DNO+: making DNO additive
The DNO library entry describes Do Not Originate as it operates today — a default-deny mechanism on calling-number provenance, structured into two tiers. Tier 1 covers numbers that structurally cannot originate (invalid, unallocated, unassigned). Tier 2 covers numbers that can originate but whose holder has declared they won’t (subscriber-requested DNO; the IRS taxpayer assistance line is the canonical example). The mechanism has been useful, the regulatory framework has now codified it under 47 CFR § 64.1200(o), and the operational pattern is well understood.
DNO is one short logical step away from helping solve a much larger problem than the one it currently addresses: the industry’s effort to get to legitimate A-Attestation practice — to give the highest SHAKEN attestation level the external grounding that lets it actually mean what it is supposed to mean. The addition that closes the gap is genuinely additive, not a redesign, and the path it opens is incremental. As enterprises recognize their right-to-use obligations and develop a clearer view of how their calls are being originated and attested, the framework’s coverage grows from the inside out. A proposal the CFCA Telecom Trust Working Group has been working through is what we are calling DNO+. The simple shape of the extension follows.
The structural gap
Tier 2 of DNO today is binary: a number either originates outbound calls or it doesn’t. That binary is a useful coarse filter, but it leaves an enormous category uncovered — numbers that do legitimately originate calls, but only through a small set of authorized providers, and where any other provider signing on the number’s behalf is by definition unauthorized.
This category is most of the high-value telephone identity in the country. A Fortune 500 enterprise’s outbound contact center runs through one or two CCaaS providers. A bank’s customer-facing outbound calling runs through a specific service contract. A government agency’s outbound notifications go through a specific carrier. In every case, the entity that holds the right-to-use of the number has a small, knowable, deliberately-chosen set of providers that may legitimately sign calls from that number. Anybody else signing is, structurally, not authorized.
STIR/SHAKEN already has a placeholder for this distinction. Attestation A is meant to mean that the originating provider has a direct authentication relationship with the customer and has verified the customer’s right to use the calling number. That is the right semantic model. The problem is that the attestation is unilateral. The originating provider tells the verifier “I have this relationship and I have verified this right,” and there is no mechanism to externally check the claim. A bad-actor provider can issue Attestation A on numbers it has no real authority over, and the framework has no built-in way to detect the lie at scale.
The technical gap is the absence of an externally-checkable binding from a number to the providers actually authorized to sign on that number’s behalf.
The authorization-first reframe
DNO+ is DNO with a service provider code (SPC) allowlist. The model maps cleanly onto the existing tiers: Tier 1 covers numbers that cannot originate, Tier 2 covers numbers that will not originate, and DNO+ covers numbers that originate only through providers the right-to-use holder has authorized.
The mechanics follow directly. A signed call carries the same SHAKEN PASSporT it does today, with the originating provider’s STI certificate and SPC. The verifier looks up the calling number’s authorized-SPC list and asks whether the signing SPC is on it. On the list: the call continues. Off the list: the call is treated as DNO — because for any signer not on the holder’s allowlist, the calling number does not originate.
What the data actually looks like
Each RTU holder publishes, against their numbering inventory, a list of SPCs authorized to sign on each number. Scope can be a single TN, a range, an entire toll-free number, or an NPA-NXX block; SPCs are typically OCNs identifying the originating carrier, with toll-free numbers also accepting the holder’s RespOrgID.
A fragment of one such declaration might look like:
| Calling number / range | Authorized SPCs |
|---|---|
| 1-800-555-0100 | ACM01, 4528 |
| 1-888-555-0123 | 7234, 8431 |
| (212) 555-0199 | 8431 |
| (415) 555-01XX | 1234, 8431 |
Five-character codes are RespOrgIDs; four-character codes are OCNs. Toll-free entries most often use the OCNs of the carriers actually originating calls; some also include the holder’s RespOrgID. Multiple SPCs per entry are common — a customer using two CCaaS providers, a number transitioning between providers, an enterprise running redundant outbound paths.
From the consumer’s perspective, DNO+ data rolls up into the same shape as a DNO list. Existing list providers — the ITG Registry, Somos RealNumber, provider-internal lists — can extend their distribution to include it without inventing new mechanics.
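The network-entry check described above, applied to the table's declarations, as an added Python example (not code from the author, the working group, or any list provider). The function names, the in-memory layout, the `X` wildcard matching and the most-specific-scope rule are assumptions of this example; the DNO entry is constructed.

```python
import re

# Constructed sample data. ALLOWLIST mirrors the table above; the DNO entry is a placeholder.
DNO_LIST = {"18005550199"}            # Tier 1 / Tier 2: must never originate
ALLOWLIST = {                          # DNO+ scope (X = any digit) -> authorized SPCs
    "18005550100": {"ACM01", "4528"},
    "18885550123": {"7234", "8431"},
    "12125550199": {"8431"},
    "141555501XX": {"1234", "8431"},
}

def normalize_tn(tn):
    """Reduce a NANP calling number to 11 digits with a leading 1."""
    digits = re.sub(r"\D", "", tn)
    if len(digits) == 10:
        digits = "1" + digits
    if len(digits) != 11 or digits[0] != "1":
        raise ValueError(f"not a NANP number: {tn!r}")
    return digits

def authorized_spcs(tn):
    """SPC set of the most specific matching scope, or None if nothing is declared."""
    matches = [scope for scope in ALLOWLIST
               if all(s in ("X", d) for s, d in zip(scope, tn))]
    if not matches:
        return None
    # Assumption: when scopes overlap, the one with the fewest wildcards wins.
    return ALLOWLIST[min(matches, key=lambda scope: scope.count("X"))]

def dno_plus_check(calling_tn, signing_spc):
    """Return (action, reason). signing_spc is assumed to come from the STI
    certificate of a PASSporT whose signature has already been verified."""
    tn = normalize_tn(calling_tn)
    if tn in DNO_LIST:
        return ("block", "TN on DNO list")
    spcs = authorized_spcs(tn)
    if spcs is None:
        return ("continue", "no DNO+ data on file")
    if signing_spc.strip().upper() in spcs:
        return ("continue", "A-Attestation has external grounding")
    return ("block", "signing SPC absent from TN's enabled list")
```

A number with no declaration passes unchanged, which is what keeps the check additive: coverage grows only as holders publish.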
Why I describe this as additive
What DNO+ adds is exactly two things: a publication mechanism for RTU-holder authorization declarations, and an additional check at network entry that compares the signing SPC to the declared list. The network-entry check is a new branch in code that already runs the DNO scrub. The publication mechanism is the new piece — composing with the broader RTU authentication work the industry is developing. On the technical layer, nothing else changes: no new PASSporT extension, no new certificate profile, no new attestation level.
A-Attestation that means what it says
A-Attestation in SHAKEN is the highest attestation level and the one meant to carry the most weight: the originating provider asserts a direct customer relationship and verified right-to-use. The semantic is right. The gap today is that the assertion is unilateral — no way to check it externally — and DNO+ is what closes that gap. A signed call whose originating SPC is on the holder’s allowlist has external grounding for its A-Attestation; one whose SPC is not on the list does not.
The reframe is constructive, not enforcement-driven. The point isn’t primarily to catch bad signers; it’s to make legitimate A-Attestation visible. As more enterprises publish their authorization lists, the population of externally-grounded A-Attestations grows, and the legitimate population becomes structurally distinguishable from the unsupported one. Detection is a corollary of visibility, not the headline.

                    ┌──────────────────────────────────────────────────┐
                    │ Sources:                                         │
                    │                                                  │
                    │ DNO data:                                        │
                    │   Tier 1 — invalid, unallocated, unassigned      │
                    │   Tier 2 — subscriber-requested DNO              │
                    │                                                  │
                    │ DNO+ data:                                       │
                    │   RTU-holder authorization declarations          │
                    │   (TN → enabled SPC list)                        │
                    └──────────────────┬───────────────────────────────┘
                                       │ distribute (API or bulk)
                                       ▼
                          ┌────────────────────────┐
        signed INVITE ──► │ DNO+ Check             │
        (calling TN +     │ TN against DNO list    │
         signing SPC      │ signing SPC against    │
         from SHAKEN      │ TN's enabled list      │
         PASSporT)        │ (if declared)          │
                          └─────┬──────────┬───────┘
                                │ match    │ pass
                                ▼          ▼
                     ┌──────────────┐ ┌────────────────┐
                     │ Block        │ │ Continue:      │
                     │              │ │ A-Attestation  │
                     │ TN on DNO,   │ │ has external   │
                     │ or signing   │ │ grounding      │
                     │ SPC absent   │ │ (or no DNO+    │
                     │ from TN's    │ │ data on file)  │
                     │ enabled list │ │                │
                     └──────────────┘ └────────────────┘

Detection and ecosystem transparency
DNO+ violations are detectable by any provider along the call path. A SHAKEN-signed call carries the signing SPC where every downstream provider can see it, and comparing that SPC against the calling number’s allowlist is the same lookup any DNO scrub already performs. Detection isn’t concentrated at the terminating end or in a regulator’s hands — it’s distributed across the ecosystem.
Existing information-sharing mechanisms propagate signals about suspicious traffic across that ecosystem. The ITG traceback process lets providers backtrack a specific call to its origin. Honeypot services — third-party operators that maintain trap numbers and publish what they observe — surface noncompliance continuously and transparently. With DNO+ in place, the signal these mechanisms carry has a deterministic substrate: a violation isn’t a probabilistic inference from a downstream complaint, it’s a structural mismatch visible at every hop. Compliance with proper A-Attestation practice — and noncompliance — becomes transparent across the call path rather than relying on after-the-fact reconstruction.
Adoption
DNO+ is being discussed in the CFCA Telecom Trust Working Group, which is an operational and fraud-focused forum rather than a technical standards body. The point of working through it there is to align industry stakeholders on a framework that exposes A-Attestation noncompliance more transparently — not to ratify a spec.
The adoption path mirrors DNO itself. DNO never had a technical standard; it gained traction because the concept was sound, implementation was straightforward, and the industry adopted it. DNO+ follows the same pattern. If the concept gains industry endorsement, the list providers who already aggregate and distribute DNO data extend their offerings to include the new SPC allowlist data category, and enterprises holding right-to-use of their numbers begin publishing their authorization lists. The same § 64.1200(o) “reasonable” DNO list interpretation that anchors DNO today is likely wide enough to accommodate DNO+ entries within its existing scope.
DNO+ is straightforward, additive, and ready to extend DNO’s success as STIR/SHAKEN adoption continues to strengthen across the industry.