-Draft               Domain Connect                   April 2022
    +==============+=====================+========+=====================+
    | *Field*      | *Key*               | *Type* | *Description*       |
    +==============+=====================+========+=====================+
-   | *Provider    | providerId          | String | Unique identifier   |
-   | Id*          |                     |        | for the DNS         |
-   |              |                     |        | Provider.  To       |
+   | *Provider    | providerId          | String | (REQUIRED) Unique   |
+   | Id*          |                     |        | identifier for the  |
+   |              |                     |        | DNS Provider.  To   |
    |              |                     |        | ensure non-         |
    |              |                     |        | coordinated         |
    |              |                     |        | uniqueness, this    |
    |              |                     |        | should be the       |
    |              |                     |        | domain name of the  |
    |              |                     |        | DNS Provider (e.g.  |
-   |              |                     |        | virtucom.com).      |
+   |              |                     |        | virtucom.example).  |
    +--------------+---------------------+--------+---------------------+
-   | *Provider    | providerName        | String | The name of the     |
-   | Name*        |                     |        | DNS Provider.       |
+   | *Provider    | providerName        | String | (REQUIRED) The      |
+   | Name*        |                     |        | name of the DNS     |
+   |              |                     |        | Provider.           |
    +--------------+---------------------+--------+---------------------+
    | *Provider    | providerDisplayName | String | (OPTIONAL) The      |
    | Display      |                     |        | name of the DNS     |
-   | Name*        |                     |        | Provider that       |
-   |              |                     |        | should be           |
-   |              |                     |        | displayed by the    |
 
 
 
-Carney, et al.           Expires 29 October 2022               [Page 10]
+Kowalik, et al.          Expires 23 January 2025               [Page 10]
 
-Internet-Draft               Domain Connect                   April 2022
+Internet-Draft               Domain Connect                    July 2024
 
 
+   | Name*        |                     |        | Provider that       |
+   |              |                     |        | should be           |
+   |              |                     |        | displayed by the    |
    |              |                     |        | Service Provider.   |
    |              |                     |        | This may change     |
    |              |                     |        | per domain for      |
@@ -596,8 +599,9 @@ Internet-Draft               Domain Connect                   April 2022
    |              |                     |        | asynchronous flow   |
    |              |                     |        | on this domain.     |
    +--------------+---------------------+--------+---------------------+
-   | *API URL     | urlAPI              | String | The URL Prefix for  |
-   | Prefix*      |                     |        | the REST API        |
+   | *API URL     | urlAPI              | String | (REQUIRED) The URL  |
+   | Prefix*      |                     |        | Prefix for the      |
+   |              |                     |        | REST API            |
    +--------------+---------------------+--------+---------------------+
    | *Width of    | width               | Number | (OPTIONAL) This is  |
    | Window*      |                     |        | the desired width   |
@@ -606,18 +610,18 @@ Internet-Draft               Domain Connect                   April 2022
    |              |                     |        | when navigated in   |
    |              |                     |        | a popup.  Default   |
    |              |                     |        | value if not        |
-   |              |                     |        | returned should be  |
-   |              |                     |        | 750px.              |
-   +--------------+---------------------+--------+---------------------+
-   | *Height of   | height              | Number | (OPTIONAL) This is  |
 
 
 
-Carney, et al.           Expires 29 October 2022               [Page 11]
+Kowalik, et al.          Expires 23 January 2025               [Page 11]
 
-Internet-Draft               Domain Connect                   April 2022
+Internet-Draft               Domain Connect                    July 2024
 
 
+   |              |                     |        | returned should be  |
+   |              |                     |        | 750px.              |
+   +--------------+---------------------+--------+---------------------+
+   | *Height of   | height              | Number | (OPTIONAL) This is  |
    | Window*      |                     |        | the desired height  |
    |              |                     |        | of the window for   |
    |              |                     |        | granting consent    |
@@ -662,31 +666,31 @@ Internet-Draft               Domain Connect                   April 2022
    |              |                     |        | nameservers; for    |
    |              |                     |        | this the registry   |
    |              |                     |        | would be queried.   |
-   +--------------+---------------------+--------+---------------------+
 
-             Table 1: properties of the settings data structure
 
 
-
-
-Carney, et al.           Expires 29 October 2022               [Page 12]
+Kowalik, et al.          Expires 23 January 2025               [Page 12]
 
-Internet-Draft               Domain Connect                   April 2022
+Internet-Draft               Domain Connect                    July 2024
 
 
-   As an example, the JSON returned by this call might contain.
+   +--------------+---------------------+--------+---------------------+
+
+             Table 1: properties of the settings data structure
 
    {
-       "providerId": "virtucondomains.com",
+       "providerId": "virtucondomains.example",
        "providerName": "Virtucon Domains",
        "providerDisplayName": "Virtucon Domains",
-       "urlSyncUX": "https://domainconnect.virtucondomains.com",
-       "urlAsyncUX": "https://domainconnect.virtucondomains.com",
-       "urlAPI": "https://api.domainconnect.virtucondomains.com",
+       "urlSyncUX": "https://domainconnect.virtucondomains.example",
+       "urlAsyncUX": "https://domainconnect.virtucondomains.example",
+       "urlAPI": "https://api.domainconnect.virtucondomains.example",
        "width": 750,
        "height": 750,
-       "urlControlPanel": "https://domaincontrolpanel.virtucondomains.com/?domain=%domain%",
-       "nameServers": ["ns01.virtucondomainsdns.com", "ns02.virtucondomainsdns.com"]
+       "urlControlPanel": "https://domaincontrolpanel.virtucondomains.ex
+       ample/?domain=%domain%",
+       "nameServers": ["ns01.virtucondomainsdns.example", "ns02.virtucon
+       domainsdns.example"]
    }
 
    Discovery must work on the root domain (zone) only.  Bear in mind
@@ -714,49 +718,51 @@ Internet-Draft               Domain Connect                   April 2022
 
           Table 2: HTTP status codes for the settings end-point
 
-4.  Applying Domain Connect
+7.  Applying Domain Connect
 
-4.1.  Endpoints
-
-   The Domain Connect endpoints returned in the JSON during discovery
-   are in the form of URLs.
 
 
 
 
 
-Carney, et al.           Expires 29 October 2022               [Page 13]
+Kowalik, et al.          Expires 23 January 2025               [Page 13]
 
-Internet-Draft               Domain Connect                   April 2022
+Internet-Draft               Domain Connect                    July 2024
+
 
+7.1.  Endpoints
+
+   The Domain Connect endpoints returned in the JSON during discovery
+   are in the form of URLs.
 
    The first set of endpoints are for the UX that the Service Provider
    links to.  These are for the synchronous flow where the user can
    click to grant consent and have changes applied, and for the
-   asynchronous oAuth flow where the user can grant consent for OAuth
+   asynchronous OAuth flow where the user can grant consent for OAuth
    access.
 
    The second set of endpoints are for the REST API.
 
    All endpoints begin with a root URL for the DNS Provider such as:
 
-   https://connect.dnsprovider.com
+   https://connect.dnsprovider.example
 
    They may also include any prefix at the discretion of the DNS
    Provider.  For example:
 
-   https://connect.dnsprovider.com/api
+   https://connect.dnsprovider.example/api
 
    The root URLs for the UX endpoints and the API endpoints are returned
    in the JSON payload during DNS Provider discovery.
 
-4.2.  Synchronous Flow
+7.2.  Synchronous Flow
 
-4.2.1.  Query Supported Template
+7.2.1.  Query Supported Template
 
    GET
 
-   {urlAPI}/v2/domainTemplates/providers/{providerId}/services/{serviceId}
+   {urlAPI}/v2/domainTemplates/providers/{providerId}/services
+   /{serviceId}
 
    This URL is be used by the Service Provider to determine if the DNS
    Provider supports a specific template through the synchronous flow.
@@ -764,7 +770,7 @@ Internet-Draft               Domain Connect                   April 2022
    Returning a status of 200 without a body indicates the template is
    supported.  The DNS provider may decide to disclose the version of
    the template in a JSON object with field _version_ (see: version
-   field (Section 5.2)) or the full JSON object of deployed template.
+   field (Section 8.2) or the full JSON object of deployed template.
 
    Returning a status of 404 indicates the template is not supported.
 
@@ -775,15 +781,9 @@ Internet-Draft               Domain Connect                   April 2022
 
 
 
-
-
-
-
-
-
-Carney, et al.           Expires 29 October 2022               [Page 14]
+Kowalik, et al.          Expires 23 January 2025               [Page 14]
 
-Internet-Draft               Domain Connect                   April 2022
+Internet-Draft               Domain Connect                    July 2024
 
 
       +===========+==========+======================================+
@@ -801,11 +801,14 @@ Internet-Draft               Domain Connect                   April 2022
             Table 3: https status codes for the Query Supported
                              Template end-point
 
-4.2.2.  Apply Template
+7.2.2.  Apply Template
+
+7.2.2.1.  Apply Template URL
 
    GET
 
-   {urlSyncUX}/v2/domainTemplates/providers/{providerId}/services/{serviceId}/apply?[properties]
+   {urlSyncUX}/v2/domainTemplates/providers/{providerId}/services
+   /{serviceId}/apply?[properties]
 
    This is the URL where the user is sent to apply a template to a
    domain they own.  It is called from the Service Provider to start the
@@ -813,7 +816,7 @@ Internet-Draft               Domain Connect                   April 2022
 
    This URL can be called in one of two ways.
 
-4.2.2.1.  New Browser Window
+7.2.2.2.  New Browser Window
 
    The first is through a new browser tab or in a popup browser window.
    The DNS Provider signs the user in if necessary, verifies domain
@@ -821,7 +824,7 @@ Internet-Draft               Domain Connect                   April 2022
    template.  After application of the template, the DNS Provider should
    automatically close the browser tab or window.
 
-4.2.2.2.  Same Browser Window
+7.2.2.3.  Same Browser Window
 
    The second is in the current browser tab/window.  As above the DNS
    Provider signs the user in if necessary, verifies the user control of
@@ -832,16 +835,15 @@ Internet-Draft               Domain Connect                   April 2022
 
    Several parameters must be appended to the end of this redirect_uri.
 
-   *  State
-
-
 
 
-Carney, et al.           Expires 29 October 2022               [Page 15]
+Kowalik, et al.          Expires 23 January 2025               [Page 15]
 
-Internet-Draft               Domain Connect                   April 2022
+Internet-Draft               Domain Connect                    July 2024
 
 
+   *  State
+
       If a state parameter is passed in on the query string, this must
       be passed back as state= on the redirect_uri.
 
@@ -850,7 +852,7 @@ Internet-Draft               Domain Connect                   April 2022
       If authorization could not be obtained or an error has occurred,
       the parameter error= must be appended.  For consistency with the
       asynchronous OAuth flows the valid values for the error parameter
-      will be as specified in OAuth 2.0 RFC 6749 (4.1.2.1.  Error
+      will be as specified in OAuth 2.0 [RFC6749] (4.1.2.1.  Error
       Response - "error" parameter).  Valid values are: invalid_request,
       unauthorized_client, access_denied, unsupported_response_type,
       invalid_scope, server_error, and temporarily_unavailable.
@@ -881,24 +883,31 @@ Internet-Draft               Domain Connect                   April 2022
    the redirect_uri must be within the domains specified in the template
    in syncRedirectDomain.
 
-4.2.2.3.  Parameters/properties
 
-   +=============+==============+======================================+
-   | Property    | Request      | Description                          |
-   |             | Parameter    |                                      |
-   +=============+==============+======================================+
-   | *Domain*    | domain       | The domain name being configured.    |
-   |             |              | This is the root domain (the         |
-   |             |              | registered domain or delegated       |
 
 
 
-Carney, et al.           Expires 29 October 2022               [Page 16]
+
+
+
+
+
+
+Kowalik, et al.          Expires 23 January 2025               [Page 16]
 
-Internet-Draft               Domain Connect                   April 2022
+Internet-Draft               Domain Connect                    July 2024
+
 
+7.2.2.4.  Parameters/properties
 
-   |             |              | zone).                               |
+   +=============+==============+======================================+
+   | Property    | Request      | Description                          |
+   |             | Parameter    |                                      |
+   +=============+==============+======================================+
+   | *Domain*    | domain       | (REQUIRED) The domain name being     |
+   |             |              | configured.  This is the root        |
+   |             |              | domain (the registered domain or     |
+   |             |              | delegated zone).                     |
    +-------------+--------------+--------------------------------------+
    | *Host*      | host         | (OPTIONAL) This is the host name of  |
    |             |              | the sub domain.  If left blank, the  |
@@ -924,19 +933,27 @@ Internet-Draft               Domain Connect                   April 2022
    |             |              | when redirecting to the              |
    |             |              | redirect_uri described above.        |
    +-------------+--------------+--------------------------------------+
-   | *Name/Value | *            | Any key that will be used as a       |
-   | Pairs*      |              | replacement for the "% surrounded"   |
-   |             |              | variables in the template.  The      |
-   |             |              | name portion of this API call        |
-   |             |              | corresponds to the variable(s)       |
-   |             |              | specified in the template and the    |
-   |             |              | value corresponds to the value that  |
-   |             |              | will be used when applying the       |
-   |             |              | template.                            |
+   | *Name/Value | *            | (REQUIRED) Any key that will be      |
+   | Pairs*      |              | used as a replacement for the "%     |
+   |             |              | surrounded" variables in the         |
+   |             |              | template.  The name portion of this  |
+   |             |              | API call corresponds to the          |
+   |             |              | variable(s) specified in the         |
+   |             |              | template and the value corresponds   |
+   |             |              | to the value that will be used when  |
+   |             |              | applying the template.               |
    +-------------+--------------+--------------------------------------+
    | *Provider   | providerName | (OPTIONAL) This parameter allows     |
    | Name*       |              | for the caller to provide            |
    |             |              | additional text for display with     |
+
+
+
+Kowalik, et al.          Expires 23 January 2025               [Page 17]
+
+Internet-Draft               Domain Connect                    July 2024
+
+
    |             |              | the template providerName.  This     |
    |             |              | text should be used to augment the   |
    |             |              | providerName value from the          |
@@ -946,14 +963,6 @@ Internet-Draft               Domain Connect                   April 2022
    |             |              | set in the template.  Note: this     |
    |             |              | used to be controlled by the         |
    |             |              | "shared" attribute in the template,  |
-
-
-
-Carney, et al.           Expires 29 October 2022               [Page 17]
-
-Internet-Draft               Domain Connect                   April 2022
-
-
    |             |              | which has been deprecated.           |
    +-------------+--------------+--------------------------------------+
    | *Service    | serviceName  | (OPTIONAL) This parameter allows     |
@@ -977,24 +986,46 @@ Internet-Draft               Domain Connect                   April 2022
    | *Signature* | sig          | (OPTIONAL) A signature of the query  |
    |             |              | string.  See Security                |
    |             |              | Considerations section below.        |
+   +-------------+--------------+--------------------------------------+
+   | *Key*       | key          | (OPTIONAL) A value containing the    |
+   |             |              | host in DNS where the public key     |
+   |             |              | for the signature can be obtained.   |
+   |             |              | The domain for this host is in the   |
+   |             |              | template in syncPubKeyDomain.  See   |
+   |             |              | Security Considerations section      |
+   |             |              | below.                               |
    +-------------+--------------+--------------------------------------+
 
         Table 4: query parameters of the apply call in the sync flow
 
    An example query string:
 
+
+
+
+
+
+Kowalik, et al.          Expires 23 January 2025               [Page 18]
+
+Internet-Draft               Domain Connect                    July 2024
+
+
    GET
 
-   https://web-connect.dnsprovider.com/v2/domainTemplates/providers/exampleservice.domainconnect.org/services/template1/apply?domain=example.com&IP=192.168.42.42&RANDOMTEXT=shm%3A1542108821%3AHello
+   https://web-connect.dnsprovider.example/v2/domainTemplates/providers/
+   exampleservice.example/services/template1/apply?domain=example.com
+   &#x26;IP=192.168.42.42&#x26;RANDOMTEXT=shm%3A1542108821%3AHello
 
    This call indicates that the Service Provider wishes to connect the
    domain example.com to the service using the template identified by
-   the composite key of the provider (exampleservice.domainconnect.org)
-   and the service template owned by them (template1).  In this example,
-   there are two variables in this template, "IP" and "RANDOMTEXT".
-   These variables are passed as name/value pairs.
+   the composite key of the provider (exampleservice.example) and the
+   service template owned by them (template1).  In this example, there
+   are two variables in this template, "IP" and "RANDOMTEXT".  These
+   variables are passed as name/value pairs.
+
+7.2.3.  Security Considerations
 
-4.2.3.  Security Considerations
+7.2.3.1.  Risk of phishing with open template parameters
 
    By applying a template with parameters there is a security
    consideration that must be taken into account.
@@ -1002,14 +1033,6 @@ Internet-Draft               Domain Connect                   April 2022
    Consider the template above where the IP address of the A record is
    passed in through a variable.  A bad actor could generate a URL with
    a malicious IP and phish users by sending out emails asking them to
-
-
-
-Carney, et al.           Expires 29 October 2022               [Page 18]
-
-Internet-Draft               Domain Connect                   April 2022
-
-
    "re-configure" their service.  If an end user is convinced to click
    on this link, they would land on the DNS Provider site to confirm the
    change.  To the user, this would appear to be a valid request to
@@ -1018,7 +1041,7 @@ Internet-Draft               Domain Connect                   April 2022
    Not all templates have this problem.  But when they do, there are
    several options.
 
-4.2.3.1.  Disable Synchronous
+7.2.3.2.  Disable Synchronous
 
    One option is to disable the synchronous flow and use asynchronous
    OAuth.  This can be controlled with the syncBlock value from the
@@ -1026,13 +1049,29 @@ Internet-Draft               Domain Connect                   April 2022
    implementation burden and requires onboarding between each Service
    and DNS Provider.
 
-4.2.3.2.  Digitally Sign Requests
+7.2.3.3.  Digitally Sign Requests
 
    Another option is to digitally sign the query string.  A signature is
    appended as an additional query string parameter, properly URL
    encoded and of the form:
 
-   sig=NLOQQm6ikGC2FlFvFZqIFNCZqlaC4B%2FQDwS6iCwIElMWhXMgRnRE17zhLtdLFieWkyqKa4I%2FOoFaAgd%2FAl%2ByzDd3sM2X1JVF5ELjTlj84jZ4KOEIdnbgkEeO%2FTkYRrPkwcmcHMwc4RuX%2Fqio8vKYxJaKLKeVGpUNSKo7zkq3XIRgyxoLSRKxmlSTHFAz4LvYXPWo6SHDoVcRvElWj18Um13sSXuX4KhtOLym2yImHpboEi4m2Ziigc%2BNHZE0VvHUR7wZgDaB01z8hFm5ATF%2B8swjandMRf2Lr4Syv4qTxMNT61r62EWFkt5t9nhxMgss6z4pfDVFZ3vYwSJDGuRpEQ%3D%3D
+
+
+
+
+
+
+Kowalik, et al.          Expires 23 January 2025               [Page 19]
+
+Internet-Draft               Domain Connect                    July 2024
+
+
+   sig=V2te9zWMU7G3plxBTsmYSJTvn2vzMvNwAjWQ%2BwTe91DxuJhdVf4cVc4vZBYfEYV
+   7u5d7PzTO7se7OrkhyiB7TpoJJW1yB5qHR7HKM5SZldUsdtg5%2B1SzEtIX0Uq8b2mCmQ
+   F%2FuJGXpqCyFrEajvpTM7fFKPk1kuctmtkjV7%2BATcvNPLWY7KyE4%2Bqc8jpfN61cP
+   5l8iA4krAa3%2BfTro5cmWR8YUJ5yrnRs6KT4b5D71HFvOUk0sGEUddUUlsyRQKRHUFN6
+   HjEya50YDHfZJlYHkHlK0xX6Yqeii9QZ2I35U9eJbSvZGQko5beqviWFXdsVDbvd3DYcb
+   SHgJq9%2FXoMTTw%3D%3D
 
    The Service Provider generates this signature using a private key.
    As indicated, this signature is generated from the query string
@@ -1054,25 +1093,34 @@ Internet-Draft               Domain Connect                   April 2022
    multiple records may exist for the DNS TXT query.  For example, a
    public key of:
 
-   MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1dCqv7JEzUOfbhWKB9mTRsv3O9Vzy1Tz3UQlIDGpnVrTPBJDQTXUhxUMREEOBKo+rOjHZqfYnSmlkgu1dnBEO8bsELQL8GjS4zsjdA53gRk2SDxuzcB4fK+NCDfnRHut5nG0S3U4cq4DuGrMDFVBwxH1duTsqDNgIOOfNTsFcWSVXoSSTqCCMGbj8Vt51umDhWQAj06lf50qP2/jMNs2G+KTlk3dBHx3wtqYLvdcop1Tk5xBD64BPJ9uwm8KlDNHe+8O+cC9j04Ji8B2K0/PzAj90xnb8XJy/EM124hpT9lMgpHKBUvdeurJYweC6oP41gsTf5LrpjnyIy9j5FHPCQIDAQAB
+   MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA18SgvpmeasN4BHkkv0SBjAzIc
+   4grYLjiAXRtNiBUiGUDMeTzQrKTsWvy9NuxU1dIHCZy9o1CrKNg5EzLIZLNyMfI6qiXnM
+   +HMd4byp97zs/3D39Q8iR5poubQcRaGozWx8yQpG0OcVdmEVcTfyR/XSEWC5u16EBNvRn
+   NAOAvZYUdWqVyQvXsjnxQot8KcK0QP8iHpoL/1dbdRy2opRPQ2FdZpovUgknybq/6FkeD
+   tW7uCQ6Mvu4QxcUa3+WP9nYHKtgWip/eFxpeb+qLvcLHf1h0JXtxLVdyy6OLk3f2JRYUX
+   2ZZVDvG3biTpeJz6iRzjGg6MfGxXZHjI8weDjXrJwIDAQAB
 
    may contain several TXT records.  The records would be of the form:
 
+   p=1,a=RS256,d=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA18SgvpmeasN
+   4BHkkv0SBjAzIc4grYLjiAXRtNiBUiGUDMeTzQrKTsWvy9NuxU1dIHCZy9o1CrKNg5EzL
+   IZLNyMfI6qiXnM+HMd4byp97zs/3D39Q8iR5poubQcRaGozWx8yQpG0OcVdmEVcTfy
 
+   p=2,a=RS256,d=R/XSEWC5u16EBNvRnNAOAvZYUdWqVyQvXsjnxQot8KcK0QP8iHpoL/1
+   dbdRy2opRPQ2FdZpovUgknybq/6FkeDtW7uCQ6Mvu4QxcUa3+WP9nYHKtgWip/eFxpeb+
+   qLvcLHf1h0JXtxLVdyy6OLk3f2JRYUX2ZZVDvG3biTpeJz6iRzjGg6MfGxXZHjI8
 
+   p=3,a=RS256,d=weDjXrJwIDAQAB
 
-Carney, et al.           Expires 29 October 2022               [Page 19]
-
-Internet-Draft               Domain Connect                   April 2022
 
 
-   p=1,a=RS256,t=x509,d=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1dCqv7JEzUOfbhWKB9mTRsv3O9Vzy1Tz3UQlIDGpnVrTPBJDQTXUhxUMREEOBKo+rOjHZqfYnSmlkgu1dn
 
-   p=2,a=RS256,t=x509,d=BEO8bsELQL8GjS4zsjdA53gRk2SDxuzcB4fK+NCDfnRHut5nG0S3U4cq4DuGrMDFVBwxH1duTsqDNgIOOfNTsFcWSVXoSSTqCCMGbj8Vt51umDhWQAj06lf5
 
-   p=3,a=RS256,t=x509,d=NCDfnRHut5nG0S3U4cq4DuGrMDFVBwxH1duTsqDNgIOOfNTsFcWSVXoSSTqCCMGbj8Vt51umDhWQAj06lf50qP2/jMNs2G+KTlk3dBHx3wtqYLvdcop1Tk5xBD64BPJ9
 
-   p=4,a=RS256,t=x509,d=uwm8KlDNHe+8O+cC9j04Ji8B2K0/PzAj90xnb8XJy/EM124hpT9lMgpHKBUvdeurJYweC6oP41gsTf5LrpjnyIy9j5FHPCQIDAQAB
+Kowalik, et al.          Expires 23 January 2025               [Page 20]
+
+Internet-Draft               Domain Connect                    July 2024
+
 
    Here the public key is broken into four records in DNS, and the data
    also indicates that the signing algorithm is an RSA Signature with
@@ -1084,7 +1132,7 @@ Internet-Draft               Domain Connect                   April 2022
 
    The above data was generated for a query string:
 
-   a=1&b=2&ip=10.10.10.10&domain=foobar.com
+   a=1&b=2&ip=10.10.10.10&domain=example.net
 
    Signing the query string by the Service Provider is OPTIONAL.  Not
    all Services Provider templates require or are able to provide this
@@ -1100,7 +1148,7 @@ Internet-Draft               Domain Connect                   April 2022
    The values of each query string value key/value pair must be properly
    URL Encoded before the signature is generated.
 
-4.2.3.3.  Warnings
+7.2.3.4.  Warnings
 
    Some applications aren't able to use OAuth and/or sign requests.
 
@@ -1112,17 +1160,7 @@ Internet-Draft               Domain Connect                   April 2022
    extra warnings to the user to have them verify the link was/is from a
    reputable source before applying the template.
 
-
-
-
-
-
-Carney, et al.           Expires 29 October 2022               [Page 20]
-
-Internet-Draft               Domain Connect                   April 2022
-
-
-4.2.4.  Shared Templates
+7.2.4.  Shared Templates
 
    Some templates can be called by multiple companies, or be used for
    different purposes.
@@ -1133,6 +1171,13 @@ Internet-Draft               Domain Connect                   April 2022
    third parties.  It is often this third party reseller that configures
    DNS.
 
+
+
+Kowalik, et al.          Expires 23 January 2025               [Page 21]
+
+Internet-Draft               Domain Connect                    July 2024
+
+
    While each reseller could enable Domain Connect, this is inefficient
    for the DNS Providers.  Enabling a single template that is shared by
    multiple resellers would be more optimal.
@@ -1161,23 +1206,13 @@ Internet-Draft               Domain Connect                   April 2022
    Formatting.  But this would be required if the template required
    signatures.
 
-4.2.5.  Verification of Changes
+7.2.5.  Verification of Changes
 
    There are circumstances where the Service Provider may wish to verify
    that the template was successfully applied.  Without Domain Donnect,
    this typically involved the Service Provider querying DNS to see if
    the changes to DNS had been made.
 
-
-
-
-
-
-Carney, et al.           Expires 29 October 2022               [Page 21]
-
-Internet-Draft               Domain Connect                   April 2022
-
-
    This same technique works with Domain Connect, and if necessary can
    be triggered either manually on the Service Provider site or
    automatically upon page/window activation in the browser when the
@@ -1189,7 +1224,17 @@ Internet-Draft               Domain Connect                   April 2022
    return url in the browser.  As such it is recommend that enablement
    of a service be based on verification of changes to DNS.
 
-4.3.  Asynchronous Flow: OAuth
+7.3.  Asynchronous Flow: OAuth
+
+
+
+
+Kowalik, et al.          Expires 23 January 2025               [Page 22]
+
+Internet-Draft               Domain Connect                    July 2024
+
+
+7.3.1.  General information
 
    Using the OAuth flow is a more advanced use case needed by Service
    Providers that have more complex configurations that may require
@@ -1203,7 +1248,7 @@ Internet-Draft               Domain Connect                   April 2022
    is recommended that Service Providers relying on an OAuth
    implementation also implement a synchronous implementation.
 
-4.3.1.  OAuth Flow: Setup
+7.3.2.  OAuth Flow: Setup
 
    Service providers wishing to use the OAuth flow must register as an
    OAuth client with each DNS provider.  This is a manual process.
@@ -1221,21 +1266,29 @@ Internet-Draft               Domain Connect                   April 2022
    id and a secret which will be used when requesting tokens.  For
    simplicity the client id should be the same as the providerId.
 
-4.3.2.  OAuth Flow: Getting an Authorization Code
+7.3.3.  OAuth Flow: Getting an Authorization Code
 
    GET
 
    {urlAsyncUX}/v2/domainTemplates/providers/{providerId}
 
+   To initiate the OAuth flow the Service Provider first links to the
+   DNS Provider to gain consent.
 
 
-Carney, et al.           Expires 29 October 2022               [Page 22]
-
-Internet-Draft               Domain Connect                   April 2022
 
 
-   To initiate the OAuth flow the Service Provider first links to the
-   DNS Provider to gain consent.
+
+
+
+
+
+
+
+Kowalik, et al.          Expires 23 January 2025               [Page 23]
+
+Internet-Draft               Domain Connect                    July 2024
+
 
    This endpoint is similar to the synchronous flow described above.
    The DNS Provider must authenticate the user, verify the user has
@@ -1285,35 +1338,34 @@ Internet-Draft               Domain Connect                   April 2022
 
 
 
-Carney, et al.           Expires 29 October 2022               [Page 23]
-
-Internet-Draft               Domain Connect                   April 2022
 
 
-   +===============================================+==================+
-   | *Query String*                                | *Description*    |
-   +===============================================+==================+
-   | scope=t1+t2&domain=example.com                | Templates "t1"   |
-   |                                               | and "t2" can be  |
-   |                                               | applied to       |
-   |                                               | example.com      |
-   +-----------------------------------------------+------------------+
-   | scope=t1+t2&domain=example.com&host=sub1,sub2 | Templates "t1"   |
-   |                                               | and "t2" can be  |
-   |                                               | applied to       |
-   |                                               | sub1.example.com |
-   |                                               | or               |
-   |                                               | sub2.example.com |
-   +-----------------------------------------------+------------------+
-   | scope=t1+t2&domain=example.com&host=sub1,     | Templates "t1"   |
-   |                                               | and "t2" can be  |
-   |                                               | applied to       |
-   |                                               | example.com or   |
-   |                                               | sub1.example.com |
-   +-----------------------------------------------+------------------+
 
-       Table 5: examples of scope and host parameter values in the
-                                async flow
+Kowalik, et al.          Expires 23 January 2025               [Page 24]
+
+Internet-Draft               Domain Connect                    July 2024
+
+
+        +===================================+=====================+
+        | *Query String*                    | *Description*       |
+        +===================================+=====================+
+        | scope=t1+t2=example.com           | Templates "t1" and  |
+        |                                   | "t2" can be applied |
+        |                                   | to example.com      |
+        +-----------------------------------+---------------------+
+        | scope=t1+t2=example.com=sub1,sub2 | Templates "t1" and  |
+        |                                   | "t2" can be applied |
+        |                                   | to sub1.example.com |
+        |                                   | or sub2.example.com |
+        +-----------------------------------+---------------------+
+        | scope=t1+t2=example.com=sub1,     | Templates "t1" and  |
+        |                                   | "t2" can be applied |
+        |                                   | to example.com or   |
+        |                                   | sub1.example.com    |
+        +-----------------------------------+---------------------+
+
+          Table 5: examples of scope and host parameter values in
+                               the async flow
 
    Upon successful authorization/verification/consent from the user, the
    DNS Provider will direct the end user's browser to the redirect URI.
@@ -1322,7 +1374,7 @@ Internet-Draft               Domain Connect                   April 2022
 
    Similar to the synchronous flow, upon error the DNS provider may
    append an error code as query parameter "error".  These errors are
-   also from the oAuth 2.0 RFC 6749 (4.1.2.1.  Error Response - "error"
+   also from the OAuth 2.0 [RFC6749] (4.1.2.1.  Error Response - "error"
    parameter).  Valid values include: invalid_request,
    unauthorized_client, access_denied, unsupported_response_type,
    invalid_scope, server_error, and temporarilly_unavailable.  An
@@ -1341,86 +1393,98 @@ Internet-Draft               Domain Connect                   April 2022
 
 
 
-Carney, et al.           Expires 29 October 2022               [Page 24]
-
-Internet-Draft               Domain Connect                   April 2022
-
-
-   +===========+===============+=======================================+
-   | Property  | Key           | Description                           |
-   +===========+===============+=======================================+
-   | *Domain*  | domain        | The domain name being                 |
-   |           |               | configured.  This is the root         |
-   |           |               | domain (the registered domain or      |
-   |           |               | delegated zone).                      |
-   +-----------+---------------+---------------------------------------+
-   | *Host*    | host          | (OPTIONAL) An list of comma           |
-   |           |               | separated host names upon which       |
-   |           |               | the template may be applied.  An      |
-   |           |               | empty string implies the root.        |
-   +-----------+---------------+---------------------------------------+
-   | *Client   | client_id     | The client id that was provided       |
-   | Id*       |               | by the DNS provider to the            |
-   |           |               | service provider during               |
-   |           |               | registration.  It is recommended      |
-   |           |               | that this should be the same as       |
-   |           |               | the providerId in the template.       |
-   +-----------+---------------+---------------------------------------+
-   | *Redirect | redirect_uri  | The location to direct the            |
-   | URI*      |               | client's browser upon successful      |
-   |           |               | authorization or upon error.          |
-   |           |               | Validation of the redirect_uri        |
-   |           |               | will be done by the DNS Provider      |
-   |           |               | to match the values provided          |
-   |           |               | during onboarding.                    |
-   +-----------+---------------+---------------------------------------+
-   | *Response | response_type | (OPTIONAL) If included it must        |
-   | type*     |               | be the string 'code' to indicate      |
-   |           |               | an authorization code is being        |
-   |           |               | requested.                            |
-   +-----------+---------------+---------------------------------------+
-   | *Scope*   | scope         | The OAuth scope corresponds to        |
-   |           |               | the requested templates.  This        |
-   |           |               | is list of space separated            |
-   |           |               | serviceIds.                           |
-   +-----------+---------------+---------------------------------------+
-   | *Provider | providerName  | (OPTIONAL) This parameter allows      |
-   | Name*     |               | for the caller to provide             |
-   |           |               | additional text for display with      |
-   |           |               | the template providerName.  This      |
-   |           |               | text should be used to augment        |
-   |           |               | the providerName value from the       |
-   |           |               | template, not replace it.             |
-   +-----------+---------------+---------------------------------------+
-   | *Service  | serviceName   | (OPTIONAL) This parameter allows      |
-   | Name*     |               | for the caller to provide             |
-
-
-
-Carney, et al.           Expires 29 October 2022               [Page 25]
-
-Internet-Draft               Domain Connect                   April 2022
-
-
-   |           |               | additional text for display with      |
-   |           |               | the template serviceName(s).  It      |
-   |           |               | should be used to augment the         |
-   |           |               | serviceName value(s) from the         |
-   |           |               | template, not replace.                |
-   +-----------+---------------+---------------------------------------+
-   | *State*   | state         | (OPTIONAL) This is a random,          |
-   |           |               | unique string passed along to         |
-   |           |               | prevent CSRF or to pass state         |
-   |           |               | value back to the caller.  It         |
-   |           |               | will be returned as a parameter       |
-   |           |               | appended to the redirect_url          |
-   |           |               | described above.                      |
-   +-----------+---------------+---------------------------------------+
-
-     Table 6: query parameters of the authorization end-point in async
-                                    flow
-
-4.3.3.  oAuth Flow: Requesting an Access Token
+
+
+
+
+Kowalik, et al.          Expires 23 January 2025               [Page 25]
+
+Internet-Draft               Domain Connect                    July 2024
+
+
+     +===========+===============+==================================+
+     | Property  | Key           | Description                      |
+     +===========+===============+==================================+
+     | *Domain*  | domain        | (REQUIRED) The domain name being |
+     |           |               | configured.  This is the root    |
+     |           |               | domain (the registered domain or |
+     |           |               | delegated zone).                 |
+     +-----------+---------------+----------------------------------+
+     | *Host*    | host          | (OPTIONAL) An list of comma      |
+     |           |               | separated host names upon which  |
+     |           |               | the template may be applied.  An |
+     |           |               | empty string implies the root.   |
+     +-----------+---------------+----------------------------------+
+     | *Client   | client_id     | (REQUIRED) The client id that    |
+     | Id*       |               | was provided by the DNS provider |
+     |           |               | to the service provider during   |
+     |           |               | registration.  It is recommended |
+     |           |               | that this should be the same as  |
+     |           |               | the providerId in the template.  |
+     +-----------+---------------+----------------------------------+
+     | *Redirect | redirect_uri  | (REQUIRED) The location to       |
+     | URI*      |               | direct the client's browser upon |
+     |           |               | successful authorization or upon |
+     |           |               | error.  Validation of the        |
+     |           |               | redirect_uri will be done by the |
+     |           |               | DNS Provider to match the values |
+     |           |               | provided during onboarding.      |
+     +-----------+---------------+----------------------------------+
+     | *Response | response_type | (OPTIONAL) If included it must   |
+     | type*     |               | be the string 'code' to indicate |
+     |           |               | an authorization code is being   |
+     |           |               | requested.                       |
+     +-----------+---------------+----------------------------------+
+     | *Scope*   | scope         | (REQUIRED) The OAuth scope       |
+     |           |               | corresponds to the requested     |
+     |           |               | templates.  This is list of      |
+     |           |               | space separated serviceIds.      |
+     +-----------+---------------+----------------------------------+
+     | *Provider | providerName  | (OPTIONAL) This parameter allows |
+     | Name*     |               | for the caller to provide        |
+     |           |               | additional text for display with |
+     |           |               | the template providerName.  This |
+     |           |               | text should be used to augment   |
+     |           |               | the providerName value from the  |
+     |           |               | template, not replace it.        |
+     +-----------+---------------+----------------------------------+
+     | *Service  | serviceName   | (OPTIONAL) This parameter allows |
+     | Name*     |               | for the caller to provide        |
+
+
+
+Kowalik, et al.          Expires 23 January 2025               [Page 26]
+
+Internet-Draft               Domain Connect                    July 2024
+
+
+     |           |               | additional text for display with |
+     |           |               | the template serviceName(s).  It |
+     |           |               | should be used to augment the    |
+     |           |               | serviceName value(s) from the    |
+     |           |               | template, not replace.           |
+     +-----------+---------------+----------------------------------+
+     | *State*   | state         | (OPTIONAL) This is a random,     |
+     |           |               | unique string passed along to    |
+     |           |               | prevent CSRF or to pass state    |
+     |           |               | value back to the caller.  It    |
+     |           |               | will be returned as a parameter  |
+     |           |               | appended to the redirect_url     |
+     |           |               | described above.                 |
+     +-----------+---------------+----------------------------------+
+     | *Name/    | *             | (OPTIONAL) Any key that will be  |
+     | Value     |               | used as a replacement for the "% |
+     | Pairs*    |               | surrounded" value(s) in a        |
+     |           |               | template required for conflict   |
+     |           |               | detection.  This includes        |
+     |           |               | variables used in hosts and data |
+     |           |               | in certain TXT records.          |
+     +-----------+---------------+----------------------------------+
+
+       Table 6: query parameters of the authorization end-point in
+                                async flow
+
+7.3.4.  OAuth Flow: Requesting an Access Token
 
    POST
 
@@ -1428,7 +1492,7 @@ Internet-Draft               Domain Connect                   April 2022
 
    Once authorization has been granted, the Service Provider must use
    the Authorization Code provided to request an Access Token.  The
-   oAuth specification recommends that the Authorization Code be a short
+   OAuth specification recommends that the Authorization Code be a short
    lived token, and a reasonable recommended setting is ten minutes.  As
    such this exchange needs to be completed before that time has expired
    or the process will need to be repeated.
@@ -1442,23 +1506,21 @@ Internet-Draft               Domain Connect                   April 2022
    This is typically done when the OAuth client is a client application.
    When onboarding with the DNS Provider this would need to be enabled.
 
-   When the secret is provided (which is the normal case), care must be
-   taken.  A malicious user could create a domain that returns a false
-   __domainconnect_ TXT record, and subsequently a JSON call to their
-   own server for the API end point.  By doing so, they could then run
-   Domain Connect on their domain and retrieve the secret.
-
-
-
 
 
 
-Carney, et al.           Expires 29 October 2022               [Page 26]
+Kowalik, et al.          Expires 23 January 2025               [Page 27]
 
-Internet-Draft               Domain Connect                   April 2022
+Internet-Draft               Domain Connect                    July 2024
 
 
-   As such the urlAPI used for oAuth by the Service Provider should be
+   When the secret is provided (which is the normal case), care must be
+   taken.  A malicious user could create a domain that returns a false
+   __domainconnect_ TXT record, and subsequently a JSON call to their
+   own server for the API end point.  By doing so, they could then run
+   Domain Connect on their domain and retrieve the secret.
+
+   As such the urlAPI used for OAuth by the Service Provider should be
    maintained per DNS Provider and not the value retrieved during
    discovery.
 
@@ -1503,53 +1565,47 @@ Internet-Draft               Domain Connect                   April 2022
 
 
 
-
-
-
-
-
-
-Carney, et al.           Expires 29 October 2022               [Page 27]
+Kowalik, et al.          Expires 23 January 2025               [Page 28]
 
-Internet-Draft               Domain Connect                   April 2022
-
-
-    +================+===============+================================+
-    | Property       | Key           | Description                    |
-    +================+===============+================================+
-    | *Authorization | code/         | The authorization code that    |
-    | Code/Refresh   | refresh_token | was provided in the previous   |
-    | Code*          |               | step when the customer         |
-    |                |               | accepted the authorization     |
-    |                |               | request, or the refresh_token  |
-    |                |               | for a subsequent access token. |
-    +----------------+---------------+--------------------------------+
-    | *Redirect URI* | redirect_uri  | (OPTIONAL) This is required if |
-    |                |               | a redirect_uri was passed to   |
-    |                |               | request the authorization      |
-    |                |               | code.  When included, it needs |
-    |                |               | to be the same redirect_uri    |
-    |                |               | provided in this step.         |
-    +----------------+---------------+--------------------------------+
-    | *Grant type*   | grant_type    | The type of code in the        |
-    |                |               | request.  Usually the string   |
-    |                |               | 'authorization_code' or        |
-    |                |               | 'refresh_token'                |
-    +----------------+---------------+--------------------------------+
-    | *Client ID*    | client_id     | This is the client id that was |
-    |                |               | provided by the DNS provider   |
-    |                |               | to the Service Provider during |
-    |                |               | registration                   |
-    +----------------+---------------+--------------------------------+
-    | *Client        | client_secret | The secret provided to the     |
-    | Secret*        |               | Service Provider during        |
-    |                |               | registration.  Typically       |
-    |                |               | required unless the rare       |
-    |                |               | circumstance with secret-less  |
-    |                |               | oAuth.                         |
-    +----------------+---------------+--------------------------------+
-
-                 Table 7: parameters of the token end-point
+Internet-Draft               Domain Connect                    July 2024
+
+
+   +================+===============+=================================+
+   | Property       | Key           | Description                     |
+   +================+===============+=================================+
+   | *Authorization | code/         | (REQUIRED) The authorization    |
+   | Code/Refresh   | refresh_token | code that was provided in the   |
+   | Code*          |               | previous step when the customer |
+   |                |               | accepted the authorization      |
+   |                |               | request, or the refresh_token   |
+   |                |               | for a subsequent access token.  |
+   +----------------+---------------+---------------------------------+
+   | *Redirect URI* | redirect_uri  | (OPTIONAL) This is REQUIRED if  |
+   |                |               | a redirect_uri was passed to    |
+   |                |               | request the authorization code. |
+   |                |               | When included, it needs to be   |
+   |                |               | the same redirect_uri provided  |
+   |                |               | in this step.                   |
+   +----------------+---------------+---------------------------------+
+   | *Grant type*   | grant_type    | (REQUIRED) The type of code in  |
+   |                |               | the request.  Usually the       |
+   |                |               | string 'authorization_code' or  |
+   |                |               | 'refresh_token'                 |
+   +----------------+---------------+---------------------------------+
+   | *Client ID*    | client_id     | (REQUIRED) This is the client   |
+   |                |               | id that was provided by the DNS |
+   |                |               | provider to the Service         |
+   |                |               | Provider during registration    |
+   +----------------+---------------+---------------------------------+
+   | *Client        | client_secret | (REQUIRED) The secret provided  |
+   | Secret*        |               | to the Service Provider during  |
+   |                |               | registration.  Typically        |
+   |                |               | required unless the rare        |
+   |                |               | circumstance with secret-less   |
+   |                |               | OAuth.                          |
+   +----------------+---------------+---------------------------------+
+
+                Table 7: parameters of the token end-point
 
    Upon successful token exchange, the DNS Provider will return a
    response with 4 properties in the body of the response.
@@ -1565,9 +1621,9 @@ Internet-Draft               Domain Connect                   April 2022
 
 
 
-Carney, et al.           Expires 29 October 2022               [Page 28]
+Kowalik, et al.          Expires 23 January 2025               [Page 29]
 
-Internet-Draft               Domain Connect                   April 2022
+Internet-Draft               Domain Connect                    July 2024
 
 
       +=================+===========================================+
@@ -1599,7 +1655,7 @@ Internet-Draft               Domain Connect                   April 2022
 
         Table 9: http status codes of the token end-point response
 
-4.3.4.  OAuth Flow: Making Requests with Access Tokens
+7.3.5.  OAuth Flow: Making Requests with Access Tokens
 
    Once the Service Provider has the access token, they can call the DNS
    Provider's API to make changes to DNS on the domain by applying and
@@ -1621,20 +1677,21 @@ Internet-Draft               Domain Connect                   April 2022
 
 
 
-Carney, et al.           Expires 29 October 2022               [Page 29]
+Kowalik, et al.          Expires 23 January 2025               [Page 30]
 
-Internet-Draft               Domain Connect                   April 2022
+Internet-Draft               Domain Connect                    July 2024
 
 
    While the calls below do not have the same security consideration of
    passing the secret, it is recommend that the urlAPI be from a stored
    value vs. the value returned during discovery here as well.
 
-4.3.5.  OAuth Flow: Apply Template to Domain.
+7.3.6.  OAuth Flow: Apply Template to Domain.
 
    POST
 
-   {urlAPI}/v2/domainTemplates/providers/{providerId}/services/{serviceId}/apply?[properties]
+   {urlAPI}/v2/domainTemplates/providers/{providerId}/services
+   /{serviceId}/apply?[properties]
 
    The primary function of the API is to apply a template to a customer
    domain.
@@ -1670,18 +1727,18 @@ Internet-Draft               Domain Connect                   April 2022
     +==============+==============+===================================+
     | Property     | Key          | Description                       |
     +==============+==============+===================================+
-    | *Domain*     | domain       | The root domain name being        |
-    |              |              | configured.  It must match the    |
-    |              |              | domain that was authorized in the |
-    |              |              | token.                            |
+    | *Domain*     | domain       | (REQUIRED) The root domain name   |
+    |              |              | being configured.  It must match  |
+    |              |              | the domain that was authorized in |
 
 
 
-Carney, et al.           Expires 29 October 2022               [Page 30]
+Kowalik, et al.          Expires 23 January 2025               [Page 31]
 
-Internet-Draft               Domain Connect                   April 2022
+Internet-Draft               Domain Connect                    July 2024
 
 
+    |              |              | the token.                        |
     +--------------+--------------+-----------------------------------+
     | *Host*       | host         | (OPTIONAL) The host name of the   |
     |              |              | sub domain of the root domain     |
@@ -1690,14 +1747,15 @@ Internet-Draft               Domain Connect                   April 2022
     |              |              | template is being applied to the  |
     |              |              | root domain.                      |
     +--------------+--------------+-----------------------------------+
-    | *Name/Value  | *            | Any variable fields consumed by   |
-    | Pairs*       |              | this template.  The name portion  |
-    |              |              | of this API call corresponds to   |
-    |              |              | the variable(s) specified in the  |
-    |              |              | record and the value corresponds  |
-    |              |              | to the value that must be used    |
-    |              |              | when applying the template as per |
-    |              |              | the implementation notes.         |
+    | *Name/Value  | *            | (REQUIRED) Any variable fields    |
+    | Pairs*       |              | consumed by this template.  The   |
+    |              |              | name portion of this API call     |
+    |              |              | corresponds to the variable(s)    |
+    |              |              | specified in the record and the   |
+    |              |              | value corresponds to the value    |
+    |              |              | that must be used when applying   |
+    |              |              | the template as per the           |
+    |              |              | implementation notes.             |
     +--------------+--------------+-----------------------------------+
     | *Group ID*   | groupId      | (OPTIONAL) Specifies the group of |
     |              |              | changes in the template to apply. |
@@ -1728,16 +1786,16 @@ Internet-Draft               Domain Connect                   April 2022
     |              |              | additional context for the        |
     |              |              | serviceName that applied the      |
     |              |              | template.  It may be used by some |
-    |              |              | DNS Providers that display state  |
-    |              |              | regarding which templates have    |
 
 
 
-Carney, et al.           Expires 29 October 2022               [Page 31]
+Kowalik, et al.          Expires 23 January 2025               [Page 32]
 
-Internet-Draft               Domain Connect                   April 2022
+Internet-Draft               Domain Connect                    July 2024
 
 
+    |              |              | DNS Providers that display state  |
+    |              |              | regarding which templates have    |
     |              |              | been applied.  It is only allowed |
     |              |              | when the "sharedProviderName"     |
     |              |              | attribute is set in the template  |
@@ -1746,7 +1804,7 @@ Internet-Draft               Domain Connect                   April 2022
     | *InstanceId* | instanceId   | (OPTIONAL) Only applicable to     |
     |              |              | templates supporting multiple     |
     |              |              | instances (see multiInstance      |
-    |              |              | (Section 5.2) template property). |
+    |              |              | (Section 8.2) template property). |
     |              |              | Allows for later removal of one   |
     |              |              | template instance by DNS          |
     |              |              | Providers storing this            |
@@ -1761,7 +1819,9 @@ Internet-Draft               Domain Connect                   April 2022
 
    POST
 
-   https://connect.dnsprovider.com/v2/domainTemplates/providers/exampleservice.domainconnect.org/services/template1/apply?IP=192.168.42.42&RANDOMTEXT=shm%3A1542108821%3AHello&force=1
+   https://connect.dnsprovider.example/v2/domainTemplates/providers/
+   exampleservice.example/services/template1/apply?IP=192.0.2.42
+   &#x26;RANDOMTEXT=shm%3A1542108821%3AHello&#x26;force=1
 
    The API must validate the access token, and that the domain belongs
    to the customer and is represented by the token being presented.  Any
@@ -1785,13 +1845,9 @@ Internet-Draft               Domain Connect                   April 2022
 
 
 
-
-
-
-
-Carney, et al.           Expires 29 October 2022               [Page 32]
+Kowalik, et al.          Expires 23 January 2025               [Page 33]
 
-Internet-Draft               Domain Connect                   April 2022
+Internet-Draft               Domain Connect                    July 2024
 
 
      +================+==========+==================================+
@@ -1845,9 +1901,9 @@ Internet-Draft               Domain Connect                   April 2022
 
 
 
-Carney, et al.           Expires 29 October 2022               [Page 33]
+Kowalik, et al.          Expires 23 January 2025               [Page 34]
 
-Internet-Draft               Domain Connect                   April 2022
+Internet-Draft               Domain Connect                    July 2024
 
 
    As an example:
@@ -1872,7 +1928,7 @@ Internet-Draft               Domain Connect                   April 2022
    In this example, the Service Provider tried to apply a new hosting
    template.  The domain had an existing service applied for hosting.
 
-4.3.6.  OAuth Flow: Revert Template
+7.3.7.  OAuth Flow: Revert Template
 
    This call reverts the application of a specific template from a
    domain.
@@ -1882,7 +1938,8 @@ Internet-Draft               Domain Connect                   April 2022
 
    POST
 
-   {urlAPI}/v2/domainTemplates/providers/{providerId}/services/{serviceId}/revert?domain={domain}&host={host}
+   {urlAPI}/v2/domainTemplates/providers/{providerId}/services
+   /{serviceId}/revert?domain={domain}&host={host}
 
    This API allows the removal of a template from a customer domain/host
    using an OAuth request.
@@ -1900,36 +1957,36 @@ Internet-Draft               Domain Connect                   April 2022
 
 
 
-
-Carney, et al.           Expires 29 October 2022               [Page 34]
+Kowalik, et al.          Expires 23 January 2025               [Page 35]
 
-Internet-Draft               Domain Connect                   April 2022
+Internet-Draft               Domain Connect                    July 2024
 
 
    POST
 
-   https://connect.dnsprovider.com/v2/domainTemplates/providers/exampleservice.domainconnect.org/services/template1/revert?domain=example.com
+   https://connect.dnsprovider.example/v2/domainTemplates/providers
+   /exampleservice.example/services/template1/revert?domain=example.com
 
    Allowed parameters:
 
    +==============+============+======================================+
    | Property     | Key        | Description                          |
    +==============+============+======================================+
-   | *Domain*     | domain     | The root domain name being           |
-   |              |            | configured.  It must match the       |
+   | *Domain*     | domain     | (REQUIRED) The root domain name      |
+   |              |            | being configured.  It must match the |
    |              |            | domain that was authorized in the    |
    |              |            | token.                               |
    +--------------+------------+--------------------------------------+
-   | *Host*       | host       | The host name of the sub domain of   |
-   |              |            | the root domain that was authorized  |
-   |              |            | in the token.  If omitted or left    |
-   |              |            | blank, the template is being applied |
-   |              |            | to the root domain.                  |
+   | *Host*       | host       | (OPTIONAL) The host name of the sub  |
+   |              |            | domain of the root domain that was   |
+   |              |            | authorized in the token.  If omitted |
+   |              |            | or left blank, the template is being |
+   |              |            | applied to the root domain.          |
    +--------------+------------+--------------------------------------+
    | *InstanceId* | instanceId | (OPTIONAL) Only applicable to        |
    |              |            | templates supporting multiple        |
    |              |            | instances (see multiInstance         |
-   |              |            | (Section 5.2) template property).    |
+   |              |            | (Section 8.2) template property).    |
    |              |            | For DNS Provider storing information |
    |              |            | about applied templates allows       |
    |              |            | removal of single instance of        |
@@ -1945,26 +2002,23 @@ Internet-Draft               Domain Connect                   April 2022
    Response codes Success, Authorization, and Errors are identical to
    above with the addition of the 501 code.
 
-4.3.7.  OAuth Flow: Revoking access
+7.3.8.  OAuth Flow: Revoking access
 
-   Like all oAuth flows, the user may revoke the access at any time
+   Like all OAuth flows, the user may revoke the access at any time
    using UX at the DNS Provider site.  As such the Service Provider
    needs to be aware that their access to the API may be denied.
 
+8.  Domain Connect Objects and Templates
 
 
 
 
-
-
-Carney, et al.           Expires 29 October 2022               [Page 35]
+Kowalik, et al.          Expires 23 January 2025               [Page 36]
 
-Internet-Draft               Domain Connect                   April 2022
+Internet-Draft               Domain Connect                    July 2024
 
 
-5.  Domain Connect Objects and Templates
-
-5.1.  Template Versioning
+8.1.  Template Versioning
 
    If a breaking change is made to a template it is recommended that a
    new template be created.  While on the surface versioning looks
@@ -1978,183 +2032,242 @@ Internet-Draft               Domain Connect                   April 2022
    Note that when a template changes, it does need to be on-boarded with
    the DNS Providers.
 
-   The version field (Section 5.2) of the template definition serves the
+   The version field (Section 8.2) of the template definition serves the
    purpose of transparency between the DNS Provider and the Service
    Provider in case of such changes.
 
-5.2.  Template Definition
+8.2.  Template Definition
 
    A template is defined as a standard JSON data structure containing
    the following data.  Fields are required unless otherwise indicated.
 
-   +=============+========+===================+==================================+
-   |Data Element |Type    |Key                |Description                       |
-   +=============+========+===================+==================================+
-   |*Service     |String  |providerId         |The unique identifier of the      |
-   |Provider Id* |        |                   |Service Provider that created this|
-   |             |        |                   |template.  This is used in the    |
-   |             |        |                   |URLs to identify the Service      |
-   |             |        |                   |Provider.  To ensure non-         |
-   |             |        |                   |coordinated uniqueness, this      |
-   |             |        |                   |should be the domain name of the  |
-   |             |        |                   |Service Provider (e.g.            |
-   |             |        |                   |exampleservice.domainconnect.org).|
-   +-------------+--------+-------------------+----------------------------------+
-   |*Service     |String  |providerName       |The name of the Service Provider  |
-   |Provider     |        |                   |suitable for display.  This may be|
-   |Name*        |        |                   |displayed to the user on the DNS  |
-   |             |        |                   |Provider consent UX.              |
-   +-------------+--------+-------------------+----------------------------------+
-   |*Service Id* |String  |serviceId          |The name or identifier of the     |
-   |             |        |                   |template.  This is used in URLs to|
-   |             |        |                   |identify the template.  It is also|
-   |             |        |                   |used in the scope parameter for   |
-   |             |        |                   |oAuth.  It must not contain space |
-
-
-
-Carney, et al.           Expires 29 October 2022               [Page 36]
-
-Internet-Draft               Domain Connect                   April 2022
-
-
-   |             |        |                   |characters, and must be URL       |
-   |             |        |                   |friendly.                         |
-   +-------------+--------+-------------------+----------------------------------+
-   |*Service     |String  |serviceName        |The name of the service suitable  |
-   |Name*        |        |                   |for display to the user.  This may|
-   |             |        |                   |be displayed to the user on the   |
-   |             |        |                   |DNS Provider consent UX.          |
-   +-------------+--------+-------------------+----------------------------------+
-   |*Version*    |Integer |version            |(OPTIONAL) If present this        |
-   |             |        |                   |represents a version of the       |
-   |             |        |                   |template and should be increased  |
-   |             |        |                   |with each update of the template  |
-   |             |        |                   |content.  This value is mainly    |
-   |             |        |                   |informational to improve          |
-   |             |        |                   |communication and transparency    |
-   |             |        |                   |between providers.                |
-   +-------------+--------+-------------------+----------------------------------+
-   |*Logo*       |String  |logoUrl            |(OPTIONAL) A graphical logo       |
-   |             |        |                   |representing the Service Provider |
-   |             |        |                   |and/or Service for use in any web-|
-   |             |        |                   |based flow.  If present this may  |
-   |             |        |                   |be displayed to the user on the   |
-   |             |        |                   |DNS Provider consent UX.          |
-   +-------------+--------+-------------------+----------------------------------+
-   |*Description*|Text    |description        |(OPTIONAL) A textual description  |
-   |             |        |                   |of what this template attempts to |
-   |             |        |                   |do.  This is meant to assist      |
-   |             |        |                   |developers and must not be        |
-   |             |        |                   |displayed to the user.            |
-   +-------------+--------+-------------------+----------------------------------+
-   |*Variable    |Text    |variableDescription|(OPTIONAL) A textual description  |
-   |Description* |        |                   |of what the variables are.  This  |
-   |             |        |                   |is meant to assist developers and |
-   |             |        |                   |must not be displayed to the user.|
-   +-------------+--------+-------------------+----------------------------------+
-   |*Synchronous |Boolean |syncBlock          |(OPTIONAL) Indicates that the     |
-   |Block*       |        |                   |synchronous protocol must be      |
-   |             |        |                   |disabled for this template.  The  |
-   |             |        |                   |default for this is false.        |
-   +-------------+--------+-------------------+----------------------------------+
-   |*Shared*     |Boolean |shared             |(OPTIONAL) This flag has been     |
-   |             |        |                   |deprecated.  It used to indicate  |
-   |             |        |                   |that the template allowed a       |
-   |             |        |                   |dynamic providerName on the query |
-   |             |        |                   |string.  It is replaced with the  |
-   |             |        |                   |sharedProviderName flag in v2.2 of|
-   |             |        |                   |the spec.                         |
-   +-------------+--------+-------------------+----------------------------------+
-
-
-
-Carney, et al.           Expires 29 October 2022               [Page 37]
-
-Internet-Draft               Domain Connect                   April 2022
-
-
-   |*Shared      |Boolean |sharedProviderName |(OPTIONAL) This flag indicates    |
-   |Provider     |        |                   |that the template allows the      |
-   |Name*        |        |                   |caller to pass in additional      |
-   |             |        |                   |information for the providerName. |
-   |             |        |                   |This information should augment   |
-   |             |        |                   |the display of the providerName   |
-   |             |        |                   |from the template.  The default   |
-   |             |        |                   |for this is false.  For backward  |
-   |             |        |                   |compatability with DNS Providers  |
-   |             |        |                   |not at V2.2 of the spec it is     |
-   |             |        |                   |recommended that the shared flag  |
-   |             |        |                   |also be set.                      |
-   +-------------+--------+-------------------+----------------------------------+
-   |*Shared      |Boolean |sharedServiceName  |(OPTIONAL) This flag indicates    |
-   |Service Name*|        |                   |that the template allows the      |
-   |             |        |                   |caller to pass in additional      |
-   |             |        |                   |information for the serviceName.  |
-   |             |        |                   |This information should augment   |
-   |             |        |                   |the display of the serviceName    |
-   |             |        |                   |from the template.  The default   |
-   |             |        |                   |for this is false.                |
-   +-------------+--------+-------------------+----------------------------------+
-   |*Synchronous |String  |syncPubKeyDomain   |(OPTIONAL) When present, indicates|
-   |Public Key   |        |                   |that calls to apply a template    |
-   |Domain*      |        |                   |synchronously must be digitally   |
-   |             |        |                   |signed.  The value indicates the  |
-   |             |        |                   |domain name for querying the TXT  |
-   |             |        |                   |record from DNS that contains the |
-   |             |        |                   |public key used for signing.      |
-   +-------------+--------+-------------------+----------------------------------+
-   |*Synchronous |String  |syncRedirectDomain |(OPTIONAL) When present, this is a|
-   |Redirect     |        |                   |comma separated list of domain    |
-   |Domains*     |        |                   |names for which redirects must be |
-   |             |        |                   |sent to after applying a template |
-   |             |        |                   |for the synchronous flow.         |
-   +-------------+--------+-------------------+----------------------------------+
-   |*Multiple    |Boolean |multiInstance      |(OPTIONAL) Defaults to False.     |
-   |Instance*    |        |                   |When set to True, it indicates    |
-   |             |        |                   |that the template may be applied  |
-   |             |        |                   |multiple times.  This only impacts|
-   |             |        |                   |DNS Providers that maintain       |
-   |             |        |                   |template state in DNS.            |
-   +-------------+--------+-------------------+----------------------------------+
-   |*Warn        |Boolean |warnPhishing       |(OPTIONAL) When present, this     |
-   |Phishing*    |        |                   |tells the DNS Provider that the   |
-   |             |        |                   |template may contain variables    |
-   |             |        |                   |susceptible to phishing attacks   |
-   |             |        |                   |and the provider is unable to     |
-
-
-
-Carney, et al.           Expires 29 October 2022               [Page 38]
-
-Internet-Draft               Domain Connect                   April 2022
-
-
-   |             |        |                   |digitally sign the requests.  When|
-   |             |        |                   |set the DNS Provider should       |
-   |             |        |                   |display warnings to the user.  The|
-   |             |        |                   |default value for this is false.  |
-   +-------------+--------+-------------------+----------------------------------+
-   |*Host        |Boolean |hostRequired       |(OPTIONAL) Defaults to false.     |
-   |Required*    |        |                   |When present this indicates that  |
-   |             |        |                   |the template has been authored to |
-   |             |        |                   |work only when both domain and    |
-   |             |        |                   |host are provided.  An example    |
-   |             |        |                   |where this would be true would be |
-   |             |        |                   |a template where CNAME is set on  |
-   |             |        |                   |the fully qualified domain name.  |
-   |             |        |                   |This is largely informational, as |
-   |             |        |                   |most DNS Providers already enforce|
-   |             |        |                   |such rules.                       |
-   +-------------+--------+-------------------+----------------------------------+
-   |*Template    |Array of|records            |A list of records for the         |
-   |Records*     |Template|                   |template.                         |
-   |             |Records |                   |                                  |
-   +-------------+--------+-------------------+----------------------------------+
+   +=============+========+===================+========================+
+   |Data Element |Type    |Key                |Description             |
+   +=============+========+===================+========================+
+   |*Service     |String  |providerId         |(REQUIRED) The unique   |
+   |Provider Id* |        |                   |identifier of the       |
+   |             |        |                   |Service Provider that   |
+   |             |        |                   |created this template.  |
+   |             |        |                   |This is used in the URLs|
+   |             |        |                   |to identify the Service |
+   |             |        |                   |Provider.  To ensure    |
+   |             |        |                   |non-coordinated         |
+   |             |        |                   |uniqueness, this should |
+   |             |        |                   |be the domain name of   |
+   |             |        |                   |the Service Provider    |
+   |             |        |                   |(e.g.                   |
+   |             |        |                   |exampleservice.example).|
+   +-------------+--------+-------------------+------------------------+
+   |*Service     |String  |providerName       |(REQUIRED) The name of  |
+   |Provider     |        |                   |the Service Provider    |
+   |Name*        |        |                   |suitable for display.   |
+   |             |        |                   |This may be displayed to|
+   |             |        |                   |the user on the DNS     |
+   |             |        |                   |Provider consent UX.    |
+   +-------------+--------+-------------------+------------------------+
+   |*Service Id* |String  |serviceId          |(REQUIRED) The name or  |
+
+
+
+Kowalik, et al.          Expires 23 January 2025               [Page 37]
+
+Internet-Draft               Domain Connect                    July 2024
+
+
+   |             |        |                   |identifier of the       |
+   |             |        |                   |template.  This is used |
+   |             |        |                   |in URLs to identify the |
+   |             |        |                   |template.  It is also   |
+   |             |        |                   |used in the scope       |
+   |             |        |                   |parameter for OAuth.  It|
+   |             |        |                   |must not contain space  |
+   |             |        |                   |characters, and must be |
+   |             |        |                   |URL friendly.           |
+   +-------------+--------+-------------------+------------------------+
+   |*Service     |String  |serviceName        |(REQUIRED) The name of  |
+   |Name*        |        |                   |the service suitable for|
+   |             |        |                   |display to the user.    |
+   |             |        |                   |This may be displayed to|
+   |             |        |                   |the user on the DNS     |
+   |             |        |                   |Provider consent UX.    |
+   +-------------+--------+-------------------+------------------------+
+   |*Version*    |Integer |version            |(OPTIONAL) If present   |
+   |             |        |                   |this represents a       |
+   |             |        |                   |version of the template |
+   |             |        |                   |and should be increased |
+   |             |        |                   |with each update of the |
+   |             |        |                   |template content.  This |
+   |             |        |                   |value is mainly         |
+   |             |        |                   |informational to improve|
+   |             |        |                   |communication and       |
+   |             |        |                   |transparency between    |
+   |             |        |                   |providers.              |
+   +-------------+--------+-------------------+------------------------+
+   |*Logo*       |String  |logoUrl            |(OPTIONAL) A graphical  |
+   |             |        |                   |logo representing the   |
+   |             |        |                   |Service Provider and/or |
+   |             |        |                   |Service for use in any  |
+   |             |        |                   |web-based flow.  If     |
+   |             |        |                   |present this may be     |
+   |             |        |                   |displayed to the user on|
+   |             |        |                   |the DNS Provider consent|
+   |             |        |                   |UX.                     |
+   +-------------+--------+-------------------+------------------------+
+   |*Description*|Text    |description        |(OPTIONAL) A textual    |
+   |             |        |                   |description of what this|
+   |             |        |                   |template attempts to do.|
+   |             |        |                   |This is meant to assist |
+   |             |        |                   |developers and must not |
+   |             |        |                   |be displayed to the     |
+   |             |        |                   |user.                   |
+   +-------------+--------+-------------------+------------------------+
+   |*Variable    |Text    |variableDescription|(OPTIONAL) A textual    |
+
+
+
+Kowalik, et al.          Expires 23 January 2025               [Page 38]
+
+Internet-Draft               Domain Connect                    July 2024
+
+
+   |Description* |        |                   |description of what the |
+   |             |        |                   |variables are.  This is |
+   |             |        |                   |meant to assist         |
+   |             |        |                   |developers and must not |
+   |             |        |                   |be displayed to the     |
+   |             |        |                   |user.                   |
+   +-------------+--------+-------------------+------------------------+
+   |*Synchronous |Boolean |syncBlock          |(OPTIONAL) Indicates    |
+   |Block*       |        |                   |that the synchronous    |
+   |             |        |                   |protocol must be        |
+   |             |        |                   |disabled for this       |
+   |             |        |                   |template.  The default  |
+   |             |        |                   |for this is false.      |
+   +-------------+--------+-------------------+------------------------+
+   |*Shared*     |Boolean |shared             |(OPTIONAL) This flag has|
+   |             |        |                   |been deprecated.  It    |
+   |             |        |                   |used to indicate that   |
+   |             |        |                   |the template allowed a  |
+   |             |        |                   |dynamic providerName on |
+   |             |        |                   |the query string.  It is|
+   |             |        |                   |replaced with the       |
+   |             |        |                   |sharedProviderName flag |
+   |             |        |                   |in v2.2 of the spec.    |
+   +-------------+--------+-------------------+------------------------+
+   |*Shared      |Boolean |sharedProviderName |(OPTIONAL) This flag    |
+   |Provider     |        |                   |indicates that the      |
+   |Name*        |        |                   |template allows the     |
+   |             |        |                   |caller to pass in       |
+   |             |        |                   |additional information  |
+   |             |        |                   |for the providerName.   |
+   |             |        |                   |This information should |
+   |             |        |                   |augment the display of  |
+   |             |        |                   |the providerName from   |
+   |             |        |                   |the template.  The      |
+   |             |        |                   |default for this is     |
+   |             |        |                   |false.  For backward    |
+   |             |        |                   |compatability with DNS  |
+   |             |        |                   |Providers not at V2.2 of|
+   |             |        |                   |the spec it is          |
+   |             |        |                   |recommended that the    |
+   |             |        |                   |shared flag also be set.|
+   +-------------+--------+-------------------+------------------------+
+   |*Shared      |Boolean |sharedServiceName  |(OPTIONAL) This flag    |
+   |Service Name*|        |                   |indicates that the      |
+   |             |        |                   |template allows the     |
+   |             |        |                   |caller to pass in       |
+   |             |        |                   |additional information  |
+   |             |        |                   |for the serviceName.    |
+
+
+
+Kowalik, et al.          Expires 23 January 2025               [Page 39]
+
+Internet-Draft               Domain Connect                    July 2024
+
+
+   |             |        |                   |This information should |
+   |             |        |                   |augment the display of  |
+   |             |        |                   |the serviceName from the|
+   |             |        |                   |template.  The default  |
+   |             |        |                   |for this is false.      |
+   +-------------+--------+-------------------+------------------------+
+   |*Synchronous |String  |syncPubKeyDomain   |(OPTIONAL) When present,|
+   |Public Key   |        |                   |indicates that calls to |
+   |Domain*      |        |                   |apply a template        |
+   |             |        |                   |synchronously must be   |
+   |             |        |                   |digitally signed.  The  |
+   |             |        |                   |value indicates the     |
+   |             |        |                   |domain name for querying|
+   |             |        |                   |the TXT record from DNS |
+   |             |        |                   |that contains the public|
+   |             |        |                   |key used for signing.   |
+   +-------------+--------+-------------------+------------------------+
+   |*Synchronous |String  |syncRedirectDomain |(OPTIONAL) When present,|
+   |Redirect     |        |                   |this is a comma         |
+   |Domains*     |        |                   |separated list of domain|
+   |             |        |                   |names for which         |
+   |             |        |                   |redirects must be sent  |
+   |             |        |                   |to after applying a     |
+   |             |        |                   |template for the        |
+   |             |        |                   |synchronous flow.       |
+   +-------------+--------+-------------------+------------------------+
+   |*Multiple    |Boolean |multiInstance      |(OPTIONAL) Defaults to  |
+   |Instance*    |        |                   |False.  When set to     |
+   |             |        |                   |True, it indicates that |
+   |             |        |                   |the template may be     |
+   |             |        |                   |applied multiple times. |
+   |             |        |                   |This only impacts DNS   |
+   |             |        |                   |Providers that maintain |
+   |             |        |                   |template state in DNS.  |
+   +-------------+--------+-------------------+------------------------+
+   |*Warn        |Boolean |warnPhishing       |(OPTIONAL) When present,|
+   |Phishing*    |        |                   |this tells the DNS      |
+   |             |        |                   |Provider that the       |
+   |             |        |                   |template may contain    |
+   |             |        |                   |variables susceptible to|
+   |             |        |                   |phishing attacks and the|
+   |             |        |                   |provider is unable to   |
+   |             |        |                   |digitally sign the      |
+   |             |        |                   |requests.  When set the |
+   |             |        |                   |DNS Provider should     |
+   |             |        |                   |display warnings to the |
+   |             |        |                   |user.  The default value|
+   |             |        |                   |for this is false.      |
+
+
+
+Kowalik, et al.          Expires 23 January 2025               [Page 40]
+
+Internet-Draft               Domain Connect                    July 2024
+
+
+   +-------------+--------+-------------------+------------------------+
+   |*Host        |Boolean |hostRequired       |(OPTIONAL) Defaults to  |
+   |Required*    |        |                   |false.  When present    |
+   |             |        |                   |this indicates that the |
+   |             |        |                   |template has been       |
+   |             |        |                   |authored to work only   |
+   |             |        |                   |when both domain and    |
+   |             |        |                   |host are provided.  An  |
+   |             |        |                   |example where this would|
+   |             |        |                   |be true would be a      |
+   |             |        |                   |template where CNAME is |
+   |             |        |                   |set on the fully        |
+   |             |        |                   |qualified domain name.  |
+   |             |        |                   |This is largely         |
+   |             |        |                   |informational, as most  |
+   |             |        |                   |DNS Providers already   |
+   |             |        |                   |enforce such rules.     |
+   +-------------+--------+-------------------+------------------------+
+   |*Template    |Array of|records            |(REQUIRED) A list of    |
+   |Records*     |Template|                   |records for the         |
+   |             |Records |                   |template.               |
+   +-------------+--------+-------------------+------------------------+
 
               Table 13: properties of the template definition
 
-5.3.  Template Record
+8.3.  Template Record
 
    Each template record is an entry that contains a type and several
    other values depending on the type.
@@ -2180,15 +2293,14 @@ Internet-Draft               Domain Connect                   April 2022
 
 
 
-
-Carney, et al.           Expires 29 October 2022               [Page 39]
+Kowalik, et al.          Expires 23 January 2025               [Page 41]
 
-Internet-Draft               Domain Connect                   April 2022
+Internet-Draft               Domain Connect                    July 2024
 
 
-   Note: The trailing dot here is similar to the bind protocol, which
+   Note: The trailing dot here is similar to the bind notation, which
    indicates the value is absolute.  Without the trailing ".", the value
-   in this field is relative to the [host.]domain.com value.
+   in this field is relative to the [host.]example.com value.
 
    For the pointsTo/data field it is a shortcut for for the "%fqdn%".
    When appling the template to a domain only, it represents
@@ -2214,183 +2326,226 @@ Internet-Draft               Domain Connect                   April 2022
 
    Each record will contain the following elements.
 
-   +===========+======+=========================+=========================+
-   |Data       |Type  |Key                      |Description              |
-   |Element    |      |                         |                         |
-   +===========+======+=========================+=========================+
-   |*Type*     |enum  |type                     |Describes the type of    |
-   |           |      |                         |record in DNS, or the    |
-   |           |      |                         |operation impacting DNS. |
-   |           |      |                         |Valid values include: A, |
-   |           |      |                         |AAAA, CNAME, MX, TXT,    |
-   |           |      |                         |SRV, or SPFM For each    |
-   |           |      |                         |type, additional fields  |
-   |           |      |                         |would be required.  A:   |
-   |           |      |                         |host, pointsTo, TTL AAAA:|
-   |           |      |                         |host, pointsTo, TTL      |
-   |           |      |                         |CNAME: host, pointsTo,   |
-   |           |      |                         |TTL (host must not be    |
-   |           |      |                         |null or @) NS: host,     |
-   |           |      |                         |pointsTo, TTL (host must |
-   |           |      |                         |not be null or @) TXT:   |
-   |           |      |                         |host, data, TTL,         |
-
-
-
-Carney, et al.           Expires 29 October 2022               [Page 40]
-
-Internet-Draft               Domain Connect                   April 2022
-
-
-   |           |      |                         |txtConflictMatchingMode, |
-   |           |      |                         |txtConflictMatchingPrefix|
-   |           |      |                         |MX: host, pointsTo, TTL, |
-   |           |      |                         |priority SRV: name,      |
-   |           |      |                         |target, TTL, priority,   |
-   |           |      |                         |protocol, service,       |
-   |           |      |                         |weight, port SPFM: host, |
-   |           |      |                         |spfRules                 |
-   +-----------+------+-------------------------+-------------------------+
-   |*Group Id* |String|groupId                  |(OPTIONAL) This parameter|
-   |           |      |                         |identifies the group the |
-   |           |      |                         |record belongs to when   |
-   |           |      |                         |applying changes.  This  |
-   |           |      |                         |must not contain         |
-   |           |      |                         |variables.               |
-   +-----------+------+-------------------------+-------------------------+
-   |*Essential*|enum  |essential                |(OPTIONAL) This parameter|
-   |           |      |                         |indicates how the record |
-   |           |      |                         |is treated during        |
-   |           |      |                         |conflict detection with  |
-   |           |      |                         |existing templates.  If  |
-   |           |      |                         |the DNS Provider is not  |
-   |           |      |                         |implementing applied     |
-   |           |      |                         |template state in DNS    |
-   |           |      |                         |this is ignored.  Always |
-   |           |      |                         |(default) - record MUST  |
-   |           |      |                         |be applied and kept with |
-   |           |      |                         |the template OnApply -   |
-   |           |      |                         |record MUST be applied   |
-   |           |      |                         |but can be later removed |
-   |           |      |                         |without dropping the     |
-   |           |      |                         |whole template           |
-   +-----------+------+-------------------------+-------------------------+
-   |*Host*     |String|host                     |The host for A, AAAA,    |
-   |           |      |                         |CNAME, NS, TXT, and MX   |
-   |           |      |                         |values.  This value is   |
-   |           |      |                         |relative to the applied  |
-   |           |      |                         |host and domain, unless  |
-   |           |      |                         |trailed by a ".".  A     |
-   |           |      |                         |value of empty or @      |
-   |           |      |                         |indicates the root of the|
-   |           |      |                         |applied host and domain. |
-   |           |      |                         |In other words           |
-   |           |      |                         |"[host.]domain.com.".    |
-   |           |      |                         |This value should not    |
-   |           |      |                         |contain variables unless |
-   |           |      |                         |absolutely necessary.    |
-   |           |      |                         |This is discussed below. |
-
-
-
-Carney, et al.           Expires 29 October 2022               [Page 41]
-
-Internet-Draft               Domain Connect                   April 2022
-
-
-   +-----------+------+-------------------------+-------------------------+
-   |*Name*     |String|name                     |The name for the SRV     |
-   |           |      |                         |record.  This value is   |
-   |           |      |                         |relative to the applied  |
-   |           |      |                         |host and domain.  A value|
-   |           |      |                         |of empty or @ indicates  |
-   |           |      |                         |the root of the applied  |
-   |           |      |                         |host and domain.  This   |
-   |           |      |                         |value should not contain |
-   |           |      |                         |variables unless         |
-   |           |      |                         |absolutely necessary.    |
-   |           |      |                         |This is discussed below. |
-   +-----------+------+-------------------------+-------------------------+
-   |*Points To*|String|pointsTo                 |The pointsTo location for|
-   |           |      |                         |A, AAAA, CNAME, NS and MX|
-   |           |      |                         |records.  A value of     |
-   |           |      |                         |empty or @ indicates the |
-   |           |      |                         |host and domain name     |
-   |           |      |                         |being applied or         |
-   |           |      |                         |[host.]domain.com        |
-   +-----------+------+-------------------------+-------------------------+
-   |*TTL*      |Int   |ttl                      |The time-to-live for the |
-   |           |      |                         |record in DNS.  Valid for|
-   |           |      |                         |A, AAAA, CNAME, NS, TXT, |
-   |           |      |                         |MX, and SRV records.     |
-   |           |      |                         |This must not contain    |
-   |           |      |                         |variables.               |
-   +-----------+------+-------------------------+-------------------------+
-   |*Data*     |String|data                     |The data for a TXT record|
-   |           |      |                         |in DNS.  A value of empty|
-   |           |      |                         |or @ indicates the host  |
-   |           |      |                         |and domain name being    |
-   |           |      |                         |applied or               |
-   |           |      |                         |[host.]domain.com        |
-   +-----------+------+-------------------------+-------------------------+
-   |*TXT       |String|txtConflictMatchingMode  |Describes how conflicts  |
-   |Conflict   |      |                         |on the TXT record are    |
-   |Matching   |      |                         |detected.  Possible      |
-   |Mode*      |      |                         |values are None, All, or |
-   |           |      |                         |Prefix.  The default     |
-   |           |      |                         |value is None.  See below|
-   |           |      |                         |(Section 6.3).           |
-   +-----------+------+-------------------------+-------------------------+
-   |*TXT       |String|txtConflictMatchingPrefix|The prefix to detect     |
-   |Conflict   |      |                         |conflicts when           |
-   |Matching   |      |                         |txtConflictMatchingMode  |
-   |Prefix*    |      |                         |is "Prefix".  This must  |
-   |           |      |                         |not contain variables.   |
-
-
-
-Carney, et al.           Expires 29 October 2022               [Page 42]
-
-Internet-Draft               Domain Connect                   April 2022
-
-
-   |           |      |                         |See below (Section 6.3). |
-   +-----------+------+-------------------------+-------------------------+
-   |*Priority* |Int   |priority                 |The priority for an MX or|
-   |           |      |                         |SRV record.  This must   |
-   |           |      |                         |not contain variables.   |
-   +-----------+------+-------------------------+-------------------------+
-   |*Weight*   |Int   |weight                   |The weight for the SRV   |
-   |           |      |                         |record.  This must not   |
-   |           |      |                         |contain variables.       |
-   +-----------+------+-------------------------+-------------------------+
-   |*Port*     |Int   |port                     |The port for the SRV     |
-   |           |      |                         |record.  This must not   |
-   |           |      |                         |contain variables.       |
-   +-----------+------+-------------------------+-------------------------+
-   |*Protocol* |String|protocol                 |The protocol for the SRV |
-   |           |      |                         |record.                  |
-   +-----------+------+-------------------------+-------------------------+
-   |*Service*  |String|service                  |The symbolic name for the|
-   |           |      |                         |SRV record.              |
-   +-----------+------+-------------------------+-------------------------+
-   |*Target*   |String|target                   |The target for the SRV   |
-   |           |      |                         |record.                  |
-   +-----------+------+-------------------------+-------------------------+
-   |*SPF Rules*|String|spfRules                 |These are desired rules  |
-   |           |      |                         |for the SPF TXT record.  |
-   |           |      |                         |These rules will be      |
-   |           |      |                         |merged with other SPFM   |
-   |           |      |                         |records into final SPF   |
-   |           |      |                         |TXT record.  See         |
-   |           |      |                         |Section 6.10.            |
-   +-----------+------+-------------------------+-------------------------+
+   +===========+======+=========================+======================+
+   |Data       |Type  |Key                      |Description           |
+   |Element    |      |                         |                      |
+   +===========+======+=========================+======================+
+   |*Type*     |enum  |type                     |(REQUIRED) Describes  |
+   |           |      |                         |the type of record in |
+   |           |      |                         |DNS, or the operation |
+   |           |      |                         |impacting DNS.        |
+   |           |      |                         |Valid values include: |
+   |           |      |                         |A, AAAA, CNAME, MX,   |
+   |           |      |                         |TXT, SRV, or SPFM     |
+   |           |      |                         |For each type,        |
+   |           |      |                         |additional fields     |
+   |           |      |                         |would be REQUIRED.    |
+   |           |      |                         |* A: host, pointsTo,  |
+   |           |      |                         |TTL                   |
+   |           |      |                         |* AAAA: host,         |
+   |           |      |                         |pointsTo, TTL         |
+   |           |      |                         |* CNAME: host,        |
+   |           |      |                         |pointsTo, TTL (host   |
+
+
+
+Kowalik, et al.          Expires 23 January 2025               [Page 42]
+
+Internet-Draft               Domain Connect                    July 2024
+
+
+   |           |      |                         |must not be null or @ |
+   |           |      |                         |unless hostRequired is|
+   |           |      |                         |defined true for the  |
+   |           |      |                         |template)             |
+   |           |      |                         |* NS: host, pointsTo, |
+   |           |      |                         |TTL (host must not be |
+   |           |      |                         |null or @ unless      |
+   |           |      |                         |hostRequired is       |
+   |           |      |                         |defined true for the  |
+   |           |      |                         |template)             |
+   |           |      |                         |* TXT: host, data,    |
+   |           |      |                         |TTL, txtConflict-     |
+   |           |      |                         |MatchingMode,         |
+   |           |      |                         |txtConflict-          |
+   |           |      |                         |MatchingPrefix        |
+   |           |      |                         |* MX: host, pointsTo, |
+   |           |      |                         |TTL, priority         |
+   |           |      |                         |* SRV: name, target,  |
+   |           |      |                         |TTL, priority,        |
+   |           |      |                         |protocol, service,    |
+   |           |      |                         |weight, port          |
+   |           |      |                         |* SPFM: host, spfRules|
+   +-----------+------+-------------------------+----------------------+
+   |*Group Id* |String|groupId                  |(OPTIONAL) This       |
+   |           |      |                         |parameter identifies  |
+   |           |      |                         |the group the record  |
+   |           |      |                         |belongs to when       |
+   |           |      |                         |applying changes.     |
+   |           |      |                         |This must not contain |
+   |           |      |                         |variables.            |
+   +-----------+------+-------------------------+----------------------+
+   |*Essential*|enum  |essential                |(OPTIONAL) This       |
+   |           |      |                         |parameter indicates   |
+   |           |      |                         |how the record is     |
+   |           |      |                         |treated during        |
+   |           |      |                         |conflict detection    |
+   |           |      |                         |with existing         |
+   |           |      |                         |templates.            |
+   |           |      |                         |If the DNS Provider is|
+   |           |      |                         |not implementing      |
+   |           |      |                         |applied template state|
+   |           |      |                         |in DNS this is        |
+   |           |      |                         |ignored.              |
+   |           |      |                         |Always (default) -    |
+   |           |      |                         |record MUST be applied|
+   |           |      |                         |and kept with the     |
+   |           |      |                         |template              |
+   |           |      |                         |OnApply - record MUST |
+
+
+
+Kowalik, et al.          Expires 23 January 2025               [Page 43]
+
+Internet-Draft               Domain Connect                    July 2024
+
+
+   |           |      |                         |be applied but can be |
+   |           |      |                         |later removed without |
+   |           |      |                         |dropping the whole    |
+   |           |      |                         |template              |
+   +-----------+------+-------------------------+----------------------+
+   |*Host*     |String|host                     |(REQUIRED) The host   |
+   |           |      |                         |for A, AAAA, CNAME,   |
+   |           |      |                         |NS, TXT, and MX       |
+   |           |      |                         |values.               |
+   |           |      |                         |This value is relative|
+   |           |      |                         |to the applied host   |
+   |           |      |                         |and domain, unless    |
+   |           |      |                         |trailed by a ".".     |
+   |           |      |                         |A value of empty or @ |
+   |           |      |                         |indicates the root of |
+   |           |      |                         |the applied host and  |
+   |           |      |                         |domain.  In other     |
+   |           |      |                         |words                 |
+   |           |      |                         |"[host.]example.com.".|
+   |           |      |                         |This value should not |
+   |           |      |                         |contain variables     |
+   |           |      |                         |unless absolutely     |
+   |           |      |                         |necessary.  This is   |
+   |           |      |                         |discussed below.      |
+   +-----------+------+-------------------------+----------------------+
+   |*Name*     |String|name                     |The name for the SRV  |
+   |           |      |                         |record.               |
+   |           |      |                         |This value is relative|
+   |           |      |                         |to the applied host   |
+   |           |      |                         |and domain.  A value  |
+   |           |      |                         |of empty or @         |
+   |           |      |                         |indicates the root of |
+   |           |      |                         |the applied host and  |
+   |           |      |                         |domain.               |
+   |           |      |                         |This value should not |
+   |           |      |                         |contain variables     |
+   |           |      |                         |unless absolutely     |
+   |           |      |                         |necessary.  This is   |
+   |           |      |                         |discussed below.      |
+   +-----------+------+-------------------------+----------------------+
+   |*Points To*|String|pointsTo                 |The pointsTo location |
+   |           |      |                         |for A, AAAA, CNAME, NS|
+   |           |      |                         |and MX records.       |
+   |           |      |                         |A value of empty or @ |
+   |           |      |                         |indicates the host and|
+   |           |      |                         |domain name being     |
+   |           |      |                         |applied or            |
+   |           |      |                         |[host.]example.com    |
+
+
+
+Kowalik, et al.          Expires 23 January 2025               [Page 44]
+
+Internet-Draft               Domain Connect                    July 2024
+
+
+   +-----------+------+-------------------------+----------------------+
+   |*TTL*      |Int   |ttl                      |The time-to-live for  |
+   |           |      |                         |the record in DNS.    |
+   |           |      |                         |Valid for A, AAAA,    |
+   |           |      |                         |CNAME, NS, TXT, MX,   |
+   |           |      |                         |and SRV records.  This|
+   |           |      |                         |must not contain      |
+   |           |      |                         |variables.            |
+   +-----------+------+-------------------------+----------------------+
+   |*Data*     |String|data                     |The data for a TXT    |
+   |           |      |                         |record in DNS.  A     |
+   |           |      |                         |value of empty or @   |
+   |           |      |                         |indicates the host and|
+   |           |      |                         |domain name being     |
+   |           |      |                         |applied or            |
+   |           |      |                         |[host.]example.com    |
+   +-----------+------+-------------------------+----------------------+
+   |*TXT       |String|txtConflictMatchingMode  |Describes how         |
+   |Conflict   |      |                         |conflicts on the TXT  |
+   |Matching   |      |                         |record are detected.  |
+   |Mode*      |      |                         |Possible values are   |
+   |           |      |                         |None, All, or Prefix. |
+   |           |      |                         |The default value is  |
+   |           |      |                         |None.  See below      |
+   |           |      |                         |(Section 9.3).        |
+   +-----------+------+-------------------------+----------------------+
+   |*TXT       |String|txtConflictMatchingPrefix|The prefix to detect  |
+   |Conflict   |      |                         |conflicts when        |
+   |Matching   |      |                         |txtConflict-          |
+   |Prefix*    |      |                         |MatchingMode is       |
+   |           |      |                         |"Prefix".  This must  |
+   |           |      |                         |not contain variables.|
+   |           |      |                         |See below             |
+   |           |      |                         |(Section 9.3).        |
+   +-----------+------+-------------------------+----------------------+
+   |*Priority* |Int   |priority                 |The priority for an MX|
+   |           |      |                         |or SRV record.  This  |
+   |           |      |                         |must not contain      |
+   |           |      |                         |variables.            |
+   +-----------+------+-------------------------+----------------------+
+   |*Weight*   |Int   |weight                   |The weight for the SRV|
+   |           |      |                         |record.  This must not|
+   |           |      |                         |contain variables.    |
+   +-----------+------+-------------------------+----------------------+
+   |*Port*     |Int   |port                     |The port for the SRV  |
+   |           |      |                         |record.  This must not|
+   |           |      |                         |contain variables.    |
+   +-----------+------+-------------------------+----------------------+
+
+
+
+Kowalik, et al.          Expires 23 January 2025               [Page 45]
+
+Internet-Draft               Domain Connect                    July 2024
+
+
+   |*Protocol* |String|protocol                 |The protocol for the  |
+   |           |      |                         |SRV record.           |
+   +-----------+------+-------------------------+----------------------+
+   |*Service*  |String|service                  |The symbolic name for |
+   |           |      |                         |the SRV record.       |
+   +-----------+------+-------------------------+----------------------+
+   |*Target*   |String|target                   |The target for the SRV|
+   |           |      |                         |record.               |
+   +-----------+------+-------------------------+----------------------+
+   |*SPF Rules*|String|spfRules                 |These are desired     |
+   |           |      |                         |rules for the SPF TXT |
+   |           |      |                         |record.  These rules  |
+   |           |      |                         |will be merged with   |
+   |           |      |                         |other SPFM records    |
+   |           |      |                         |into final SPF TXT    |
+   |           |      |                         |record.  See          |
+   |           |      |                         |Section 9.10.         |
+   +-----------+------+-------------------------+----------------------+
 
            Table 14: properties of the template record definition
 
-6.  Template Considerations
+9.  Template Considerations
 
-6.1.  Template State in DNS
+9.1.  Template State in DNS
 
    DNS Providers may chose to maintain state inside records in DNS
    indicating the templates writing the records.  Other providers may
@@ -2403,14 +2558,7 @@ Internet-Draft               Domain Connect                   April 2022
    To make the implementation burden reasonable for DNS Providers,
    Domain Connect does not dictate the approach.
 
-
-
-Carney, et al.           Expires 29 October 2022               [Page 43]
-
-Internet-Draft               Domain Connect                   April 2022
-
-
-6.2.  Disclosure of Changes and Conflicts
+9.2.  Disclosure of Changes and Conflicts
 
    It is left to the discretion of the DNS Provider to determine what is
    disclosed to the user when granting permission and/or applying
@@ -2422,6 +2570,14 @@ Internet-Draft               Domain Connect                   April 2022
    to display the records being set.  And another may progressively
    display both.
 
+
+
+
+Kowalik, et al.          Expires 23 January 2025               [Page 46]
+
+Internet-Draft               Domain Connect                    July 2024
+
+
    For conflict detection, one DNS Provider may simply overwrite changed
    records without warning.  Another may detect conflicts and warn the
    user of the records that will change.  And another may implement
@@ -2458,14 +2614,6 @@ Internet-Draft               Domain Connect                   April 2022
 
    A reasonable set of recommendations for the UX might consist of:
 
-
-
-
-Carney, et al.           Expires 29 October 2022               [Page 44]
-
-Internet-Draft               Domain Connect                   April 2022
-
-
    *  The consent UX should inform the customer of the service that will
       be enabled.  If the customer want to know the specifics, the DNS
       Provider could provide a "show details" link to the user.  This
@@ -2478,7 +2626,15 @@ Internet-Draft               Domain Connect                   April 2022
       records, this would be records that would be deleted or
       overwritten.  This could be progressively disclosed.
 
-6.3.  Record Types and Conflicts
+
+
+
+Kowalik, et al.          Expires 23 January 2025               [Page 47]
+
+Internet-Draft               Domain Connect                    July 2024
+
+
+9.3.  Record Types and Conflicts
 
    Conflict detection done by the DNS provider prior to template
    application has to take into consideration specifics of each DNS
@@ -2513,16 +2669,9 @@ Internet-Draft               Domain Connect                   April 2022
          other TXT record
 
       -  Prefix: This indicates that TXT record conflict with any other
-         TXT containing value starting with txtConfictMatchingPrefix
-
-
-
-Carney, et al.           Expires 29 October 2022               [Page 45]
-
-Internet-Draft               Domain Connect                   April 2022
+         TXT containing value starting with txtConflictMatchingPrefix
 
-
-6.4.  Apply, Re-apply, and Multi-Instance
+9.4.  Apply, Re-apply, and Multi-Instance
 
    There is an additional consideration for DNS Providers that maintain
    the state of an applied template when re-applying a template.
@@ -2531,9 +2680,19 @@ Internet-Draft               Domain Connect                   April 2022
    when re-applying a template such a DNS Provider should remove the
    previously applied template on the same host.
 
+
+
+
+
+
+Kowalik, et al.          Expires 23 January 2025               [Page 48]
+
+Internet-Draft               Domain Connect                    July 2024
+
+
    This may not be desireable for all templates, as a limited set of
    templates are designed to be applied multiple times.  To faciliate
-   this the template can have the flag multiInstance (Section 5.2) set.
+   this the template can have the flag multiInstance (Section 8.2) set.
    This tells the DNS Provider that the template is expected to be
    written multiple times and that a re-apply must not remove previous
    instances.
@@ -2543,7 +2702,7 @@ Internet-Draft               Domain Connect                   April 2022
    state must rely on the normal conflict resolution rules, and this
    flag has no impact.
 
-6.5.  Non-essential records
+9.5.  Non-essential records
 
    Typically a template specifies a list of DNS records which are
    required for the service.  There may be cases where some records are
@@ -2552,60 +2711,55 @@ Internet-Draft               Domain Connect                   April 2022
    application of another template) should not trigger conflict
    detection.
 
-   This can be controlled by the essential (Section 5.3) property of a
+   This can be controlled by the essential (Section 8.3) property of a
    record in the template.
 
    Again, this setting only impacts DNS Providers that maintain applied
    template state.
 
-6.6.  Template Scope
+9.6.  Template Scope
 
    For DNS Providers that maintain template state, an individual
    template is scoped to the set of records applied to a fully qualified
    domain.  This includes the root domain and the host (aka sub-domain)
    at apply time.
 
+   As an example, if a template is applied on domain=example.com=sub1 a
+   later application of the template on domain=example.com=sub2 must be
+   treated as a distinct template.  If a conflict is detected later with
+   the records set into "sub2.example.com", only the records set with
+   this template would be removed.
 
+9.7.  Host/Name in Template
 
+   Template records contain the host name of the record to set into the
+   zone (called name for SRV records).  This value must be considered
+   relative to the domain/host when the template is applied, unless
+   followed by a trailing ".".
 
 
 
 
 
-
-Carney, et al.           Expires 29 October 2022               [Page 46]
+Kowalik, et al.          Expires 23 January 2025               [Page 49]
 
-Internet-Draft               Domain Connect                   April 2022
-
+Internet-Draft               Domain Connect                    July 2024
 
-   As an example, if a template is applied on
-   domain=example.com&host=sub1 a later application of the template on
-   domain=example.com&host=sub2 must be treated as a distinct template.
-   If a conflict is detected later with the records set into
-   "sub2.example.com", only the records set with this template would be
-   removed.
-
-6.7.  Host/Name in Template
-
-   Template records contain the host name of the record to set into the
-   zone (called name for SRV records).  This value must be considered
-   relative to the domain/host when the template is applied, unless
-   followed by a trailing ".".
 
    Consider a template record of type A with a host value of "xyz".
-   When the template is applied to a domain=foo.com and an empty host
-   value, the resulting zone after the template is applied will contain
-   an A record of "xyz" (or "xyz.foo.com." in bind format).
+   When the template is applied to a domain=example.com and an empty
+   host value, the resulting zone after the template is applied will
+   contain an A record of "xyz" (or "xyz.example.com." in bind format).
 
-   If the same template is applied to a domain=foo.com and host=bar, the
-   zone will contain an A record of "xyz.bar" (or "xyz.bar.foo.com." in
-   bind format).
+   If the same template is applied to a domain=example.com and host=bar,
+   the zone will contain an A record of "xyz.bar" (or
+   "xyz.bar.example.com." in bind format).
 
    A value of @ for host in the template is a placeholder for an empty
-   value.  In other words @ would point to "bar.foo.com." when the same
-   template is applied to domain=foo.com and host=bar.
+   value.  In other words @ would point to "bar.example.com." when the
+   same template is applied to domain=example.com and host=bar.
 
-6.8.  PointsTo in Template
+9.8.  PointsTo in Template
 
    Template records of certain types contain the pointsTo value to set
    in the zone.  For record types such as CNAME where this can be a
@@ -2615,42 +2769,43 @@ Internet-Draft               Domain Connect                   April 2022
    fully qualified domain name of the domain/host being applied.
 
    Consider a template record of type CNAME with a pointsTo value of
-   "@".  After a template of domain=foo.com and an empty host is
+   "@".  After a template of domain=example.com and an empty host is
    applied, the pointsTo value (or corresponding field) in the resulting
-   zone would be "foo.com".  After a template of domain=foo.com with
-   host=bar is applied, the points to value would be "bar.foo.com".
+   zone would be "example.com".  After a template of domain=example.com
+   with host=bar is applied, the points to value would be
+   "bar.example.com".
 
    Any domain in a pointsTo field in a template must be considered fully
    qualified and not relative.
 
+9.9.  Variables
 
+9.9.1.  Variables and Host/Name in Template
 
+   While templates do allow for variables in a host or name field
+   values, these should be used very sparingly.
 
+   As an example, consider setting up hosting for a site.  But instead
+   of applying the template to a domain/host, the name of the host is
+   placed as a variable in the template.
 
+   Such a template might contain an A record of the form:
 
 
-Carney, et al.           Expires 29 October 2022               [Page 47]
-
-Internet-Draft               Domain Connect                   April 2022
 
 
-6.9.  Variables
 
-6.9.1.  Variables and Host/Name in Template
 
-   While templates do allow for variables in a host or name field
-   values, these should be used very sparingly.
 
-   As an example, consider setting up hosting for a site.  But instead
-   of applying the template to a domain/host, the name of the host is
-   placed as a variable in the template.
+Kowalik, et al.          Expires 23 January 2025               [Page 50]
+
+Internet-Draft               Domain Connect                    July 2024
 
-   Such a template might contain an A record of the form:
 
    {
        "type": "A",
        "host": "%var%",
-       "pointsTo": "2.2.2.2",
+       "pointsTo": "192.0.2.2",
        "ttl": 1800
    }
 
@@ -2665,10 +2820,10 @@ Internet-Draft               Domain Connect                   April 2022
    providers that maintain template state would remove previous
    instances of the template before re-application.  This means applying
    this template with var=sub would result in the A record for
-   sub.example.com to be set to the value 2.2.2.2.  Later, applying the
-   template on "example.com" with the var=sub2 should remove the old
+   sub.example.com to be set to the value 192.0.2.2.  Later, applying
+   the template on "example.com" with the var=sub2 should remove the old
    template before setting the new one. sub.example.com would be
-   removed, and sub2.example.com would be set to the value 2.2.2.2.
+   removed, and sub2.example.com would be set to the value 192.0.2.2.
 
    Furthermore, determining conflicts would be impossible when the user
    is granting consent for asynchronous operations (OAuth).  This is
@@ -2680,16 +2835,6 @@ Internet-Draft               Domain Connect                   April 2022
    specific host values, whose value is later specified when applying
    the template.
 
-
-
-
-
-
-Carney, et al.           Expires 29 October 2022               [Page 48]
-
-Internet-Draft               Domain Connect                   April 2022
-
-
    Note: There are some templates that utilize CNAME or TXT records with
    host values containing some form of user identification for
    validation of domain ownership, and these are often passed in
@@ -2698,19 +2843,26 @@ Internet-Draft               Domain Connect                   April 2022
    To support this use case, variables are allowed for the host name.
    But only in this limited circumstance.
 
-6.9.2.  Variable Values
+9.9.2.  Variable Values
 
    To allow for the use of the host name or domain name in templates,
    the values of %host% and %domain% are available.  A third value of
    %fqdn% is also available.  This value is the result of combining the
    host and domain name with the necessary ".".
 
-   For example, with the query string "domain=example.com&host=", %fqdn%
-   in a template would be "example.com", and with
-   "domain=example.com&host=sub1", %fqdn% in a template would be
-   "sub1.example.com".
 
-6.9.3.  Variables and Security
+
+
+Kowalik, et al.          Expires 23 January 2025               [Page 51]
+
+Internet-Draft               Domain Connect                    July 2024
+
+
+   For example, with the query string "domain=example.com=", %fqdn% in a
+   template would be "example.com", and with "domain=example.com=sub1",
+   %fqdn% in a template would be "sub1.example.com".
+
+9.9.3.  Variables and Security
 
    As discussed, with variables consideration is necessary to prevent
    certain styles of phishing attacks.
@@ -2721,7 +2873,7 @@ Internet-Draft               Domain Connect                   April 2022
 
    Mitigations to this are discussed above.
 
-6.9.4.  Variable Examples
+9.9.4.  Variable Examples
 
    Example template:
 
@@ -2734,42 +2886,42 @@ Internet-Draft               Domain Connect                   April 2022
    {
        "type": "A",
        "host": "@",
-       "pointsTo": "1.1.1.1",
+       "pointsTo": "192.0.2.1",
        "ttl": 1800
    }]
 
+   Template applied with _domain_=example.com and _host_ parameter
+   missing or empty:
 
+   www 1800 IN CNAME example.com.
+   @   1800 IN A 192.0.2.1
 
+   _alternatively_
 
-Carney, et al.           Expires 29 October 2022               [Page 49]
-
-Internet-Draft               Domain Connect                   April 2022
+   www.example.com.    1800 IN CNAME example.com.
+   example.com.        1800 IN A 192.0.2.1
 
+   Template applied with _domain_=example.com and _host_=bar:
 
-   Template applied with _domain_=foo.com and _host_ parameter missing
-   or empty:
+   www.bar 1800 IN CNAME bar.example.com.
+   bar     1800 IN A 192.0.2.1
 
-   www 1800 IN CNAME foo.com.
-   @   1800 IN A 1.1.1.1
 
-   _alternatively_
 
-   www.foo.com.    1800 IN CNAME foo.com.
-   foo.com.        1800 IN A 1.1.1.1
 
-   Template applied with _domain_=foo.com and _host_=bar:
+Kowalik, et al.          Expires 23 January 2025               [Page 52]
+
+Internet-Draft               Domain Connect                    July 2024
 
-   www.bar 1800 IN CNAME bar.foo.com.
-   bar     1800 IN A 1.1.1.1
 
    _alternatively_
 
-   www.bar.foo.com.    1800 IN CNAME bar.foo.com.
-   bar.foo.com.        1800 IN A 1.1.1.1
+   www.bar.example.com.    1800 IN CNAME bar.example.com.
+   bar.example.com.        1800 IN A 192.0.2.1
 
-6.10.  SPF TXT Record
+9.10.  SPF TXT Record
 
-6.10.1.  What is SPF?
+9.10.1.  What is SPF?
 
    SPF stands for Sender Policy Framework specified in [RFC7208].  It is
    a record that specifies a list of authorized host names and/or IP
@@ -2780,11 +2932,11 @@ Internet-Draft               Domain Connect                   April 2022
    a rule passes, the mail is allowed.  If it fails, it moves to the
    next rule.  Typical record might appear as:
 
-   v=spf1 include:policy.exampleprovider.com -all
+   v=spf1 include:policy.exampleprovider.example -all
 
    This is an SPF record with two rules.  The first rule indicates that
-   the rules for SPF record _policy.exampleprovider.com be included in
-   this record.  The second rule is a catch all (_all_).  The default
+   the rules for SPF record _policy.exampleprovider.example be included
+   in this record.  The second rule is a catch all (_all_).  The default
    modifier for a rule is _pass_ (+).  Other modifiers are _hard
    failure_(-), _soft failure_ (~) and _neutral_ (?).
 
@@ -2793,21 +2945,12 @@ Internet-Draft               Domain Connect                   April 2022
    classified with _hard failure_ or _soft failure_ may not be delivered
    or marked as spam.
 
-
-
-
-
-Carney, et al.           Expires 29 October 2022               [Page 50]
-
-Internet-Draft               Domain Connect                   April 2022
-
-
    The use of "all" at the end is pretty common, although some providers
    mark it as ~ (soft fail) or ? (neutral).  The reality is that a good
    SPF record is tuned based on what services are attached to a domain.
    Not just one individual service.
 
-6.10.2.  Multiple Services
+9.10.2.  Multiple Services
 
    If only one email sending service were active, the SPF record
    recommended by the provider is sufficient.  But mail from a domain
@@ -2817,8 +2960,15 @@ Internet-Draft               Domain Connect                   April 2022
    newsletter service.  Let's look at the SPF records recommended for
    individual services.
 
-   Mailer1: v=spf1 include:spf.mailer1.com -all Newsletter1: v=spf1
-   include:_spf.newsletter.net ~all
+   Mailer1: v=spf1 include:spf.mailer1.example -all Newsletter1: v=spf1
+   include:_spf.newsletter.example ~all
+
+
+
+Kowalik, et al.          Expires 23 January 2025               [Page 53]
+
+Internet-Draft               Domain Connect                    July 2024
+
 
    All of these examples use the include syntax.  This is fairly common.
    The use of all at the end is common, although is often inconsistent
@@ -2827,12 +2977,13 @@ Internet-Draft               Domain Connect                   April 2022
    If a customer installed Mailer1 and Newsletter1, their combined SPF
    record ought to be something like:
 
-   v=spf1 include:spf.mailer1.com include:_spf.newsletter.net ~all
+   v=spf1 include:spf.mailer1.example include:_spf.newsletter.example
+    ~all
 
    We combined the two rules, and in this case picked the least
    restrictive all modifier.
 
-6.10.3.  SPF Record Merging
+9.10.3.  SPF Record Merging
 
    The challenge with SPF records and Domain Connect is that an
    individual service might recommend an SPF record.  If only one
@@ -2851,20 +3002,14 @@ Internet-Draft               Domain Connect                   April 2022
    on the other side does not reject the message in case forwarding
    facility is in place.
 
-
-
-Carney, et al.           Expires 29 October 2022               [Page 51]
-
-Internet-Draft               Domain Connect                   April 2022
-
-
-   @ TXT v=spf1 include:spf.mailer1.com include:_spf.newsletter.net ~all
+   @ TXT v=spf1 include:spf.mailer1.example include:_spf.newsletter.exam
+   ple ~all
 
    The other would be to write intermediate records, and reference these
    locally.
 
-   r1.example.com. TXT v=spf1 include:spf.mailer1.com ~all
-   r2.example.com. TXT v=spf1 include:_spf.newsletter.net ~all
+   r1.example.com. TXT v=spf1 include:spf.mailer1.example ~all
+   r2.example.com. TXT v=spf1 include:_spf.newsletter.example ~all
    @ TXT v=spf1 include:r1.example.com include:r2.example.com ~all
 
    There are advantages and disadvantages to both approaches.  SPF
@@ -2872,6 +3017,15 @@ Internet-Draft               Domain Connect                   April 2022
    to 255 characters.  So depending on the embedded records both
    approaches might have advantages.
 
+
+
+
+
+Kowalik, et al.          Expires 23 January 2025               [Page 54]
+
+Internet-Draft               Domain Connect                    July 2024
+
+
    The implementation would be left to the DNS Provider, but to
    facilitate this SPF records must NOT be included in templates.
    Instead, we introduce a new pseudo-record type in the template called
@@ -2879,7 +3033,7 @@ Internet-Draft               Domain Connect                   April 2022
 
    spfRules  Determines the desired rules, basically everything but
       leading "v=spf1" and trailing _all_ rule - see: SPF Rules
-      (Section 5.3)
+      (Section 8.3)
 
    When a template is added or removed with an _SPFM_ record in the
    template, some code would need to take the aggregate value of all
@@ -2894,7 +3048,7 @@ Internet-Draft               Domain Connect                   April 2022
    after merging.
 
    Due to merging step in between, the resulting SPF TXT records are
-   considered non-essential (see: Section 6.5).  That means the user may
+   considered non-essential (see: Section 9.5).  That means the user may
    decide to override the final calculated value or remove the whole SPF
    record.  This action must not lead to removal of any related
    templates in conflict detection and template integrity routines if
@@ -2907,20 +3061,28 @@ Internet-Draft               Domain Connect                   April 2022
    in the Asynchronous flow unless the _force=true_ parameter is used,
    effectively removing the existing record.
 
-
-
-Carney, et al.           Expires 29 October 2022               [Page 52]
-
-Internet-Draft               Domain Connect                   April 2022
-
-
    Service providers should avoid exact match checking content of TXT
    SPF record, as it might be strongly influenced by the DNS Provider
    merging strategy and user actions.
 
    See Appendix A.5.
 
-6.10.4.  Alternatives
+
+
+
+
+
+
+
+
+
+
+Kowalik, et al.          Expires 23 January 2025               [Page 55]
+
+Internet-Draft               Domain Connect                    July 2024
+
+
+9.10.4.  Alternatives
 
    Some DNS Providers may decide not to support the SPFM record.  The
    following alternative solution should allow general interoperability
@@ -2930,13 +3092,15 @@ Internet-Draft               Domain Connect                   April 2022
    _essential=OnApply_ set to avoid removal of the whole template by a
    conflict.
 
-6.11.  Public Template Repository
+9.11.  Public Template Repository
+
+9.11.1.  General information
 
    The Public Template Repository is an open accessible location where
    Service Providers MAY publish their Service Templates in the format
    specified in this specification.  DNS Providers MAY support all of
    the published templates, just a subset or none of them according to
-   own onboarding policies (see also: Section 7.1).
+   own onboarding policies (see also: Section 10.1).
 
    The template format is intended largely for documentation and
    communication between the DNS Providers and Service Providers, and
@@ -2948,12 +3112,12 @@ Internet-Draft               Domain Connect                   April 2022
    format, it is believed it will make it easier for Service Providers
    to share their configuration across DNS Providers.
 
-6.11.1.  Repository Location
+9.11.2.  Repository Location
 
    The repository of the templates is maintained under
    https://github.com/Domain-Connect/templates.
 
-6.11.2.  File naming requirements
+9.11.3.  File naming requirements
 
    The file names in this repository MUST be all lower case, including
    the providerId and serviceId.  As a result, while the providerId and
@@ -2965,17 +3129,21 @@ Internet-Draft               Domain Connect                   April 2022
 
 
 
-Carney, et al.           Expires 29 October 2022               [Page 53]
+
+
+
+
+Kowalik, et al.          Expires 23 January 2025               [Page 56]
 
-Internet-Draft               Domain Connect                   April 2022
+Internet-Draft               Domain Connect                    July 2024
 
 
-   providerId: Acme.com
+   providerId: example.com
    serviceId: WebsiteBuilder
 
-   Template file name: acme.com.websitebuilder.json
+   Template file name: example.com.websitebuilder.json
 
-6.11.3.  Template Integrity
+9.11.4.  Template Integrity
 
    Implementers are responsible for data integrity and should use the
    record type field to validate that variable input meets the criteria
@@ -2987,9 +3155,9 @@ Internet-Draft               Domain Connect                   April 2022
    mail.) or internal names that provide critical functionality that is
    outside the scope of this specification.
 
-7.  General considerations
+10.  General considerations
 
-7.1.  Onboarding
+10.1.  Onboarding
 
    This specification is an open standard that describes the protocol,
    messages and formats used to enable Domain Connect between a Service
@@ -3008,7 +3176,7 @@ Internet-Draft               Domain Connect                   April 2022
    between unique DNS Providers.  The DNS providerId is typically a
    domain name.
 
-7.2.  Case Sensitivity
+10.2.  Case Sensitivity
 
    All values are case sensitive.  This includes variable names, values,
    parameters and objects returned.
@@ -3021,31 +3189,33 @@ Internet-Draft               Domain Connect                   April 2022
 
 
 
-Carney, et al.           Expires 29 October 2022               [Page 54]
+Kowalik, et al.          Expires 23 January 2025               [Page 57]
 
-Internet-Draft               Domain Connect                   April 2022
+Internet-Draft               Domain Connect                    July 2024
 
 
    The values for providerId/serviceId in the template and passed
    through URIs in the path or query string are case sensitive.
    Different rules apply to the file naming in the Public Template
-   Repository (Section 6.11.2).
+   Repository (Section 9.11.3).
+
+11.  Extensions/Exclusions
 
-8.  Extensions/Exclusions
+11.1.  General information
 
    Additional record types and/or extensions to records in the template
    can be implemented on a per DNS Provider basis.  However, care should
    be taken when defining extensions so as to not conflict with other
    protocols and standards.  Certain record names are reserved for use
-   in DNS for protocols like DNSSEC (DNSKEY, RRSIG) at the registry
-   level.
+   in DNS for protocols like DNSSEC (DNSKEY, RRSIG) [RFC9364] at the
+   registry level.
 
    Defining these OPTIONAL extensions in an open manner as part of this
    specification is done to provide consistency.  The following are the
    initial OPTIONAL extensions a DNS Provider/Service Provider may
    support.
 
-8.1.  APEXCNAME
+11.2.  APEXCNAME
 
    Some Service Providers desire the behavior of a CNAME record, but in
    the apex record.  This would allow for an A Record at the root of the
@@ -3060,7 +3230,7 @@ Internet-Draft               Domain Connect                   April 2022
    functionality, using the same record type name across DNS Providers
    allows template reuse.
 
-8.2.  Redirection
+11.3.  Redirection
 
    Some Service Providers desire a redirection service associated with
    the A Record.  A typical example is a service that requires a
@@ -3075,11 +3245,9 @@ Internet-Draft               Domain Connect                   April 2022
 
 
 
-
-
-Carney, et al.           Expires 29 October 2022               [Page 55]
+Kowalik, et al.          Expires 23 January 2025               [Page 58]
 
-Internet-Draft               Domain Connect                   April 2022
+Internet-Draft               Domain Connect                    July 2024
 
 
    While technically not a "record" in DNS, when supporting this
@@ -3090,7 +3258,7 @@ Internet-Draft               Domain Connect                   April 2022
    respectively.  Associated with this record would be a single field
    called the "target", containing the target url of the redirect.
 
-8.3.  Nameservers
+11.4.  Nameservers
 
    Several service providers have asked for functionality supporting an
    update to the nameserver records at the registry associated with the
@@ -3105,7 +3273,7 @@ Internet-Draft               Domain Connect                   April 2022
    This functionality is again deemed as OPTIONAL and up to the DNS
    Provider to determine if they will support this.
 
-8.4.  DS (DNSSEC)
+11.5.  DS (DNSSEC)
 
    Requests have been made to allow for updates to the DS record for
    DNSSEC.  This record is required at the registry to enable DNSSEC,
@@ -3115,34 +3283,30 @@ Internet-Draft               Domain Connect                   April 2022
    DS.  Values will be keyTag, algorithm, digestType, and digest.
 
    Again it should be noted that a DS update would require that the DNS
-   Provider is the registrar, and is again deemed as OPTIONAL and up to
+   Provider is the registrar, and is again deemed as optional and up to
    the DNS Provider to determine if they will support.
 
-9.  IANA Considerations
+12.  IANA Considerations
 
-   TODO
+   None.
 
-10.  Acknowledgments
+13.  Change History
 
-   The authors wish to thank the following persons for their feedback
-   and suggestions:
+13.1.  Change from 03 to 04
 
-   *  Chris Ambler of GoDaddy Inc.
+   Version synchronized with 2.2 version rev. 66 of the public Domain
+   Connect specification.
 
-   *  Jody Kolker of GoDaddy Inc.
+                                  Figure 5
 
 
 
-Carney, et al.           Expires 29 October 2022               [Page 56]
+Kowalik, et al.          Expires 23 January 2025               [Page 59]
 
-Internet-Draft               Domain Connect                   April 2022
-
+Internet-Draft               Domain Connect                    July 2024
 
-11.  Change History
 
-11.1.  Change from 03 to 04
-
-11.2.  Change from 02 to 03
+13.2.  Change from 02 to 03
 
    Added width/height JSON values returned by DNS Provider Discovery.
    Corrected text of GET method for getting the authorization token.
@@ -3151,48 +3315,56 @@ Internet-Draft               Domain Connect                   April 2022
    that were found during implementation, especially in the
    Implementation Considerations section.
 
-                                  Figure 5
+                                  Figure 6
 
-11.3.  Change from 01 to 02
+13.3.  Change from 01 to 02
 
    Added new GET method for Service Providers to determine if the DNS
    Provider supports a specific template.  Some other minor edits for
    clarification.
 
-                                  Figure 6
+                                  Figure 7
 
-11.4.  Change from 00 to 01
+13.4.  Change from 00 to 01
 
    Minor edits and clarifications found during implementation.
 
-                                  Figure 7
+                                  Figure 8
 
-12.  Normative References
+14.  Normative References
 
    [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
-              Requirement Levels", RFC 2119, RFC 2119,
-              DOI 10.17487/RFC2119, March 1997,
+              Requirement Levels", IETF, DOI 10.17487/RFC2119, BCP 14,
+              RFC 2119, March 1997,
               <https://www.rfc-editor.org/info/rfc2119>.
 
-13.  Informative References
-
-   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
-              2119 Key Words", RFC 8174, RFC 8174, DOI 10.17487/RFC8174,
-              May 2017, <https://www.rfc-editor.org/info/rfc8174>.
-
    [RFC7208]  Kitterman, S., "Sender Policy Framework (SPF) for
-              Authorizing Use of Domains in Email, Version 1", RFC 7208,
-              RFC 7208, DOI 10.17487/RFC7208, April 2014,
+              Authorizing Use of Domains in Email, Version 1", IETF,
+              DOI 10.17487/RFC7208, RFC 7208, April 2014,
               <https://www.rfc-editor.org/info/rfc7208>.
 
+   [RFC6749]  Hardt, D., "The OAuth 2.0 Authorization Framework", IETF,
+              DOI 10.17487/RFC6749, RFC 6749, October 2012,
+              <https://www.rfc-editor.org/info/rfc6749>.
 
+15.  Informative References
+
+   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
+              2119 Key Words", IETF, DOI 10.17487/RFC8174, BCP 14,
+              RFC 8174, May 2017,
+              <https://www.rfc-editor.org/info/rfc8174>.
 
 
 
-Carney, et al.           Expires 29 October 2022               [Page 57]
+
+Kowalik, et al.          Expires 23 January 2025               [Page 60]
 
-Internet-Draft               Domain Connect                   April 2022
+Internet-Draft               Domain Connect                    July 2024
+
 
+   [RFC9364]  Hoffman, P., "DNS Security Extensions (DNSSEC)", IETF,
+              DOI 10.17487/RFC9364, BCP 237, RFC 9364, February 2023,
+              <https://www.rfc-editor.org/info/rfc9364>.
 
 Appendix A.  Examples
 
@@ -3205,36 +3377,35 @@ A.1.  Example Template
        "serviceName": "Wordpress by example.com",
        "version": 1,
        "logoUrl": "https://www.example.com/images/billthecat.jpg",
-       "description": "This connects your domain to our super cool web hosting",
-       "launchURL" : "https://www.example.com/connectlaunch",
+       "description": "This connects your domain to our web hosting",
        "records": [
            {
-               "groupId" : "service",
                "type": "A",
+               "groupId": "service",
                "host": "www",
                "pointsTo": "%var1%",
-               "ttl": "%var2%"
+               "ttl": 600
            },
            {
-               "groupId" : "service",
                "type": "A",
+               "groupId": "service",
                "host": "m",
-               "pointsTo": "%var3%",
-               "ttl": "%var2%"
+               "pointsTo": "%var2%",
+               "ttl": 600
            },
            {
-               "groupId" : "service",
                "type": "CNAME",
+               "groupId": "service",
                "host": "webmail",
-               "pointsTo": "%var4%",
-               "ttl": "%var2%"
+               "pointsTo": "%var3%",
+               "ttl": 600
            },
            {
-               "groupId" : "verification",
                "type": "TXT",
+               "groupId": "verification",
                "host": "example",
-               "data": "%var5%",
-               "ttl": "%var2%"
+               "ttl": 600,
+               "data": "%var4%"
            }
        ]
    }
@@ -3242,12 +3413,9 @@ A.1.  Example Template
 
 
 
-
-
-
-Carney, et al.           Expires 29 October 2022               [Page 58]
+Kowalik, et al.          Expires 23 January 2025               [Page 61]
 
-Internet-Draft               Domain Connect                   April 2022
+Internet-Draft               Domain Connect                    July 2024
 
 
 A.2.  Example Records: Single static host record
@@ -3259,13 +3427,13 @@ A.2.  Example Records: Single static host record
    [{
        "type": "A",
        "host": "www",
-       "pointsTo": "192.168.1.1",
+       "pointsTo": "192.0.2.1",
        "ttl": 600
    }]
 
    This would have no variable substitution and the application of this
    template to a domain would simply set the host name "www" to the IP
-   address "192.168.1.1"
+   address "192.0.2.1"
 
 A.3.  Example Records: Single variable host record for A
 
@@ -3276,7 +3444,7 @@ A.3.  Example Records: Single variable host record for A
    [{
        "type": "A",
        "host": "@",
-       "pointsTo": "192.168.1.%srv%",
+       "pointsTo": "198.51.100.%srv%",
        "ttl": 600
    }]
 
@@ -3285,7 +3453,7 @@ A.3.  Example Records: Single variable host record for A
    srv=2
 
    would cause the application of this template to a domain to set the
-   host name for the apex A record to the IP address "192.168.1.2" with
+   host name for the apex A record to the IP address "198.51.100.2" with
    a TTL of 600
 
 A.4.  Example: DNS Zone merging
@@ -3301,25 +3469,25 @@ A.4.  Example: DNS Zone merging
 
 
 
-Carney, et al.           Expires 29 October 2022               [Page 59]
+Kowalik, et al.          Expires 23 January 2025               [Page 62]
 
-Internet-Draft               Domain Connect                   April 2022
+Internet-Draft               Domain Connect                    July 2024
 
 
-   $ORIGIN test-domain.com.
+   $ORIGIN example.com.
 
-   @ 3600 IN SOA ns11.acme.net. support.acme.net. 2017050817 7200 1800
-   1209600 3600
-   @ 3600 IN NS ns11.acme.net.
-   @ 3600 IN NS ns12.acme.net.
-   @ 3600 IN A 1.1.1.1
-   @ 3600 IN A 1.1.1.2
+   @ 3600 IN SOA ns11.example.net. support.example.net. 2017050817 7200
+   1800 1209600 3600
+   @ 3600 IN NS ns11.example.net.
+   @ 3600 IN NS ns12.example.net.
+   @ 3600 IN A 192.0.2.1
+   @ 3600 IN A 192.0.2.2
    @ 3600 IN AAAA 2001:db8:1234:0000:0000:0000:0000:0000
    @ 3600 IN AAAA 2001:db8:1234:0000:0000:0000:0000:0001
-   @ 3600 IN MX 10 mx1.acme.net.
-   @ 3600 IN MX 10 mx2.acme.net.
-   @ 3600 IN TXT "v=spf1 a include:spf.acme.com ~all"
-   www 3600 IN CNAME other.host.com.
+   @ 3600 IN MX 10 mx1.example.net.
+   @ 3600 IN MX 10 mx2.example.net.
+   @ 3600 IN TXT "v=spf1 a include:spf.example.org ~all"
+   www 3600 IN CNAME other.host.example.
 
    Now application of the following template:
 
@@ -3327,19 +3495,19 @@ Internet-Draft               Domain Connect                   April 2022
        {
            "type":"A",
            "host":"@",
-           "pointsTo":"2.2.2.2",
+           "pointsTo":"203.0.113.2",
            "ttl":"1800"
        },
        {
            "type":"A",
            "host":"www",
-           "pointsTo":"2.2.2.2",
+           "pointsTo":"203.0.113.2",
            "ttl":"1800"
        },
        {
            "type":"SPFM",
            "host":"@",
-           "spfRules":"a include:spf.hoster.com"
+           "spfRules":"a include:spf.hoster.example"
        }
    ]
 
@@ -3357,33 +3525,34 @@ Internet-Draft               Domain Connect                   April 2022
 
 
 
-Carney, et al.           Expires 29 October 2022               [Page 60]
+Kowalik, et al.          Expires 23 January 2025               [Page 63]
 
-Internet-Draft               Domain Connect                   April 2022
+Internet-Draft               Domain Connect                    July 2024
 
 
-   $ORIGIN test-domain.com.
+   $ORIGIN example.com.
 
-   @ 3600 IN SOA ns11.acme.net. support.acme.net. 2017050920 7200 1800
-   1209600 3600
-   @ 3600 IN NS ns11.acme.net.
-   @ 3600 IN NS ns12.acme.net.
-   @ 1800 IN A 2.2.2.2
-   @ 3600 IN MX 10 mx1.acme.net.
-   @ 3600 IN MX 10 mx2.acme.net.
-   @ 1800 IN TXT "v=spf1 a include:spf.acme.com include:spf.hoster.com ~all"
-   www 1800 IN A 2.2.2.2
+   @ 3600 IN SOA ns11.example.net. support.example.net. 2017050920 7200
+   1800 1209600 3600
+   @ 3600 IN NS ns11.example.net.
+   @ 3600 IN NS ns12.example.net.
+   @ 1800 IN A 203.0.113.2
+   @ 3600 IN MX 10 mx1.example.net.
+   @ 3600 IN MX 10 mx2.example.net.
+   @ 1800 IN TXT "v=spf1 a include:spf.example.org include:spf.hoster.ex
+   ample ~all"
+   www 1800 IN A 203.0.113.2
 
 A.5.  Example: SPF Record Merging
 
    Consider a DNS Zone before a template application:
 
-   $ORIGIN test-domain.com.
+   $ORIGIN example.com.
 
-   @ 3600 IN SOA ns11.acme.net. support.acme.net. 2017050817 7200 1800
-   1209600 3600
-   @ 3600 IN NS ns11.acme.net.
-   @ 3600 IN NS ns12.acme.net.
+   @ 3600 IN SOA ns11.example.net. support.example.net. 2017050817 7200
+   1800 1209600 3600
+   @ 3600 IN NS ns11.example.net.
+   @ 3600 IN NS ns12.example.net.
 
    Now application of the following template of Mail service:
 
@@ -3392,41 +3561,42 @@ A.5.  Example: SPF Record Merging
            "type":"MX",
            "host":"@",
            "priority": "10",
-           "pointsTo":"mx1.acme.net",
+           "pointsTo":"mx1.example.net",
            "ttl":"1800"
        },
        {
            "type":"MX",
            "host":"www",
            "priority": "10",
-           "pointsTo":"mx2.acme.net",
+           "pointsTo":"mx2.example.net",
            "ttl":"1800"
        },
        {
            "type":"SPFM",
            "host":"@",
-           "spfRules":"a include:spf.acme.net"
+           "spfRules":"a include:spf.example.net"
        }
    ]
 
-   Expected result in the DNS Zone
 
 
 
-Carney, et al.           Expires 29 October 2022               [Page 61]
+Kowalik, et al.          Expires 23 January 2025               [Page 64]
 
-Internet-Draft               Domain Connect                   April 2022
+Internet-Draft               Domain Connect                    July 2024
+
 
+   Expected result in the DNS Zone
 
-   $ORIGIN test-domain.com.
+   $ORIGIN example.com.
 
-   @ 3600 IN SOA ns11.acme.net. support.acme.net. 2017050817 7200 1800
-   1209600 3600
-   @ 3600 IN NS ns11.acme.net.
-   @ 3600 IN NS ns12.acme.net.
-   @ 3600 IN MX 10 mx1.acme.net.
-   @ 3600 IN MX 10 mx2.acme.net.
-   @ 3600 IN TXT "v=spf1 a include:spf.acme.net ~all"
+   @ 3600 IN SOA ns11.example.net. support.example.net. 2017050817 7200
+   1800 1209600 3600
+   @ 3600 IN NS ns11.example.net.
+   @ 3600 IN NS ns12.example.net.
+   @ 3600 IN MX 10 mx1.example.net.
+   @ 3600 IN MX 10 mx2.example.net.
+   @ 3600 IN TXT "v=spf1 a include:spf.example.net ~all"
 
    In the next step application of the following template of Newsletter
    service:
@@ -3435,65 +3605,63 @@ Internet-Draft               Domain Connect                   April 2022
        {
            "type":"SPFM",
            "host":"@",
-           "spfRules":"include:_spf.newsletter.com"
+           "spfRules":"include:_spf.newsletter.example"
        }
    ]
 
    Expected result in the DNS Zone
 
-   $ORIGIN test-domain.com.
+   $ORIGIN example.com.
 
-   @ 3600 IN SOA ns11.acme.net. support.acme.net. 2017050817 7200 1800
-   1209600 3600
-   @ 3600 IN NS ns11.acme.net.
-   @ 3600 IN NS ns12.acme.net.
-   @ 3600 IN MX 10 mx1.acme.net.
-   @ 3600 IN MX 10 mx2.acme.net.
-   @ 3600 IN TXT "v=spf1 a include:spf.acme.net include:_spf.newsletter.com ~all"
+   @ 3600 IN SOA ns11.example.net. support.example.net. 2017050817 7200
+   1800 1209600 3600
+   @ 3600 IN NS ns11.example.net.
+   @ 3600 IN NS ns12.example.net.
+   @ 3600 IN MX 10 mx1.example.net.
+   @ 3600 IN MX 10 mx2.example.net.
+   @ 3600 IN TXT "v=spf1 a include:spf.example.net include:_spf.newslett
+   er.
+   example ~all"
 
 Authors' Addresses
 
-   R Carney
-   GoDaddy Inc.
-   14455 N. Hayden Rd. #219
-   Scottsdale,
-   United States of America
-   Email: rcarney@godaddy.com
-   URI:   http://www.godaddy.com
-
-
-   A Blinn
-   Email: arnold@arnoldblinn.com
-
-
-
-
-
-Carney, et al.           Expires 29 October 2022               [Page 62]
-
-Internet-Draft               Domain Connect                   April 2022
-
-
    P Kowalik
-   IONOS SE
-   Elgendorfer Str. 57
-   Montabaur
+   DENIC eG
+   Theodor-Stern-Kai 1
+   Frankfurt am Main
    Germany
-   Email: pawel.kowalik@ionos.com
-   URI:   https://ionos.com
-
-
+   Email: pawel.kowalik@denic.de
+   URI:   https://denic.de
 
 
 
 
 
+Kowalik, et al.          Expires 23 January 2025               [Page 65]
+
+Internet-Draft               Domain Connect                    July 2024
 
 
+   A Blinn
+   Email: arnold@arnoldblinn.com
 
 
+   J Kolker
+   GoDaddy Inc.
+   14455 N. Hayden Rd. #219
+   Scottsdale,
+   United States of America
+   Email: jkolker@godaddy.com
+   URI:   https://www.godaddy.com
 
 
+   S Kerola
+   Cloudflare, Inc.
+   101 Townsend St
+   San Francisco,
+   United States of America
+   Email: kerolasa@cloudflare.com
+   URI:   https://cloudflare.com
 
 
 
@@ -3525,4 +3693,4 @@ Internet-Draft               Domain Connect                   April 2022
 
 
 
-Carney, et al.           Expires 29 October 2022               [Page 63]
+Kowalik, et al.          Expires 23 January 2025               [Page 66]